SOLIDserver Administrator

Guide
Version 8.1
SOLIDserver Administrator Guide
SOLIDserver Administrator Guide
Revision: #121977

Publication date August 30, 2022

Copyright © 2000-2022 EfficientIP
All product specifications and information provided in this document are subject to change or update without notice and should not be
construed as a commitment by EfficientIP. EfficientIP assumes no responsibility or liability for any mistakes, inaccuracies or omissions
that may appear in this document. All statements and recommendations in this document are believed to be accurate at the time they
are drafted but are presented without any representation or warranty of any kind, either express or implied, regarding their accuracy,
completeness, performance, up-to-dateness or suitability for any particular use or purpose, or with respect to the infringement of any
right. In particular, EfficientIP makes no representation or warranty that the results that may be obtained from your use of our products
will be effective, accurate or reliable or that the quality of the products will meet your expectations. Users must take full responsibility
for their application of any product.

This document aims at detailing EfficientIP proprietary solutions. As our solutions rely on several third-party products, created by other
companies or organizations, it may redirect readers to third-party websites and documentation for further information. EfficientIP cannot
be liable for or expected to provide said information regarding products maintained or created by third parties.

In no event shall EfficientIP be liable for any special, punitive, indirect, incidental or consequential damages of any kind including, but
not limited to, loss of present or prospective profits or business, loss of data, business interruption, damages to reputation or image,
whether in an action of contract, negligence, or other action, arising out of or in connection with the use, reliance upon or performance
of the products provided by EfficientIP or any information contained herein.

All EfficientIP products and documentation are subject to separate licensing terms which users must agree to and comply with in order
to use such products and documentation.
Table of Contents
About This Guide ........................................................................................................... xxii
Documentation Organization .................................................................................. xxii
Documentation Convention .................................................................................... xxiii
I. Starting ......................................................................................................................... 1
1. Hardware Appliance Specificities ............................................................................ 3
5th Generation Hardware Appliances ................................................................. 3
4th Generation Hardware Appliances ............................................................... 13
2. First Configuration ............................................................................................... 19
Prerequisites .................................................................................................. 19
SOLIDserver-50 First Configuration .................................................................. 19
Rack Hardware Appliances First Configuration .................................................. 20
Completing the Basic Network Configuration via CLI ......................................... 26
3. Using SOLIDserver for the First Time .................................................................... 31
Connecting to SOLIDserver ............................................................................. 31
Requesting and Activating a License ................................................................ 32
Defining the Internal Module Setup .................................................................. 33
Configuring SOLIDserver Network and Services ............................................... 34
Configuring User Access to SOLIDserver ......................................................... 34
4. Understanding the GUI ........................................................................................ 36
SOLIDserver Main Dashboard ......................................................................... 37
Sidebar .......................................................................................................... 38
Top Bar .......................................................................................................... 44
Breadcrumb .................................................................................................... 49
Menu ............................................................................................................. 50
Listing Pages .................................................................................................. 53
Properties Pages ............................................................................................ 71
Wizards .......................................................................................................... 72
My Bookmarks ................................................................................................ 79
Charts ............................................................................................................ 81
Quick Wizards ................................................................................................. 85
Account Configuration ..................................................................................... 88
II. Configuring SOLIDserver ............................................................................................. 90
5. Configuring the Time and Date ............................................................................. 92
Configuring NTP Servers ................................................................................. 92
Forcing the NTP Update .................................................................................. 94
Setting the Appliance Time and Date Manually ................................................. 94
6. Configuring the Network ...................................................................................... 95
Configuring Basic IP Addressing on an Interface ............................................... 96
Setting the Routing ......................................................................................... 97
Setting the Hostname ...................................................................................... 99
Setting the DNS Resolver .............................................................................. 100
Setting the Firewall ........................................................................................ 100
Setting up a VLAN Interface ........................................................................... 103
Setting up an Ethernet Port Failover ............................................................... 105
Configuring a VIP .......................................................................................... 107
Setting up and Managing a VIF ...................................................................... 110
Configuring the Loopback Interface ................................................................ 112
Configuring a Media Interface ........................................................................ 114
7. Configuring the Services .................................................................................... 115
Handling Services ......................................................................................... 116
Configuring the SSH Account ......................................................................... 117

iv
 SOLIDserver Administrator Guide

Changing the SFTP/SCP/RSYNC User Account Password .............................. 118

Managing the TFTP Upload Authorizations ..................................................... 118
Configuring the SMTP Relay .......................................................................... 119
Changing the HTTPS Certificate .................................................................... 120
Configuring Windows Events Collector ........................................................... 121
Configuring DNS Guardian ............................................................................ 121
Configuring GSLB Server .............................................................................. 122
Configuring the SNMP Server ........................................................................ 123
Downloading a DNS or DHCP Configuration File ............................................. 125
III. Imports and Exports ................................................................................................. 126
8. Importing Data from a CSV File .......................................................................... 128
The Import Wizard ......................................................................................... 129
Importing Data to the IPAM ............................................................................ 130
Importing Data to the DHCP .......................................................................... 145
Importing Data to the DNS ............................................................................. 153
Importing Data to NetChange ........................................................................ 157
Importing Data to Device Manager ................................................................. 159
Importing Data to VLAN Manager ................................................................... 161
Importing Data to VRF ................................................................................... 165
Importing Data to SPX ................................................................................... 167
Importing Data to the Administration Module ................................................... 171
Managing Import Templates ........................................................................... 174
9. Importing IPAM Data .......................................................................................... 176
Importing a VitalQIP Export ........................................................................... 176
Importing Nortel NetID IP Address Data ......................................................... 177
10. Importing DHCP Data ...................................................................................... 179
Importing an ISC DHCP Configuration ............................................................ 179
Importing an Alcatel-Lucent VitalQIP Configuration .......................................... 180
Importing a Microsoft DHCP Configuration ...................................................... 181
Importing an Infoblox DHCP Configuration ...................................................... 182
Importing a MetaIP DHCP Configuration ......................................................... 183
Importing a Nortel NetID Configuration ........................................................... 184
Aggregating DHCP Options from Ranges or Statics ........................................ 185
11. Importing DNS Data ......................................................................................... 187
Importing DNS Zones from a BIND Archive File .............................................. 187
Importing DNS Zones from a VitalQIP Archive File .......................................... 188
12. Exporting Data ................................................................................................ 190
The Export Wizard ........................................................................................ 192
Browsing the Exports Database ..................................................................... 192
Configuring Exports ...................................................................................... 193
Exporting Data to Reimport It Later ................................................................ 195
Managing Scheduled Exports ........................................................................ 199
Managing Scheduled Exports Configuration Files ............................................ 200
Managing Export Templates ........................................................................... 200
IV. Dashboards .............................................................................................................. 202
13. Managing Dashboards ..................................................................................... 204
Browsing the Dashboards .............................................................................. 204
Adding Dashboards ....................................................................................... 205
Displaying or Hiding Dashboards .................................................................... 205
Ordering Dashboards .................................................................................... 205
Editing Dashboards ....................................................................................... 206
Deleting Dashboards ..................................................................................... 208
14. Managing Gadgets .......................................................................................... 209
Browsing Gadgets ......................................................................................... 209

v
 SOLIDserver Administrator Guide

Gadgets Displayed by Default ........................................................................ 211

Adding Gadgets ............................................................................................ 215
Assigning Gadgets ........................................................................................ 221
Displaying or Hiding a Gadget ........................................................................ 223
Editing Gadgets ............................................................................................ 223
Setting the Gadgets Visibility .......................................................................... 225
Enabling or Disabling Gadgets ....................................................................... 225
Deleting Gadgets .......................................................................................... 226
V. IPAM ......................................................................................................................... 227
15. Managing Spaces ............................................................................................ 231
Browsing Spaces .......................................................................................... 231
Adding Spaces .............................................................................................. 231
Editing Spaces .............................................................................................. 232
Automating the IPv4 to IPv6 Transition ............................................................ 233
Exporting Spaces .......................................................................................... 233
Deleting Spaces ............................................................................................ 233
Defining a Space as a Group Resource .......................................................... 234
16. Managing Networks ......................................................................................... 235
Browsing Networks ....................................................................................... 235
Adding Networks ........................................................................................... 237
Editing Networks ........................................................................................... 243
Splitting Networks ......................................................................................... 244
Merging Networks ......................................................................................... 244
Moving Networks .......................................................................................... 245
Discovering the Assigned IP Addresses in a Network ...................................... 246
Using Network Map to Display Assigned IP Addresses .................................... 246
Managing or Unmanaging Networks ............................................................... 248
Creating Networks from NetChange ............................................................... 248
Finding Identity Manager Sessions at Network Level ....................................... 248
Automating the IPv4 to IPv6 Transition ............................................................ 249
Adding Pools from the Page All networks ........................................................ 249
Adding IP Addresses from the Page All networks ............................................ 249
Adding DHCP Scopes from the Page All networks ........................................... 250
Adding or Updating DNS Zones from the Page All networks ............................. 250
Adding VLANs from the Page All networks ...................................................... 250
Exporting Networks ....................................................................................... 250
Deleting Networks ......................................................................................... 250
Defining a Network as a Group Resource ....................................................... 251
17. Managing Pools ............................................................................................... 252
Browsing Pools ............................................................................................. 252
Adding Pools ................................................................................................ 253
Reserving Pools ............................................................................................ 254
Resizing Pools .............................................................................................. 254
Adding Pools at Network Level ....................................................................... 254
Adding DHCP Ranges from the Page All pools ................................................ 255
Exporting Pools ............................................................................................. 255
Deleting Pools ............................................................................................... 255
Defining a Pool as a Group Resource ............................................................. 255
18. Managing IP Addresses ................................................................................... 256
Browsing IP Addresses .................................................................................. 256
Adding IP Addresses ..................................................................................... 258
Editing IP Addresses ..................................................................................... 262
Configuring and Managing IP Address Aliases ................................................ 263
Configuring Multiple A Records for an IP Address ........................................... 266

vi
 SOLIDserver Administrator Guide

Renaming IPv4 Addresses Massively ............................................................. 267

Moving IP Addresses .................................................................................... 268
Pinging IP Addresses .................................................................................... 270
Populating Device Manager ........................................................................... 270
Finding Identity Manager Sessions at IP Address Level ................................... 270
Adding Gateway IP Addresses at Network Level ............................................. 271
Automating the IPv4 to IPv6 Transition ............................................................ 271
Updating DHCP Scopes from the Page All addresses ...................................... 272
Adding DHCP Statics from the Page All addresses .......................................... 272
Adding DNS Records from the Page All addresses .......................................... 272
Adding Devices from the Page All addresses .................................................. 272
Updating Ports and Interfaces from the Page All addresses ............................. 272
Adding IP Addresses from the DHCP ............................................................. 273
Adding IP Addresses from the DNS ................................................................ 273
Exporting IP Addresses ................................................................................. 273
Deleting IP Addresses ................................................................................... 273
Cleaning Invalid IP Addresses ........................................................................ 273
Cancelling Deletions ...................................................................................... 274
19. Managing Raw Data ........................................................................................ 276
Limitations .................................................................................................... 276
Exporting Raw Data ...................................................................................... 276
Importing Raw Data ...................................................................................... 277
20. Managing IPAM Templates ............................................................................... 280
1. Adding Template Classes in Class Studio .................................................... 281
2. Configuring Templates ............................................................................... 282
3. Deploying Templates .................................................................................. 288
21. Using VLSM to Manage Your IPAM Network ....................................................... 290
Choosing the Method That Suits Your Needs ................................................... 290
Managing a Space-Based VLSM Organization ................................................ 294
Managing a Network-Based VLSM Organization ............................................. 304
Using the VLSM Hierarchy to Delegate Management ....................................... 309
22. Managing Cloud Synchronization ...................................................................... 312
Prerequisites ................................................................................................ 312
Limitations .................................................................................................... 313
Configuring a Proxy Server ............................................................................ 313
Configuring AWS Synchronization .................................................................. 313
Configuring Azure Synchronization ................................................................. 317
Configuring GCP Synchronization .................................................................. 320
Monitoring the Synchronization ...................................................................... 323
Disabling Cloud Synchronization .................................................................... 324
VI. DHCP ...................................................................................................................... 325
23. Understanding DHCP Smart Architectures ........................................................ 330
Implementing DHCP Smart Architectures ....................................................... 331
DHCP Vendors Compatible with Smart Architectures ....................................... 334
Building a Highly Available Service With Smart Architectures ........................... 335
24. Managing DHCP Smart Architectures ............................................................... 336
Browsing DHCP Smart Architectures .............................................................. 336
Adding DHCPv4 Smart Architectures ............................................................. 337
Adding DHCPv6 Smart Architectures ............................................................. 344
Editing DHCP Smart Architectures ................................................................. 348
Handling the Status Locked Synchronization ................................................... 353
Exporting DHCP Smart Architectures ............................................................. 355
Deleting DHCP Smart Architectures ............................................................... 355
Defining DHCP Smart Architectures as Group Resources ................................ 355

vii
 SOLIDserver Administrator Guide

25. Managing DHCP Failover Channels .................................................................. 356

DHCP Failover Principles and Operational States ............................................ 356
Browsing DHCP Failover Channels ................................................................ 359
Switching DHCP Servers to Partner-down ...................................................... 362
Exporting DHCP Failover Channels ................................................................ 363
26. Managing DHCP Servers ................................................................................. 364
Browsing DHCP Servers ............................................................................... 364
Managing EfficientIP DHCP Servers ............................................................... 366
Managing Microsoft Windows DHCP Servers .................................................. 371
Managing ISC DHCP Servers on Linux ........................................................... 377
Synchronizing DHCP Servers ........................................................................ 386
Editing DHCP Servers ................................................................................... 386
Repairing Leases .......................................................................................... 387
Configuring DHCP Options at Server Level ..................................................... 387
Exporting DHCP Servers ............................................................................... 389
Deleting DHCP Servers ................................................................................. 389
Defining DHCP Servers as Group Resources ................................................. 389
27. Managing DHCP Shared Networks ................................................................... 390
Browsing Shared Networks ............................................................................ 390
Adding DHCP Shared Networks ..................................................................... 391
Editing DHCP Shared Networks ..................................................................... 391
Exporting Shared Networks ........................................................................... 392
Deleting DHCP Shared Networks ................................................................... 392
28. Managing DHCP Scopes .................................................................................. 393
Browsing DHCP Scopes ................................................................................ 393
Adding DHCP Scopes ................................................................................... 394
Editing DHCP Scopes ................................................................................... 395
Configuring DHCP Options at Scope Level ..................................................... 396
Defining a Specific IPAM Space for a Scope ................................................... 398
Defining a Specific Failover Channel for Scopes .............................................. 398
Replicating Scope Data in the IPAM ............................................................... 399
Configuring Multiple Scopes for a Network Segment ....................................... 400
Copying or Moving DHCPv4 Scopes .............................................................. 401
Configuring DHCP Relay Agents .................................................................... 401
Adding DHCP Scopes from the IPAM ............................................................. 402
Updating DHCP Scopes from the IPAM .......................................................... 403
Exporting DHCP Scopes ............................................................................... 403
Deleting DHCP Scopes ................................................................................. 403
Defining DHCP Scopes as Group Resources .................................................. 403
29. Managing DHCP Ranges ................................................................................. 404
Browsing DHCP Ranges ................................................................................ 404
Adding DHCP Ranges ................................................................................... 405
Editing DHCP Ranges ................................................................................... 408
Replicating Range Data in the IPAM ............................................................... 409
Configuring DHCP Options at Range Level ..................................................... 410
Adding DHCP Ranges from the IPAM ............................................................. 412
Exporting DHCP Ranges ............................................................................... 412
Deleting DHCP Ranges ................................................................................. 412
30. Managing DHCP Leases .................................................................................. 413
Browsing DHCP Leases ................................................................................ 413
Defining the DHCP Leases Duration ............................................................... 416
Converting DHCPv4 Leases into Statics ......................................................... 417
Blacklisting DHCPv4 Leases .......................................................................... 418
Repairing DHCPv4 Leases at Server Level ..................................................... 419

viii
 SOLIDserver Administrator Guide

Displaying the Relay Agent Information (Option 82) ......................................... 419

Adding IP Addresses from the Page All leases ................................................ 420
Adding DNS Records from the Page All leases ............................................... 420
Exporting DHCP Leases ................................................................................ 420
Purging the DHCP Leases History ................................................................. 420
Deleting DHCPv4 Leases .............................................................................. 422
31. Managing DHCP ACLs and ACL Entries ........................................................... 423
Managing DHCP ACLs .................................................................................. 424
Managing DHCP ACL Entries ........................................................................ 429
32. Managing DHCP Groups .................................................................................. 432
Browsing DHCP Groups ................................................................................ 432
Adding DHCP Groups ................................................................................... 433
Configuring DHCP Options at Group Level ..................................................... 433
Exporting DHCP Groups ................................................................................ 434
Deleting DHCP Groups ................................................................................. 434
33. Managing DHCP Statics ................................................................................... 435
Browsing DHCP Statics ................................................................................. 436
Adding DHCP Statics .................................................................................... 437
Editing DHCP Statics .................................................................................... 440
Replicating Static Data in the IPAM ................................................................ 440
Configuring DHCP Options at Static Level ...................................................... 441
Copying DHCPv4 Statics Without IP ............................................................... 443
Adding DHCP Statics from the IPAM .............................................................. 443
Exporting DHCP Statics ................................................................................ 443
Deleting DHCP Statics .................................................................................. 444
34. Managing DHCP Options ................................................................................. 445
Browsing DHCP Options ................................................................................ 446
Configuring DHCP Options ............................................................................ 447
Customizing DHCP Options ........................................................................... 448
Setting Advanced Option Configurations ......................................................... 451
Exporting DHCP Options ............................................................................... 458
Deleting DHCP Options ................................................................................. 459
35. Configuring DHCPv6 Prefix Delegation ............................................................. 460
Prerequisites ................................................................................................ 460
Specificities .................................................................................................. 460
Limitations .................................................................................................... 461
Managing DHCPv6 Prefix Delegations ........................................................... 461
Managing DHCPv6 Delegated Prefixes .......................................................... 463
36. Monitoring and Reporting DHCP Data ............................................................... 465
Monitoring DHCP Servers from their Properties Page ...................................... 465
Monitoring DHCP Servers from the Page Analytics .......................................... 467
Monitoring DHCP Servers Using Rules ........................................................... 473
Generating DHCP Reports ............................................................................ 475
VII. DNS ....................................................................................................................... 476
37. Understanding DNS Smart Architectures ........................................................... 481
Master/Slave Smart Architecture .................................................................... 482
Multi-Master Smart Architecture ..................................................................... 482
Stealth Smart Architecture ............................................................................. 483
Single-Server Smart Architecture ................................................................... 483
Farm Smart Architecture ................................................................................ 484
38. Managing DNS Smart Architectures .................................................................. 485
Browsing DNS Smart Architectures ................................................................ 485
Adding a DNS Smart Architecture .................................................................. 486
Converting a DNS Server into a Smart Architecture ......................................... 496

ix
 SOLIDserver Administrator Guide

Editing a DNS Smart Architecture .................................................................. 497

Handling the Status Locked Synchronization ................................................... 501
Exporting DNS Smart Architectures ............................................................... 502
Deleting a DNS Smart Architecture ................................................................ 502
Defining a DNS Smart Architecture as a Group Resource ................................ 502
39. Managing DNS Servers .................................................................................... 503
Browsing DNS Servers .................................................................................. 504
Managing EfficientIP DNS Servers ................................................................. 505
Managing Microsoft Windows DNS Servers .................................................... 511
Managing BIND DNS Servers on Linux ........................................................... 514
Managing Generic DNS Servers .................................................................... 523
Managing Amazon Route 53 Servers ............................................................. 526
Managing Azure DNS Servers ....................................................................... 538
Synchronizing DNS Servers ........................................................................... 542
Editing DNS Servers ..................................................................................... 543
Securing the Management of DNS Servers Using a TSIG Key ......................... 544
Flushing the Cache of DNS Servers ............................................................... 545
Exporting DNS Servers ................................................................................. 546
Deleting DNS Servers ................................................................................... 546
Defining a DNS Server as a Group Resource .................................................. 546
40. Configuring DNS Servers ................................................................................. 547
Configuring DNS Forwarding at Server Level .................................................. 547
Configuring DNS Recursion at Server Level .................................................... 549
Configuring DNS Notify Messages at Server Level .......................................... 552
Restricting DNS Queries at Server Level ........................................................ 553
Limiting Zone Transfers at Server Level .......................................................... 556
Configuring a Blackhole ................................................................................. 557
Configuring Client Resolver Cache Options at Server Level ............................. 558
Configuring EDNS Options at Server Level ..................................................... 559
Configuring Prefetch on a Server ................................................................... 560
Improving the Server Performance ................................................................. 560
Configuring a Sortlist at Server Level .............................................................. 561
Limiting the Number of Responses of a Server ................................................ 562
Configuring DNS64 ....................................................................................... 563
Configuring DNS Sources at Server Level ....................................................... 567
Authenticating the Zones Dynamic Update from the Server .............................. 570
Configuring Access Control Lists for a Server ................................................. 572
Configuring DNS Keys ................................................................................... 574
Including Non-Supported DNS Settings .......................................................... 575
Setting up Anycast DNS ................................................................................ 575
Integrating Cisco Umbrella ............................................................................. 588
Forwarding the Client IP Address ................................................................... 591
41. Managing DNS Views ...................................................................................... 593
Browsing DNS Views ..................................................................................... 593
Adding DNS Views ........................................................................................ 594
Editing DNS Views ........................................................................................ 597
Editing the Order of the Views ........................................................................ 598
Exporting DNS Views .................................................................................... 598
Deleting DNS Views ...................................................................................... 599
Defining a DNS View as a Group Resource .................................................... 599
Going Back to Managing Zones Without Views ................................................ 599
42. Configuring DNS Views .................................................................................... 601
Configuring DNS Forwarding at View Level ..................................................... 601
Configuring DNS Notify Messages at View Level ............................................. 602

x
 SOLIDserver Administrator Guide

Configuring DNS Recursion at View Level ....................................................... 604

Restricting DNS Queries at View Level ........................................................... 606
Limiting Zone Transfer at View Level ............................................................... 608
Configuring Client Resolver Cache Options at View Level ................................ 609
Configuring EDNS Options at View Level ........................................................ 610
Configuring a Sortlist at View Level ................................................................ 611
Configuring DNS Sources at View Level ......................................................... 611
43. Managing DNS Zones ...................................................................................... 615
Browsing DNS Zones .................................................................................... 615
Adding DNS Zones ....................................................................................... 616
Synchronizing DNS Zones ............................................................................. 630
Editing DNS Zones ........................................................................................ 630
Converting DNS Zones .................................................................................. 635
Adding or Removing an NS Record ................................................................ 636
Copying or Moving DNS Zones ...................................................................... 636
Setting Properties on Multiple DNS Zones ...................................................... 637
Configuring Scavenging on DNS Zones .......................................................... 642
Forcing the Update of DNS Zones Content ..................................................... 645
Disabling and Enabling DNS Zones ................................................................ 647
Adding or Updating DNS Zones from the IPAM ............................................... 647
Exporting DNS Zones .................................................................................... 647
Deleting DNS Zones ...................................................................................... 647
Defining a DNS Zone as a Group Resource .................................................... 648
44. Configuring DNS Zones ................................................................................... 649
Managing DNS Zone Delegation .................................................................... 649
Configuring DNS Forwarding at Zone Level .................................................... 651
Configuring DNS Notify Messages at Zone Level ............................................ 652
Managing DNS Security ................................................................................ 655
Configuring DNS Sources at Zone Level ......................................................... 659
45. Managing DNS Resource Records ................................................................... 663
Browsing DNS Resource Records .................................................................. 663
Adding Resource Records ............................................................................. 665
Editing Resource Records ............................................................................. 683
Configuring the Delegation at Record Level .................................................... 686
Copying or Moving Records ........................................................................... 687
Changing the Hostname Convention .............................................................. 688
Load Balancing with Round-Robin .................................................................. 688
SPF Record .................................................................................................. 689
Adding IP Addresses and Aliases from the Page All RRs ................................. 689
Updating DNS Records from the IPAM ........................................................... 690
Adding Records from the DHCP ..................................................................... 690
Exporting DNS Resource Records ................................................................. 690
Deleting Resource Records ........................................................................... 690
46. Implementing Dynamic Update ......................................................................... 691
Configuring Dynamic Update ......................................................................... 691
Configuring Secure Dynamic Update .............................................................. 691
Disabling Dynamic Update and Deleting Keys ................................................. 699
47. DNS Firewall (RPZ) ......................................................................................... 702
Prerequisites ................................................................................................ 702
Limitations .................................................................................................... 702
Managing RPZ Zones .................................................................................... 703
Managing RPZ Rules .................................................................................... 712
48. Hybrid DNS Service ......................................................................................... 724
Checking the Compatibility with Hybrid ........................................................... 724

xi
 SOLIDserver Administrator Guide

Switching to Hybrid DNS ............................................................................... 727

Forcing Compatibility with Hybrid ................................................................... 730
Switching Back to BIND ................................................................................. 731
Administrating the Backup and Restoration of Hybrid Configurations ................ 732
49. DNSSEC ......................................................................................................... 733
Managing DNSSEC on Authoritative Servers .................................................. 734
Managing DNSSEC on Recursive Servers ...................................................... 750
50. Monitoring and Reporting DNS Data ................................................................. 756
Monitoring DNS Servers from their Properties Page ........................................ 756
Monitoring DNS Servers from the Page Analytics ............................................ 758
Monitoring DNS Queries and Answers ............................................................ 765
Generating DNS Reports ............................................................................... 767
VIII. Global Policies ....................................................................................................... 768
51. Inheritance and Propagation ............................................................................. 770
Prerequisites ................................................................................................ 771
Limitations .................................................................................................... 772
Configuring the Inheritance of a Parameter Value ............................................ 772
Configuring the Propagation of a Parameter Value ........................................... 774
Setting Class Parameters .............................................................................. 775
Reconciling Class Parameters ....................................................................... 776
52. Managing Advanced Properties ........................................................................ 778
Prerequisites ................................................................................................ 779
Browsing Advanced Properties ...................................................................... 779
Configuring IPAM Advanced Properties .......................................................... 780
Configuring DHCP Advanced Properties ......................................................... 806
Configuring DNS Advanced Properties ........................................................... 810
Setting Advanced Properties .......................................................................... 812
IX. Application ............................................................................................................... 814
53. Configuring Application .................................................................................... 816
Prerequisites ................................................................................................ 816
Limitations .................................................................................................... 816
Configuring and Enabling the Service GSLB Server ........................................ 817
54. Managing Applications ..................................................................................... 819
Browsing Applications ................................................................................... 819
Adding and Deploying Applications ................................................................. 820
Adding and Deploying Applications and Traffic Policies .................................... 821
Editing Applications ....................................................................................... 823
Deleting Applications ..................................................................................... 824
55. Managing Pools ............................................................................................... 825
Browsing Pools ............................................................................................. 825
Adding Pools ................................................................................................ 826
Editing Pools ................................................................................................. 827
Deleting Pools ............................................................................................... 828
56. Managing Nodes ............................................................................................. 829
Browsing Nodes ............................................................................................ 829
Adding Nodes ............................................................................................... 831
Editing Nodes ............................................................................................... 834
Managing or Unmanaging Nodes ................................................................... 834
Deleting Nodes ............................................................................................. 835
X. Guardian .................................................................................................................. 836
57. Configuring Guardian ....................................................................................... 839
Prerequisites ................................................................................................ 839
Limitations .................................................................................................... 839
Enabling the Service DNS Guardian ............................................................... 840

xii
 SOLIDserver Administrator Guide

Getting Started With Guardian ....................................................................... 841

58. Setting Guardian Parameters ............................................................................ 844
Browsing Guardian Configuration ................................................................... 844
Available Guardian Parameters ...................................................................... 845
Editing Guardian Configuration ...................................................................... 848
Configuring the Action Quarantine Redirect .................................................... 849
Enabling or Disabling Guardian Cache ........................................................... 850
Capturing Guardian Traffic ............................................................................. 852
59. Monitoring Guardian ........................................................................................ 853
Monitoring Guardian Statistics ....................................................................... 853
Monitoring Guardian Analytics ....................................................................... 857
60. Managing Guardian Statistics ........................................................................... 864
Managing Guardian Server Statistics .............................................................. 864
Managing Guardian Client Statistics ............................................................... 874
61. Managing Guardian Cache ............................................................................... 884
Displaying Guardian Cache Content ............................................................... 884
Resetting Guardian Cache ............................................................................. 889
Saving Guardian Cache ................................................................................. 890
Restoring Guardian Cache ............................................................................ 890
Forcing Cache Entries as Expired .................................................................. 890
Clearing Guardian Cache Manually ................................................................ 891
Clearing Guardian Cache Automatically .......................................................... 893
Sharing the Cache Between Several Guardian Servers ................................... 895
62. Managing Policies ............................................................................................ 898
Browsing Policies .......................................................................................... 898
Adding and Deploying Policies ....................................................................... 899
Duplicating Policies ....................................................................................... 900
Editing Policies .............................................................................................. 900
Deleting Policies ........................................................................................... 901
63. Managing Triggers ........................................................................................... 902
Prerequisites ................................................................................................ 902
Limitations .................................................................................................... 903
Browsing Triggers .......................................................................................... 903
Adding Triggers ............................................................................................. 904
Enabling Querylog and Answerlog on Triggers ................................................ 918
Editing Triggers ............................................................................................. 920
Managing or Unmanaging Triggers ................................................................. 921
Deleting Triggers ........................................................................................... 921
64. Managing Guardian Views ................................................................................ 922
Displaying the Views Configuration ................................................................. 922
Enabling or Disabling Views ........................................................................... 923
Identifying the Clients Querying the Views ...................................................... 924
Using Lists to Filter Guardian Views ............................................................... 927
Logging List Filters Client Activity ................................................................... 932
Setting a Transparent DNS Proxy for Guardian Views ...................................... 933
65. Managing Lists ................................................................................................ 934
Displaying the Lists Content ........................................................................... 935
Renaming a List ............................................................................................ 937
Defining the Type of a List .............................................................................. 937
Configuring the Content of a List .................................................................... 938
Identifying Clients via a List ............................................................................ 942
Setting a List Saving Mechanism .................................................................... 944
Resetting the Counter of a List ....................................................................... 945
Clearing a List ............................................................................................... 945

xiii
 SOLIDserver Administrator Guide

66. Managing the Rescue Mode ............................................................................. 946

Prerequisites ................................................................................................ 946
Configuring the Rescue Mode ........................................................................ 947
Forcing the Rescue Mode .............................................................................. 949
Disabling the Rescue Detection ...................................................................... 950
XI. NetChange .............................................................................................................. 951
67. Managing Network Devices .............................................................................. 955
Browsing Network Devices ............................................................................ 955
Adding Network Devices ................................................................................ 957
Importing Network Devices Using Discovery Protocols .................................... 958
Enabling or Disabling the 802.1X Authentication Protocol ................................ 960
Editing the SNMP Properties of a Network Device ........................................... 961
Refreshing the Network Devices Database ..................................................... 962
Connecting to a Network Device Via a Console ............................................... 964
Making a Network Device Snapshot ............................................................... 964
Automatically Adding New Network Devices as Group Resource ...................... 965
Adding Network Devices in Device Manager ................................................... 966
Exporting Network Devices ............................................................................ 966
Deleting Network Devices .............................................................................. 966
Defining a Network Device as a Group Resource ............................................ 966
68. Managing Routes ............................................................................................ 967
Prerequisites ................................................................................................ 967
Limitations .................................................................................................... 967
Browsing Routes ........................................................................................... 967
Enabling the Registry Key Required to Display the VRF Routes ....................... 969
Creating Routes in the IPAM .......................................................................... 970
Exporting Routes .......................................................................................... 971
69. Managing VLANs ............................................................................................. 972
Browsing VLANs ........................................................................................... 972
Adding a VLAN ............................................................................................. 973
Editing a VLAN .............................................................................................. 973
Creating a VLAN in VLAN Manager ................................................................ 973
Exporting VLANs ........................................................................................... 974
Deleting a VLAN ........................................................................................... 974
70. Managing Ports ............................................................................................... 975
Browsing Ports .............................................................................................. 976
Enabling or Disabling a Port ........................................................................... 977
Editing a Port Interconnection ........................................................................ 977
Editing a Port Speed and Duplex Mode .......................................................... 978
Updating a Port Description ........................................................................... 978
Managing the 802.1X Authentication Protocol on a Port ................................... 979
Restricting Access to a Port with the Protocol Port-security .............................. 980
Limiting Port Edition Rights to Specific Groups of Users .................................. 983
Configuring VLAN Tagging on a Port ............................................................... 984
Exporting Ports ............................................................................................. 987
71. Managing Configuration Versioning ................................................................... 988
Prerequisites ................................................................................................ 988
Limitations .................................................................................................... 988
Browsing Configuration Files .......................................................................... 988
Managing Connection Profiles ....................................................................... 990
Configuring the Versioning of a Network Device .............................................. 992
Refreshing a Configuration File ...................................................................... 994
Comparing Configuration Files ....................................................................... 995
Monitoring the Configuration Versioning in the Logs ......................................... 996

xiv
 SOLIDserver Administrator Guide

Downloading Versioning Information ............................................................... 997

Configuring Advanced Versioning Options ....................................................... 998
Exporting Configuration Files ......................................................................... 999
Disabling Versioning on a Network Device ...................................................... 999
72. Managing Addresses ..................................................................................... 1001
Browsing Addresses .................................................................................... 1001
Exporting Addresses ................................................................................... 1002
73. Managing Discovered Items ............................................................................ 1003
Browsing Discovered Items .......................................................................... 1003
Refreshing the Discovered Items Database ................................................... 1005
Populating Device Manager ......................................................................... 1005
Creating the IP Address of a Discovered Item in the IPAM .............................. 1005
Purging the Discovered Items Database ....................................................... 1006
Tracking the Discovered Items History of a Specific Device ............................ 1006
Exporting Discovered Items ......................................................................... 1007
74. Managing Statistics ........................................................................................ 1008
Displaying NetChange Statistics ................................................................... 1008
Displaying Network Device Statistics ............................................................ 1008
Displaying Port Statistics .............................................................................. 1008
75. Monitoring and Tuning .................................................................................... 1010
Generating NetChange Reports ................................................................... 1010
Keeping NetChange Data Up-to-date ............................................................ 1010
Synchronizing the Network Devices with a CSV File ...................................... 1011
Customizing the Type of Network Devices ..................................................... 1012
XII. Workflow ............................................................................................................... 1014
76. Granting Access to Workflow Classes ............................................................. 1016
77. Managing Outgoing Requests ......................................................................... 1017
Browsing Outgoing Requests ....................................................................... 1017
Adding Requests for Creation ...................................................................... 1017
Adding Requests for Edition ......................................................................... 1019
Adding Requests for Deletion ....................................................................... 1020
Editing Requests ......................................................................................... 1022
Exporting Outgoing Requests ...................................................................... 1023
Canceling Requests .................................................................................... 1023
78. Managing Incoming Requests ......................................................................... 1025
Browsing Incoming Requests ....................................................................... 1025
Managing the Requests Content .................................................................. 1025
Administrating Requests Using the Default Statuses and Options ................... 1026
Administrating Requests Using Your Own Settings ......................................... 1029
Exporting Incoming Requests ...................................................................... 1029
79. Executing Requests ....................................................................................... 1030
Executing Requests Using the Execute Option .............................................. 1030
Executing Requests Using Classes .............................................................. 1031
80. Customizing the Requests Administration ........................................................ 1034
Editing the Workflow Statuses ...................................................................... 1035
Editing the Email Notification Details ............................................................. 1037
Adding a Workflow Status ............................................................................ 1038
Customized Statuses Best Practices ............................................................ 1039
XIII. Device Manager ................................................................................................... 1041
81. Managing Devices ......................................................................................... 1043
Browsing Devices ........................................................................................ 1043
Adding Devices ........................................................................................... 1044
Editing Devices ........................................................................................... 1049
Duplicating Devices ..................................................................................... 1049

xv
 SOLIDserver Administrator Guide

Merging Devices ......................................................................................... 1050

Adding Devices from the IPAM ..................................................................... 1050
Exporting Devices ....................................................................................... 1050
Deleting Devices ......................................................................................... 1050
82. Managing Ports and Interfaces ....................................................................... 1052
Browsing Ports and Interfaces ...................................................................... 1052
Adding Ports and Interfaces ......................................................................... 1053
Editing Ports and Interfaces Properties ......................................................... 1060
Tracking Changes on the Page All ports & interfaces ..................................... 1064
Updating Ports and Interfaces from the IPAM ................................................ 1065
Exporting Ports and Interfaces ..................................................................... 1065
Deleting Ports and Interfaces ....................................................................... 1065
83. Managing the Interaction with the IPAM ........................................................... 1066
Assigning IP Addresses to an Interface Using their MAC Address ................... 1066
Managing the IP Addresses / Interfaces Link from the IPAM ........................... 1068
84. Rules Impacting Device Manager .................................................................... 1071
DHCP Rules Impacting Device Manager ....................................................... 1071
Adding Device Manager Rules ..................................................................... 1071
Enabling or Disabling Device Manager Rules ................................................ 1072
XIV. VLAN Manager ..................................................................................................... 1073
85. Managing VLAN Domains ............................................................................... 1075
Browsing VLAN Domains ............................................................................. 1075
Adding VLAN Domains ................................................................................ 1075
Editing VLAN Domains ................................................................................ 1076
Automatically Adding New VLAN Domains as Group Resource ...................... 1077
Exporting VLAN Domains ............................................................................ 1078
Deleting VLAN Domains .............................................................................. 1078
Defining a VLAN Domain as a Group Resource ............................................. 1078
86. Managing VLAN Ranges ................................................................................ 1079
Browsing VLAN Ranges ............................................................................... 1079
Adding VLAN Ranges .................................................................................. 1079
Editing VLAN Ranges .................................................................................. 1080
Exporting VLAN Ranges .............................................................................. 1081
Deleting VLAN Ranges ................................................................................ 1081
Defining a VLAN Range as a Group Resource .............................................. 1082
87. Managing VLANs ........................................................................................... 1083
Browsing VLANs ......................................................................................... 1083
Adding VLANs ............................................................................................. 1084
Editing VLANs ............................................................................................. 1085
Adding VLANs from the IPAM ....................................................................... 1085
Creating VLANs from NetChange ................................................................. 1085
Exporting VLANs ......................................................................................... 1085
Deleting VLANs ........................................................................................... 1086
XV. VRF ...................................................................................................................... 1087
88. Managing Virtual Routing and Forwarding ....................................................... 1089
Browsing VRFs ........................................................................................... 1089
Adding VRFs ............................................................................................... 1089
Editing VRFs ............................................................................................... 1090
Exporting VRFs ........................................................................................... 1090
Deleting VRFs ............................................................................................. 1090
89. Managing VRF Route Targets ......................................................................... 1091
Browsing VRF Route Targets ........................................................................ 1091
Adding VRF Route Targets ........................................................................... 1091
Exporting VRF Route Targets ....................................................................... 1092

xvi
 SOLIDserver Administrator Guide

Deleting VRF Route Targets ......................................................................... 1092

XVI. SPX .................................................................................................................... 1094
90. Configuring SPX ............................................................................................ 1096
Enabling the SPX Classes ........................................................................... 1096
Enabling the SPX Rules ............................................................................... 1096
Configuring the SPX Connection .................................................................. 1096
Editing the Connection to the RIPE or APNIC ................................................ 1099
91. Managing SPX Persons .................................................................................. 1101
Browsing SPX Persons ................................................................................ 1101
Adding SPX Persons ................................................................................... 1102
Editing SPX Persons ................................................................................... 1102
Registering SPX Person Changes ................................................................ 1103
Deleting SPX Persons ................................................................................. 1103
92. Managing SPX Networks ................................................................................ 1105
Browsing SPX Networks .............................................................................. 1105
Adding SPX Networks ................................................................................. 1106
Editing SPX Networks ................................................................................. 1111
Registering SPX Network Changes .............................................................. 1113
Validating a New Assignment Window .......................................................... 1113
Deleting SPX Networks ............................................................................... 1114
93. Managing SPX AS Numbers ........................................................................... 1116
Browsing SPX AS Numbers ......................................................................... 1116
Adding SPX AS Numbers ............................................................................ 1117
Editing SPX AS Numbers ............................................................................ 1118
Exporting SPX AS Numbers ........................................................................ 1118
Deleting SPX AS Numbers .......................................................................... 1119
XVII. Identity Manager ................................................................................................. 1120
94. Configuring Identity Manager .......................................................................... 1122
Prerequisites ............................................................................................... 1122
Limitations .................................................................................................. 1122
Preparing the Module .................................................................................. 1122
Configuring the Directory Synchronization Frequency .................................... 1126
95. Managing Directories ..................................................................................... 1127
Browsing Directories .................................................................................... 1127
Adding Directories ....................................................................................... 1128
Synchronizing Directories ............................................................................ 1129
Editing Directories ....................................................................................... 1129
Deleting Directories ..................................................................................... 1130
96. Managing Identities ........................................................................................ 1131
Browsing Identities ...................................................................................... 1131
97. Managing Sessions ........................................................................................ 1133
Browsing Sessions ...................................................................................... 1133
Finding Active Sessions in the IPAM ............................................................. 1134
Purging Inactive Sessions ............................................................................ 1135
XVIII. Rights Management ........................................................................................... 1136
98. Managing Groups .......................................................................................... 1138
Browsing Groups of Users ........................................................................... 1138
Adding Groups of Users ............................................................................... 1139
Managing the Rights of a Group of Users ...................................................... 1140
Managing the Resources of a Group of Users ............................................... 1141
Managing the Users of a Group of Users ...................................................... 1145
Editing Groups of Users ............................................................................... 1146
Enabling or Disabling Groups of Users .......................................................... 1147
Exporting Groups of Users ........................................................................... 1147

xvii
 SOLIDserver Administrator Guide

Deleting Groups of Users ............................................................................. 1147

99. Managing Users ............................................................................................ 1148
Browsing Users ........................................................................................... 1148
Adding Users .............................................................................................. 1149
Editing Users .............................................................................................. 1150
Changing the User Password ....................................................................... 1151
Configuring the User Password Complexity ................................................... 1151
Configuring Users Connection Parameters .................................................... 1152
Configuring User Sessions ........................................................................... 1153
Enabling or Disabling Users ......................................................................... 1154
Generating User Reports ............................................................................. 1155
Exporting Users .......................................................................................... 1155
Deleting Users ............................................................................................ 1155
100. Managing Authentication Rules ..................................................................... 1156
Browsing Authentication Rules ..................................................................... 1157
Adding Authentication Rules ........................................................................ 1157
Editing Authentication Rules ......................................................................... 1167
Enabling or Disabling Authentication Rules ................................................... 1167
Deleting Authentication Rules ...................................................................... 1168
XIX. Administration ...................................................................................................... 1169
101. Centralized Management .............................................................................. 1173
Browsing Centralized Management .............................................................. 1173
Configuring SOLIDserver to Remotely Manage Other Appliances ................... 1177
Adding Remote Appliances .......................................................................... 1177
Managing the Services and Network Configuration of Another Appliance ........ 1179
Monitoring the Appliances Managed from the Page Centralized Manage-
ment ........................................................................................................... 1180
Configuring Two Appliances in High Availability ............................................. 1183
Editing Remote Appliances .......................................................................... 1186
Managing a High Availability Configuration .................................................... 1186
Replacing Appliances Managed Remotely .................................................... 1198
Exporting Remote Appliances ...................................................................... 1199
Deleting Remote Appliances ........................................................................ 1199
102. Managing Licenses ...................................................................................... 1202
Browsing the License and License Metrics .................................................... 1202
Refreshing the Metrics of a License .............................................................. 1204
Renewing the Licenses ................................................................................ 1205
Exporting Licenses ...................................................................................... 1209
103. Monitoring ................................................................................................... 1210
Managing Reports ....................................................................................... 1210
Managing Alerts .......................................................................................... 1219
Managing the Logs ...................................................................................... 1226
Monitoring the Appliance Statistics ............................................................... 1229
Monitoring from Session Tracking ................................................................. 1231
Monitoring from User Tracking ...................................................................... 1231
Forwarding Events ....................................................................................... 1233
Managing SNMP Profiles ............................................................................. 1243
Monitoring Using SNMP .............................................................................. 1245
Displaying Netstat Data ............................................................................... 1246
Sizing the Database Tables .......................................................................... 1246
104. Maintenance ................................................................................................ 1248
Managing Files from the Local Files Listing ................................................... 1248
Using the Maintenance mode ....................................................................... 1255
Updating the Macros and Rules ................................................................... 1255

xviii
 SOLIDserver Administrator Guide

Clearing the Appliance Cache ...................................................................... 1255

Troubleshooting ........................................................................................... 1256
Managing Backups and Restoring Configurations .......................................... 1258
Shutting Down and Rebooting ...................................................................... 1264
105. Securing ...................................................................................................... 1268
Managing SSL Certificates .......................................................................... 1268
Encrypting the Database ............................................................................. 1277
106. Configuring Space Synchronization ............................................................... 1284
Prerequisites ............................................................................................... 1284
Limitations .................................................................................................. 1284
Exposing a Space ....................................................................................... 1285
Synchronizing an Exposed Space ................................................................ 1286
Completing the Synchronization Configuration .............................................. 1287
Monitoring IPAM Synchronization ................................................................. 1288
Disabling Space Synchronization ................................................................. 1288
107. Upgrading .................................................................................................... 1290
Prerequisites ............................................................................................... 1290
Recommendations ...................................................................................... 1290
Upgrading an Appliance ............................................................................... 1291
Upgrading Appliances Managed Remotely .................................................... 1292
Upgrading Appliances in High Availability ...................................................... 1293
Troubleshooting the Upgrade ....................................................................... 1295
XX. Customization ....................................................................................................... 1302
108. Customizing the GUI .................................................................................... 1304
Customizing SOLIDserver Login Page .......................................................... 1304
Customizing the Main Dashboard Welcome Banner ....................................... 1307
Customizing the Interface Names and Fields ................................................. 1309
109. Managing Smart Folders .............................................................................. 1311
Browsing Smart Folders ............................................................................... 1311
Adding Smart Folders .................................................................................. 1312
Editing Smart Folders .................................................................................. 1313
Sharing Smart Folders ................................................................................. 1313
Deleting Smart Folders ................................................................................ 1314
110. Managing IPv6 Labels .................................................................................. 1315
Limitations .................................................................................................. 1315
Adding Labels ............................................................................................. 1315
Displaying or Hiding Labels .......................................................................... 1316
Editing Labels ............................................................................................. 1316
Deleting Labels ........................................................................................... 1317
111. Configuring Classes ..................................................................................... 1318
Browsing Class Studio Database .................................................................. 1319
Managing Classes ....................................................................................... 1321
Configuring the Classes Content .................................................................. 1328
112. Configuring Custom Databases ..................................................................... 1376
Managing Custom Databases ...................................................................... 1376
Managing Custom Data ............................................................................... 1378
113. Managing Customization Packages ............................................................... 1381
Browsing the Packages Database ................................................................ 1381
Uploading Packages .................................................................................... 1382
Creating Packages ...................................................................................... 1382
Editing Packages ......................................................................................... 1384
Installing Packages ...................................................................................... 1384
Uninstalling Packages ................................................................................. 1384
Downloading Packages ................................................................................ 1385

xix
 SOLIDserver Administrator Guide

Deleting Packages ...................................................................................... 1385

A. Matrices of Network Flows ....................................................................................... 1386
SOLIDserver ....................................................................................................... 1387
IPAM .................................................................................................................. 1388
DHCP ................................................................................................................. 1389
DNS ................................................................................................................... 1391
NetChange ......................................................................................................... 1394
Identity Manager ................................................................................................. 1395
Remote Management .......................................................................................... 1396
B. Default Gadgets ...................................................................................................... 1397
C. Synchronizing Cisco DNA ........................................................................................ 1400
Prerequisites ....................................................................................................... 1400
Limitations .......................................................................................................... 1400
Preparing SOLIDserver ....................................................................................... 1400
Configuring the Synchronization ........................................................................... 1402
D. DHCP Options ........................................................................................................ 1404
Most Used Options .............................................................................................. 1405
Basic .................................................................................................................. 1405
Server Parameters .............................................................................................. 1406
Lease Information ............................................................................................... 1407
WINS/NetBIOS ................................................................................................... 1407
Host IP ............................................................................................................... 1407
Interface ............................................................................................................. 1408
Servers ............................................................................................................... 1409
BootP Compatible ............................................................................................... 1411
DHCP Packet Fields ............................................................................................ 1412
Microsoft DHCP Client ......................................................................................... 1412
NetWare Client .................................................................................................... 1413
NIS/NISplus ........................................................................................................ 1414
Miscellaneous ..................................................................................................... 1414
Vendor Nwip ....................................................................................................... 1417
Vendor MSFT ...................................................................................................... 1417
E. MAC Address Types References .............................................................................. 1418
F. Custom AWS IAM Policy Route 53 Minimal Permissions ............................................. 1420
G. DNS Resource Records Configuration Fields ............................................................ 1422
H. Advanced Properties ............................................................................................... 1426
I. Multi-Status Messages .............................................................................................. 1428
DHCP Multi-Status Messages .............................................................................. 1428
DNS Multi-Status Messages ................................................................................ 1428
Application Multi-Status Messages ....................................................................... 1429
J. Configuring OpenID Authentication ........................................................................... 1430
Configuring OpenID Authentication for Google ...................................................... 1430
Configuring OpenID Authentication for Azure ........................................................ 1432
K. SNMP Metrics ......................................................................................................... 1434
Prerequisites ....................................................................................................... 1434
Understanding the SNMP Metrics Presentation ..................................................... 1435
Retrieving SNMP Metrics via CLI .......................................................................... 1435
Monitoring the Hardware ...................................................................................... 1436
Monitoring the System ......................................................................................... 1438
Monitoring the DHCP Service .............................................................................. 1442
Monitoring the DNS Service ................................................................................. 1443
Monitoring DNS Guardian .................................................................................... 1446
L. Class Studio Pre-defined Variables ........................................................................... 1454
M. Configuring RADIUS ............................................................................................... 1459

xx
 SOLIDserver Administrator Guide

Configuring FreeRADIUS ..................................................................................... 1459

Configuring RADIUS with Cisco ACS .................................................................... 1460
Configuring OneTime Password with Token Authentication ..................................... 1462
N. Using Remote Authentication for SSH Connections to SOLIDserver ........................... 1464
Configuring LDAP Authentication for SSH Connections .......................................... 1464
Configuring RADIUS Authentication for SSH Connections ...................................... 1469
O. Configuring Non-Supported Options ......................................................................... 1473
Prerequisites ....................................................................................................... 1473
Limitations .......................................................................................................... 1474
Configuring Non-Supported Firewall Rules ............................................................ 1475
Configuring Non-Supported Apache Settings ........................................................ 1478
Configuring Non-Supported Unbound Settings ...................................................... 1480
Configuring Non-Supported NSD Settings ............................................................ 1482
Configuring Non-Supported BIND Settings ........................................................... 1484
Configuring Non-Supported SNMP Settings .......................................................... 1488
Configuring Non-Supported DHCP Configurations ................................................. 1490
Configuring Non-Supported NTP Settings ............................................................. 1492
Configuring Non-Supported syslog-ng Settings ..................................................... 1493
Configuring Non-Supported PostgreSQL Settings ................................................. 1494
Configuring Non-Supported OpenSSH Settings .................................................... 1495
Index .......................................................................................................................... 1497

xxi
About This Guide
SOLIDserver is a hardware or software appliance suite that allows to manage from one device
a network at all levels, from the IP addresses to the network devices, through key services, systems
and protocols.

The Administrator Guide describes and details the modules you might have purchased with your
license. This guide does not detail the existing license types and what they may contain or lack.
Note that some configurations described in this document should not be handled by end users
if they do not have previous knowledge of the basic principles of certain protocols and what the
operations imply on the network configuration.

Documentation Organization
The guide is divided into the following parts:
• Starting: the hardware appliances description, the installation of SOLIDserver on hardware
and software, the basic network configuration, the appliance first use procedures and a com-
prehensive presentation of the GUI.
• Configuring SOLIDserver: all the available time, network, service configurations to properly
set up and use the appliance.
• Imports and Exports: all the data import and export options available.
• Dashboards: all the dashboard and gadget management options available in the module
Dashboards.
• IPAM: all the options available in the module IPAM.
• DHCP: all the options available in the module DHCP.
• DNS: all the options available in the module DNS.
• Global Policies: all the behaviors you can set between and within modules via the parameters
inheritance and propagation and/or the advanced properties.
• Application: all the options available in the module Application.
• Guardian: all the options available in the module Guardian.
• NetChange: all the options available in the module NetChange.
• Workflow: all the options available in the module Workflow.
• Device Manager: all the options available in the module Device Manager.
• VLAN Manager: all the options available in the module VLAN Manager.
• VRF: all the options available in the module VRF.
• SPX: all the options available in the module SPX.
• Identity Manager: all the options available in the module Identity Manager.
• Rights Management: all the options available to manage the access to SOLIDservers, via
users, groups of users and authentication rules.
• Administration: all the management options available in the module Administration, from remotely
managing other appliances, to managing licenses, monitoring, maintaining, securing and up-
grading an appliance. It also details how to set High Availability or space synchronization
between two appliances.
• Customization: a description of all the options available in the module Administration to cus-
tomize your appliance: from images, IPv6 labels and Smart Folders to custom databases,
classes and customization packages.

xxii
 About This Guide

At the end of the guide, you can also find appendices containing further information:
• Matrices of Network Flows details all the service flows to take into account to properly utilize
SOLIDserver on your network.
• Default Gadgets describes the type and purpose of the gadgets available by default.
• Synchronizing Cisco DNA details how to synchronize Cisco DNA pools, subpools and IP ad-
dresses in the IPAM.
• DHCP Options describes all supported DHCP options in dedicated categories.
• MAC Address Types References displays the reference number, in the GUI, of DHCP statics
supported MAC types.
• Custom AWS IAM Policy Route 53 Minimal Permissions details the required Amazon Account
permissions to configure before managing Amazon Route 53 servers from the GUI.
• DNS Resource Records Configuration Fields displays the fields that need to be configured
when adding resource records to a zone.
• Advanced Properties provides illustrated representations of all the advanced properties inter-
actions between the modules IPAM, DHCP and DNS.
• Multi-Status Messages contains the existing messages returned by the column Multi-status.
• Configuring OpenID Authentication details the preliminary configuration to authenticate external
users via the OpenID authentication rule.
• SNMP Metrics provides a list of the most relevant SOLIDserver indicators you can monitor
through an external solution.
• Class Studio Pre-defined Variables describes how to add and configure the class object Pre-
defined-variables.
• Configuring RADIUS describes the procedures to implement user authentication via FreeRadius,
RADIUS with Cisco ACS and OneTime Password with Token Authentication.
• Using Remote Authentication for SSH Connections to SOLIDserver provides the configuration
details to use LDAP or RADIUS authentication and grant access to existing LDAP/RADIUS
users to SOLIDserver via SSH.
• Configuring Non-Supported Options provides advanced configuration details to incorporate
non-supported firewall rules and options for the services Apache, Unbound, NSD, BIND, SNMP,
DHCP, NTP, syslog-ng and PostgreSQL.

Documentation Convention
Each part of this guide is divided into chapters where the available operations are detailed in
procedures. Throughout the guide, you will find the following elements.

Element Description
Procedure All configurations and operations are detailed in step by step procedures. In each procedure,
the key words of the Graphical User Interface (GUI) are formatted as detailed below.
Name All key words to browse the GUI, like a page name or a wizard title.
BUTTON The buttons in the GUI, like OK , EDIT or CANCEL .
Menu The menus and their entries. The navigation within menu entries is symbolized by arrows as
such: menu > option > sub-option.

xxiii
 Part I. Starting
This part details the very first operations to connect to SOLIDserver, for hardware and software appliances
as well as a presentation of the GUI and the modules' dashboard. It contains the following chapters:
• Hardware Appliance Specificities: describes our hardware appliance suite. Depending on the model you
chose, the front panel and available buttons and possible configurations from the hardware appliance
differ.
• First Configuration: describes the hardware appliance installation procedures for all hardware models,
the installation via USB and the basic network configuration to complete the appliance configuration or
to reset the default configuration details.
• Using SOLIDserver for the First Time: describes the first steps and best practices to follow after setting
SOLIDserver with an IP address: from logging in and configuring the appliance service to adding users.
• Understanding the GUI: describes the default features of SOLIDserver Graphical User Interface. It includes
a presentation of the navigation philosophy, some tips and all the extra functionalities we provide: book-
marks, quick wizards, global search, etc.
Table of Contents
1. Hardware Appliance Specificities .................................................................................... 3
5th Generation Hardware Appliances ......................................................................... 3
4th Generation Hardware Appliances ....................................................................... 13
2. First Configuration ....................................................................................................... 19
Prerequisites .......................................................................................................... 19
SOLIDserver-50 First Configuration .......................................................................... 19
Rack Hardware Appliances First Configuration .......................................................... 20
Completing the Basic Network Configuration via CLI ................................................. 26
3. Using SOLIDserver for the First Time ............................................................................ 31
Connecting to SOLIDserver ..................................................................................... 31
Requesting and Activating a License ........................................................................ 32
Defining the Internal Module Setup .......................................................................... 33
Configuring SOLIDserver Network and Services ....................................................... 34
Configuring User Access to SOLIDserver ................................................................. 34
4. Understanding the GUI ................................................................................................ 36
SOLIDserver Main Dashboard ................................................................................. 37
Sidebar .................................................................................................................. 38
Top Bar .................................................................................................................. 44
Breadcrumb ............................................................................................................ 49
Menu ..................................................................................................................... 50
Listing Pages .......................................................................................................... 53
Properties Pages .................................................................................................... 71
Wizards .................................................................................................................. 72
My Bookmarks ........................................................................................................ 79
Charts .................................................................................................................... 81
Quick Wizards ......................................................................................................... 85
Account Configuration ............................................................................................. 88

2
Chapter 1. Hardware Appliance
Specificities
There are two generations of SOLIDserver rack hardware appliances that have specific plugs,
ports and/or connectors on their front and back panels that they may share.
• SOLIDserver fifth generation hardware appliances:

SOLIDserver-270 SOLIDserver-270.
SOLIDserver-570
SOLIDserver-1170 SOLIDserver-570, SOLIDserver-1170 and SOLIDserver-2270.
SOLIDserver-2270
SOLIDserver-Blast-3370 SOLIDserver-3370.
SOLIDserver-Blast-4070
SOLIDserver-Blast-5070 SOLIDserver-Blast Series.
SOLIDserver-Blast-5570
SOLIDserver-7070 SOLIDserver-7070.
They all come with SOLIDserver Bezel.

• SOLIDserver fourth generation hardware appliances:

SOLIDserver-260 SOLIDserver-260.
SOLIDserver-550
SOLIDserver-1100 SOLIDserver-550, SOLIDserver-1100 and SOLIDserver-2200.
SOLIDserver-2200
SOLIDserver-3300
SOLIDserver-4000
SOLIDserver-3300 and SOLIDserver-Blast Series.
SOLIDserver-5000
SOLIDserver-5500

5th Generation Hardware Appliances

The fifth generation of SOLIDserver hardware appliances includes the models: SOLIDserver-
270, SOLIDserver-570, SOLIDserver-1170, SOLIDserver-2270, SOLIDserver-3370, SOLIDserver-
Blast Series (SOLIDserver-Blast-4070, SOLIDserver-Blast-5070 or SOLIDserver-Blast-5570) or
SOLIDserver-7070. They all have a common LCD bezel.

SOLIDserver Bezel
All fifth generation hardware appliances share a common LCD bezel that allows to set up the IP
address of the iDRAC used to configure SOLIDserver software and display hardware information.

3
 Hardware Appliance Specificities

SOLIDserver TM

Figure 1.1. Front panel

The button to remove the bezel.

The bezel lock.
The LCD menu left button. Moves the cursor back in one-step increments.
The LCD menu selection button. Selects the menu item highlighted by the cursor.
The LCD menu right button. Moves the cursor forward in one-step increments.
The LCD screen.

SOLIDserver-270
The sections below describe the front and back panel of SOLIDserver-270 appliances.

SOLIDserver-270 Front Panel

Figure 1.2. Front panel

The appliance information indicator. It flashes amber if anything is wrong with the hardware.
The On/Off button. It is lit when the appliance is on.
The iDRAC micro-USB direct port.
The front USB 2.0 port.
The hardware information tag. Pull it out to see the service tag (serial number) and express
service tag.

SOLIDserver-270 Back Panel

iDRAC

Figure 1.3. Back panel

4
 Hardware Appliance Specificities

The serial port.

The ethernet connector bge2.
The ethernet connector bge3.
The ethernet connector bge1.
The ethernet connector bge0.
The power supply unit (PSU).
The PSU status indicator. You can press the button under it to diagnose the cabled PSU,
if it does not turn green the power source is disconnected or faulty.
The system identification button, push it to light up the front and back indicators and locate
the appliance in a rack, push it again to turn them off. It flashes amber if anything is wrong
with the hardware.
The back USB 3.0 ports.
The iDRAC ethernet port, it is dedicated to the remote management of the appliance.
The VGA port.

SOLIDserver-570, SOLIDserver-1170 and SOLIDserver-2270

The sections below describe the front and back panel of SOLIDserver-570, SOLIDserver-1170
and SOLIDserver-2270 appliances. The back panel differs on SOLIDserver-2270 appliances.

SOLIDserver-570, SOLIDserver-1170 and SOLIDserver-2270 Front Panel

Figure 1.4. Front panel

The appliance information indicator. It flashes amber if anything is wrong with the hardware.
The On/Off button. It is lit when the appliance is on.
The front USB 2.0 port.
The iDRAC micro-USB direct port.
The hardware information tag. Pull it out to see the service tag (serial number) and express
service tag.
The hot swappable hard drive 2.
The hard drive health indicator. It flashes amber if any error occurs.
The hard drive activity indicator.
The hot swappable hard drive 1.

5
 Hardware Appliance Specificities

SOLIDserver-570 and SOLIDserver-1170 Back Panel

iDRAC

Figure 1.5. Back panel

The serial port.

The ethernet connector bge0.
The ethernet connector bge1.
The ethernet connector igb3.
The ethernet connector igb2.
The ethernet connector igb1.
The ethernet connector igb0.
The first power supply unit, PSU1. Use both PSUs to prevent connection loss if one fails.
The second power supply unit, PSU2. Use both PSUs to prevent connection loss if one fails.
The system identification button, push it to light up the front and back indicators and locate
the appliance in a rack, push it again to turn them off. It flashes amber if anything is wrong
with the hardware.
The back USB 3.0 ports.
The iDRAC ethernet port, it is dedicated to the remote management of the appliance.
The VGA port.

SOLIDserver-2270 Back Panel

iDRAC

Figure 1.6. Back panel

The serial port.

The ethernet connector bge0.
The ethernet connector bge1.
The ethernet connector igb0.
The ethernet connector igb1.
The ethernet connector igb2.

6
 Hardware Appliance Specificities

The ethernet connector igb3.

The first power supply unit, PSU1. Use both PSUs to prevent connection loss if one fails.
The second power supply unit, PSU2. Use both PSUs to prevent connection loss if one fails.
The system identification button, push it to light up the front and back indicators and locate
the appliance in a rack, push it again to turn them off. It flashes amber if anything is wrong
with the hardware.
The back USB 3.0 ports.
The iDRAC ethernet port, it is dedicated to the remote management of the appliance.
The VGA port.

SOLIDserver-3370
The sections below describe the front and back panel of SOLIDserver-3370 appliances. Depending
on the current of your appliance, refer to the section AC or DC.

AC SOLIDserver-3370 Front Panel

Figure 1.7. Front panel

The appliance information indicator. It flashes amber if anything is wrong with the hardware.
The On/Off button. It is lit when the appliance is on.
The front USB 2.0 port.
The iDRAC micro-USB direct port.
The hardware information tag. Pull it out to see the service tag (serial number) and express
service tag.
The hot swappable hard drive 2.
The hard drive health indicator. It flashes amber if any error occurs.
The hard drive activity indicator.
The hot swappable hard drive 1.

7
 Hardware Appliance Specificities

AC SOLIDserver-3370 Back Panel

iDRAC

Figure 1.8. Back panel

The serial port.

The ethernet connector bge0.
The ethernet connector bge1.
The ethernet connector igb0.
The ethernet connector igb1.
The ethernet connector igb2.
The ethernet connector igb3.
The first power supply unit, PSU1. Use both PSUs to prevent connection loss if one fails.
The second power supply unit, PSU2. Use both PSUs to prevent connection loss if one fails.
The system identification button, push it to light up the front and back indicators and locate
the appliance in a rack, push it again to turn them off. It flashes amber if anything is wrong
with the hardware.
The back USB 3.0 ports.
The iDRAC ethernet port, it is dedicated to the remote management of the appliance.
The VGA port.

DC SOLIDserver-3370 Front Panel

Figure 1.9. Front panel

The hardware status indicators, respectively the health indicator, temperature indicator,
electrical indicator, memory indicator and PCIe indicator.They flash amber if any error occurs.
The appliance information indicator. It flashes amber if anything is wrong with the hardware.
The front USB 3.0 port.
The front VGA port.
The On/Off button. It is lit when the appliance is on.
The front USB 2.0 port.

8
 Hardware Appliance Specificities

The iDRAC micro-USB direct port.

The hardware information tag. Pull it out to see the service tag (serial number) and express
service tag.
The hot swappable hard drive 2.
The hard drive health indicator. It flashes amber if any error occurs.
The hard drive activity indicator.
The hot swappable hard drive 1.

DC SOLIDserver-3370 Back Panel

Figure 1.10. Back panel

The system identification button, push it to light up the front and back indicators and locate
the appliance in a rack, push it again to turn them off. It flashes amber if anything is wrong
with the hardware.
The serial port.
The VGA port.
The first power supply unit, PSU1. Use both PSUs to prevent connection loss if one fails.
The second power supply unit, PSU2. Use both PSUs to prevent connection loss if one fails.
The ethernet connector igb3.
The ethernet connector igb2.
The ethernet connector igb1.
The ethernet connector igb0.
The back USB 3.0 ports.
The iDRAC ethernet port, it is dedicated to the remote management of the appliance.

SOLIDserver-Blast Series
The sections below describe the front and back panel of SOLIDserver-Blast Series appliances:
SOLIDserver-Blast-4070, SOLIDserver-Blast-5070 and SOLIDserver-Blast-5570. Depending on
the current of your appliance, refer to the section AC or DC.

The back panel provides two 10 Gbps optical fiber slots, for a full DNS Guardian protection.

9
 Hardware Appliance Specificities

AC SOLIDserver-Blast Series Front Panel

Figure 1.11. Front panel

The appliance information indicator. It flashes amber if anything is wrong with the hardware.
The On/Off button. It is lit when the appliance is on.
The front USB 2.0 port.
The iDRAC micro-USB direct port.
The hardware information tag. Pull it out to see the service tag (serial number) and express
service tag.
The hot swappable hard drive 2.
The hard drive health indicator. It flashes amber if any error occurs.
The hard drive activity indicator.
The hot swappable hard drive 1.

AC SOLIDserver-Blast Series Back Panel

iDRAC

Figure 1.12. Back panel

The serial port.

The ethernet connector bge0.
The ethernet connector bge1.
The ethernet connector igb0.
The ethernet connector igb1.
The ethernet connector igb2.
The ethernet connector igb3.
The optical slot ixl1.
The optical slot ixl0.
The first power supply unit, PSU1. Use both PSUs to prevent connection loss if one fails.
The second power supply unit, PSU2. Use both PSUs to prevent connection loss if one fails.

10
 Hardware Appliance Specificities

The system identification button, push it to light up the front and back indicators and locate
the appliance in a rack, push it again to turn them off. It flashes amber if anything is wrong
with the hardware.
The back USB 3.0 ports.
The iDRAC ethernet port, it is dedicated to the remote management of the appliance.
The VGA port.

DC SOLIDserver-Blast Series Front Panel

Figure 1.13. Front panel

The hardware status indicators, respectively the health indicator, temperature indicator,
electrical indicator, memory indicator and PCIe indicator.They flash amber if any error occurs.
The appliance information indicator. It flashes amber if anything is wrong with the hardware.
The front USB 3.0 port.
The front VGA port.
The On/Off button. It is lit when the appliance is on.
The front USB 2.0 port.
The iDRAC micro-USB direct port.
The hardware information tag. Pull it out to see the service tag (serial number) and express
service tag.
The hot swappable hard drive 2.
The hard drive health indicator. It flashes amber if any error occurs.
The hard drive activity indicator.
The hot swappable hard drive 1.

DC SOLIDserver-Blast-Series Back Panel

Figure 1.14. Back panel

11
 Hardware Appliance Specificities

The system identification button, push it to light up the front and back indicators and locate
the appliance in a rack, push it again to turn them off. It flashes amber if anything is wrong
with the hardware.
The optical slot ixl0.
The optical slot ixl1.
The serial port.
The VGA port.
The first power supply unit, PSU1. Use both PSUs to prevent connection loss if one fails.
The second power supply unit, PSU2. Use both PSUs to prevent connection loss if one fails.
The ethernet connector igb3.
The ethernet connector igb2.
The ethernet connector igb1.
The ethernet connector igb0.
The back USB 3.0 ports.
The iDRAC ethernet port, it is dedicated to the remote management of the appliance.

SOLIDserver-7070
The sections below describe the front and back panel of AC and DC SOLIDserver-7070 appliances.

SOLIDserver-7070 Front Panel

Figure 1.15. Front panel

The hardware status indicators, respectively the health indicator, temperature indicator,
electrical indicator, memory indicator and PCIe indicator.They flash amber if any error occurs.
The appliance information indicator. It flashes amber if anything is wrong with the hardware.
The front USB 3.0 port.
The front VGA port.
The On/Off button. It is lit when the appliance is on.
The front USB 2.0 port.
The iDRAC micro-USB direct port.
The hardware information tag. Pull it out to see the service tag (serial number) and express
service tag.
The hot swappable hard drive 2.
The hard drive health indicator. It flashes amber if any error occurs.
The hard drive activity indicator.

12
 Hardware Appliance Specificities

The hot swappable hard drive 1.

SOLIDserver-7070 Back Panel

Figure 1.16. Back panel

The system identification button, push it to light up the front and back indicators and locate
the appliance in a rack, push it again to turn them off. It flashes amber if anything is wrong
with the hardware.
The optical slot ixl0.
The optical slot ixl1.
The serial port.
The VGA port.
The first power supply unit, PSU1. Use both PSUs to prevent connection loss if one fails.
The second power supply unit, PSU2. Use both PSUs to prevent connection loss if one fails.
The ethernet connector igb3.
The ethernet connector igb2.
The ethernet connector igb1.
The ethernet connector igb0.
The back USB 3.0 ports.
The iDRAC ethernet port, it is dedicated to the remote management of the appliance.

4th Generation Hardware Appliances

The fourth generation of SOLIDserver hardware appliances includes the models: SOLIDserver-
260, SOLIDserver-550, SOLIDserver-1100, SOLIDserver-2200, SOLIDserver-3300 or SOLID-
server-Blast series (SOLIDserver-4000, SOLIDserver-5000 or SOLIDserver-5500).

SOLIDserver-260
The sections below describe the front and back panel of SOLIDserver SOLIDserver-260 appli-
ances.

From the front panel, you can connect a keyboard and monitor to set up the access IP address
of the iDRAC. From the iDRAC interface, you can configure SOLIDserver IP address.

13
 Hardware Appliance Specificities

SOLIDserver-260 Front Panel

Figure 1.17. Front panel

The On/Off button. It is lit when the appliance is on.

The system identification button, push it to light up the front and back indicators and locate
the appliance in a rack, push it again to turn them off. It flashes amber if anything is wrong
with the hardware.
The front VGA port.
The hard drive indicator. It flashes amber if there is a hard drive error.
The temperature indicator. It flashes amber if the system experiences a thermal error (for
example, a temperature out of range or fan failure).
The USB ports 1 and 2 (2.0 compliant).
The hardware information tag. Pull it out to see the service tag (serial number) and express
service tag.
The memory indicator. It flashes amber if a memory error occurs.
The electrical indicator. It flashes amber if the system experiences an electrical error (for
example, voltage out of range, or a failed power supply unit or voltage regulator).
The health indicator. If the system is on and in good health, it turns solid blue. The indicator
flashes amber if the system is on or in standby, and if any error is detected (for example, a
failed fan or hard drive).

SOLIDserver-260 Back Panel

Figure 1.18. Back panel

The serial port.

The vFlash card slot.
The iDRAC ethernet port, it is dedicated to the remote management of the appliance.
The ethernet connector bge1.
The ethernet connector bge0.
The power supply unit (PSU).
The PSU status indicator. You can press the button under it to diagnose the cabled PSU,
if it does not turn green the power source is disconnected or faulty.

14
 Hardware Appliance Specificities

The AC power supply unit status indicator. When pressing the self-diagnostic button, it turns
green if a valid power source is connected. Otherwise, the PSU is not connected or faulty.
The USB ports 3 and 4 (3.0 compliant).
The ethernet connector bge3.
The ethernet connector bge2.
The system identification button, push it to light up the front and back indicators and locate
the appliance in a rack, push it again to turn them off. It flashes amber if anything is wrong
with the hardware.
The VGA port.

SOLIDserver-550, SOLIDserver-1100 and SOLIDserver-2200

The sections below describe the front and back panel of SOLIDserver SOLIDserver-550,
SOLIDserver-1100 and SOLIDserver-2200 appliances.

From the front panel LCD screen, you can set up the IP address of the iDRAC used to configure
SOLIDserver and display hardware information.

SOLIDserver-550, SOLIDserver-1100, SOLIDserver-2200 Front Panel

Figure 1.19. Front panel

The On/Off button. It is lit when the appliance is on.

The system identification button, push it to light up the front and back indicators and locate
the appliance in a rack, push it again to turn them off. It flashes amber if anything is wrong
with the hardware.
The front VGA port.
The LCD menu left button. Moves the cursor back in one-step increments.
The LCD menu selection button. Selects the menu item highlighted by the cursor.
The LCD menu right button. Moves the cursor forward in one-step increments.
The LCD screen.
The USB ports 1 and 2 (2.0 compliant).
The hardware information tag. Pull it out to see the service tag (serial number) and express
service tag.
The hot swappable hard drive 2.
The hot swappable hard drive 1.

15
 Hardware Appliance Specificities

SOLIDserver-550, SOLIDserver-1100, SOLIDserver-2200 Back Panel

Figure 1.20. Back panel

The serial port.

The vFlash card slot.
The iDRAC ethernet port, it is dedicated to the remote management of the appliance.
The ethernet connector igb0.
The ethernet connector igb1.
The power supply units (PSU), respectively PSU1 and PSU2. It is recommended to use
them both to prevent connection loss if one fails.
The USB ports 3 and 4 (3.0 compliant).
The ethernet connector bge1.
The ethernet connector bge0.
The system identification button, push it to light up the front and back indicators and locate
the appliance in a rack, push it again to turn them off. It flashes amber if anything is wrong
with the hardware.
The VGA port.

SOLIDserver-3300 and SOLIDserver-Blast Series

The sections below describe the front and back panel of SOLIDserver-3300 and SOLIDserver-
Blast Series appliances: SOLIDserver-4000, SOLIDserver-5000 and SOLIDserver-5500.

From either appliance front panel LCD screen, you can set up the IP address of the iDRAC used
to configure SOLIDserver and display hardware information.

SOLIDserver-Blast Series appliances back panel provides two 10 Gbps optical fiber slots, for a
full DNS Guardian protection.

16
 Hardware Appliance Specificities

SOLIDserver-3300 and SOLIDserver-Blast Series Front Panel

Figure 1.21. Front panel

The On/Off button. It is lit when the appliance is on.

The system identification button, push it to light up the front and back indicators and locate
the appliance in a rack, push it again to turn them off. It flashes amber if anything is wrong
with the hardware.
The front VGA port.
The LCD menu left button. Moves the cursor back in one-step increments.
The LCD menu selection button. Selects the menu item highlighted by the cursor.
The LCD menu right button. Moves the cursor forward in one-step increments.
The LCD screen.
The hardware information tag. Pull it out to see the service tag (serial number) and express
service tag.
The hot swappable hard drive 1.
The hot swappable hard drive 2.
The USB port 2 (2.0 compliant).
The USB port 1 (2.0 compliant).
The SD card slot.

SOLIDserver-3300 and SOLIDserver-Blast Series Back Panel

Figure 1.22. Back panel

The optical slot ix1. It is only available on SOLIDserver-Blast Series appliances.

17
 Hardware Appliance Specificities

The optical slot ix0. It is only available on SOLIDserver-Blast Series appliances.

The second power supply unit, PSU2. Use both PSUs to prevent connection loss if one fails.
The first power supply unit, PSU1. Use both PSUs to prevent connection loss if one fails.
The ethernet connector igb3.
The ethernet connector igb2.
The ethernet connector igb1.
The ethernet connector igb0.
The USB port 4 (3.0 compliant).
The USB port 3 (3.0 compliant).
The VGA port.
The serial port.
The iDRAC ethernet port, it is dedicated to the remote management of the appliance.
The system identification button, push it to light up the front and back indicators and locate
the appliance in a rack, push it again to turn them off. It flashes amber if anything is wrong
with the hardware.

18
Chapter 2. First Configuration
This chapter is a recollection of the proper first configuration of all SOLIDserver hardware
appliances.

The first configuration requires to connect the appliance to the network and set it an IP address
to access the Graphical User Interface (GUI). To properly do so, you must:
• Meet the prerequisites.
• Identify your hardware appliance and follow the appropriate procedure:
• For SOLIDserver-50 appliances, refer to the section SOLIDserver-50 First Configuration.
• For all other SOLIDserver- hardware appliances, the rack appliances of the fifth or fourth
generation, refer to the section Rack Hardware Appliances First Configuration.
• For non-Efficient IP hardware appliances, you can install SOLIDserver software appliance
via a USB flash drive. For more details, refer to the guide SOLIDserver_Hardware_Reimaging-
1
x.x.pdf available on our download portal .

When the first configuration is done, you can further the basic network configuration of the appli-
ance (hostname, interfaces...) through a terminal. For more details, refer to the section Completing
the Basic Network Configuration via CLI.

Prerequisites
• One of the following supported web browsers installed on your computer: Google Chrome,
Mozilla Firefox, Microsoft Internet Explorer, Microsoft Edge or, for Mac computers, Safari. We
recommend using its latest and most stable version.
• A web browser with all pop-up blockers disabled for the IP address and domain name used
during the configuration of your appliance. Otherwise, you may not manage the iDRAC and/or
SOLIDserver properly.

SOLIDserver-50 First Configuration

SOLIDserver software is already installed on hardware appliances SOLIDserver-50, you need
to configure the access IP address of your choice to manage it.

Prerequisites
• A SOLIDserver-50 hardware appliance.
• A computer with a serial port.
• A terminal emulator able to connect to a serial port installed on your computer.

Configuring SOLIDserver IP Address

To configure SOLIDserver and the IP address used to access it, you must use a terminal emulator.

To configure SOLIDserver on SOLIDserver-50 appliances

1. Prepare the appliance.
a. Plug in the appliance power cable.

1
At https://downloads.efficientip.com/support/downloads/docs/, in the relevant version folder. Log in using your credentials. If you do
not have credentials yet, request them at www.efficientip.com/support-access.

19
 First Configuration

b. Plug in the appliance to your computer serial port.

c. Plug in at least one physical interface Ethernet cable to the appliance.
2. Open a Serial session using a terminal emulator on the computer.
3. Specify the appropriate Serial line, either COM1 or COM2.
4. Open the session. When the appliance has started, the page WELCOME TO SOLIDSERVER
opens.
5. Log in as the default admin user, the default password is admin. The page SOLIDserver
<version> opens and displays the Main menu.
6. The line S Quick Start is highlighted, hit Enter to start the configuration. The window Quick
Start - Configure basic network settings opens.
7. Hit Enter to launch the quick start configuration. The menu Physical interfaces opens.
8. Select one or more interfaces.
Hit 1, 2, 3 or the arrows to highlight an interface. Hit space to select the interface. Each
selected interface is preceded by (*).
The selected interface(s) respond(s) to the IP address, netmask and gateway you configure
next. Selecting several interfaces configures an Ethernet port failover.
9. Hit Enter to confirm the interface(s) selection. The menu Network configuration opens.
10. Configure the interface IP address, netmask and gateway used to access SOLIDserver.
• Set an IP: and hit the down arrow to get to the next line.
• Set a Netmask: and hit the down arrow to get to the next line.
• Set a default Gateway: and hit tabulation to highlight OK.
11. Hit Enter to confirm your configuration and go back to the Main menu.
12. The line C Commit modifications to system is highlighted, hit Enter to save the whole
configuration.The window Do you really want to commit modifications to system? opens.
13. The button Yes is highlighted, hit Enter to confirm.
When it is done, the window Configuration applied opens.
14. Hit Enter to close the window. The Main menu is visible again.
15. Hit E to select EXIT and hit Enter. The configuration window closes.

Your configuration is now complete and you can connect to SOLIDserver software using the IP
address you configured. For more details, refer to the chapter Using SOLIDserver for the First
Time.

Rack Hardware Appliances First Configuration

All rack hardware appliances come embedded with a sub-component, the Integrated Remote
Access Controller, or iDRAC, designed to remotely manage the appliance. It provides a dedicated
management platform from where you can monitor the hardware appliance itself and configure
SOLIDserver software.

For these reasons, the installation of these hardware appliance models requires to:
1. Configure an IP address for the iDRAC. On all appliances, except SOLIDserver-260, you can
set it from the LCD screen.
2. Connect to the iDRAC to configure SOLIDserver access IP address.
3. Once the software installation is over, you need to connect to SOLIDserver, add your license
and set up the Internal module setup. For more details, refer to the chapter Using SOLIDserver
for the First Time.

20
 First Configuration

All rack hardware appliances, except the SOLIDserver-260, provide an LCD screen that allows
to set up

Prerequisites
• An EfficientIP rack hardware appliance:
• A 5th generation hardware appliance: SOLIDserver-270, SOLIDserver-570, SOLIDserver-
1170, SOLIDserver-2270, SOLIDserver-3370, SOLIDserver-Blast Series (SOLIDserver-
Blast-4070, SOLIDserver-Blast-5070 or SOLIDserver-Blast-5570) or SOLIDserver-7070.
• Or a 4th generation hardware appliance: SOLIDserver-260, SOLIDserver-550, SOLIDserv-
er-1100, SOLIDserver-2200, SOLIDserver-3300 or SOLIDserver-Blast series (SOLIDserver-
4000, SOLIDserver-5000 or SOLIDserver-5500). They require a browser with the latest
version of Java JRE installed.
• Making sure that the appliance power supply cables are plugged.
• Making sure that the iDRAC dedicated port and physical interface port are connected. Note
that you can set up an Ethernet port failover with up to 4 cables.

Setting up the iDRAC IP Address

Once you identified your hardware appliance, you must set up the IP address of the iDRAC:
1. Make sure you meet the prerequisites.
2. Follow the proper procedure:
• For 4th generation hardware appliances SOLIDserver-260, you must set up the iDRAC IP
address without LCD screen, using a keyboard and monitor, as detailed in the section Setting
up the iDRAC IP Address Without LCD Screen.
• For all 5th generation appliances (SOLIDserver-270, SOLIDserver-570, SOLIDserver-
1170, SOLIDserver-2270, SOLIDserver-3370, SOLIDserver-Blast-4070, SOLIDserver-Blast-
5070, SOLIDserver-Blast-5570 and SOLIDserver-7070) and the rest of the 4th generation
hardware appliances (SOLIDserver-550, SOLIDserver-1100, SOLIDserver-2200, SOLID-
server-3300, SOLIDserver-4000, SOLIDserver-5000 and SOLIDserver-5500) you can set
up the iDRAC IP address from the LCD screen, as detailed in the section Setting up the
iDRAC IP Address from the LCD Screen.

Once the iDRAC IP address is set, you can access it and configure SOLIDserver IP address.

Setting up the iDRAC IP Address Without LCD Screen

For SOLIDserver-260 appliances, you can configure an access IP address for the iDRAC using
a keyboard and monitor. This is the only method for SOLIDserver-260 appliances. You can
configure the iDRAC IP address without LCD screen on any other appliance, of the 4th or 5th
generation.

Once the iDRAC IP address is set, you can access it and configure the IP address of your
SOLIDserver appliance. The iDRAC is already configured with a default IP address -
192.168.0.120, netmask - 255.255.255.0 and gateway - 192.168.0.0.

If this IP address is free and accessible on your network, you do not need to follow the procedure
below, you can go straight to the section Configuring the Access to SOLIDserver from the iDRAC.

To set up the iDRAC IP address without LCD screen

1. Plug in the Ethernet cables at the back of the appliance:
a. Plug in one Ethernet cable in the iDRAC plug, on the left-end side of the back panel.

21
 First Configuration

b. Plug in up to four physical interface Ethernet cables.

2. Connect a monitor and keyboard to the appliance.
3. Press the button to turn on the hardware appliance.
4. When the BIOS splash screen appears, hit F2 to enter the system setup.

F2 = System Setup
F10 = Lifecycle Controller
F11 = BIOS Boot Manager
F12 = PXE Boot

BIOS Revision 2.3.3

Figure 2.1. BIOS splash screen

The window System Setup eventually opens.

5. In the System Setup Main Menu, use the down arrow to highlight iDRAC Settings and
hit Enter. The page iDRAC Settings opens.
6. Use the down arrow to highlight Network and hit Enter. The page iDRAC Settings - Net-
work opens.
7. Use the down arrow to get to the section IPV4 SETTINGS and, if need be, edit the following
fields:
a. In the field Static IP Address, set the IP address of your choice. You need it to connect
to the iDRAC. The default IP address is 192.168.0.120.
b. In the field Static Gateway, set the gateway of your choice. The default gateway is
192.168.0.0.
c. In the field Static Subnet Mask, set the netmask of your choice. The default netmask
is 255.255.255.0.
8. When you have configured the three fields, hit tabulation to select the button Back in the
window bottom right corner and hit Enter to get back to the page iDRAC Settings.
9. Hit tabulation to select the button Finish and hit Enter. The window Warning / Saving
Changes / Settings have changed. Do you want to save the changes? opens.
10. Select Yes and hit Enter. The window Success / Saving Changes / Settings saved suc-
cessfully opens.
11. Hit Enter. The menu System Setup opens.
12. Hit tabulation to highlight the button Finish and hit Enter. The window Warning / Confirm
Exit / Are you sure you want to exit and reboot? opens.
13. Select Yes and hit Enter. The menu closes and the hardware appliance reboots.

Now you can connect to the iDRAC to configure SOLIDserver as detailed in the section Config-
uring the Access to SOLIDserver from the iDRAC.

22
 First Configuration

Setting up the iDRAC IP Address from the LCD Screen

For all hardware appliances, except SOLIDserver-260 appliances, you can set up the access IP
address for the iDRAC from the LCD screen. Note that this screen also displays hardware inform-
ation, configurations and errors.

If you already configured the iDRAC IP address using a keyboard and monitor, following the
section Configuring the iDRAC IP address Without LCD Screen, you can go straight to the section
Configuring the Access to SOLIDserver from the iDRAC.

Once the iDRAC IP address is set, you can access it and configure the IP address of your
SOLIDserver appliance. The iDRAC is already configured with a default IP address -
192.168.0.120, netmask - 255.255.255.0 and gateway - 192.168.0.0.

If this IP address is free and accessible on your network, you do not need to follow the procedure
below, you can go straight to the section Configuring the Access to SOLIDserver from the iDRAC.

To set up the iDRAC IP address from the LCD screen

1. Plug in the Ethernet cables at the back of the appliance:
a. Plug in one Ethernet cable in the iDRAC plug, on the left-end side of the back panel.
b. Plug in up to four physical interface Ethernet cables.
2. Press the button to turn on the hardware appliance. During the boot sequence, the LCD
screen displays System booting. The message disappears once the appliance has booted.
3. Press to display the menu.
4. Press to highlight Setup. Press to enter the Setup menu.
5. iDRAC is highlighted, press . The message Security Notice: Default network credentials
in effect appears.
6. Press to enter the menu. Press twice to highlight Static IP.
7. Press to enter the menu. The default IP address is displayed: IP: 192.168.0.120 . Set the
IP address of your choice:
• Use the arrows and to put the cursor over the digit you want to edit.
• Once the cursor is on the digit you want to edit, press . The cursor blinks.
• Once the cursor blinks, use the arrows to change the digit value and press to commit
the new value.
• Repeat these actions for every digit you want to change.
Once the full IP address matches your needs, press until the cursor highlights >> at the
end of the IP address.
8. Press to commit the IP address. The subnet mask is displayed: Sub: 255.255.255.000 .
Set the netmask of your choice using the technique detailed in step 7.
Once the full netmask matches your needs, press until the cursor highlights >> at the end
of the subnet mask.
9. Press to commit the subnet mask. The gateway is displayed: Gtw: 192.168.000.000 . Set
the gateway of your choice using the technique detailed in step 7.
Once the gateway matches your needs, press until the cursor highlights >> at the end of
the subnet mask.
10. Press to commit the gateway IP address. The DNS configuration menu appears: Setup
DNS: Yes.

23
 First Configuration

11. Press to highlight No and press to skip the DNS configuration. The screen displays:
Save: Yes | No, Yes is highlighted.
12. Press to save your configuration. The LCD screen is now empty.

Now you can connect to the iDRAC to configure SOLIDserver as detailed in the section Config-
uring the Access to SOLIDserver from the iDRAC below.

Configuring the Access to SOLIDserver from the iDRAC

Using the iDRAC IP address you set, you can configure access to SOLIDserver as follows:
1. Connect to SOLIDserver from the iDRAC GUI, as detailed in the procedure To connect to
SOLIDserver from the iDRAC virtual console.
2. Configure SOLIDserver IP address, as detailed the procedure To configure SOLIDserver from
the iDRAC virtual console.

To connect to SOLIDserver from the iDRAC virtual console

1. Open any supported browser and, in the URL field, type in https://<iDRAC-configured-IP-
address>. If you are configuring from an iDRAC in version 8, the browser must have Java
installed.
2. Accept the certificate. The iDRAC login page opens.
3. In the field Username, type in root.
4. In the field Password, type in calvin.
5. Click on Log in. The page refreshes.
6. Tick the box Keep Default Password. On the right, under the field Username: root, both
password input fields are grayed out.
If you want, you can tick the box Do not show this warning again.
7. Click on Continue. The iDRAC homepage opens, it details the hardware information.
8. Launch the virtual console.
a. In the section Virtual Console, click on Launch Virtual Console. A window opens.
b. During your first connection, you must authorize the pop-ups and press F5 to refresh
the window.
c. If your iDRAC is in version 8 or in a higher version set with its Plug-in Type to Java, you
must accept to save the file viewer.jnlp to be able to launch the console, and then open
2
the file .
d. In the pop-up window SecurityWarning, click on Continue.
e. In the pop-up window Do you want to run this application?, click on Run.
f. In the pop-up window Warning-Security, click on Run to accept the certificate. The
console opens.
9. When SOLIDserver installation is complete, the page WELCOME TO SOLIDSERVER ap-
pears.

2
If the file .jnlp has not been automatically opened by Java, you have to associate it manually with the file javaws.exe located in the
folder jre\bin of the appropriate Java version.

24
 First Configuration

Figure 2.2. SOLIDserver login page

If an error message is displayed on the screen, you need to reimage SOLIDserver. For more
details, refer to the guide SOLIDserver_Hardware_Reimaging-x.x.pdf available on our
3
download portal .

Once you are connected to SOLIDserver from the iDRAC console, you can configure its IP ad-
dress.

To configure SOLIDserver from the iDRAC virtual console

1. From the page WELCOME TO SOLIDSERVER, log in as the default admin user, the default
password is admin. The page SOLIDserver <version> opens and displays the Main menu.
2. The line S Quick Start is highlighted, hit Enter to start the configuration. The window Quick
Start - Configure basic network settings opens.
3. Hit Enter to launch the quick start configuration. The menu Physical interfaces opens.
4. Select one or more interfaces.
4
The interfaces are named and numbered: bgeX, igbX and/or ixX , where X is a digit. Their
status is displayed between brackets: (active) or (no carrier).
Hit 1, 2, 3 or the arrows to highlight an interface. Hit space to select the interface. Each
selected interface is preceded by (*).
The selected interface(s) respond(s) to the IP address, netmask and gateway you configure
next. Selecting several interfaces configures an Ethernet port failover.
5. Hit Enter to confirm the interface(s) selection. The menu Network configuration opens.
6. Configure the interface IP address, netmask and gateway used to access SOLIDserver:
• Set an IP: and hit the down arrow to get to the next line.
• Set a Netmask: and hit the down arrow to get to the next line.
• Set a default Gateway: and hit tabulation to highlight OK.
7. Hit Enter to confirm your configuration and go back to the Main menu.
8. The line C Commit modifications to system is highlighted, hit Enter to save the whole
configuration.The window Do you really want to commit modifications to system? opens.
9. The button Yes is highlighted, hit Enter to confirm.
When it is done, the window Configuration applied opens.
10. Hit Enter to close the window. The Main menu is visible again.
11. Hit E to select EXIT and hit Enter. The configuration window closes.

3
At https://downloads.efficientip.com/support/downloads/docs/, in the relevant version folder. Log in using your credentials. If you do
not have credentials yet, request them at www.efficientip.com/support-access.
4
ixX interfaces correspond to 10 Gb ports.

25
 First Configuration

Now your configuration is complete and you can connect to SOLIDserver software using the IP
address you configured.

Completing the Basic Network Configuration via CLI

After configuring access to SOLIDserver using the terminal menu Quick Start, you can complete
its basic network configuration via Command-Line Interface (CLI). You can set the appliance
hostname, default gateways and/or physical and virtual interfaces.

Note that you can also configure a pre-authentication banner message for SSH connections. For
more details, refer to the section Configuring Non-Supported OpenSSH Settings in appendix.

The configuration method depends on your appliance:

• On software appliances, you can connect to the appliance using its IP address to open a
shell session via a terminal emulator. If you installed SOLIDserver on VMware, you can also
access its CLI from VMware console.
• On hardware appliances, accessing CLI depends on the model:
• For appliances SOLIDserver-50, you must connect your computer to the hardware serial
port and open a serial connection session via a terminal emulator.
• For appliances SOLIDserver-260, SOLIDserver-550, SOLIDserver-1100, SOLIDserver-2200,
SOLIDserver-3300 and SOLIDserver-Blast series (SOLIDserver-4000, SOLIDserver-5000
and SOLIDserver-5500), you can connect to the iDRAC GUI and open the Virtual console,
or plug a monitor and keyboard into the hardware appliance VGA and USB ports.
• For appliances SOLIDserver-270, SOLIDserver-570, SOLIDserver-1170, SOLIDserver-2270,
SOLIDserver-3370, SOLIDserver-Blast series (SOLIDserver-Blast-4070, SOLIDserver-Blast-
5070 and SOLIDserver-Blast-5570) and SOLIDserver-7070, you can connect to the iDRAC
GUI and open the Virtual console, or plug a monitor and keyboard into the hardware appliance
VGA and USB ports.

By default there is already an interface configured for SOLIDserver image, it has the IP address
192.168.1.1 and the netmask 255.255.255.0.You can change both according to your need when
configuring the basic network settings or during the first installation.

In the procedure below, we configure a virtual interface, a physical interface, an IP address, a

netmask, a gateway and the IP address of the DNS resolver.

To complete the basic network configuration through a terminal

1. Connect to SOLIDserver appliance via CLI.
2. Once you are connected, the page WELCOME TO SOLIDserver opens.

26
 First Configuration

Figure 2.3. SOLIDserver login page

3. Log in as the default admin user, the default password is admin. The Main menu appears.
4. The line N Network Configuration is highlighted.

Figure 2.4. Main menu

Hit Enter, the menu Network configuration opens.

5. Configure a virtual interface
a. The line V Virtual interfaces is highlighted.

Figure 2.5. Network configuration

Hit Enter, the menu Virtual interfaces opens.

b. The line 1 DEFAULT_INTERFACE is highlighted.

Figure 2.6. Virtual interfaces

27
 First Configuration

Hit Enter, the menu Virtual interface name opens.

c. Edit the interface Name if you want.

Figure 2.7. Virtual interface name

Hit Enter, the menu Physical interfaces opens.

6. Configure the physical interface(s)
a. Select one or several interfaces. Each interface is named and numbered, the names
depend on the appliance, and followed by its status between brackets, (active) or (no
carrier).
Hit the digits or arrows to highlight an interface. Hit space to select the interface. Each
selected interface is preceded by [*].
The selected interface(s) respond(s) to the IP address, netmask and gateway you con-
figure next. Selecting several interfaces configures an Ethernet port failover.

Figure 2.8. Physical interfaces

Hit Enter to confirm the interface(s) selection. The menu IP addresses list opens.
b. The line 1 192.168.1.1 255.255.255.0 is highlighted. The IP address 192.168.1.1 and
the netmask 255.255.255.0 are the default values.

Figure 2.9. IP addresses list

Hit Enter, the menu IP addresses configuration opens.

c. Edit the Address and Prefix/Netmask fields according to your needs.

28
 First Configuration

Figure 2.10. IP addresses configuration

Hit Enter to save your changes, the menu IP addresses list menu opens again.
d. Hit E to select E EXIT and it Enter. The menu Network configuration opens.
7. Configure the appliance hostname
a. Hit G to select G Global configuration.

Figure 2.11. Network configuration

Hit Enter, the menu Global configuration opens.

b. Edit the Hostname if need be. Edit the Default IPv4 gateway and 1st DNS resolver
according to your needs.

Figure 2.12. Global configuration

Hit Enter to save your changes, the menu Network configuration opens again.
c. Hit E to select E EXIT and it Enter. The menu Main menu opens.
8. The line C Commit modifications to system is highlighted.

29
 First Configuration

Figure 2.13. Main menu before saving your configuration

Hit Enter to save the whole configuration. The last message appears.
9. The button Yes is highlighted.

Figure 2.14. Confirmation window

Hit Enter to confirm saving your configuration.

When it is done, the window Configuration applied opens.
10. Hit Enter to close the window. The Main menu is visible again.
11. Hit E to select E EXIT and it Enter. The configuration window closes.

Your configuration is now complete and you can access your SOLIDserver through the browser
of your choice. Make sure the browser version complies with the prerequisites mentioned above.

30
Chapter 3. Using SOLIDserver for the
First Time
When using SOLIDserver for the first time, you need to:
1. Log in.
2. Request and activate a license.
3. Define the modules interaction, or internal module setup.
4. Configure SOLIDserver on your network.
5. Configure user access to the appliance.

Connecting to SOLIDserver
No matter the browser you choose to use, to access SOLIDserver you need to follow the procedure
below.

If you defined a hostname for your SOLIDserver in your DNS, you can use its name in the URL
field rather than the IP address.

To connect to SOLIDserver for the first time

1. Open your browser, in the URL field type in https://<SOLIDserver-configured-IP-address>.
2. Hit Enter. The browser displays a security warning because the default certificate is in use.
Your browser probably identified that the certificate is not from a trusted certifying authority
and that the hostname on the certificate is invalid or does not match the name of the site.
3. Accept the certificate. SOLIDserver login page appears.

ddi.mycorp.com

Login

Password

Figure 3.1. First connection to SOLIDserver

4. In the field Login, type in ipmadmin, the default superuser login.

5. In the field Password, type in admin, the default superuser password.
6. Hit Enter. The page Main dashboard opens, this is the homepage of SOLIDserver.

On the dashboard the gadget System Information indicates that there is No license installed,
you must request a license and add it to manage SOLIDserver.

31
 Using SOLIDserver for the First
Time

Requesting and Activating a License

After the first connection, you need to request a license from EfficientIP. They will generate and
send you a valid license key that you must add to the GUI to activate the license and use
SOLIDserver.

Each license key is unique and specific to one SOLIDserver appliance, you cannot use the
same license key on several appliances.

To request a license key

1. Retrieve the request license key, from SOLIDserver Main Dashboard.
a. In the gadget System Information, click on the link Request license . The wizard Request
license opens.
b. Read the Software License Agreement and click on NEXT . The next page opens.
c. Copy the content of the field Request key, you need it to fill out the request license
form.
d. Click on OK to close the wizard.
2. Send the request key to Efficient IP via the form Request Your License.
a. Go to the page http://www.efficientip.com/license-request/.
b. In the fields First Name, Last Name, Email, Phone, Company and Country Name,
specify your contact details. All these fields are required.
c. In the field License Period Request, select the length of your choice: 1 month, 2 months,
3 months, 6 months or Permanent. This field is required.
d. If you selected Permanent, the following fields appear.
Fill them with the information provided by EfficientIP.

Table 3.1. Required information for permanent licenses

Field Description
Contract Number Your Maintenance contract number. This field is required.
(if permanent license) The Maintenance contract number is composed of 12 digits and your client
name, it looks as follows 221231200101CORP. The first 6 digits are the
maintenance expiry date (yymmdd) and the next 6 digits are the maintenance
start date (yymmdd).
EfficientIP Serial Number Your appliance serial number. This field is required.
(if permanent license) For virtual appliances, it looks as follows SW550-0123. For hardware appli-
ances, it looks as follows A1B23R4.

e. In the field SOLIDserver Model, specify your model number. This field is required. It
looks as follows SDS-570.
f. In the field Request Key, paste your request key or the content of your request key file.
This field is required.
g. In the field Number of External Managed Servers (MVSM, if any), specify the total
number of servers - DNS, DHCP... - you intend to manage from SOLIDserver.
h. In the section Optional Module, tick all the optional modules you might need: DNS
1
Guardian, DNS GSLB, NetChange, Device Manager or SPX.
i. If relevant, fill in the field If requester is NOT end customer, please provide your
contact information (Name, Company, Email, Phone): with all the appropriate data.

1
If you do not tick this box, you are using NetChange-IPL, NetChange basic options.

32
 Using SOLIDserver for the First
Time

j. In the drop-down list Language, you can select in which language to display the Privacy
Policy. By default, English is selected, you can change to French, German or Spanish.
The panel provides a link towards EfficientIP Privacy Statement.
k. Tick the box I accept the Terms and Conditions.
l. Click on SUBMIT to send us your information.

Once EfficientIP has answered your request and sent you a license key, you can add it to the
appliance to activate your licence as detailed below. Note that the appliance should be time
synchronized before activating the license.

To make sure the appliance is on time, we strongly recommend configuring the NTP. For more
details, refer to the chapter Configuring the Time and Date.

To activate a license
1. From the EfficientIP email response to your license request, copy the license key.
2. Connect to SOLIDserver using the superuser credentials. The page Main dashboard opens.
3. In the gadget System Information, click on the link Add license . The wizard opens.
4. Read the License Agreement and click on NEXT . The page Add a license opens.
5. In the field License(s), paste the license key.
6. Click on OK to complete the operation.The page refreshes. In the gadget System Information
the License type is updated and all the modules that come with your license are visible.

If you need to renew your license, to have more services, extend the maintenance time or manage
the license metrics, refer to the chapter Managing Licenses.

Defining the Internal Module Setup

Once the license is installed, and before making any further network configurations, we recommend
that you set the Internal module setup.

The Internal module setup allows you to enable the interaction between the modules IPAM, DNS
and DHCP. That way you can manage your resources and objects on one page and update them
in other modules.

To configure the internal module setup from the configuration gadget

1. In the sidebar, go to Dashboard > Main dashboard.
2. At the bottom of the gadget SOLIDserver Configuration Checklist, next to Internal module
setup, click on Configuration. The wizard Internal module setup opens.
3. If you want to activate all module interactions:
a. In the drop-down list Architecture, select IPAM.
b. Tick the box Use DNS.
c. Tick the box Use DHCP.
4. If you only want to activate the DNS, in the drop-down list Architecture, select DNS only.
5. Click on OK to complete the operation. The wizard closes and the page refreshes. The In-
ternal module setup is marked .

At any point, you can edit the internal module setup from the module Administration.

33
 Using SOLIDserver for the First
Time

To configure the internal module setup from the module Administration

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Internal module setup. The wizard opens.
3. If you want to activate all the module interactions:
a. In the drop-down list Architecture, select IPAM.
b. Tick the box Use DNS.
c. Tick the box Use DHCP.
4. If you only want to activate the DNS, in the drop-down list Architecture, select DNS only.
5. Click on OK to complete the operation. The wizard closes.

Configuring SOLIDserver Network and Services

Before using SOLIDserver you need to complete its configuration. The appliance Main dashboard
allows to quickly set network and service configurations:
1. The gadget SOLIDserver Configuration Checklist provides an overview of key configurations.
What is marked has not been configured yet. You can click on each link to configure
everything you need. For more details, refer to the section SOLIDserver Configuration
Checklist.
2. The gadget General Information provides shortcuts toward services and appliance settings.
• Services lists key services. services are not configured yet, are not started yet and
are configured and running. Clicking on configured services allows to start/stop them,
clicking on services not configured yet opens the page Services configuration where you
can configure them. For more details, refer to the chapter Configuring the Services.
Make sure that the service NTP is started, it is crucial for DHCP, DNS and High Availability
management. For more details, refer to the chapter Configuring the Time and Date.
• Hostname, IP Addresses, Default gateways and Status return the appliance basic network
configuration details. Clicking on any value opens the page Network Configuration where
you can edit or set them. For more details, refer to the chapter Configuring the Network.
• SOLIDserver role is the appliance role on the page Centralized management. For more
details, refer to the chapter Centralized Management.

Configuring User Access to SOLIDserver

Within SOLIDserver, user rights and resources depend on the group they belong to.

Being logged as the superuser, ipmadmin, you belong to the most privileged group, admin. Users
of that group can perform all operations and have access to all existing resources. Some operations
can only be performed by the users of that group, in which case it is specified in the procedure.

To configure access to other users, you need to:

1. Add or import users.
2. Add a group of users.
3. Configure that group with users. At group level, the users are considered a resource.
4. Configure that group with rights. From the page Rights of each group you can grant or deny
access to operations in all modules to the users of the group.
5. Configure that group with resources. From the page Resources of each group, you can add
existing objects as resource.The resources define the list of objects on which users can perform

34
 Using SOLIDserver for the First
Time

operations. If a group does not have resources, its users are granted rights that they cannot
use on any object.

Note that you can also configure and enable authentication rules relying on Active Directory,
LDAP, RADIUS and OpenID Connect to securely log in external users. For more details regarding
users and groups, refer to the part Rights Management.

35
Chapter 4. Understanding the GUI
SOLIDserver centralizes all the operations in a unified Graphical User Interface (GUI) divided
into modules with common management principles and navigation logic.

When you log in, the first page available is SOLIDserver Home Page.

Throughout the GUI, all management pages share common elements, detailed in the image below.

Figure 4.1. Common elements on listing pages in the GUI

The sidebar gives access to the SOLIDserver dashboards, the modules, the Tree view and
the Smart folders. For more details, refer to the section Sidebar.
The top bar gives access to the Global search, all Notifications, Bookmarks, your settings
through the menu My Account and the menu Help. For more details, refer to the section
Top Bar.
The breadcrumb is a navigation bar available on all pages of all modules except Administra-
tion, where it is only displayed on some pages. It provides direct and hierarchical access to
the module objects. For more details, refer to the section Breadcrumb.
The menu is displayed on every page. Its content differs on each page. For more details,
refer to the section Menu.

In addition, the GUI provides Listing Pages, Properties Pages, Wizards, Charts, the page My
Bookmarks and Quick Wizards.

36
 Understanding the GUI

SOLIDserver Main Dashboard

Once you are connected, SOLIDserver Main dashboard, the appliance home page, opens. It
contains the welcome banner and the Main dashboard right under it. You can access this page
from anywhere in the appliance if you click on the button Dashboards in the sidebar.

The Main dashboard contains one or several gadgets depending on the user connected. For
more details, refer to the section Gadgets Displayed by Default.

You can edit the Main dashboard welcome banner with a different message or even an image.
For more details, refer to the chapter Customizing the GUI.

Figure 4.2. The Main dashboard of the superuser session

In the module Dashboards, you can add and manage dashboards and customize their content
with gadgets. For more details, refer to the part Dashboards.

37
 Understanding the GUI

Sidebar
The sidebar allows to access all the modules as well as the Tree view and the Smart folders.

The toggle button allows to either display:

• a collapsed menu with only the icons of each module. Hover over the icons to display the name
of a module and the list of its pages.
• an expanded menu with the icon and name of each module. Below the name of a module, the
list of its pages is displayed.

Modules
Each module has a dedicated section in the sidebar.

When you navigate from one module to another, the latest page visited is saved and you can
open it again if you go back to the module.

Clicking on the icon or name of the module you are currently in opens the page of the top level.

Figure 4.3. Overview of the page All networks in the module IPAM

When the sidebar is expanded, each module icon and name are displayed.
The button highlighted in blue indicates the module you are currently in.
The module you are currently in is displayed. The current page is highlighted in blue.
In the breadcrumb, the current page is also highlighted in blue.
The menu contains some options specific to the module. For more details, refer to the section
Menu.

38
 Understanding the GUI

To open a specific page of a module when the sidebar is expanded

1. If the sidebar is expanded, next to the name of the module of your choice, click on the arrow.
The list of the pages of this module is displayed.
2. Click on the name of the page you want to open. The page opens.
In the image above, to list the networks, in the sidebar, go to IPAM > Networks. The page
All networks opens.

Figure 4.4. Overview of the page All networks in the module IPAM

The button highlighted in blue indicates the module you are currently in.
When the sidebar is collapsed, only the module icons are displayed.
When you hover over the icon of a module, its name and the list of the pages it contains are
displayed.

To open a specific page of a module when the sidebar is collapsed

1. Hover over the icon of the module of your choice. The name and the list of the pages of this
module are displayed.
2. Click on the name of the page you want to open. The page opens.
In the image above, to list the networks, in the sidebar, go to IPAM > Networks. The page
All networks opens.

Keep in mind that in addition to the menu entries in the sidebar, the breadcrumb allow to access
the pages of the module. For more details, refer to the section Breadcrumb.

The module Administration has a dedicated sidebar and a homepage, Admin Home.

39
 Understanding the GUI

Figure 4.5. Overview of Admin Home, the homepage of the module Administration

The button Quit Administration allows to leave the module Administration and to go back to
the other modules.
Admin Home is divided into six sections. In each section, you find links to open the different
pages of the module.
Two links on one line provide access to separate pages dedicated to one object. Here, the
link Alerts opens the page Alerts and the link Definitions opens the page Alerts Definition.
Note that the link turns light blue when you hover over it, here it is over Definitions.
The sidebar cannot be reduced in the module Administration. It allows to navigate between
specific pages of the module without displaying the homepage.

To open a specific page in the module Administration

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In a section, click on the link of your choice. The page opens.

40
 Understanding the GUI

Tree View
The Tree view is a side panel that allows to display and access the data of the modules IPAM,
v1 v2

DHCP and DNS. When one of these modules is open, the button Tree view is available at
the bottom of the sidebar and allows to display a panel that contains the following information:
DHCP
This section is divided among DHCP servers, DHCP scopes, DHCPv6 servers and DHCPv6
scopes. Open each type to display and access the servers and scopes you manage in the
module DHCP.
DNS
This section is divided among servers and zones. Open each type to display and access the
servers and zones you manage in the module DNS.
IPAM
This section is divided among the spaces you manage. Open each space sub-section to
display and access the objects it contains in the module IPAM.

Figure 4.6. Overview of the IPAM Tree view

41
 Understanding the GUI

This button allows to open or close the Tree view. The button turns blue when the Tree view
is open.
These icons indicate that a branch of the Tree view hierarchy is opened or closed . They
allow to display or hide the content.
This button allows to refresh the Tree view content.
The right edge can be dragged to adjust the size of the Tree view panel. A double-click on
the right edge closes the panel.

To open the Tree view

1. In the sidebar, go to the module for which you want to display the Tree view: IPAM,
DHCP or DNS.
v1 v2

2. In the sidebar, click on Tree view. The Tree view opens.

3. Each final line is a shortcut to the page listed. The page does not open if it is empty.

To refresh the content of the Tree view

1. Open the Tree view.
2. In the top left corner of the Tree view, click on .

To expand or collapse the Tree view

1. Put your mouse over the right-end side of the Tree view. The pointer changes shape, a
darker gray line appears.
2. To expand the panel, drag the line to the right.
3. To collapse the panel, double-click on the line or slide it the left. The Tree view collapses.

To close the Tree view

v1 v2

1. In the sidebar, click on Tree view. The Tree view closes.

If you open a module for which the tree view is not available, the panel closes automatically.

42
 Understanding the GUI

Smart Folders
Smart folders are gathered in a side panel accessible via the button My Smart Folders at the
bottom of the sidebar. Smart folders provide links towards properties pages, the objects are or-
ganized following your hierarchy. For more details, refer to the chapter Managing Smart Folders.

Figure 4.7. Overview of the Device Manager smart folders

This button allows to open or close the Smart Folders panel. The button turns blue when
the Smart Folders panel is open.
These icons indicate that a branch of the Smart folders hierarchy is opened or closed .
They allow to display or hide the content.
This button allows to refresh the Smart Folders content.
The right edge can be dragged to adjust the size of the Smart Folders panel. A double-click
on the right edge closes the panel.

43
 Understanding the GUI

Top Bar
The top bar is available on all pages. It gives access to 5 key elements useful to all users:

Figure 4.8. Overview of the top bar

Global search, a research field detailed in the section Global Search.

Notifications, a window gathering past operations detailed in the section Notifications.
Bookmarks, a button detailed in the section Bookmarks.
My Account, a menu dedicated to the connected user detailed in the section My Account.
Help, a menu detailed in the section ?.

Note that banner messages can be displayed above the top bar. The banner color indicates the
message criticality. Blue messages are informative, orange ones are warnings and red ones are
critical. All license related messages can be closed for the remainder of the session.

Global Search
SOLIDserver includes a search engine called Global search that allows you to perform searches
in the database of several modules at once.

This Global search field is available from any page.You can look for data using full names, values
or look for fragments of information (some letters of a name for instance) to find all the partial
matches.

Figure 4.9. An example of search results performed using Global search

This field allows to specify the data you are looking for.
The magnifying glass allows to perform the search.

44
 Understanding the GUI

This button allows to close the window. Once you performed a search, the window remains
open above the page you are currently on, until you close it.
The button allows to access the properties page of the object.
A click on the result line allows to display more information in the window Global search.
The data loads under the object line.
This button allows to resize the window Global search.
All matching results are returned in sections dedicated to all the relevant modules and objects
and preceded by their dedicated icon.
They are displayed progressively, module by module. You may need to wait until the
matching results in every module are returned.

Note that Global search:

• Looks for matching results in the modules IPAM, DHCP, DNS, NetChange, Device Manager,
Identity Manager and two pages of Administration. It returns the following objects:
• From the IPAM: IPv4 and IPv6 spaces, networks, pools and IP addresses, even in their
compressed form.
• From the DHCP: DHCPv4 and DHCPv6 smart architectures, physical servers not managed
via a smart architecture, scopes, ranges, statics, leases, ACLs and DHCPv6 delegated
prefixes.
• From the DNS: smart architectures, physical servers not managed via a smart, views, zones
and resource records, except NS records.
• From NetChange: network devices, ports, device address and discovered items. To find
discovered items, you have to search for their MAC or IP address. The result specifies if the
discovered item was discovered via an interco port or not.
• From Device Manager: devices, ports and interfaces.
• From Identity Manager: directories, identities and active sessions.
• From Administration: groups of users and users.
• From all modules: Hostnames or MAC addresses.
• Returns results saved on names or values. For instance, you can find an IP address using its
address, MAC address or name.
• Displays all the matching results following the order of the modules: IPAM, DHCP, DNS,
NetChange, Device Manager and finally Administration.
• Displays all the matching results respecting the internal hierarchy of the module. So if you look
for an IP address, Global search returns first the network(s) from level 0 to n, then the pool(s)
and finally the IP address(es) matching your search.
• Does not return DHCP shared networks or VLAN information, whether it is managed from
NetChange or VLAN Manager.

To perform a global search

1. In the top bar, in the field Global search specify the data you are looking for.
2. Click on or hit Enter on your keyboard to perform the search.
3. The window Global search opens under the field and displays the results found in each
module.
a. To display more information, click on any result line. More information loads under the
object line.
b. To access the object properties page in the module where it is managed, click on .

45
 Understanding the GUI

Notifications
SOLIDserver keeps track of all the operations performed during the last week in the dedicated
window Notifications. Whether the operation was successful or not, this window lists the services
run and allows to see and export the final report of the operation.

Figure 4.10. An example of results displayed in the window Notifications

The button Notifications allows to open the window. The number in the red flag above the
icon Notifications indicates the number of error messages in the window.
This button allows to close the window. Once you open it, the window remains open above
the page you are currently on, until you close it.
This button allows to delete a notification. There is no warning before deletion.
The status is either if the operation was successful or if at least one error occurred.
Any other icon indicates that the operation is ongoing.
The operation performed is displayed, it may use the matching service as follows: <opera-
tion>:<object concerned>.
This button allows to resize the notifications window.
The notifications are listed in reverse chronological order.

To display and export notifications, click on the line of your choice.

Figure 4.11. An example of a detailed result in the window Notifications

Once you clicked on a line, the type and full details of the report appear in the window.
These buttons allow to export the final report in either format.
This button allows to go back to the list of notifications.

46
 Understanding the GUI

To open the window Notifications

1. In the top bar, click on Notifications. The window Notifications opens. The latest oper-
ations are displayed as follows: <date><hour:minute> <operation> <status> where operation
contains the executed service as follows: <action>:<resource it was performed on>.
2. To display the report of an operation, click on the notification of your choice.
3. To go back to the list of Notifications, click on BACK .

To export the operation report

1. In the top bar, click on Notifications. The window Notifications opens.
2. Click on the operation of your choice. The report opens.
3. Under the content of the report, click on TEXT , HTML or EXCEL to export the report in the cor-
responding format.

Bookmarks
Bookmarks give quick access to the pages of your choice.

You can access any page that you have bookmarked in a dedicated window.

Figure 4.12. The window Bookmarks

When bookmarks are available, a down arrow is displayed right of the icon . It allows to
display the list of all the available bookmarks.

Note that all the operations described below are performed from the top bar. To manage book-
marks from the page My Bookmarks, refer to the section My Bookmarks.

Adding Bookmarks
You can bookmark any page, except in the module Dashboards. In all other modules, you can
even bookmark pages displaying filtered data.

On pages that cannot be bookmarked the icon is grayed out.

To bookmark a page
1. From any page that can be bookmarked, in the top bar, click on . The wizard Bookmark
this page opens.

47
 Understanding the GUI

2. In the field Name, specify your own bookmark name if need be. By default a bookmark is
named Module: Page.
3. In the field Bookmark Folder, you can specify a name to organize the bookmarks in folders
in the window Bookmarks and on the page My Bookmarks.
The name you specify can add a folder or help you find existing ones, click on SEARCH to
find matching folders and select the one you need.
4. Tick the box Add to the gadget Bookmarks if you want to add the bookmark to the gadget
Bookmarks.
For more details, refer to the section Adding the Gadget Bookmarks in the chapter Managing
Gadgets.
5. Tick the box Share with the other users if you want to make the bookmark visible to any
user. If you leave it unticked, you are the only user who can see it.
6. Click on OK to complete the operation. The report opens and closes. The page is marked
. The bookmark is listed in the window Bookmarks and on the page My Bookmarks.

You can edit bookmarks from the page My Bookmarks. For more details, refer to the section
Editing Bookmarks.

Accessing Bookmarked Pages

You can access bookmarked pages form the window Bookmarks.

To access a bookmarked page from the window Bookmarks

1. From any page that can be bookmarked, in the top bar, click on the arrow next to the icon
. The list of all available bookmarks is displayed.
2. Click on the name of the bookmark of your choice. The corresponding page opens.

You can also access bookmarked pages from the page My Bookmarks. For more details, refer
to the section My Bookmarks.

Deleting Bookmarks
You can delete bookmarks from the bookmarked page.

To delete a bookmark from the bookmarked page

1. From any page that can be bookmarked, in the top bar, click on the arrow next to the icon
. The list of all available bookmarks is displayed.
2. Click on the name of the bookmark of your choice. The corresponding page opens.
3. In the top bar, click on . The wizard Delete opens.
4. Click on OK to complete the operation. The page refreshes. The page is marked .

You can also delete bookmarks from the page My Bookmarks. For more details, refer to the
section My Bookmarks.

My Account
The menu My Account allows to:
• Access the connected user account configuration options via My Settings. For more details,
refer to the section Account Configuration.
• Change the connected user password.

48
 Understanding the GUI

• Access the page My Quick Wizards. For more details, refer to the section Quick Wizards.
• Access the page My Smart Folders. For more details, refer to the chapter Managing Smart
Folders.
• Access the page My Bookmarks. For more details, refer to the section My Bookmarks.
• Access the page My Gadgets, that provides access to the pages Gadgets Library and My
Gadgets. For more details, refer to the chapter Managing Gadgets.
• Close your session via Logout.

Help
This menu allows to:
• Open SOLIDserver Administrator Guide, via Administrator Guide. The PDF file opens in a new
tab of your browser. You can save it on your computer to access it even when you are no
longer connected to the appliance.
• Open the Software License Agreement, via License Agreement.
• Open the license details of the major open source components embedded in SOLIDserver,
via Credits.

Breadcrumb
The breadcrumb is a navigation bar. It is available on all the pages of SOLIDserver except in the
module Dashboards and on most pages of the module Administration. It provides direct and
hierarchical access to the module objects, allows you to filter data displayed on the listing pages
and to access additional pages.

Browsing a Module Hierarchy

The breadcrumb gives access to the objects of a module and allows to view several levels of
hierarchy on a single line. In the image below, the breadcrumb in the IPAM follows the module
hierarchy, from the highest level on the left down to the lowest level on the right, displaying in
order All spaces, All networks, All pools and finally All addresses.

Figure 4.13. The breadcrumb

The icon and name displayed in blue show the page you are currently on, here the page All
networks. The current level and its parent(s) have a dark gray background.
The lower levels are displayed in a light gray area. Here All pools or All addresses. You can
access either directly.

Filtering Data via the Breadcrumb

The breadcrumb allows to filter and browse the content of specific objects in each module.

Once the breadcrumb is filtered at a level:

• The page refreshes and no longer displays the columns dedicated to the parent level.

49
 Understanding the GUI

• The breadcrumb no longer displays All <objects> but <Object>: <object-name>, and everything
right of this filter only concerns the object name. For instance, if you filter the breadcrumb with
a specific DNS server and zone, the breadcrumb provides access to both properties page.

Figure 4.14. Navigational information in the breadcrumb

This display indicates that you are filtering data and browsing the content of the object
mentioned. Here, you are displaying the views, zones and records of the DNS server
ns1.mycompany.com.
With the breadcrumb filtered at server level, clicking on All views opens the page but only
displays the views of the server ns1.mycompany.com.
With the breadcrumb filtered, the object level All <objects> is renamed <Object>. It still
provides access to the page, here DNS zone opens the page All zones but only displays
the zones of the server ns1.mycompany.com as the breadcrumb is filtered at server level.
If it was not, it would list all existing zones regardless of their server.
With the breadcrumb filtered, the object name is a link toward its properties page. Here,
clicking on domain.com opens its properties page.
With the breadcrumb filtered at zone level, clicking on All RRs opens the page but only dis-
plays the records of the zone domain.com.

Accessing Additional Pages

Some pages are not displayed by default in the breadcrumb. If some additional pages are available
for an object, right to its name in the breadcrumb, you will see the chevron icon .

Figure 4.15. Additional pages in the breadcrumb

The chevron icon indicates that additional pages are available. Click on the icon to display
these pages in the breadcrumb.
When the additional pages are displayed in the breadcrumb, you can click on to hide
them.
All additional pages available are displayed to the right of the icon.

Menu
The menu is displayed on almost every listing page. Its content differs on each page and the
options available vary from one user to another depending on the rights they are granted. For
more details regarding rights, refer to the part Rights Management.

50
 Understanding the GUI

Figure 4.16. The menu

Add
This menu is available on all the listing pages when relevant.

It allows to add the objects you manage on the page.

Delete
This menu is available on all the listing pages when relevant.

On some pages, the button Delete is grayed out. You need to select the object that you want
to delete in the list to be able to click on it.

Edit
This menu is available on all the listing pages when relevant.

For example, it allows to synchronize/refresh servers and devices, manage access to the objects
for groups of users or perform specific operations on the objects listed.

On the properties page of the objects, it allows to edit the panels on the page.

On some pages, the menu option Edit is grayed out. You need to select the object that you
want to edit in the list to have access to this menu.

Tools
This menu is available on all the listing pages. It allows to:
• Perform advanced operations on the objects listed.
• Perform Expert operations.

On the properties pages, this menu is available only for some specific advanced operations.

On some pages, the menu Tools is grayed out. You need to select an object in the list to
have access to this menu.

Import
This menu is available on all the listing pages when relevant.

In the IPAM, the DNS and Device Manager it allows to import the objects you manage on the
page as well as the objects they can contain. For instance, you can import IP addresses from
the page All spaces.

Report
This menu is available on the listing pages of all the modules when relevant. It allows to:

51
 Understanding the GUI

• Export the list in a CSV, HTML, XML, EXCEL and PDF file.
• Generate a report specific to the data listed in a HTML or PDF file.

This menu also allows to generate reports from some properties pages.

Alerts, Gadgets & Smart Folders

This menu is accessible from any listing page or properties page of SOLIDserver. It allows you
to add alerts, gadgets and Smart folders.

For more details, refer to the chapters Managing Gadgets, Managing Alerts and Managing Smart
Folders.

Extra Options
Ancienne taille de la page

This menu is accessible from any listing page or properties page of SOLIDserver.

From all pages, it allows to access the page All templates where your can:
• Manage List templates, i.e. customized column layouts of the module. For more details, refer
to the section Managing List Templates.
• Manage Import and Export templates, i.e. specific configurations saved during imports and
exports in the module. For more details, refer to the sections Managing Import Templates and
Managing Export Templates.

From the listing pages, it allows to:

• Display the configuration of the class global applied to the objects listed, via Meta-data. For
more details regarding classes, refer to the chapter Configuring Classes.
• To enable classes, via Classes configuration.
• Configure the advanced properties fields you want to enable or display in the addition/edition
wizard of your IPAM, DNS or DHCP objects, via Wizard customization. For more details, refer
to the chapter Managing Advanced Properties.

Other Buttons
On the right-end side of the menu you can see other buttons.

Figure 4.17. Extra buttons on the right-end side of the menu

List Templates
This button allows to display, edit or add list templates for the current page in a dedicated window.
For more details, refer to the section Managing List Templates.

Switch to IPv4
This toggle buttons is displayed next to on the pages that provide both IPv4 and IPv6 man-
agement in the IPAM, DHCP and NetChange. The gray button indicates the current version dis-
played. If you click on the white button, you display the other version.

52
 Understanding the GUI

Switch to IPv6
This toggle buttons is displayed next to on the pages that provide both IPv4 and IPv6 man-
agement in the IPAM, DHCP and NetChange. The gray button indicates the current version dis-
played. If you click on the white button, you display the other version.

Use IPv6 Labels

This button is displayed when the IPv6 toggle is active. It allows to use IPv6 labels. For more
details, refer to the chapter Managing IPv6 Labels.

Uncompress IPv6 addresses

This button is displayed when the IPv6 toggle is active. It allows to uncompress IPv6 addresses

Show/Hide
In the module IPAM, it allows to show/hide subnet-type networks managed by other networks
under the column Address + prefix.

In the DHCP and the DNS, it allows to show/hide the physical servers managed via smart archi-
tectures under the Name of each smart architecture.

In the module Application, it allows to show/hide the deployed applications and traffic policies
under the Name of each application.

In the module Guardian, it allows to show/hide the deployed policies under the Name of each
policy.

Listing Pages
The listing pages display data as a list to simplify resource management.

The details of all resources are displayed in dedicated columns that you can:
• Expand and reduce columns. You can display a column full content or its reduced version,
as detailed in the section Expanding or Reducing Columns.
• Sort the data displayed on the page. When the name of a column is underlined, it indicates
that you can click on it to sort the data listed, as detailed in the section Sorting Columns.
• Filter data. Use the search engine located under the column name to only display the data
matching your search, as detailed in the section Filtering Columns.

Administrators can:
• Lock and unlock up to four columns in list templates, as detailed in the section Locking or
Unlocking Columns.
• Move and order columns in the list templates, as detailed in the section Moving Columns.
• Add new list templates, as detailed in the section Managing List Templates.

In addition, listing pages:

• Allow to Manage objects. The menu indicates what operations users can perform on the page.
Depending on their rights, some options are not visible. For more details, refer to the part Rights
Management.

53
 Understanding the GUI

• Allow to access the properties page of the objects listed, when relevant. For more details,
refer to the section Properties Pages.
• Provide a contextual menu with some options for the objects listed. For more details, refer to
the section Using the Contextual Menu.
• Provide Multi-statuses on some pages. For more details, refer to the section Understanding
the Column Multi-Status.
• Provide custom IPv6 labels in some modules, that can be displayed above the addresses of
your choice. For more details, refer to the section Displaying IPv6 Labels.

The listing pages all share the same structure.

Figure 4.18. The elements on all the listing pages

Each object can be selected and managed separately. You can tick objects one by one,
or you can tick a set of successive objects using the key SHIFT on your keyboard.
The line of each selected object is highlighted in blue until you deselect it.
All the objects can be selected at once. Above the list, you can tick the box left to the first
column to select all the objects listed, whether the list is filtered or not, it selects all the objects
counted in the result.
It allows to refresh the listing page.
Within the data listed, all the data underlined provides a link. Depending on the page, it
can be a filter to list the content of a container or open the properties page of an object. At
the lowest level of a module hierarchy, it can perform specific operations (assign the object
for instance) or open the edition wizard or properties page of the object.

There is no limit to the number of objects on a page but the more data you display, the more
resources SOLIDserver uses to display them. To define the number of elements per page, refer
to the procedure To configure the user settings.

If there are more lines to be displayed than the number selected in your settings, the listing area
contains sub-pages that allow to navigate within the object database. The GUI provides some
key fields, buttons and areas to navigate within these pages. The following elements only appear
when there are many elements on the same page:

54
 Understanding the GUI

Figure 4.19. The buttons to navigate between sub-pages

The results indicates the total number of objects listed on all pages, if no filter is applied. If
a filter is applied, it indicates the total number of objects matching your search.
The number of pages on which data is listed. The number highlighted in blue displays which
page you are currently on.
These buttons allow you to display, respectively, the next and last page of data.
These buttons allow you to display, respectively, the first and previous pages of data.

Expanding or Reducing Columns

Columns are by default as thin as possible on each listing page, they are reduced to fit as much
information as possible.

You can expand the columns that contain a lot of data and display their content.

Figure 4.20. An example of a reduced column

The button allows to expand the column.

The three dots ... indicate that more data is available and that you can expand the column.

To expand/reduce columns
1. Go to the module and listing page of your choice.
2. If one or more columns contains a lot of data, the icon or is displayed next to its name.
a. Click on to expand the column. The column gets wide enough to fully display all the
data.
b. Click on to reduce the column. The column is reduced back to its default width and
hides part of the data under ... .

55
 Understanding the GUI

Sorting Columns
On all the listing pages, you can sort by ascending or descending order any column that has its
name underlined.

Figure 4.21. The columns name can be used as a sorting tool

The underlined column names indicate that you can sort the data listed in direct/reverse al-
phabetical order.
This arrow indicates that the list is sorted through the column Date in descending order.
The columns name not underlined indicate that you cannot sort the column data.

To sort a column
1. Go to the module and listing page of your choice.
2. Click on any underlined column name. The list is sorted in descending order using the values
in the column. If this is the column that sorts the list by default, it reverses the default order.
3. If you click on the name of the same column again, you change the sorting order.

Keep in mind that sorting a list:

• Follows the natural alphabetical order, with the digits first and then the letters. Sorting is case
sensitive, uppercase is displayed before lowercase.
• Can only be done one column at a time but can be used on a filtered list.
• If a column contains too much data, its name is followed by and you cannot sort it.

Filtering Columns
Almost all the data listed on the GUI pages can be filtered, using one or several columns.

Figure 4.22. The columns filtering tools

This button allows to apply the filter using the data entered in the column search engine.
You can also hit Enter to perform a filtered search.
The search engine allows to specify the data you are looking for in the column. Without it,
you cannot filter the column data, you might only be able to sort.

56
 Understanding the GUI

The funnel icon allows to open the filter constructor.

This button allows to unset all the filters applied on the page.
If a column does not have a search engine, it cannot be filtered.

To filter columns
1. Go to the module and listing page of your choice.
2. In the search engine of any column, specify the values of your choice. You can even include
operators, they are all detailed in the table Filtering operators.
3. Click on the button Refresh or hit Enter. The page refreshes, the list is filtered.
4. You can filter more columns if need be.
To remove a column filter, in its search engine click on . The list refreshes.
To remove all filters, on the right-end side of the menu click on . The list refreshes. If the
page has columns filtered by default, they are removed as well. Default filters are set per
session, they are applied again the next time you connect.

Table 4.1. Filtering operators

Expression Description
string contains string.
~string contains string.
=string strictly equals string.
>string greater than string.
<string less than string.
>=string greater or equal to string.
<=string less than or equal to string.
!=string strictly different from string.
!~string does not contain string.
=# returns empty lines.
!=# OR !~# returns lines containing data.
*string ends with string.
!~*string does not end with string.
string* begins with string.
!~string* does not begin with string.
expression1 expression2 expression1 and expression2 on the same line.
expression1 & expression2 expression1 and expression2 on the same line.
expression1 | expression2 expression1 or expression2 in the same column: the line matching either data
in the column is returned.

You can also filter the list using:

• The Filter constructor of a column. For more details, refer to the section Filtering Using Filter
Constructors.
• The Top occurrences of the most represented values, in columns returning recurring values.
For more details, refer to the section Filtering Using Top Occurrences.
• Time and date operators, in columns displaying times and dates. For more details, refer to the
section Filtering Time & Date Columns.

57
 Understanding the GUI

Filtering Using Filter Constructors

All the columns that can be filtered provide a search engine and a filter constructor where you
can type in or select the values that you want to match or avoid.

Figure 4.23. Filter constructor operators

To filter columns using the filter constructor

1. Go to the module and listing page of your choice.
2. In the search engine of any column, click on . The filter constructor opens.
For columns containing a specific data, like Status, a list of existing values is displayed.
3. Specify the value(s) to look for:
a. In the drop-down list, select a filter constructor, either contains, !~ (doesn't contain), =
(equal to), != (different from), > greater than, < less than, >= greater than or equal to or
<= less than or equal to.
b. In the field on the right, specify the value of your choice.
4. To use several values, click on . A new line appears.
a. Select AND or OR depending on your needs. By default, OR is selected.
b. In the drop-down list, select a filter constructor, either contains, !~ (doesn't contain), =
(equal to), != (different from), > greater than, < less than, >= greater than or equal to or
<= less than or equal to.
c. In the field on the right, specify the value of your choice.
5. Repeat this action for as many filters as needed.
To remove a value, click on at the end of the line.
6. Click on APPLY . Only the data matching your search is displayed in the column.
7. You can filter more columns if need be.
To remove a column filter, in its search engine click on . The list refreshes.
To remove all filters, on the right-end side of the menu click on . The list refreshes. If the
page has columns filtered by default, they are removed as well. Default filters are set per
session, they are applied again the next time you connect.

58
 Understanding the GUI

Filtering Using Top Occurrences

The columns that return recurring values in your database provide a filter constructor containing
Top occurrences.

Figure 4.24. Example of Top occurrences on the page All ports

To filter columns using top occurrences

1. Go to the module and listing page of your choice.
2. In the search engine of any column returning recurring values, click on .The filter constructor
opens.
3. Specify the value(s) to look for:
a. In the drop-down list, select a filter constructor, either contains, !~ (doesn't contain), =
(equal to), != (different from), > greater than, < less than, >= greater than or equal to or
<= less than or equal to.
b. In the field on the right, click on to open the drop-down list Top occurrences.
c. Select the value of your choice. Its name is displayed in the field on the right.
To specify a value instead of a value of the list, click on right of the field.
4. To use several values, click on . A new line appears.
a. Select AND or OR depending on your needs. By default, OR is selected.
b. In the drop-down list, select a filter constructor, either contains, !~ (doesn't contain), =
(equal to), != (different from), > greater than, < less than, >= greater than or equal to or
<= less than or equal to.
c. In the field on the right, specify or select the value of your choice.
5. Repeat this action for as many filters as needed.
To remove a value, click on at the end of the line.
6. Click on APPLY . Only the data matching your search is displayed in the column.
7. You can filter more columns if need be.
To remove a column filter, in its search engine click on . The list refreshes.
To remove all filters, on the right-end side of the menu click on . The list refreshes. If the
page has columns filtered by default, they are removed as well. Default filters are set per
session, they are applied again the next time you connect.

Filtering Time & Date Columns

The columns that return time and date have a dedicated filter constructor that allows to filter
specific dates or whole periods of time, based on UTC time.

59
 Understanding the GUI

Figure 4.25. The dedicated time and date filters

To filter columns using time and date

1. Go to the module and listing page of your choice.
2. In the search engine of any column returning time and date, you can specify the value of
your choice. You can even include date related filtering operators.
3. To filter a column using the filter constructor, click on of any column returning time and
date. The filter constructor opens.
a. In the drop-down list, select a filter constructor, either = equal to, != different from, >=
since or <= before.
b. In the field on the right, specify the value of your choice, it can include any of the date
related filtering operators or top occurrences. For more details, refer to the section Fil-
tering Using Top Occurrences.
4. To use several values, click on . A new line appears.
a. Select AND or OR depending on your needs. By default, OR is selected.
b. In the drop-down list, select a filter constructor, either = equal to, != different from, >=
since or <= before.
c. In the field on the right, specify or select the value of your choice.
5. Repeat this action for as many filters as needed.
To remove a value, click on at the end of the line.
6. Click on APPLY . Only the data matching your search is displayed in the column.
7. You can filter more columns if need be.
To remove a column filter, in its search engine click on . The list refreshes.
To remove all filters, on the right-end side of the menu click on . The list refreshes. If the
page has columns filtered by default, they are removed as well. Default filters are set per
session, they are applied again the next time you connect.

Table 4.2. Date related filtering operators

Expression Description
date The date of your choice, using only digits or the month in full letters, as follows: dd/mm/yyyy,
mm/dd/yyyy, dd <month> yyyy or <month> dd yyyy. The order of the day and month must
match the Date format of the user session, for more details refer to the section Configuring
the User Display Settings.
today The results only include data matching the date of the search.
now The results only include data matching the time and date of the search.
yesterday The results only include data matching the day before the date of the search.

60
 Understanding the GUI

Expression Description
last The results only include all the data matching the day, week, month or year prior to date
of the search.
n period ago The results only include data matching the number n of day, week, month, year prior to
date of the search.
day Used with the keyword ago following the format <n period ago>, day or
days allows to filter data based on a specific number of days prior to the
date of the search.
week Used with the keyword ago following the format <n period ago>, week or
weeks allows to filter data based on a specific number of weeks prior to
the date of the search.
month Used with the keyword ago following the format <n period ago>, month
or months allows to filter data based on a specific number of months prior
to the date of the search.
year Used with the keyword ago following the format <n period ago>, year or
years allows to filter data based on a specific number of years prior to
the date of the search.
day of the week Any day of the week can provide a filter like last <day-of-the-week> or n
<day-of-the-week> ago. The column search engine is not case sensitive.

Locking or Unlocking Columns

You can lock columns on pages where you can manage the columns display.

Locking columns allows to always display them on the left-end side and right-end side of the
page.

Once you locked column(s), you can scroll the page horizontally to display, sort and filter the
unlocked columns.

Figure 4.26. Locked and unlocked columns in the window List Templates

Note that:
• You can only lock and unlock columns from the window List templates.
• By default, the first column displayed on the page is locked.
• You can only lock displayed columns. They are preceded by .

61
 Understanding the GUI

• You can lock up to four columns on each side of the page, two on the left-end side and two on
the right-end side.
In the window List templates, they correspond to the first two and last two columns in the list
of displayed columns.
• Lockable columns are marked . Once the first or last column in the list is locked, the column
next to it can be locked.
• Locked columns are marked . Once the two first or two last columns in the list are locked,
you cannot move any columns between them.
• You cannot unlock the first or last column if the column next to it is locked, once it is unlocked
the first or last column can be unlocked as well.

To lock/unlock a column
Only users of the group admin can perform this operation.
1. Go to the listing page of your choice.
2. On the right-end side of the menu, click on List Templates. The window opens.
3. In the drop-down list Displayed list template, select the template of your choice. The page
refreshes and only displays the relevant columns.
4. To lock a column, next to its name, click on . The column is marked . The column next
to it may now be lockable.
You can lock the two first and two last displayed columns.
5. To unlock a column, next to its name, click on . The column is marked .
To unlock the first and last columns, make sure to unlock the columns next to them first.
6. Click on SAVE . The page refreshes. The column is locked or unlocked.

Moving Columns
From the List templates, users of the group admin can move columns. Note that administrators:
• Can only move columns from the window List templates.
• Can only move displayed columns. They are preceded by .
• Cannot move locked columns. Only unlocked columns can be moved.
• Cannot move a column between two locked columns.

To edit a list template from a dedicated wizard, refer to the section Editing List Templates.

To move a column
Only users of the group admin can perform this operation.
1. Go to the listing page of your choice.
2. On the right-end side of the menu, click on List Templates. The window opens.
3. In the drop-down list Displayed list template, select the template of your choice. The page
refreshes and only displays the relevant columns.
4. Make sure the column you want to move is ticked, otherwise click on it.
5. Next to the column name, click on and drag it. A line indicates the column new location.
6. Drop the column in the location of your choice in the list template.
7. Click on SAVE . The page refreshes. The column moved to its new location. The Displayed
list template is edited accordingly.

62
 Understanding the GUI

Managing List Templates

Throughout SOLIDserver you can add your own list templates, customized column layouts that
display, hide and/or order the columns of your choice on listing pages. Keep in mind that:
List templates are not available on all pages
• Only the pages providing the menu List templates can be configured with customized
column layouts.
In the module Administration, only the pages Centralized Management, All licenses, Users
and Groups provide it.
• On pages not providing the menu, all columns are displayed and their layout cannot be
edited.
The menu is not available on the pages Analytics in the modules DHCP and DNS, All
configurations in NetChange and All policies in Guardian.
Some users can manage list template, anyone can display them
• Only users of the group admin can add, edit and delete list templates.
All list template changes are visible to all users.
• Any user can display the list template of their choice on a page. It only changes the page
layout for their session.
On pages providing list templates
• Adding a list template does not display it. The new template must be selected in the menu
List templates.
• Editing a Displayed list template automatically updates the columns display for all users.
• A default list template is available. It cannot be renamed or deleted.
The columns of this template can be edited, but we recommend adding new templates in-
stead. Editing this list template overwrites the initial page layout and prevents from displaying
it again.
• Any list template can include class parameter dedicated columns, they are all named Class
param: *. For more details on classes, refer to the section Configuring Classes.
• Some pages provide an Automatic template that allows to change the column layout based
on class(es) applied to a parent object. For more details, refer to the section Adding An
Automatic List Template.

Browsing List Templates

From the page All templates, administrators can manage list templates.

The page is accessible from all modules, it provides columns that can be sorted and filtered but
their layout cannot be edited.

Table 4.3. Columns on the page All templates

Column Description
Name The name of the template, it must be unique to each Object. By default, all the pages
where you can customize the layout provide a List template named default.
Type The template type, either List for column layouts, Import for CSV import configurations or
Export for export configurations. For more details, refer to the sections Managing Import
Templates and Managing Export Templates.
Object The object associated with the template. The list of objects is unique to each module.

63
 Understanding the GUI

To display the list of list templates

Only users of the group admin can perform this operation.
1. Go to the listing page of your choice.
2. In the menu, select Extra options > Templates Management. The page All templates
opens. It only contains the templates of the module.
Ancienne taille de la page

3. In the column Type, you can type in List to only display list templates.

Displaying List Templates

Any user can display an existing list template to change the column layout of a listing page.

To display a list template

1. Go to a listing page that has at least one custom list template.
2. On the right-end side of the menu, click on List Templates. The window opens.
For users of the group admin, it lists all available columns.The columns of the current template
are ticked.
3. In the drop-down list Displayed list template, select the template of your choice. The page
refreshes and only displays the relevant columns.

To display an automatic list template

1. Go to a listing page that has at least one automatic list template.
2. On the right-end side of the menu, click on List Templates. The window opens.
For users of the group admin, it lists all available columns.The columns of the current template
are ticked.
3. In the drop-down list Displayed list template, select Automatic template.The page refreshes.
4. In the relevant column, click on the name of a parent object configured with one of the classes
selected in the template. The page refreshes, it displays the content of the selected object
and only the columns configured in the template.
Note that if an administrator has configured several templates with the same class, the
column layout of the most recent automatic list template is displayed.

Adding List Templates

Users of the group admin can add list templates to display the columns of their choice on the
listing pages that support them.

Before adding list templates, note that:

• There are two kinds of list templates:
• Standard list templates that only focus on the columns themselves.
• Automatic list templates that automatically change the column layout based on the class
applied to a parent object.
• All list templates can be added from listing pages or the page All templates.
• The page All templates contains all the templates of a module. For each module, the page
content varies.
• Each List template is added for an Object. All the templates of an object must have a unique
name.
• All new templates are immediately available to all users.

64
 Understanding the GUI

• New templates are not automatically displayed, they must be selected as the Displayed list
template.

Adding a List Template

Administrators can add list templates. They are available to all users.

In the following procedure, we add a list template from the page All templates but they can also
be added from listing pages.

To add a list template from the page All templates

Only users of the group admin can perform this operation.
1. Go to the listing page of your choice.
2. In the menu, select Extra options > Templates Management. The page All templates
opens. It only contains the templates of the module.
Ancienne taille de la page

3. In the menu, click on . The wizard Add a new list template opens.
4. In the field Name, specify the template name. It must be unique to the Object.
5. In the drop-down list Object, select the resource of your choice. The list is unique to each
module, it matches the listing pages where you can customize the column layout.
Note that you cannot add list templates for the pages Analytics (DHCP and DNS), All config-
urations (NetChange) and All policies (Guardian).
6. Click on NEXT . The page <Objects> lists configuration opens.
7. Configure the list template using the lists Hidden columns and Displayed columns, they
contain the columns of the default list template of the page:
• To add a column to the template, select it in the list Hidden columns and click on . The
column is moved to the Displayed columns.
• To remove a column from the template, select it in the list Displayed columns and click
on . The column is moved to the Hidden columns.
• To set the order of the columns, select them one by one in the list Displayed columns
and click on or .
If you are adding a template at the highest level of a module, go to the step 10.
8. Click on NEXT . The last page opens.
9. In the drop-down list Parent level, None is selected.
If you want to take into account classes applied to a parent object, refer to the section Adding
An Automatic List Template.
10. Click on OK to complete the operation. The report opens and closes. The new template is
listed.
11. To display the template, go to the relevant listing page and in the menu select List
templates > Displayed list template > <your new template>.

Adding An Automatic List Template

Administrators can add automatic list templates. These templates take into account one or sev-
eral classes applied at higher level, on a parent object, and are available to all users.

Adding an automatic list template provides two templates to display in the drop-down list Displayed
list template:

65
 Understanding the GUI

1. The option Automatic template, that allows to automatically change the column layout if and
when you display the content of an object configured with one of the classes included in the
list template.
2. The template itself, a customized column layout you can display no matter the class applied
to a parent object.

Note that:
• Automatic list templates cannot be added at the highest of any module. They rely on classes
applied on a parent object.
• The option Automatic template does not change the column layout on a page if the list is not
filtered to display the content of a parent object configured with a class included in a list template.
• If one class is included in several list templates on a page, the option Automatic template dis-
plays the most recent template.

In the following procedure, we add an automatic list template from a listing page, but they can
also be added from the page All templates.

To add an automatic list template from a listing page

Only users of the group admin can perform this operation.
1. Go to the listing page of your choice. It cannot be a top level page, you can only add auto-
matic list templates for objects that have a container.
2. In the menu, click on List templates. The window opens.
3. Click on MORE OPTIONS . The wizard opens.
4. In the drop-down list Action, select New template.
5. Click on NEXT . The page Add a new list template opens.
6. In the field Name, specify the template name. It must be unique to the Object.
7. Click on NEXT . The page <Objects> lists configuration opens.
8. Configure the list template using the lists Hidden columns and Displayed columns, they
contain the columns of the default list template of the page:
• To add a column to the template, select it in the list Hidden columns and click on . The
column is moved to the Displayed columns.
• To remove a column from the template, select it in the list Displayed columns and click
on . The column is moved to the Hidden columns.
• To set the order of the columns, select them one by one in the list Displayed columns
and click on or .
9. Click on NEXT . The last page opens.
10. Configure the template with the relevant class(es):
a. In the drop-down list Parent level, select the level where the class is applied. The lists
Available classes and Selected classes appear.
b. In the list Available classes, select the class of your choice and click on . It is moved
to the list Selected classes.
Repeat this action for as many classes as needed. To remove a class, select it in the
list Selected classes and click on . It is moved back to the list Available classes.
11. Click on OK to complete the operation. The report opens and closes.
12. To display the template and automatically edit the column layout based on the class applied
to a parent object:
a. In the menu, select List templates > Displayed list template > Automatic template.

66
 Understanding the GUI

b. In the relevant column, click on the name of a parent object configured with one of the
classes selected in the template. The page refreshes.
The page only displays the selected object content, and only the columns configured
in the template.
13. To only display the template and ignore the class applied to a parent object, in the menu
select List templates > Displayed list template > <your new template>. The page re-
freshes.

Editing List Templates

Users of the group admin can edit list templates. Note that:
• Any template can be edited, even if it is currently displayed. This operation immediately affects
all users.
• Moving the columns of a page also edits the Displayed list template. For more details, refer to
the section Moving Columns.
• To rename a template, you must edit it from the page All templates. For more details, refer to
the section Renaming List Templates.

In the following procedure, we edit a list template from a listing page, but they can also be edited
from the page All templates.

To edit a list template from a listing page

Only users of the group admin can perform this operation.
1. Go to the listing page of your choice.
2. In the menu, click on List templates. The window opens.
3. Click on MORE OPTIONS . The wizard opens.
4. In the drop-down list Action, select Edit: <template-name>.
5. Click on NEXT . The page <Objects> lists configuration opens.
6. Edit the content of the lists Hidden columns and Displayed columns according to your
needs.
If you are editing a template at the highest level of the module, go to the step 9.
7. Click on NEXT . The last page opens.
8. In the drop-down list Parent level, select the value of your choice. For more details, refer to
the section Adding An Automatic List Template.
9. Click on OK to complete the operation. The report opens and closes.
10. If the template you edited is not currently displayed, you can display it via the menu List
templates > Displayed list template > <your new template>. The page refreshes.

Renaming List Templates

Users of the group admin can rename list templates. Note that:
• List templates can only be renamed from the page All templates. This operation immediately
affects all users.
• The default list templates cannot be renamed.
• Each List template name must be unique to an Object. It is impossible to specify a name already
used.
• If the list template currently displayed on a page is renamed, the default template is automatically
displayed again. The renamed template must be selected again as the Displayed list template.

67
 Understanding the GUI

To rename a list template

Only users of the group admin can perform this operation.
1. Go to the listing page of your choice.
2. In the menu, select Extra options > Templates Management. The page All templates
opens. It only contains the templates of the module.
Ancienne taille de la page

3. In the column Type, type in List to only display list templates.

4. Right-click over the line of the template of your choice. The contextual menu opens.
5. Click on Edit. The wizard opens.
6. In the field Name, change the template name. You cannot specify a name already used for
this Object.
7. Click on NEXT until you get to the last page of the wizard.
To change the template content, refer to the section Editing List Templates.
8. Click on OK to complete the operation. The report opens and closes. The new name is listed.

Deleting List Templates

Users of the group admin can delete list templates. Note that:
• List templates can only be deleted from the page All templates. This operation immediately
affects all users.
• The default list templates cannot be deleted.
• If the list template currently displayed on a page is deleted, the default template is automatically
displayed again.

To delete a list template

Only users of the group admin can perform this operation.
1. Go to the listing page of your choice.
2. In the menu, select Extra options > Templates Management. The page All templates
opens. It only contains the templates of the module.
Ancienne taille de la page

3. In the column Type, type in List to only display list templates.

4. Tick the template(s) of your choice.
5. In the menu, click on . The wizard Delete opens.
6. Click on OK to complete the operation. The report opens and closes. The template is no
longer listed.

Displaying the Contextual Menu

On every listing page, SOLIDserver provides a right-click contextual menu for each object listed.
It provides a few shortcuts and some minimal options also available on the properties page of
the object. The content of the menu differs on every page and column.

68
 Understanding the GUI

Figure 4.27. The full contextual menu

At most the menu offers 5 buttons:

• Properties is a shortcut to the properties page of the object.
• Edit is a shortcut to open the object's edition wizard. It opens the same wizard as the button
EDIT of the panel Main properties on the properties page.
• Chart displays a statistics chart: this chart is also available on the properties page of the
object.
• Information displays a table containing the basic information of the object. This information
is also displayed in the panel Main properties on its properties page.
• Filter allows to filter the list using the value you right-clicked on.

For more details regarding the options available on the properties page, refer to the section
Properties Pages.

Understanding the Column Multi-status

The column Multi-status returns messages if the current configuration of an object is worth
mentioning or very specific. When the column returns information, a colored square containing
a number appears on the line of the object.

The messages returned by this column do no always reflect configuration errors for the object.
For instance, in the DNS, the Multi-status message 61006: Server type incompatible with Hybrid
indicates that the server in question cannot be switched to Hybrid DNS, it is probably managing
authoritative and recursive zones; it does not mean that the server is not running properly or is
misconfigured.

The column is displayed by default on some pages of the modules DNS and DHCP. You can
display it on the other pages. For more details, refer to the section Managing List Templates.

Figure 4.28. Example of Multi-status messages on the page All zones

69
 Understanding the GUI

The column Multi-status returns colored squares containing messages. The color indicates
the severity of the message. In each square, a number indicates how many messages match
the severity. In this example, the gray square indicates that there is 1 informational message
returned for the smart architecture and its content.
Hovering over a square opens the window containing the message(s) of the object. In this
example, a zone returns the Multi-status 61004.

The column provides messages divided into 6 levels of severity. Each one provides useful status
and state information regarding the object or the configuration within the module.

Table 4.4. Multi-Status severity levels

Severity Color Description
Emergency Red The object configuration prevents the system from running properly. Action is required.
Critical Orange The object configuration is in critical conditions. Immediate action is recommended.
Error Yellow The object configuration failed at some level. Action is recommended.
Warning Blue The object configuration triggers error messages if no action is taken. Action to be
taken at your discretion.
Notice Light blue The object configuration is normal but undergoing events that might trigger errors.
No immediate action is required.
Informational Gray The object configuration is normal, operational messages (might inform you about
potential incompatibilities with other modules, etc). No action is required.

Each message and level of severity is specific to each object. The number of the messages are
distributes among the modules: all DHCP messages start with 60000, all DNS messages with
61000... For more details, refer to the appendix Multi-Status Messages.

Displaying IPv6 Labels

IPv6 Labels allow to customize the display of IPv6 addresses managed on a set of pages of the
modules IPAM, DHCP, NetChange and Application.

They are displayed above start addresses to highlight IPv6 containers. For more details, refer to
the chapter Managing IPv6 Labels.

Figure 4.29. Example of IPv6 labels used to highlight a geographical distribution in the IPAM

70
 Understanding the GUI

Properties Pages
The properties pages gather all the information regarding an object. Note that:
• The properties page is accessible from a listing page. Some objects do not provide a properties
page because all their details are already displayed in the columns.
• The properties page allows to edit or configure further an object. Some options are only available
on the properties page.
• It distributes all the information among panels. All objects provide the panel Main properties,
it contains the most general information. All the extra panels contain more specific data, objects
of a common module or level in the hierarchy share panels. All the panels that can be edited
contain the button EDIT.
• Some objects do not have a properties page, if they are managed from a listing page that
already gathers all the information available.

Figure 4.30. An example of properties page

In the menu, Edit presents the editable panels in one list.

The name of the object displayed. Here, we are displaying the properties of the zone do-
main.com.
All underlined names on properties pages are links toward a listing page or the properties
page of the object specified. Here, it redirects to the page Resources of the group admin.
A closed panel, only the panel name is visible. You can open it via the button .
The button Expand/Collapse All allows to open or close at once all the panels of the
page.
The button EDIT is present at the bottom of each and every open panel that you can edit. It
opens the relevant edition wizard.
An open panel. It details an object configuration in dedicated field(s). Here, it indicates that
the Notify configuration of the zone is inherited from the server, and that the Also-Notify is
not set.

71
 Understanding the GUI

Some panels are specific to the object, others are available across the modules:
• Main properties: provides an overview of the main information regarding the object.
• Advanced properties: displays the advanced properties configuration of the object and the
level the property was inherited from.
This panel is available in the modules IPAM, DHCP and DNS for the resources that can be
configured with advanced properties, for more details refer to the chapter Managing Advanced
Properties.
• Audit: logs all the changes carried out on the object by the connected user over time.
This panel is available on all properties pages of the modules IPAM, DHCP and DNS; except
for DHCP servers, groups, scopes, leases and DNS views and RRs.
If the user belongs to a group with access to the modifications of all users, it displays all the
operations ever performed on the object. For more details, refer to the section Allowing Users
to Display All the Operations Performed.
• Groups access: displays all the groups that have the object as resource. Under each group
name are listed the rights granted over the resource and its content.
This panel is available in the modules IPAM, DHCP and DNS on all properties page, except
at the lowest level of each module hierarchy and on the properties page of DHCP groups and
ranges.
In the module NetChange, it is only available on the properties page of network devices.
In the module Administration, it is available on the properties page of users, except ipmadmin.
Only the name of the group is displayed but not the rights granted to the group. For more details,
refer to the part Rights Management.

Wizards
Within SOLIDserver every operation - an object addition, edition, configuration, deletion - is per-
formed via a wizard. All the modules share a common wizard structure, the fields and/or buttons
that it contains depend on each operation. The title of the wizard specifies the ongoing operation.

In addition to the wizards, SOLIDserver uses pop-up windows: when there are configuration errors
or when you select too many or not enough objects from a list before performing operations via
the menu. However, some pages, like the Administration pages Groups and Class Studio or the
IPAM page All addresses, use pop-up windows. Therefore, to use SOLIDserver to the best of
its potential, make sure your Internet browser is not configured to block pop-up windows.

All the wizards share a common structure detailed in the sections below.

72
 Understanding the GUI

Common Structure of the Wizards

Figure 4.31. The common structure of the wizards

The gray areas are informational sections. The top of the wizard page is a location reminder
providing the object basic information and a container/class when relevant.The other sections
are read-only sections, they can be Comment areas or informational messages guiding you
during the configuration.
The wizard drag bar contains the title, a pushpin to save the wizard and a cross to
close the wizard without saving any changes. For more details on how to save a wizard,
refer to the section Quick Wizards.
The input fields are the most commonly used. Their border changes color in case of miscon-
figuration.
The button Set, Propagate allows to configure the inheritance or propagation properties of
the specified value in a dedicated layer. For more details, refer to the chapter Inheritance
and Propagation.
The fields name and border turn red in case of syntax error or misconfiguration, you cannot
save the configuration until the information is correct. Right of the field, the exclamation
mark may detail what must be changed.
The star icon indicates that a field is required. If you leave the field blank, you cannot save
your configuration, unless it has a default value.
The down arrow indicates a drop-down list, it provides several values to choose from.
The navigation buttons of the wizard, PREVIOUS , NEXT , OK and CANCEL .
The button OK indicates that you are on the last page of the wizard. Clicking on it saves and
applies your configuration.
The button CLOSE closes the wizard without saving the configuration or changes applied.
The box is present on many wizards. Ticking it usually reloads the wizard and allows to set
specific parameters in extra fields.

73
 Understanding the GUI

For more specific configurations, the wizards embed extra information icons. These icons open
a window containing more detailed information to help with a thorough configuration of the object.

Figure 4.32. An example of help information buttons in the wizards

The question mark icon indicates extra details regarding a field. Hover over it to open the
field configuration help.

74
 Understanding the GUI

Messages in the Wizards

A number of wizards include warning and information messages that you should take into account
before saving your changes or configuration.

For instance, all the object deletion wizards contain a warning message to make you confirm the
deletion or to provide extra information regarding the consequences of the deletion.

Figure 4.33. An example of messages in the wizards

Warning messages are displayed in orange. Some specific required values that cannot be
directly verified by the wizard are introduced by warning messages.
Information messages are displayed in blue.

75
 Understanding the GUI

Configuration Lists in the Wizards

A number of wizards provide configurations lists to manage data. They contain two lists that
gather all available data and allow you to choose values from a list or set up your own list. They
usually go in pairs: Available/Selected or Hidden/Displayed.

Figure 4.34. An example of configuration lists in a wizard

This list displays all the available columns that are not yet configured in the list template. In
this example, the columns that could be displayed on the page All scopes.
Once you have selected a value in the list Hidden column, click on to move it to the list
Displayed columns and include them into the list template.
These buttons allow to order the list entries. Select them one at a time and move them up
or down until the order suits your needs.
This list displays all the columns that are part of the list template.
You can remove any column from the list template. Select them one at a time in the list
Displayed columns and click on to move them to the list Hidden columns.

76
 Understanding the GUI

The module Administration provides a set of wizards where you can set up and edit multiple
entries in a single list.

Figure 4.35. An example of data edition in a wizard providing entries management in one list

Once you have selected an entry in the list at the bottom of the wizard page, in this example
IP addresses list, its configuration details appear in these fields.You can edit any white field.
Click on UPDATE to save your modifications and overwrite the former configuration and follow
the wizard to commit your changes.
Click on DELETE to delete the selected configuration entry and follow the wizard to commit
your changes.
Click on CANCEL to discard any modifications made in the fields and to select another entry
in the configuration list or to add a whole new set of data.
The list of existing configurations. The blue color indicates the selected line. During the
modification, it turns gray.

77
 Understanding the GUI

Autocompletion Fields in the Wizards

Some fields in the wizards provide an autocompletion option, either manual or automatic.

Figure 4.36. An example of manual autocompletion in the wizards

The button SEARCH provides manual completion, it allows to query the DNS resolver of the
appliance. In this example, you can specify a hostname and click on the button to retrieve
the matching Management IP address.

78
 Understanding the GUI

Figure 4.37. An example of automatic autocompletion in the wizards

There is no indicator of the autocompletion fields. Specifying a value automatically returns

matching data in a list. If only one value matches your search, it is displayed in the field. If
several entries match your search, a list appears under the field.

My Bookmarks
From the page My Bookmarks, you can access the pages you saved and manage bookmarks.
You can edit, share and delete them.

If you want to add bookmarks, refer to the section Bookmarks.

Browsing the Bookmarks Database

In the module Administration, the page My Bookmarks allows to manage all your bookmarks.

To display the list of bookmarks

1. From any page, in the top bar, select My account > My Bookmarks. The page My
Bookmarks opens.
2. Using the columns, you can filter and sort the list. Bookmarks do not have a properties page,
the columns gather all the information.

79
 Understanding the GUI

Figure 4.38. The page My Bookmarks

The column Name displays the bookmark name. It allows to edit the bookmarks. For more
details, refer to the section Editing Bookmarks.
The column All users indicates if you share the bookmark visibility with other users (Yes)
or not (No).
The column Bookmark Folder indicates if the bookmark belongs to a folder. / means the
bookmark is not in any folder.
The column Path contains the link Access, toward the bookmarked page.

Accessing Bookmarked Pages

From the page My Bookmarks, you can access all bookmarked pages.

To access a bookmarked page from the page My Bookmarks

1. From any page, in the top bar, select My account > My Bookmarks. The page My
Bookmarks opens.
2. In the column Path of the bookmark of your choice, click on Access. The corresponding
page opens.

Editing Bookmarks
From the page My Bookmarks, you can edit your bookmarks. During the edition, you can rename
them, include or exclude them from a folder, attach them to the gadget Bookmarks and/or share
or unshare them.

To edit a bookmark
1. From any page, in the top bar, select My account > My Bookmarks. The page My
Bookmarks opens.
2. Click on the name of the bookmark of your choice. The wizard Edit Bookmarks opens.
3. Edit the Name according to your needs.
4. Edit or remove the Bookmark Folder to organize the bookmark according to your needs.
Note that you can SEARCH for existing names.
5. Tick or untick the box Add to the gadget Bookmarks according to your needs. Ticking the
box adds the bookmark to the gadget Bookmarks. For more details, refer to the section
Adding the Gadget Bookmarks in the chapter Managing Gadgets.
6. Tick or untick the box Share with the other users according to your needs. If the box is
ticked, the bookmark is visible to any user. If you leave it unticked, you are the only user
who can see it.

80
 Understanding the GUI

7. Click on OK to complete the operation. The report opens and closes. The content of the
columns matches your modifications.

Sharing or Unsharing Bookmarks

From the page My Bookmarks you can change the visibility settings of one or several bookmarks
at once. You can share them or make them visible only to you.

To share/unshare bookmarks
1. From any page, in the top bar, select My account > My Bookmarks. The page My
Bookmarks opens.
2. Tick the bookmark(s) of your choice.
3. In the menu, select Edit > Visible to all users > Yes or No. The wizard Bookmark
Visibility opens.
4. Click on OK to complete the operation. The report opens and closes. The bookmark is marked
Yes or No in the column All users.

Deleting Bookmarks
From the page My Bookmarks, you can delete one or more bookmarks at once.

To delete bookmarks from the page My Bookmarks

1. From any page, in the top bar, select My account > My Bookmarks. The page My
Bookmarks opens.
2. Tick the bookmark(s) of your choice.
3. In the menu, click on Delete. The wizard Delete opens.
4. Click on OK to complete the operation. The report opens and closes.

Charts
A set of charts are available by default on properties pages and the page System statistics or
even in some gadgets and reports. For more details, refer to the sections Properties Pages,
Monitoring the Appliance Statistics, Managing Gadgets and Managing Reports.

There are two types of charts:

1. Time-based charts: they take the form of line or stacked-line charts. On time-based charts,
you can display the data of your choice, zoom in or select a specific period to display. All these
functionalities are detailed below.
Note that, on the DNS page Analytics, all Guardian analytics offer a specific time-based chart
to narrow down the data to return. For more details, refer to the section Monitoring Guardian
Analytics in the chapter Managing Guardian Statistics.
2. Instant charts: they take the form of pie and bar charts. On instant charts, you can display
the data of your choice but you cannot zoom in or select any period.
Note that you can add instant charts from most listing pages, for more details refer to the
section Adding a Chart Gadget in the chapter Managing Gadgets.

All charts share a common structure and set of options. The illustration below contains a time-
based chart, therefore all time related options are not available on instant charts.

81
 Understanding the GUI

Figure 4.39. Overview of a time-based chart

The start and end dates of the data displayed on time-based charts. It matches the period
selected in the timeline and affects the scale of the x-axis. By default, it displays the last 3
hours.
The display options. They allow to open the chart in a pop-up window with the button , to
refresh the data with . On time-based charts, you can select a period with that opens
a drop-down list to display the Current hour, Last 3 hours, Day, Week, Month or Year, and
the button to select a specific date.
The data retrieved is represented in a chart, where the y-axis indicates the unit, axis scale
and unit prefix and the x-axis indicates the data displayed or period. On time-based charts,
the y-axis depend on the period selected and maximum value displayed. Following the
standard ISO 80000-1, all the y-axis units can have no prefix or any SI prefix such as: m
(milli), k (kilo) or M (mega).
The timeline, the overall period of data available, of any time-based chart. The period dis-
played is highlighted in gray. By default, it displays a maximum of 365 days, to change it
refer to the section Editing the Number of Days Available on the Timeline.
The legend of the chart. Each set of data has a name and a dedicated color. You can click
on any entry to hide or display the data in the chart.

All charts can be used as gadgets. For more details, refer to the section Assigning Gadgets in
the chapter Managing Gadgets.

Note that the options in the sections below are only available for time-based charts.

Setting the Period to Display

The period selected in the timeline can be extended, reduced or moved.

If you hover over the edge of the gray area, the mouse pointer turns into a two-sided arrow that
you can move left or right according to your needs.

82
 Understanding the GUI

Figure 4.40. Extending or reducing the period selected on the timeline

This period, represented by a gray area can also be dragged to select a different period.

If you hover over the gray area, the mouse pointer turns into a four-sided arrow.

Figure 4.41. Sliding along the timeline

In addition, you can click and drag on the timeline to select a period directly.

Figure 4.42. Zooming in using the timeline of a chart

Within the timeline, with a left-click of the mouse over a white area, you can select the period
that suits your needs. The pointer changes from an arrow to a cross.
Once you release the mouse, the data displayed in the chart, x-axis points of reference and
y-axis scale adjust accordingly.

Displaying Some Data and Zooming in

You can zoom in and out directly on the chart. The period selected when you zoom automatically
updates the x-axis of the chart and the period selected in the timeline.

83
 Understanding the GUI

Figure 4.43. Zooming in on specific data

When you hover over the chart, the arrow pointer turns into a four-sided arrow and the
background turns blue to indicate that you can interact with the data. You can display the
data date and time above the chart and the value at that time is displayed in the legend of
the chart.
A black vertical line indicates where you are on the chart, each measurements focus is
symbolized by a circle in the color of the element displayed. Using the scroll wheel on the
mouse, you can zoom in and out.
You can click on the elements of the chart legend to display or hide them from the chart.
When you are browsing the chart, the value of each measurement on the line is indicated
above each element of the legend.

Editing the Number of Days Available in the Timeline

The timeline of every time-based chart, including the filtering chart of Guardian analytics, indicates
the overall period displayed. At first you only have hours and then days, weeks, months and finally
a year.

By default, the period of data displayed in the timeline of all charts is one year, 365 days. This
period is set in a dedicated registry database entry.

If you change the default period, all time-based charts refresh and display only the data retrieved
over the period, number of days, that you set.

To edit the registry key that sets the number of days displayed in the timeline
Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Registry database. The page Registry database opens.
3. Filter the column Name with module.graph.default.period.
4. Hit Enter. Only this key is listed.
5. In the column Value, click on the value listed. The wizard Registry database Edit a value
opens.

84
 Understanding the GUI

6. In the field Value, specify the value of your choice, in days. The default value is 365.
7. Click on OK to complete the operation. The report opens and closes. The page refreshes
and the new value is displayed.

Quick Wizards
The quick wizard are shortcuts in essence that allow to save any wizard at any point of its config-
uration. The wizard's page and all the data filled or selected is saved within the quick wizard and
accessible at any time.

The quick wizards are saved and managed on a dedicated page but you can set shortcuts toward
each of them in a gadget or in a dedicated menu.

Browsing Quick Wizards

All quick wizards are saved and listed on the page My Quick Wizards, in the module Administration.

Figure 4.44. The page My Quick Wizards

The column Name displays the quick wizard name. It allows to edit the quick wizards. For
more details, refer to the section Editing Quick Wizards.
The column All users indicates if the quick wizard is shared with other users (yes) or not
(no).
The column Description displays the description you might have set during the quick wizard
addition or edition.
The menu Quick access. It appears if at least one quick wizard was assigned to the
Quick access menu.
The column Dashboard indicates on which dashboard the Quick wizard gadget is displayed.
It is empty if you only saved it in the Quick access menu. You cannot filter this column.
The column Access is a link toward the wizard you saved.

The menu Quick access, can contain as many quick wizards as you want. You can access them
from any page as the menu is displayed in the top bar.

85
 Understanding the GUI

Figure 4.45. An example of Quick Access menu

To access the page My Quick Wizards

1. From any page, in the top bar, select My account > My Quick Wizards. The page My
Quick Wizards opens.
2. The page contains five columns that you can sort and/or filter. Quick wizards do not have a
properties page, all the information is divided among the columns.

Adding Quick Wizards

The pushpin located on the drag bar of all the pages of any wizard allows to add a quick wizard.
Note that:
• When adding a quick wizard, you can only indicate one location for the shortcut, a module
dashboard or the quick access menu. For more details regarding the gadget Quick Wizards,
refer to the section Adding a Quick Wizards Gadget.
You can edit it afterward to specify more locations. For more details, refer to the section Editing
Quick Wizards.
• Once added, a quick wizard is only available to the user who added it. To make it visible to
everyone, you can edit its visibility. For more details, refer to the section Editing Quick Wizards.
• You can access your quick wizards in different ways. For more details, refer to the section
Accessing Quick Wizards.

To add a quick wizard

1. From any wizard page, click on . The page Add a Quick Wizard opens.
2. In the field Name, specify the quick wizard name.
3. In the drop-down list Save in, select either:
• A module to display the gadget Quick wizard on the dashboard of the selected module. It
includes a shortcut toward the quick wizard.
• The menu Quick access to add a shortcut toward the quick wizard in the top bar .
4. In the field Description, you can specify a description.
5. Click on OK to complete the operation. The report opens, the wizard closes and the page
you were on reopens. The quick wizard is listed on the page My Quick Wizards and is also
accessible where you saved it.

Accessing Quick Wizards

There are three ways of accessing the quick wizards:
• Via the page My Quick Wizards.
• Via the gadget Quick Wizards. For more details, refer to the chapter Managing Gadgets.

86
 Understanding the GUI

• Via the menu Quick Access that is visible on every page of the appliance in the top bar.

To access a quick wizard from the page My Quick Wizards

1. From any page, in the top bar, select My account > My Quick Wizards. The page My
Quick Wizards opens.
2. In the column Access, click on Access. The wizard page you saved opens and all the data
you filled before saving the wizard is already entered.

To access a quick wizard from the gadget Quick Wizards

1. Go to the dashboard where you displayed the gadget Quick Wizards.
2. In the gadget, click on the name of the quick wizard of your choice. The wizard page you
saved opens and all the data you filled before saving the wizard is already entered.

To access a quick wizard from the menu Quick Access

1. Go to the listing page of your choice.
2. In the top bar, select Quick Access > <your-quick-wizard>. The wizard page you saved
opens and all the data you filled before saving the wizard is already entered.

Editing Quick Wizards

You can edit your quick wizards: you can rename them, change their description, their access
method and visibility from the page My Quick Wizards.

To edit a quick wizard

1. From any page, in the top bar, select My account > My Quick Wizards. The page My
Quick Wizards opens.
2. Click on the name of the quick wizard you want to edit. The wizard Quick Wizard Edition
opens.
3. If need be, edit the fields Name and Description.
4. In the list Available, select one by one the the locations of your choice.
5. Click on . Your selection is moved to the list Configured.
6. If you want to remove an item from the list Configured, select it and click on . The item is
moved back to the list Available.
7. Tick or untick the box Share with other users according to your needs. Sharing a quick
wizard makes it available for all users.
8. Click on OK to complete the operation. The report opens and closes.

Sharing Quick Wizards

You can share several quick wizards at once from the page My Quick Wizards.

To share several quick wizards at once

1. From any page, in the top bar, select My account > My Quick Wizards. The page My
Quick Wizards opens.
2. Tick the quick wizards you want to share.
3. In the menu, select Edit > Visible to all users > Yes. The wizard Quick wizard visibility
opens.
4. Click on OK to complete the operation. The report opens and closes.

87
 Understanding the GUI

To make several quick wizards visible only to you

1. From any page, in the top bar, select My account > My Quick Wizards. The page My
Quick Wizards opens.
2. Tick the quick wizards you no longer want to share.
3. In the menu, select Edit > Visible to all users > No. The wizard Quick wizard visibility
opens.
4. Click on OK to complete the operation. The report opens and closes.

Deleting Quick Wizards

You can only delete your quick wizards from the page My Quick Wizards.

To delete a quick wizard

1. From any page, in the top bar, select My account > My Quick Wizards. The page My
Quick Wizards opens.
2. Tick the quick wizard(s) of your choice.
3. In the menu, click on Delete. The wizard Delete opens.
4. Click on OK to complete the operation. The report opens and closes. The selected quick
wizards are no longer listed.

Account Configuration
Each user can edit their account once they are connected. In the top bar, the menu My Account
allows to edit their account preferences.

Note that any user can close license related banner messages, displayed above the top bar, for
the remainder of their session.

Configuring the User Display Settings

From the top bar, the connected user can configure their appliance preferences.These preferences
include the interface language, the number of lines displayed on listing pages or the time zone
standard and format.

Note that the superuser, ipmadmin, can change the account preferences from the gadget System
Information.

To configure the user settings

1. From any page, in the top bar, select My account > My Settings. The wizard Configure
User Settings opens.
2. In the field List line count, you can change the number of entries (lines) to display on each
sub-page of listing pages. By default, it is set to 256.
Keep in mind that the more data you display, the more resources SOLIDserver uses to display
them.
3. In the drop-down list List format, you can select 1-1 to alternate row colors every row, or
3-3 to alternate them every three rows. By default, 1-1 is selected.
4. In the drop-down list Display time in, select the time zone standard UTC-GMT or Local
time. By default, Local time is selected, it matches the time zone of your browser.
All your services must be set at the same time to prevent any management problems.

88
 Understanding the GUI

5. In the drop-down list Date format, select mm/dd/yyyy or dd/mm/yyyy. By default, dd/mm/yyyy
is selected
6. In the drop-down list Language, you can set the interface language: English, French,
Spanish, German, Dutch, Chinese or Japanese. By default, English is selected.
7. Click on OK to complete the operation. The report opens and closes.

To configure the user settings from the gadget System Information

Only the superuser ipmadmin can perform this operation.
1. In the sidebar, click on Dashboards. The Main dashboard opens.
2. In the gadget System Information, right of Connected as, click on ipmadmin. The wizard
Configure user settings opens.
3. In the field List line count, you can change the number of entries (lines) to display on each
sub-page of listing pages. By default, it is set to 256.
Keep in mind that the more data you display, the more resources SOLIDserver uses to display
them.
4. In the drop-down list List format, you can select 1-1 to alternate row colors every row, or
3-3 to alternate them every three rows. By default, 1-1 is selected.
5. In the drop-down list Display time in, select the time zone standard UTC-GMT or Local
time. By default, Local time is selected, it matches the time zone of your browser.
All your services must be set at the same time to prevent any management problems.
6. In the drop-down list Date format, select mm/dd/yyyy or dd/mm/yyyy. By default, dd/mm/yyyy
is selected
7. In the drop-down list Language, you can set the interface language: English, French,
Spanish, German, Dutch, Chinese or Japanese. By default, English is selected.
8. Click on OK to complete the operation. The report opens and closes.You can see the display
change on the Administration syslog page for instance.

Changing the Session Password

If you were granted sufficient rights, you can edit your local user password, the password used
to connect to SOLIDserver.

Keep in mind that remote users cannot edit their password. Remote users come from a third
party server or directory - AD, LDAP or RADIUS - and are authenticated via a dedicated rule.
For more details, refer to the chapter Managing Authentication Rules.

To change the password

Only local users can perform this action.
1. From any page, in the top bar, select My account > Change Password. The wizard
Modify User Password opens.
2. In the field Previous password, specify your old password.
3. In the fields New password and Confirmation, specify your new password.
4. Click on OK to complete the operation. The report opens and closes.

89
 Part II. Configuring SOLIDserver
Before managing your network, your administrator needs to configure your appliance.

This part details all the available system configurations needed to set up SOLIDserver from the module
Administration, they are divided as follows:

• Configuring the Time and Date: describes the ways of setting the appliance time and date, a mandatory
configuration to ensure services synchronization and data reliability.
• Configuring the Network: describes the operations to integrate the appliance to your network. From its IP
address and hostname to its DNS resolver, firewall settings, routes and so on.
• Configuring the Services: describes all the services and servers that you can configure and/or manage
from SOLIDserver, like SSH, NTP, HTTP, DNS, DHCP, etc.

Note that the module Administration provides extra pages and features all described in the parts Adminis-
tration and Customization.
Table of Contents
5. Configuring the Time and Date ..................................................................................... 92
Configuring NTP Servers ......................................................................................... 92
Forcing the NTP Update .......................................................................................... 94
Setting the Appliance Time and Date Manually ......................................................... 94
6. Configuring the Network .............................................................................................. 95
Configuring Basic IP Addressing on an Interface ....................................................... 96
Setting the Routing ................................................................................................. 97
Setting the Hostname .............................................................................................. 99
Setting the DNS Resolver ...................................................................................... 100
Setting the Firewall ................................................................................................ 100
Setting up a VLAN Interface ................................................................................... 103
Setting up an Ethernet Port Failover ....................................................................... 105
Configuring a VIP .................................................................................................. 107
Setting up and Managing a VIF .............................................................................. 110
Configuring the Loopback Interface ........................................................................ 112
Configuring a Media Interface ................................................................................ 114
7. Configuring the Services ............................................................................................ 115
Handling Services ................................................................................................. 116
Configuring the SSH Account ................................................................................. 117
Changing the SFTP/SCP/RSYNC User Account Password ...................................... 118
Managing the TFTP Upload Authorizations ............................................................. 118
Configuring the SMTP Relay .................................................................................. 119
Changing the HTTPS Certificate ............................................................................ 120
Configuring Windows Events Collector ................................................................... 121
Configuring DNS Guardian .................................................................................... 121
Configuring GSLB Server ...................................................................................... 122
Configuring the SNMP Server ................................................................................ 123
Downloading a DNS or DHCP Configuration File ..................................................... 125

91
Chapter 5. Configuring the Time and Date
Your appliance must always be set with the proper time and date to prevent any manage-
ment problems. That way, all your services are properly synchronized and all the data you
manage is up-to-date.

There are two ways of configuring the appliance time and date:
1. Via NTP.
We strongly recommend configuring NTP servers on your appliance. You can configure sev-
eral servers and even force an update. For more details, refer to the sections Configuring NTP
Servers and Forcing the NTP Update.
2. Manually.
You can set the date and time yourself as detailed in the section Setting the Appliance Time
and Date Manually.

Note that every user can choose time and date display of their session. For more details, refer
to the section Configuring the User Display Settings.

Configuring NTP Servers

The Network Time Protocol (NTP) ensures clock synchronization on a network.You must configure
NTP servers on your appliance to make sure that its services are set with the proper time and
date, thus ensuring that any transfer, exchange or synchronization of DHCP, DNS, SNMP or
High Availability data is possible. In other words, NTP servers ensure that all the data managed
from SOLIDserver is reliable and up-to-date.

Before configuring the NTP server, keep in mind that:

• You can configure your appliance with public or private NTP servers and each server can have
a specific stratum level.
• You should configure at least 3 reference NTP servers for all the NTP clients on your network.
• The reference NTP servers must be reachable when you start the service.
• All the services must be set at the same time to prevent any management problems.
• You can force an NTP update, for more details refer to the section Forcing the NTP Update.

Note that in the procedure below we configure NTP servers from the module Administration, but
you can also configure them from the Main dashboard, in the gadget SOLIDserver Configuration
Checklist.

To configure NTP servers

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Services configuration. The page Services configuration
opens.
3. Under the menu, in the drop-down list SOLIDserver, make sure the appliance of your choice
is selected.
4. In the column Name, click on NTP server. The wizard NTP servers configuration opens.
5. Specify the NTP server(s):
a. In the field NTP server, specify the IP address or hostname of the server. It can be an
IPv4 or IPv6 address.

92
 Configuring the Time and Date

b. In the field Stratum, you can specify a level between 0 and 15. By default nothing is
specified, the stratum is retrieved from the server. We strongly advise against setting a
stratum if it is not necessary.
c. Click on ADD . The server and stratum are moved to the list NTP servers.
d. Repeat these steps for as many servers as you need.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the
field(s) and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
To order the entries, select them one by one and click on the arrows to move them up
or down .
6. Click on NEXT . The page Edit the NTP configuration opens.
7. Set the restrictions of the NTP server(s).
a. In the drop-down list Type, select IPv4 or IPv6.
b. In the field IP address, specify an IPv4 address, an IPv6 address or default.
c. In the field Mask, you can set the netmask of the IPv4 or IPv6 address you specified in
the field IP address. If you specified default, it is useless to set a mask.
d. In the field IP peer limit, you can specify the maximum number of requests for each
client IP address. The IP address and Mask you set identify the clients. You can set any
value between 0 and 65535 in the field, 0 means that no client can query the NTP
server(s). By default, no peer limit is configured, the field is set to -1.
e. In the field Flags, you can set one or several flags, separated by a space. The field
accepts the flags kod, limited, lowpriotrap, noepeer, nomodify, noquery, noserve, notrap,
notrust, ntpport and version.
f. Click on ADD . The configuration is moved to the Restriction list.
g. Repeat these steps for as many restrictions as you need.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the
field(s) and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .

8. Click on OK to complete the operation.

9. Right now your configuration is pending. In the menu, select Tools > Apply configuration
to save your changes or Tools > Rollback configuration to discard them. The corres-
ponding wizard opens, click on OK to complete the operation. The page refreshes.
Once the configuration is applied, under the line NTP server, the content of the lists NTP
servers and Restriction list is displayed on dedicated lines.

If you need to edit the NTP servers configuration, follow the procedure again and make your
changes. To take into account your changes immediately, you can stop the service NTP and
start it again. For more details, refer to the section Starting or Stopping a Service.

93
 Configuring the Time and Date

Forcing the NTP Update

You might need to force an update of the NTP servers time and date.

Before forcing an NTP update:

• Make sure that at least one NTP server is configured and reachable, otherwise you might
not be able to access your appliance at all.
• Keep in mind that forcing the update restarts all the services that rely on NTP, like the
services DNS, DHCP and SNMP, and logs you out.

To force an NTP update

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Services configuration. The page Services configuration
opens.
3. Under the line NTP server, click on FORCE UPDATE.The wizard Force NTP update opens.
4. Click on OK to complete the operation. The services restart.

Setting the Appliance Time and Date Manually

From the Administration homepage, you can set the time and date of your appliance without re-
lying on NTP.

We recommend configuring NTP servers on your appliance to make sure that the time and date
are regularly checked and updated, for more details refer to the section Configuring NTP Servers.

Note that, if you set up one or several NTP servers, the time and date you set manually will be
lost the next time an NTP server updates.

To manually set the appliance time and date

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Time & Date configuration. The wizard opens.
3. Set the appliance time and date, by default each field is prefilled with a value matching the
current time and date of the appliance:
a. In the drop-down list Hour, select a value between 0 and 24.
b. In the drop-down list Minute, select a value between 0 and 59.
c. In the drop-down list Day, select the date of your choice, a value between 0 and 31.
d. In the drop-down list Month, select the value of your choice.
e. In the field Year, specify the value of your choice.
4. Click on OK to complete the operation. The services restart.

94
Chapter 6. Configuring the Network
This chapter details the page Network configuration where you can configure all the settings
necessary to run SOLIDserver on your network, including:
• Setting the Hostname of the appliance.
• Setting the DNS Resolver, the DNS server that SOLIDserver uses to resolve the names and
addresses that it manages.
• Setting the Firewall and reinforcing the appliance security by blocking potential dangerous
communications.
• Setting up the Default Gateway address that SOLIDserver uses to reach networks out of its
domain's broadcast.
• Setting up Specific Routes to set a specific path for the returned packets.
• Setting up Static Routes and enable data to be forwarded through the network with fixed paths.
• Configuring Basic IP Addressing on an Interface.
1
• Setting up a VLAN Interface , like using a physical interface as an 801.1Q interface.
• Setting up an Ethernet Port Failover, to allow aggregation of multiple network interfaces as
one virtual interface in order to provide fault-tolerance and high-speed links.
• Configuring a VIP, or Virtual IP address, that is not connected to a specific computer or network
interface card on a computer. Incoming packets are sent to the VIP address, but all packets
travel through real network interfaces.
• Setting up and Managing a VIF details how to add, edit and delete a VIF. A Virtual InterFace
is a container that allows to configure physical interfaces with IP addresses and services.
• Configuring the Loopback Interface of the appliance.
• Configuring a Media Interface, to define the option supported by the physical interface.

Keep in mind that:

• All the services must be set at the same time to prevent any management problems. For
more details, refer to the section Configuring NTP Servers.
• You can set the network of remote appliances via the drop-down list SOLIDserver, whether
you simply manage an appliance remotely or configured it in High Availability. For more details,
refer to the chapter Centralized Management.

1
Virtual Local Area Network (VLAN) is a group of hosts with a common set of requirements that communicate as if they were attached
to the same broadcast domain, regardless of their physical location.

95
 Configuring the Network

Configuring Basic IP Addressing on an Interface

Each virtual interface, VIF, can be set with several IP addresses, or even physical interfaces.

By default, an existing virtual interface (VIF), called DEFAULT_INTERFACE is already applied

to the system.You can edit it, or any other interface you may have added following the procedure
in the section Setting up and Managing a VIF.

Keep in mind that the overlap of IP addresses linked with different physical interfaces is
not allowed in order to avoid asymmetrical routing. Indeed, if a packet is received from a phys-
ical interface it must not be forwarded to another one.

To set up a Basic Interface Configuration

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Network configuration. The page Network configuration
opens.
3. In the column Name, click on the interface of your choice. All virtual interfaces are preceded
by an orange dot. The wizard Virtual network interface configuration opens.
4. In the field Virtual interface name, you can rename the default interface if you want.
5. In the list Available physical interfaces, select an interface and click on . It is moved to
the list Physical interfaces.
All interfaces are named after a physical port and port MAC address as follows: eth#
(##:##:##:##:##:##).
To remove an interface, select it in the list Physical interfaces and click on . The interface
is moved back to the list Available physical interfaces.
6. Click on NEXT . The next page opens.
7. If you selected at least two Physical interfaces, in the drop-down list LAGG procotol you
can select failover or LACP. By default, failover is selected. Click on NEXT . The next page
opens.
Note that a successful LAGG configuration requires interfaces with the same speed and
duplex and you can only configure LACP on appliances in version 6.0.2 or higher.
8. Set the IPv4 address configuration of the interface.

Table 6.1. IPv4 virtual network interface configuration parameters

Parameter Description
IP address The IPv4 address of the interface. This field is required.
Netmask The netmask of the IP address. This field is required.
Specific route The IP address of a route, used to set up source routing and dedicate the route to the
IP address. This field is optional. For more details, refer to the section Setting up
Specific Routes.

Once you specified the parameters, click on ADD . The new IP address is moved to the IP
addresses list.
Repeat these actions for as many IP addresses as needed. SOLIDserver is accessible
through all the IP addresses configured for the interface.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the field(s)
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .

96
 Configuring the Network

• To discard changes, click on CANCEL .

To order the entries, select them one by one and click on the arrows to move them up or
down in the list.
9. Click on NEXT . The last page opens.
10. Set the IPv6 address configuration of the interface.

Table 6.2. IPv6 virtual network interface configuration parameters

Parameter Description
IPv6 address The IPv6 address of the interface. This field is required.
Prefix The prefix of the IP address. This field is required.

Once you specified the parameters, click on ADD . The new IP address is moved to the IPv6
addresses list.
Repeat these actions for as many IP addresses as needed. SOLIDserver is accessible
through all the IP addresses configured for the interface.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the field(s)
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
To order the entries, select them one by one and click on the arrows to move them up or
down in the list.
11. Click on OK to complete the operation. If you configured LAGG, the protocol you chose is
displayed in the column Configuration.
12. Right now your configuration is pending. In the menu, select Tools > Apply configuration
to save your changes or Tools > Rollback configuration to discard them. The page
refreshes.
Make sure that at least one interface is available, otherwise, you would lose your
current connection to SOLIDserver.

Setting the Routing

With SOLIDserver you can configure routing on your network by:
• Setting up the Default Gateway, to forward SOLIDserver outgoing traffic.
• Setting up Specific Routes, to set a path for returned packets.
• Setting up Static Routes, to forward data to another subnet.

Setting up the Default Gateway

A gateway is a node on a TCP/IP network that is used as an access point to another network.
The default router is the gateway used by SOLIDserver that forwards traffic to remote subnets
on behalf of a sending host or router. Only one default router can be configured for the entire
appliance in each version of the IP protocol. For security reasons, SOLIDserver does not route
packets between network interfaces.

Keep in mind that the default gateway is only used if a packet is sent from a network address
unknown to SOLIDserver. For some networks, you might want to use route sourcing and set up
a specific route to send the response packet to the sender through the channel it came from
rather than using the default gateway to try and locate the sender. For more details, refer to the
section Setting up Specific Routes.

97
 Configuring the Network

To configure the default gateway

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Network configuration. The page Network configuration
opens.
3. In the column Name, click on Default gateways. The wizard Edit the default gateways
opens.
4. In the field IPv4 default gateway, specify the IPv4 gateway of your choice.
5. In the field IPv6 default gateway, specify the IPv6 gateway of your choice.
6. Click on OK to complete the operation.
7. Right now your configuration is pending. In the menu, select Tools > Apply configuration
to save your changes or Tools > Rollback configuration to discard them. The corres-
ponding wizard opens, click on OK to complete the operation. The page refreshes.

Setting up Specific Routes

Setting up specific routes allows to configure source routing on your network for IPv4. Without
specific routes, once a packet is sent from a subnet that has not been configured among
SOLIDserver network interfaces, the response packet is returned through the default gateway
and might, depending on your network architecture, never get back to the sender (asymmetric
routing issue). In other words, setting up a specific route allows to specify the route for the return
packet. Once a specific route is configured, its address is preferred to the default gateway for
the return packets.

Keep in mind that the DHCP does not take into account the specific route. Therefore, the man-
agement IP address a DHCP server should always be on the same network as the default gateway.

Within SOLIDserver, you can set up several specific routes. To configure a specific route, refer
to the procedure To set up a Basic Interface Configuration.

Setting up Static Routes

If it is necessary, SOLIDserver allows you to add static routes. These routes allow you to commu-
nicate with another network(s) and to forward data through a fixed path.

To configure static routes (Add/Edit/Delete)

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Network configuration. The page Network configuration
opens.
3. In the column Name, click on Static routes. The page Static Routes (IPv4) opens. Set the
IPv6 address configuration of the route.

Table 6.3. IPv4 static route configuration parameters

Parameter Description
Route name The name of the static route. This field is required.
IP address The IP address of the static route. This field is required.

98
 Configuring the Network

Parameter Description
Netmask The netmask of the IP address. Depending on the specified address, several values
may be available. The netmask you select automatically updates the Prefix. This field
is optional.
Prefix The prefix of the IP address. It is automatically selected based on the address and
netmask. If you select a different prefix, the netmask is automatically updated. This
field is required.
Gateway The gateway of the static route. This field is required.

Once all the parameters needed are configured, click on ADD . The static route is moved to
the list Static routes.
Repeat these actions for as many static routes as needed.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the field(s)
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
4. Click on NEXT . The page Static routes (IPv6) opens. Follow the step 4 to configure an IPv6
static route.
5. Click on OK to complete the operation.
6. Right now your configuration is pending. In the menu, select Tools > Apply configuration
to save your changes or Tools > Rollback configuration to discard them. The corres-
ponding wizard opens, click on OK to complete the operation. The page refreshes.

Setting the Hostname

The hostname in the name of you local appliance. It must be a Fully Qualified Domain Name
(FQDN), in other words the name of the host concatenated with the domain name.

The hostname is used to identify and differentiate several appliances. It is all the more useful if
you manage remote appliances or configure appliances in High Availability.

To configure an appliance hostname

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Network configuration. The page Network configuration
opens.
3. In the column Name, click on Hostname. The wizard Edit the hostname opens.
4. In the field Hostname, name your appliance using a valid FQDN. By default, every appliance
is named solid.intranet .
5. Click on OK to complete the operation.
6. Right now your configuration is pending. In the menu, select Tools > Apply configuration
to save your changes or Tools > Rollback configuration to discard them. The corres-
ponding wizard opens, click on OK to complete the operation. The page refreshes.

99
 Configuring the Network

Setting the DNS Resolver

The DNS resolver is the default DNS server that SOLIDserver uses to resolve local names.
Several modules like IPAM and NetChange use the DNS resolver to find the FQDN of IP addresses
or to resolve FQDN IP addresses.

To configure DNS resolvers

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Network configuration. The page Network configuration
opens.
3. In the column Name, click on DNS Resolvers. The wizard Edit DNS resolvers opens.
4. In the field DNS server IP address, specify the IP address of the server of your choice.
5. Click on ADD . The IP address is now moved to the list DNS Resolvers.
Repeat these actions for as many resolvers as needed.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the field(s)
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
To order the entries, select them one by one and click on the arrows to move them up or
down in the list.
6. Click on OK to complete the operation.
7. Right now your configuration is pending. In the menu, select Tools > Apply configuration
to save your changes or Tools > Rollback configuration to discard them. The corres-
ponding wizard opens, click on OK to complete the operation. The page refreshes.

Setting the Firewall

2
SOLIDserver embeds a restrictive stateful firewall, or Stateful Packet Inspection (SPI) , to secure
flows and provide a Simple Stateful logic.

Stateful filtering treats traffic as a bi-directional exchange of packets comprising a session. It allows
to determine if the session conversation between the originating sender and the destination follows
a valid procedure of bi-directional packet exchange. Any packet that does not properly fit the
session conversation template is automatically rejected.

In addition, you can track down attackers or prevent network attacks by tracking more state per
session. As firewall messages filing are supported, you can review and track information after
the fact. You can see which packets have been dropped, from which addresses they came from
and where they were going, etc.

Enabling or Disabling the Firewall

By default, SOLIDserver firewall is Restricted, i.e. enabled, and all the firewall rules set are re-
spected and enforced in order.

You can Open the firewall, to disable it, and ignore all these rules.

2
also known as dynamic packet filtering.

100
 Configuring the Network

To open or restrict the firewall

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Network configuration. The page Network configuration
opens.
3. In the column Configuration, in the line Firewall can be Restricted or Open.
4. Click on the current state to change it. The wizard Firewall state configuration opens.
5. Click on OK to complete the operation. The firewall is marked Open or Restricted.
6. Right now your configuration is pending. In the menu, select Tools > Apply configuration
to save your changes or Tools > Rollback configuration to discard them. The corres-
ponding wizard opens, click on OK to complete the operation. The page refreshes.

Adding a Firewall Rule

Before adding firewall rules, keep in mind that:
• The precedence sets the configuration of the firewall rule, its set of parameters. If matched,
the rules are applied following the order set by their position. Therefore if you set two firewall
rules from a DNS server A to a DNS server B via the same port, interface and protocol, if one
denies access while the other grants it, only the rule with the smallest position is applied.
• As the firewall is restrictive, the last position 65535 denies access to any kind of packets, no
matter what protocol or where it goes or comes from. In addition, the positions 1 - 99 and 59999
- 65535 are reserved by EfficientIP and cannot be used.

To add a firewall rule

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Firewall rules. The page Firewall rules opens.
3. In the menu, click on Add. The Firewall rule configuration wizard opens, fill in all the re-
quired parameters following the table below:

Table 6.4. Firewall rules parameters

Parameter Description
Position The rule precedence, a number between 100 and 59998. For more details, refer to the
introduction of the section.
Action The action to execute when a packet matches the selection criterion of the rule.
allow Packets matching the defined criterion. The rule exits the firewall
rule processing. The search terminates at this rule.
deny Packets matching the defined criterion. The packets are discarded.
The search terminates.
Protocol The protocol of the firewall rule. The available protocols handle IPv4 and/or IPv6.
From The source parameters, the accepted values are the following.
The fields From and To work together, so you must specify either two IPv4 addresses
or two IPv6 addresses, you cannot mix the protocol versions
me A special keyword that matches any IP address configured on an
interface in SOLIDserver.
any A special keyword that matches any IP address.
<address>/<prefix> An IP address specified with mask-length. It must follow the format:
x.x.x.x/p or xxxx::/p .

101
 Configuring the Network

Parameter Description
<address> An IP address specified without mask-length. It must follow the
format: x.x.x.x or xxxx:: .
Source port The source port on which the firewall rule should be applied. Use a comma to separate
several port numbers.
To The destination parameters, the accepted values are the following.
The fields From and To work together, so you must specify either two IPv4 addresses
or two IPv6 addresses, you cannot mix the protocol versions.
me A special keyword that matches any IP address configured on an
interface in SOLIDserver.
any A special keyword that matches any IP address.
<address>/<prefix> An IP address specified with mask-length. It must follow the format:
x.x.x.x/p or xxxx::/p .
<address> An IP address specified without mask-length. It must follow the
format: x.x.x.x or xxxx:: .
Destination port The destination port on which the firewall rule should be applied. Use a comma to sep-
arate several port numbers.
Via The interface the packets should go through. The parameter via causes the interface to
always be checked as part of the match process. By default, nothing is selected.
Log The logging status of the rule. By default, No is selected. You can decide to save, Yes,
the log parameter indicating if a packet matches a rule on the page Syslog; it is saved
with a facility SECURITY name.
Keep state The dynamic rule status of the rule. By default, No is selected. It allows to decide if you
want SOLIDserver firewall to add a dynamic rule, upon match, whose default behavior
is to match bidirectional traffic between source and destination IP/port using the same
protocol.

4. Click on OK to complete the operation.

5. Right now your configuration is pending. In the menu, select Tools > Apply configuration
to save your changes or Tools > Rollback configuration to discard them. The corres-
ponding wizard opens, click on OK to complete the operation. The page refreshes.

Editing a Firewall Rule

You can edit any underlined firewall rules in the column Position. It includes the rules you added
and the preexisting ones.

Before editing firewall rule, keep in mind that:

• The precedence sets the configuration of the firewall rule, its set of parameters. If matched,
the rules are applied following the order set by their position. Therefore if you set two firewall
rules from a DNS server A to a DNS server B via the same port, interface and protocol, if one
denies access while the other grants it, only the rule with the smallest position is applied.
• As the firewall is restrictive, the last position 65535 denies access to any kind of packets, no
matter what protocol or where it goes or comes from. In addition, the positions 1 - 99 and 59999
- 65535 are reserved by EfficientIP and cannot be used.

To edit a firewall rule

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Firewall rules. The page Firewall rules opens.

102
 Configuring the Network

3. In the column Position, click on the underlined number corresponding to the rule you want
to edit. The wizard Firewall rule configuration opens.
4. Edit the parameters according to your needs, following the information described in Firewall
rules parameters procedure above.
5. Click on OK to complete the operation.
6. Right now your configuration is pending. In the menu, select Tools > Apply configuration
to save your changes or Tools > Rollback configuration to discard them. The corres-
ponding wizard opens, click on OK to complete the operation. The page refreshes.

Deleting a Firewall Rule

Any firewall rule can be deleted, except the rule 65535.

Keep in mind that firewall rules must not be deleted lightly. For instance, the rule #34 is a
delicate rule to delete as it refers to fragmented IP packets. As there is a maximum packet size
for transport level that depends on the transport medium (1500 bytes for Ethernet), if the IP
packet is larger than this, it needs to be broken up into fragments that get reassembled at the
destination. Without the rule #34, fragmented IP packets will be blocked by the firewall.

To delete a firewall rule

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Firewall rules. The page Firewall rules opens.
3. Tick the firewall rule(s) of your choice.
4. In the menu, click on Delete. The wizard Delete opens.
5. Click on OK to complete the operation.
6. Right now your configuration is pending. In the menu, select Tools > Apply configuration
to save your changes or Tools > Rollback configuration to discard them. The corres-
ponding wizard opens, click on OK to complete the operation. The page refreshes.

Setting up a VLAN Interface

You can set up a VLAN interface via the VIF configuration wizard.

By default, an existing virtual interface (VIF), called DEFAULT_INTERFACE is already applied

to the system.You can edit it, or any other interface you may have added following the procedure
in the section Setting up and Managing a VIF.

Note that to avoid asymmetrical routing, you cannot link overlapped IP addresses to different
physical interfaces. This way, if a packet is received from a physical interface it cannot be for-
warded to another interface.

To set up a VLAN interface configuration

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Network configuration. The page Network configuration
opens.
3. In the column Name, click on the interface of your choice. All virtual interfaces are preceded
by an orange dot. The wizard Virtual network interface configuration opens.

103
 Configuring the Network

4. In the field Virtual interface name, you can rename the interface if you want.
5. In the list Available physical interfaces, select the available interface, it is named after the
physical port and port MAC address as follows: eth# (##:##:##:##:##:##) and click on . It
is moved to the list Physical interfaces.
6. Click on NEXT . The next page opens.
7. If you selected at least two Physical interfaces, in the drop-down list LAGG procotol you
can select failover or LACP. By default, failover is selected. Click on NEXT . The next page
opens.
Note that a successful LAGG configuration requires interfaces with the same speed and
duplex and you can only configure LACP on appliances in version 6.0.2 or higher.
8. Set the IPv4 address configuration of the VLAN interface. The IP determines to which con-
figured VLAN they belong and the tag provides a more accurate filter.

Table 6.5. IPv4 virtual network interface configuration parameters

Parameter Description
IP address The IPv4 address of the interface. It should belong to a VLAN configured on your
network. This field is required.
Netmask The netmask of the IP address. This field is required.
Specific route The IP address of a route, used to set up source routing and dedicate the route to the
IP address. This field is optional. For more details, refer to the section Setting up
Specific Routes.
802.1q tag number The VLAN ID of your choice, between 1 and 4094. This tag can be common to several
appliances, they are differentiated using their IP addresses on the VLAN, packets
sent to the VLAN with the same tag are only received by these appliances. By default,
the field is empty.

Once you specified the parameters, click on ADD . The new IP address is moved to the IP
addresses list.
Repeat these actions for as many IP addresses as needed.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the field(s)
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
To order the entries, select them one by one and click on the arrows to move them up or
down in the list.
9. Click on NEXT . The last page opens.
10. Set the IPv6 address configuration of the VLAN interface. The IP determines to which con-
figured VLAN they belong and the tag provides a more accurate filter.

Table 6.6. IPv6 virtual network interface configuration parameters

Parameter Description
IPv6 address The IPv6 address of the interface. It should belong to a VLAN configured on your
network. This field is required.
Prefix The prefix of the IP address. This field is required.
Specific route The IP address of a route, you can use it to set up source routing and dedicate the
route to the IP address. This field is optional.
802.1q tag number The VLAN ID of your choice, between 1 and 4094. This tag can be common to several
appliances, they are differentiated using their IP addresses on the VLAN, packets
sent to the VLAN with the same tag are only received by these appliances. By default,
the field is empty.

104
 Configuring the Network

Once you specified the parameters, click on ADD . The new IP address is moved to the IPv6
addresses list.
Repeat these actions for as many IP addresses as needed.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the field(s)
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
To order the entries, select them one by one and click on the arrows to move them up or
down in the list.
11. Click on OK to complete the operation. If you configured LAGG, the protocol you chose is
displayed in the column Configuration.
12. Right now your configuration is pending. In the menu, select Tools > Apply configuration
to save your changes or Tools > Rollback configuration to discard them. The page
refreshes.
Make sure that at least one interface is available, otherwise, you would lose your
current connection to SOLIDserver.

Setting up an Ethernet Port Failover

The Ethernet Port Failover is an ability of the network system to have 2 or more physical interfaces
configured with one (or more) IP address access. To sum up, Ethernet Port Failover interface
ensures a high accessibility to SOLIDserver, if one of the physical interfaces is disconnected,
the system is still available.

By default, an existing virtual interface (VIF), called DEFAULT_INTERFACE is already applied

to the system.You can edit it, or any other interface you may have added following the procedure
in the section Setting up and Managing a VIF.

To configure an Ethernet Port Failover Interface Configuration

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Network configuration. The page Network configuration
opens.
3. In the column Name, click on the interface of your choice. All virtual interfaces are preceded
by an orange dot. The wizard Virtual network interface configuration opens.
4. In the field Virtual interface name, you can rename the interface if you want.
5. In the list Available physical interfaces, select one by one two or more interfaces and click
on . The interface is moved to the list Physical interfaces.
All interfaces are named after a physical port and port MAC address as follows: eth#
(##:##:##:##:##:##).
To remove an interface, select it in the list Physical interfaces and click on . The interface
is moved back to the list Available physical interfaces.
6. Click on NEXT . The next page opens.
7. In the drop-down list LAGG procotol, select failover or LACP. By default, failover is selected.
Click on NEXT . The next page opens.
Note that a successful LAGG configuration requires interfaces with the same speed and
duplex and you can only configure LACP on appliances in version 6.0.2 or higher.
8. Set the IPv4 address configuration of the interface.

105
 Configuring the Network

Table 6.7. IPv4 virtual network interface configuration parameters

Parameter Description
IP address The IPv4 address of the interface. This field is required.
Netmask The netmask of the IP address. This field is required.
Specific route The IP address of a route, used to set up source routing and dedicate the route to the
IP address. This field is optional. For more details, refer to the section Setting up
Specific Routes.

Once you specified the parameters, click on ADD . The new IP address is moved to the IP
addresses list.
Repeat these actions for as many IP addresses as needed. SOLIDserver is accessible
through all the IP addresses configured for the interface.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the field(s)
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
To order the entries, select them one by one and click on the arrows to move them up or
down in the list.
9. Click on NEXT . The last page opens.
10. Set the IPv6 address configuration of the interface.

Table 6.8. IPv6 virtual network interface configuration parameters

Parameter Description
IPv6 address The IPv6 address of the interface. This field is required.
Prefix The prefix of the IP address. This field is required.
Specific route The IP address of a route, you can use it to set up source routing and dedicate the
route to the IP address. This field is optional.

Once you specified the parameters, click on ADD . The new IP address is moved to the IPv6
addresses list.
Repeat these actions for as many IP addresses as needed. SOLIDserver is accessible
through all the IP addresses configured for the interface.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the field(s)
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
To order the entries, select them one by one and click on the arrows to move them up or
down in the list.
11. Click on OK to complete the operation. If you configured LAGG, the protocol you chose is
displayed in the column Configuration.
12. Right now your configuration is pending. In the menu, select Tools > Apply configuration
to save your changes or Tools > Rollback configuration to discard them. The page
refreshes.
Make sure that at least one interface is available, otherwise, you would lose your
current connection to SOLIDserver.

106
 Configuring the Network

Configuring a VIP
SOLIDserver allows you to set up virtual IP addresses (VIP) on supported services. This mech-
anism, known as Common Address Redundancy Protocol (CARP) is a protocol which allows
multiple EfficientIP devices on the same local network to share a single IP address or the same
set of addresses. Its primary purpose is to provide failover redundancy. For example, if there is
a single SOLIDserver running a DNS service and it goes down, then, the networks on each side
of the DNS service can no longer communicate with each other, or, they communicate without
any DNS service. However, if there are two EfficientIP devices running CARP, if one fails, the
other can take over with SOLIDserver on either side of the DNS service not being aware of the
failure. Operations continue as normal. Note that through a VIP you can manage DNS smart ar-
chitectures Master/Slave and Multi-Master.

The general idea is to have a single IP address, and several physical servers behind. In the case
of a failure, the next available server takes the lead and provides the relevant services. This
mechanism is available for the services DNS, NTP, TFTP and SOLIDserver management, the
appliances configured in High Availability.

By default, an existing virtual interface (VIF), called DEFAULT_INTERFACE is already applied

to the system.You can edit it, or any other interface you may have added following the procedure
in the section Setting up and Managing a VIF.

Note that:
• To configure a VIP, the interface must be set with at least another IP address configured with
the VIP service set to None. You cannot set a VIP on its own on an interface.
• With virtual appliances, the VMware ESXi host vSwitch must be configured as follows:
• The option Promiscuous mode must be enabled,
• The option MAC Address Changes must be enabled,
• The option Forged Transmits must be enabled,
• The option Net.ReversePathFwdCheckPromisc must be set to 1.

To configure a VIP
Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Network configuration. The page Network configuration
opens.
3. In the column Name, click on the interface of your choice. All virtual interfaces are preceded
by an orange dot. The wizard Virtual network interface configuration opens.
4. In the field Virtual interface name, you can rename the interface if you want.
5. In the list Available physical interfaces, select the available interface, it is named after the
physical port and port MAC address as follows: eth# (##:##:##:##:##:##) and click on . It
is moved to the list Physical interfaces.
6. Click on NEXT . The next page opens.
7. If you selected at least two Physical interfaces, in the drop-down list LAGG procotol you
can select failover or LACP. By default, failover is selected. Click on NEXT . The next page
opens.
Note that a successful LAGG configuration requires interfaces with the same speed and
duplex and you can only configure LACP on appliances in version 6.0.2 or higher.
8. Set the IPv4 address configuration of the interface.

107
 Configuring the Network

The drop-down list VIP service allows to set up the availability of the DNS, NTP, TFTP or
SOLIDserver management services if:
• Both appliances belong to the same LAN (layer 2).
• Both appliances are set with the exact same parameters in all the fields, except the the
Priority. To avoid any conflict, you must set one priority level for the first appliance and a
different one on the other.

Table 6.9. IPv4 virtual network interface configuration parameters

Parameter Description
IP address The IPv4 address of the interface. This field is required.
Netmask The netmask of the IP address. This field is required.
Specific route The IP address of a route, used to set up source routing and dedicate the route to the IP
address. This field is optional. For more details, refer to the section Setting up Specific
Routes.
VIP service The service available through the VIP, either DNS server, NTP server, TFTP server or
SOLIDserver management. By default, None is selected.
DNS server: The IP address dedicated to the service DNS. Selecting it displays the fields
VHID, Password and Priority.
NTP server: The IP address dedicated to the service NTP. Selecting it displays the fields
VHID, Password and Priority.
TFTP server: The IP address dedicated to the service TFTP. Selecting it displays the fields
VHID, Password and Priority.
SOLIDserver management: The IP address used to access the appliances configured in
High Availability, it allows to access to Master appliance. For more details, refer to the
chapter Centralized Management.
Selecting this service server displays the fields VHID and Password. The Master has
automatically priority over the Hot Standby, therefore the dedicated field in not displayed.
VHID The Virtual Host IDentification of the selected service, a number between 1 and 255. The
appliances on which you are setting up the service high availability must have the same
VHID.
Password The password of the selected service, specify the value of your choice. The appliances on
which you are setting up the service high availability must have the same password.
Priority The appliances priority, if you selected DNS server, NTP server or TFTP server. You must
decide which appliance has a Low, Medium or High priority over the selected service. Each
appliance should have a unique Priority.

Once you specified the parameters, click on ADD . The new IP address is moved to the IP
addresses list.
Repeat these actions for as many IP addresses as needed. SOLIDserver is accessible
through all the IP addresses configured for the interface.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the field(s)
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
To order the entries, select them one by one and click on the arrows to move them up or
down in the list.
Keep in mind that the list must contain at least one IP address configured with the VIP service
set to None, otherwise you cannot apply your VIP configuration.
9. Click on NEXT . The last page opens.
10. Set the IPv6 address configuration of the interface.

108
 Configuring the Network

The drop-down list VIP service allows to set up the availability of the DNS, NTP or TFTP
services if:
• Both appliances belong to the same LAN (layer 2).
• Both appliances are set with the exact same parameters in all the fields, except the the
Priority. To avoid any conflict, you must set one priority level for the first appliance and a
different one on the other.

Table 6.10. IPv6 virtual network interface configuration parameters

Parameter Description
IPv6 address The IPv6 address of the interface. This field is required.
Prefix The prefix of the IP address. This field is required.
Specific route The IP address of a route, you can use it to set up source routing and dedicate the route
to the IP address. This field is optional.
VIP service The service available through the VIP, either DNS server, DNS server, NTP server or TFTP
server. By default, None is selected.
DNS server: The IP address dedicated to the service DNS. Selecting it displays the fields
VHID, Password and Priority.
NTP server: The IP address dedicated to the service NTP. Selecting it displays the fields
VHID, Password and Priority.
TFTP server: The IP address dedicated to the service TFTP. Selecting it displays the fields
VHID, Password and Priority.
VHID The Virtual Host IDentification of the selected service, a number between 1 and 255. The
appliances on which you are setting up the service high availability must have the same
VHID.
Password The password of the selected service, specify the value of your choice. The appliances on
which you are setting up the service high availability must have the same password.
Priority The appliances priority, if you selected DNS server, NTP server or TFTP server. You must
decide which appliance has a Low, Medium or High priority over the selected service. Each
appliance should have a unique Priority.

Once you specified the parameters, click on ADD . The new IP address is moved to the IPv6
addresses list.
Repeat these actions for as many IP addresses as needed. SOLIDserver is accessible
through all the IP addresses configured for the interface.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the field(s)
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
To order the entries, select them one by one and click on the arrows to move them up or
down in the list.
Keep in mind that the list must contain at least one IP address configured with the VIP service
set to None, otherwise you cannot apply your VIP configuration.
11. Click on OK to complete the operation. If you configured LAGG, the protocol you chose is
displayed in the column Configuration.
12. Right now your configuration is pending. In the menu, select Tools > Apply configuration
to save your changes or Tools > Rollback configuration to discard them. The page
refreshes.
Make sure that at least one interface is available, otherwise, you would lose your
current connection to SOLIDserver.

109
 Configuring the Network

Setting up and Managing a VIF

A VIF (Virtual Interface) allows to set a number of configurations in a virtual container. Thanks
to this container you can apply or edit a network configuration including embedded services. For
instance, configuring multiple IP addresses on a VIF could be helpful during a migration of DNS
servers. You could either set one VIF the IP addresses of multiple servers to provide continuous
service, or configure a VIP of the DNS service among two appliances.

By default, an existing VIF, called DEFAULT_INTERFACE is already applied to the system. You
can add new VIFs and edit or delete them.

Before adding, editing or deleting a VIF, make sure that you have at least one operating
interface connected to SOLIDserver or you might lose your point of access, and therefore be
unable to manage the appliance.

To add a VIF
Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Network configuration. The page Network configuration
opens.
3. In the menu, click on Add. The wizard Virtual network interface configuration opens.
4. In the field Virtual interface name, name the interface.
5. In the list Available physical interfaces, select an interface and click on . It is moved to
the list Physical interfaces.
All interfaces are named after a physical port and port MAC address as follows: eth#
(##:##:##:##:##:##).
To remove an interface, select it in the list Physical interfaces and click on . The interface
is moved back to the list Available physical interfaces.
6. Click on NEXT . The next page opens.
7. If you selected at least two Physical interfaces, in the drop-down list LAGG procotol you
can select failover or LACP. By default, failover is selected. Click on NEXT . The next page
opens.
Note that a successful LAGG configuration requires interfaces with the same speed and
duplex and you can only configure LACP on appliances in version 6.0.2 or higher.
For more details, refer to the section Setting up an Ethernet Port Failover.
8. Set the IPv4 address configuration of the interface.

Table 6.11. IPv4 virtual network interface configuration parameters

Parameter Description
IP address The IPv4 address of the interface. This field is required.
Netmask The netmask of the IP address. This field is required.
Specific route The IP address of a route, used to set up source routing and dedicate the route to the
IP address. This field is optional. For more details, refer to the section Setting up
Specific Routes.
802.1q tag number If you specified an IP address belonging to a VLAN configured on your network, the
VLAN ID of your choice, between 1 and 4094. This field is optional. By default, it is
empty. For more details, refer to the section Setting up a VLAN Interface.
VIP service If you are configuring a VIP, select the service that uses the VIP, either DNS server,
NTP server, TFTP server or SOLIDserver management. By default, None is selected.
For more details, refer to the section Configuring a VIP.

110
 Configuring the Network

Once you specified the parameters, click on ADD . The new IP address is moved to the IPv6
addresses list.
Repeat these actions for as many IP addresses as needed. SOLIDserver is accessible
through all the IP addresses configured for the interface.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the field(s)
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
To order the entries, select them one by one and click on the arrows to move them up or
down in the list.
9. Click on NEXT . The last page opens.
10. Set the IPv6 address configuration of the interface.

Table 6.12. IPv6 virtual network interface configuration parameters

Parameter Description
IPv6 address The IPv6 address of the interface. This field is required.
Prefix The prefix of the IP address. This field is required.
Specific route The IP address of a route, you can use it to set up source routing and dedicate the
route to the IP address. This field is optional.
802.1q tag number If you specified an IP address belonging to a VLAN configured on your network, the
VLAN ID of your choice, between 1 and 4094. This field is optional. By default, it is
empty. For more details, refer to the section Setting up a VLAN Interface.
VIP service If you are configuring a VIP, select the service that uses the VIP, either DNS server,
NTP server or TFTP server. By default, None is selected. For more details, refer to
the section Configuring a VIP.

Once you specified the parameters, click on ADD . The new IP address is moved to the IP
addresses list.
Repeat these actions for as many IP addresses as needed. SOLIDserver is accessible
through all the IP addresses configured for the interface.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the field(s)
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
To order the entries, select them one by one and click on the arrows to move them up or
down in the list.
11. Click on OK to complete the operation.
12. Right now your configuration is pending. In the menu, select Tools > Apply configuration
to save your changes or Tools > Rollback configuration to discard them. The corres-
ponding wizard opens, click on OK to complete the operation. The page refreshes.

To edit a VIF
Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Network configuration. The page Network configuration
opens.
3. In the column Name, click on the interface of your choice. All virtual interfaces are preceded
by an orange dot. The wizard Virtual network interface configuration opens.

111
 Configuring the Network

4. In the field Virtual interface name, you can rename the interface if you want.
5. Edit its Physical interfaces, IPv4 address configuration and/or IPv6 address configuration,
as detailed in the procedure To add a VIF.
6. Click on OK to complete the operation.
7. Right now your configuration is pending. In the menu, select Tools > Apply configuration
to save your changes or Tools > Rollback configuration to discard them. The corres-
ponding wizard opens, click on OK to complete the operation. The page refreshes.

To delete a VIF
Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Network configuration. The page Network configuration
opens.
3. In the column Name, click on the interface of your choice. All interfaces are preceded by an
orange dot. The wizard Virtual network interface configuration opens.
4. In the field Physical interfaces, select one by one all the interfaces and click on . The
physical interfaces are moved back to the list Available physical interfaces.You must remove
all the Physical interfaces configured.
5. Click on NEXT . The IPv4 address configuration opens.
6. In the IP addresses list, select one by one all the addresses and click on DELETE . You must
delete all IPv4 addresses.
7. Click on NEXT . The IPv6 address configuration is displayed.
8. In the IPv6 addresses list, select one by one all the addresses and click on DELETE . You
must delete all IPv6 addresses.
9. Click on OK to complete the operation.
In the column Name, the VIF is struck out.
10. Right now your configuration is pending. In the menu, select Tools > Apply configuration
to save your changes or Tools > Rollback configuration to discard them. The corres-
ponding wizard opens, click on OK to complete the operation. The page refreshes.

Configuring the Loopback Interface

A loopback interface allows one appliance to communicate with itself locally. This particular inter-
face is virtual and can be used to diagnose and troubleshoot the appliance, or to connect to the
servers running on the appliance.

By default, the loopback interface lo0 is available. You can configure it with one or more IPv4
and/or IPv6 addresses.

Note that you cannot use the loopback interface in LAGG, CARP, 802.1q or specific route config-
urations.

To configure the loopback interface

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Network configuration. The page Network configuration
opens.

112
 Configuring the Network

3. In the column Name, click on LOOPBACK_0. The wizard Virtual network interface con-
figuration opens.
4. Set the IPv4 address configuration of the loopback interface.
By default, the IP addresses list already contains 127.0.0.1-255.0.0.0.You should not delete
this address, if you do you lose access to the GUI. You can add more addresses.

Table 6.13. IPv4 virtual network interface configuration parameters

Parameter Description
IP address The IPv4 address of the interface. This field is required.
Netmask The netmask of the IP address. This field is required.
Specific route The IP address of a route, used to set up source routing and dedicate the route to the
IP address. This field is optional. For more details, refer to the section Setting up
Specific Routes.

Once you specified the parameters, click on ADD . The new IP address is moved to the IP
addresses list.
Repeat these actions for as many IP addresses as needed. SOLIDserver is accessible
through all the IP addresses configured for the interface.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the field(s)
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
To order the entries, select them one by one and click on the arrows to move them up or
down in the list.
Once the loopback interface configuration is applied, all the IP addresses you set are dis-
played in the column Name, under the line Physical interface: lo0.
5. Click on NEXT . The last page opens.
6. Set the IPv6 address configuration of the virtual loopback interface.
By default, the IPv6 addresses list already contains ::1-128. You should not delete this
address. You can add more addresses.

Table 6.14. IPv6 virtual network interface configuration parameters

Parameter Description
IPv6 address The IPv6 address of the interface. This field is required.
Prefix The prefix of the IP address. This field is required.

Once you specified the parameters, click on ADD . The new IP address is moved to the IPv6
addresses list.
Repeat these actions for as many IP addresses as needed. SOLIDserver is accessible
through all the IP addresses configured for the interface.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the field(s)
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
To order the entries, select them one by one and click on the arrows to move them up or
down in the list.
Once the loopback interface configuration is applied, all the IP addresses you set are dis-
played in the column Name, under the line Physical interface: lo0.

113
 Configuring the Network

7. Click on OK to complete the operation.

8. Right now your configuration is pending. In the menu, select Tools > Apply configuration
to save your changes or Tools > Rollback configuration to discard them. The page
refreshes.
Make sure that at least one interface is available, otherwise, you would lose your
current connection to SOLIDserver.

Configuring a Media Interface

By default, SOLIDserver automatically negotiates the optimal connection speed and transmission
type (full or half duplex) on the physical links between the 10/100Base-T and 10/100/1000Base-
T ports and the Ethernet ports on a connecting switch. It is usually unnecessary to change the
default auto-negotiation setting; however, you can manually configure connection settings for a
port if necessary.

Note that you can only configure the media interface of physical interfaces already attached to
a VIF. All the available physical interfaces not used yet are listed under the Unused interfaces.

To configure the media interface

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Network configuration. The page Network configuration
opens.
3. In the column Name, click on the physical interface of your choice. The used physical inter-
faces are listed under a VIF. The wizard Virtual network interface configuration opens.
4. In the drop-down list Media, select the speed and duplex to be applied to the physical interface
you clicked on. By default, the autoselect option is selected, it is automatically selected by
SOLIDserver according to your network configuration.
5. Click on OK to complete the operation.
6. Right now your configuration is pending. In the menu, select Tools > Apply configuration
to save your changes or Tools > Rollback configuration to discard them. The corres-
ponding wizard opens, click on OK to complete the operation. The page refreshes.

114
Chapter 7. Configuring the Services
This chapter details most of the services embedded in SOLIDserver, all gathered on the page
Services configuration:

• Handling Services details how to enable, disable, start and stop all available services.
• Configuring the SSH Account allows to set up the details of the connection to SOLIDserver via
a Secure Shell (SSH) client.
• Changing the SFTP/SCP/RSYNC User Account Password allows to edit the xfer account
1
password used by the protocols SFTP, SCP and RSYNC .
• Managing the TFTP Upload Authorizations allows to deliver Trivial File Transfer Protocol (TFTP)
services in order to send boot and configuration files to DHCP/BOOTP clients (such as IP
phones, thin clients, bootless stations).
• Configuring the SMTP Relay allows to configure the host relay that SOLIDserver uses to send
emails via Simple Mail Transfer Protocol (SMTP).
• Configuring Windows Events Collector allows to enable the communication between SOLID-
server and your AD domains controllers to retrieve data in the module Identity Manager.
• Configuring DNS Guardian allows to configure the listening interfaces and enable the service
DNS Guardian if your license includes it.
• Configuring GSLB Server allows to configure the listening interfaces and enable the service
GSLB server if your license includes it.
• Changing the HTTPS Certificate allows to change the Apache certificate used to connect to
SOLIDserver.
• Downloading a DNS or DHCP Configuration File allows to retrieve all DHCP and DNS config-
uration files.
• Configuring the SNMP Server allows to remotely monitor SOLIDserver performances and load
via SNMP.

Keep in mind that:

• All the services must be set at the same time to prevent any management problems. To
this end, we strongly recommend configuring Network Time Protocol (NTP) servers to update
SOLIDserver timer. For more details, refer to the chapter Configuring the Time and Date.
• You can set the services of remote appliances via the drop-down list SOLIDserver, whether
you simply manage an appliance remotely or configured it in High Availability. For more details,
refer to the chapter Centralized Management.

1
SFTP stands for Secure File Transfer Protocol also known as SSH File Transfer Protocol. SCP stands for Secure Copy. RSYNC
stands for Remote Synchronization.

115
 Configuring the Services

Handling Services
SOLIDserver allows you to completely disable a network service. While a network service is
disabled, it cannot run. Once a network service is enabled, its state is automatically updated after
having applied the configuration. To sum up, a user can easily handle the embedded services:
enabling/disabling and starting/stopping every service provided by SOLIDserver.

Enabling or Disabling a Service

Before enabling or disabling a service, keep in mind that this operation impacts the service:
• Disabling a service automatically stops it.
• Enabling a service automatically starts it

To enable/disable a service
Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Services configuration. The page Services configuration
opens.
3. In the column Name, look for the service of your choice.
4. In the column Enabled:
a. To enable the service, click on Disabled. The wizard opens.
b. To disable the service, click on Enabled. The wizard opens.
5. Click on OK to complete the operation.
6. Right now your configuration is pending. In the menu, select Tools > Apply configuration
to save your changes or Tools > Rollback configuration to discard them. The corres-
ponding wizard opens, click on OK to complete the operation. The page refreshes.

Starting or Stopping a Service

Before starting or stopping a service, keep in mind that:
• Once a service is disabled, it cannot be started.
• A disabled service is automatically stopped, so you can only stop an Enabled service.

To start/stop a service
Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Services configuration. The page Services configuration
opens.
3. In the column Name, look for the service of your choice.
4. In the column Running:
a. To start the service, click on Stopped. The wizard opens.
b. To stop the service, click on Started. The wizard opens.
5. Click on OK to complete the operation.

116
 Configuring the Services

Configuring the SSH Account

Administrators can access SOLIDserver appliances via an SSH shell session.

By default, only the account admin can access SOLIDserver via SSH.You cannot edit this account,
but you can edit its default password, admin, and its password level of security as detailed in the
sections below.

Keep in mind that:

• You can access your appliance via SSH only if the service SSH server is enabled. For more
details, refer to the section Handling Services.
• You can allow LDAP/RADIUS authentication for SSH connections. For more details, refer to
the appendix Using Remote Authentication for SSH Connections to SOLIDserver.
• You can configure non-supported OpenSSH settings via a dedicated include file. Using this
file allows to update the service configuration without preventing SOLIDserver from running
properly. For more details, refer to the section Configuring Non-Supported OpenSSH Settings
in appendix.
• You can configure a pre-authentication banner message for SSH connections, it is displayed
between the login and password prompts. For more details, refer to the section Configuring
Non-Supported OpenSSH Settings in appendix.

Changing the SSH Access Password

By default the admin account password is set to admin.

To change the SSH password

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Services configuration. The page Services configuration
opens.
3. In the column Name, click on Account: admin. The wizard opens.
4. In the field New password, specify the password of your choice, in accordance with the
level of security you chose.
5. In the field Confirm password, specify the password again.
6. Click on OK to complete the operation.

Changing the SSH Password Level

From the page Registry database, you can define the security level of the password for the services
that rely on a shell connection. There are 3 levels of security:
1. Low: the password can contain any character and as few as you want. There is no password
restriction, you could set a password composed of one character.
2. Medium: the password requires at least 8 characters, it can be any character.
3. Strong: the password requires at least 8 characters, among which at least 2 must be digits
and at least 2 must be special characters (like !, #, @...).

To change the SSH password security level

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.

117
 Configuring the Services

2. In the section Expert, click on Registry database. The page Registry database opens.
3. In the menu, select Tools > Configuration registry database.The wizard Configuration
of registry database opens.
4. Click on NEXT . The last page of the wizard opens.
5. In the drop-down list Security level of ssh password, select Low, Medium or Strong.
6. Click on OK to complete the operation. The report opens and closes.

Changing the SFTP/SCP/RSYNC User Account Password

The xfer account manages the SFTP, SCP and RSYNC services. By default there is no password
applied to xfer account, so you need to set a password and activate the account to be able to
access these services through a shell connection.

To set the xfer account password

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Services configuration. The page Services configuration
opens.
3. In the column Name, click on Account: xfer. The wizard opens.
4. In the field New password, specify the password of your choice, in accordance with the
level of security you chose.
5. In the field Confirm password, specify the password again.
6. Click on OK to complete the operation.

The xfer account is not enabled and disabled like the services. Only one wizard allows to enable
and disable the account that manages the SFTP, SCP and RSYNC protocols.

To enable/disable the xfer account

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Services configuration. The page Services configuration
opens.
3. In the column Enabled of the Account: xfer line, click on Disabled or Enabled. The wizard
opens.
4. Click on OK to complete the operation. The account is now marked as Enabled or Disabled.

Managing the TFTP Upload Authorizations

You can download and upload files through the Trivial File Transfer Protocol (TFTP). From the
GUI, you can enable or disable the service. For more details, refer to the section Handling Services
above.

You can enable uploads from remote appliances to SOLIDserver GUI. The uploaded files and
files available for download are listed on a dedicated page of the page Local files listing. For more
details, refer to the section Managing Files from the Local Files Listing.

To enable TFTP uploads to SOLIDserver

Only users of the group admin can perform this operation.

118
 Configuring the Services

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Services configuration. The page Services configuration
opens.
3. In the column Name, under the line TFTP server, click on Upload Authorization: Disabled.
The wizard TFTP File Upload Authorization opens.
4. Click on OK to complete the operation. The report opens and closes. The TFTP Upload
Authorizations status is now Enabled.

Once the uploads are enabled, following the procedure above disables them.

Configuring the SMTP Relay

SOLIDserver provides Simple Mail Transfer Protocol (SMTP) to notify users via email.

You can add an SMTP relay server and configure source email addresses, one can be dedicated
to mail notifications and the other to alerts.

To configure an SMTP relay server

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Services configuration. The page Services configuration
opens.
3. In the column Name, click on SMTP relay. The wizard SMTP Relay Configuration opens.
4. In the field Outgoing mail server, specify the hostname or IPv4 address of the server of
your choice.
5. In the field Port, you can specify a port number. If you leave the field empty, the default port
25 is used.
6. Tick the box Authentication if the Outgoing mail server authenticates connections. The
fields User and Password appear.
a. In the field User, specify the login of a user.
b. In the field Password, specify the user password.
7. Click on OK to complete the operation.
8. Right now your configuration is pending. In the menu, select Tools > Apply configuration
to save your changes or Tools > Rollback configuration to discard them. The corres-
ponding wizard opens, click on OK to complete the operation. The page refreshes.

You can also change the source email address of the outgoing mails and alerts notifications.
Note that you can only edit the source mail addresses locally.

To change the default source mail

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Services configuration. The page Services configuration
opens.
3. In the column Name, under the line Mail - SMTP, click on Default source mail: <mail-ad-
dress>. The wizard Source mail configuration opens.
4. In the field Default mail, specify the email address of your choice. By default, the address
is [email protected].

119
 Configuring the Services

5. Click on OK to complete the operation.The new address has now replaced the default address
in the list.

To change the alert source mail

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Services configuration. The page Services configuration
opens.
3. In the column Name, under the line Mail - SMTP, click on Alert source mail: <mail-ad-
dress>. The wizard Source mail configuration opens.
4. In the field Alert mail, specify the email address of your choice. By default, the address is
[email protected].
5. Click on OK to complete the operation.The new address has now replaced the default address
in the list.

Changing the HTTPS Certificate

By default during the first boot, a self-signed certificate is generated and used to connect to
SOLIDserver. As it is not signed by a Certificate Authority (CA), it is not trusted by your web
browser and warning messages appear.

To eliminate these warning messages, you can change this certificate and use one that you
created or imported on the page All certificates. For more details, refer to the section Managing
SSL Certificates in the chapter Maintenance.

Before changing the SSL certificate, keep in mind that:

• The SSL certificate is unique to each SOLIDserver appliance.
• You can only change the SSL certificate locally. If you select a remote appliance in the
drop-down list SOLIDserver, the lines HTTP webserver and SSL Certificate are no longer
available.
• Changing the certificate is immediate. After selecting the new certificate, the wizard checks
the validity and configuration of the certificate. If the certificate is valid, it is immediately used.
If the checks fail, the operation is automatically rolled back and the certificate is not changed.
• Your browser must allow pop-up windows as the validity and configuration checks may
open extra windows.

To change the HTTPS certificate

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Services configuration. The page Services configuration
opens.
3. Under the menu, in the drop-down list SOLIDserver, make sure the local appliance is selec-
ted.
4. Under the line HTTP webserver, click on SSL Certificate. The wizard Change the current
SSL certificate opens.
5. In the drop-down list SSL Certificate, select the certificate of your choice. By default, the
certificate Apache SSL Cert Base is available and selected.

120
 Configuring the Services

6. Click on OK to run the validity and configuration checks and complete the operation. During
these checks, a pop-up window may open and detail the checks progression. If it does, you
must accept the certificate to use the new SSL certificate.
If the checks fail, the operation is automatically rolled back and the certificate is not changed.
In this case, you need to import or create a valid certificate and follow this procedure again.

For more details on how to import or create certificates, refer to the section Managing SSL Certi-
ficates in the chapter Maintenance.

Configuring Windows Events Collector

The service Windows Events Collector is dedicated to enabling the communication between
SOLIDserver and AD domain controller(s). Configuring the service is part of the configuration of
the module Identity Manager. Note that:
• Before configuring the service, you must have the SSL certificate and the CA certificate used
on your AD domain controller(s) only saved on your appliance.
• During the configuration, you need to select both certificates to enable the communication.
• Once the service is configured, you must also configure your AD domain controller(s).

For more details, refer to the section Preparing the Module in the chapter Configuring Identity
Manager.

To configure the certificates of Windows Events Collector

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Services configuration. The page Services configuration
opens.
3. Under the menu, in the drop-down list SOLIDserver, make sure the local appliance is selec-
ted.
4. In the column Name, click on Windows Events Collector. The wizard Change the current
SSL certificate opens.
5. In the drop-down list SSL Certificate, select the SSL certificate you imported.You must use
the same SSL certificate within SOLIDserver and your AD domain controller(s). By default,
None is selected.
6. In the drop-down list Certificate Authority, select the CA certificate you imported.You must
use the same CA certificate within SOLIDserver and your AD domain controller(s). By default,
None is selected.
7. Click on OK to complete the operation. The wizard works for a while and closes. The name
of the SSL certificate and CA certificate you selected are listed.

Configuring DNS Guardian

If your license includes DNS Guardian, you can configure the listening network interface(s) and
enable the dedicated service.

Keep in mind that to enable and configure the service DNS Guardian your appliance must have
at least 8 GB of RAM. For more details regarding DNS Guardian, refer to the part Guardian.

Note that if your license includes both DNS Guardian and DNS GSLB, you must configure the
line DNS Guardian / GSLB server as both features rely on the same service.

121
 Configuring the Services

To configure the listening interfaces of DNS Guardian

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Services configuration. The page Services configuration
opens.
3. In the column Name, click on DNS Guardian or DNS Guardian / GSLB server. The wizard
DNS Guardian configuration or DNS Guardian & GSLB server configuration opens.
4. In the list Available interfaces, select the interface of your choice and click on . The inter-
face is moved to the list Selected interfaces.
Each interface is listed <interface-name> (<MAC-address>), whether it is active or not. Only
Intel network interfaces are listed as no other interface card can be configured for the service.
5. Repeat this action for as many interfaces as you need.
To remove an interface from the list Selected interfaces, select it and click on . The inter-
face is moved back to the list Available interfaces.
6. Click on OK to complete the operation. The report opens and closes.
7. In the column Name, look for DNS Guardian or DNS Guardian / GSLB server.
8. In the column Enabled, click on Disabled to enable the service. The wizard opens.
9. Right now your configuration is pending. In the menu, select Tools > Apply configuration
to save your changes or Tools > Rollback configuration to discard them. The corres-
ponding wizard opens, click on OK to complete the operation. The page refreshes.

The DNS must be running as well. Make sure the services DNS Guardian and DNS server
(named) or DNS Guardian and DNS server (unbound) are both enabled and started.

Configuring GSLB Server

If your license includes DNS GSLB, you can configure the listening network interface(s) and enable
the dedicated service.

Keep in mind that to enable and configure the service GSLB server your appliance must have at
least 8 GB of RAM. For more details regarding the configuration of applications with a GSLB
server, refer to the part Application.

Note that if your license includes both DNS Guardian and DNS GSLB, you must configure the
line DNS Guardian / GSLB server as both features rely on the same service.

To configure the listening interfaces of GSLB server

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Services configuration. The page Services configuration
opens.
3. In the column Name, click on GSLB server or DNS Guardian / GSLB server. The wizard
GSLB server configuration or DNS Guardian & GSLB server configuration opens.
4. In the list Available interfaces, select the interface of your choice and click on . The inter-
face is moved to the list Selected interfaces.
Each interface is listed <interface-name> (<MAC-address>), whether it is active or not. Only
Intel network interfaces are listed as no other interface card can be configured for the service.
5. Repeat this action for as many interfaces as you need.

122
 Configuring the Services

To remove an interface from the list Selected interfaces, select it and click on . The inter-
face is moved back to the list Available interfaces.
6. Click on OK to complete the operation. The report opens and closes.
7. In the column Name, look for GSLB server or DNS Guardian / GSLB server.
8. In the column Enabled, click on Disabled to enable the service. The wizard opens.
9. Right now your configuration is pending. In the menu, select Tools > Apply configuration
to save your changes or Tools > Rollback configuration to discard them. The corres-
ponding wizard opens, click on OK to complete the operation. The page refreshes.

The DNS must be running as well. Make sure the services GSLB server and DNS server
(named / nsd / unbound) are both enabled and started.

Configuring the SNMP Server

You can configure the SNMP server to:
• Define the TCP/UDP ports the server listens on.
• Add the v1, v2c and v3 profiles allowed to access SOLIDserver SNMP agent. By default, a
v1/v2c profile already exists with the community string public.
• Set SNMP traps on the server for a network management platform.

On the page Services configuration, the columns Running and Enabled indicate the SNMP
server state. To enable, disable, start or stop the service, refer to the section Handling Services.

Note that SNMPv3 requires a properly configured NTP server. For more details, refer to the
section Configuring NTP Servers.

To configure the SNMP server

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Services configuration. The page Services configuration
opens.
3. In the column Name, click on SNMP server.The wizard SNMP Server Configuration opens.
4. In the fields UDP port and TCP port, specify the number of the port of your choice to enable
the communication with the relevant protocol.
At least one of the fields must be filled in. By default, the UDP port number is 161, you can
use the same number for the TCP port.
5. Click on NEXT . The next page opens.
6. You can add profile(s) on the SNMP server.
Note that by default a profile v1/v2c already exists, it is set with the community string public
and can be deleted.
a. In the drop-down list SNMP version, select v1/v2c or v3, both values are detailed below.
By default, v1/v2c is selected.

Table 7.1. Available SNMP versions

SNMP version Description
v1/v2c SNMPv1 and SNMPv2c are simple request/response protocols. SNMPv2c includes
a bulk-retrieval mechanism and more detailed error message reporting to man-
agement stations.
If you select it, the fields Community and SNMP restriction appear.

123
 Configuring the Services

SNMP version Description

v3 SNMPv3 uses the security features providing secure access to devices.
If you select it, the Authentication fields User, Level, Key, Algorithm and the Privacy
fields Key and Protocol appear.

No matter what you select, the field Access is grayed out and displays Read-only.
b. If you left v1/v2c selected, complete the configuration via the following fields.

Table 7.2. SNMPv1 and SNMPv2c profile configuration parameters

Field Description
Community The community string that would act as a password to access the SNMP agent.
SNMP restriction The source of the SNMP, an IP address, several IP addresses separated by a
space or default.

c. If you selected v3, complete the configuration via the following fields.

Table 7.3. SNMP v3 profile configuration parameters

Field Description
Authentication
User The login used for the authentication. This field is required.
Level The authentication security level, either a noauth, auth or priv. By default, noauth
is selected. This field is required.
Key The authentication passphrase, i.e. password. It must contain at least 8 characters.
This field is optional.
Privacy
Algorithm The authentication algorithm, either MD5 or SHA. By default, MD5 is selected.
This field is optional.
Key A privacy passphrase. If the privacy passphrase is not specified, it is assumed to
be the same as the authentication passphrase. This field is optional.
Protocol The privacy algorithm, either the DES or AES. By default, DES is selected. This
field is optional.

d. When the configuration is complete, click on ADD . The profile is moved to the SNMP
access list.
e. Repeat these actions for as many SNMP profiles as needed.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the
field(s) and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .

7. Click on NEXT . The last page opens.

8. You can set SNMP trap(s) on the server.
a. Configure an SNMP trap using the following fields.

Table 7.4. SNMP trap configuration

Parameter Description
Send Trap v1 Allows to enable an agent to send a trap notifying of any significant event via
SNMP v1. By default, Yes is selected. This field is optional.
Send Trap V2 Allows to enable an agent to send a trap notifying of any significant event via
SNMP v2. By default, Yes is selected. This field is optional.

124
 Configuring the Services

Parameter Description
Sends a trap Inform Allows to enable routers to send inform requests to SNMP managers. By default,
Yes is selected. This field is optional.
Host The IP address of the device that listens to the network and catches the trap.
Port The number of the port on the host used to catch the trap. This field is optional.
Community The community string that would act as a password to access the SNMP agent.

b. When your configuration is complete, click on ADD . The profile is moved to the Trap
list.
c. Repeat these actions for as many traps as needed.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the
field(s) and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .

9. Click on OK to complete the operation.

10. Right now your configuration is pending. In the menu, select Tools > Apply configuration
to save your changes or Tools > Rollback configuration to discard them. The corres-
ponding wizard opens, click on OK to complete the operation. The page refreshes.
In the column Name, each configured SNMP profile is listed under the SNMP server.

Downloading a DNS or DHCP Configuration File

From the page Services configuration you can download the configuration file of your BIND
(named.conf), DHCP (dhcpd.conf), DHCPv6 (dhcpd6.conf), NSD (nsd.conf) or Unbound (un-
bound.conf) servers.

If you are remotely managing other appliances, you can choose to download a local configuration
file or the configuration file of a remote appliance.

To download the BIND, DHCP, DHCPv6, NSD or Unbound configuration file

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Services configuration. The page Services configuration
opens.
3. In the drop-down list SOLIDserver, under the menu, select the appliance for which you want
to download the configuration file.
4. In the menu, select Tools > Download configuration file. The wizard Download con-
figuration file opens.
5. In the drop-down list Configuration file, select BIND, DHCP, DHCP V6, NSD or Unbound.
6. Click on OK to complete the operation. The report opens.
7. Click on DOWNLOAD to save the file on your computer.
8. Click on CLOSE . The configuration file is now available on the page Local files listing, ac-
cessible from the page Admin Home.
If you downloaded a remote appliance configuration file, the file name is followed by the re-
mote appliance IP address as follows: <file-name>@<remote-IP-address> .

125
 Part III. Imports and Exports
SOLIDserver supports many imports and exports methods in almost all the modules.
• Importing Data from a CSV File details how to import or reimport data from a CSV file in the modules
IPAM, DHCP, DNS, NetChange, Device Manager, VLAN Manager and Administration.
• Importing IPAM Data details how to import VitalQIP and Nortel NetID data to the module IPAM.
• Importing DHCP Data details how to import ISC, Alcatel-Lucent VitalQIP, Microsoft, Infoblox, MetaIP and
Nortel NetID configuration files to the module DHCP.
• Importing DNS Data details how to import BIND and VitalQIP zones from an archive file to the module
DNS.
• Exporting Data details how to export data from any module to CSV, HTML, XML, Excel or PDF files.

Note that the IPAM provides raw data export and import, it allows add or edit the database objects in bulk.
For more details, refer to the chapter Managing Raw Data.
Table of Contents
8. Importing Data from a CSV File .................................................................................. 128
The Import Wizard ................................................................................................. 129
Importing Data to the IPAM .................................................................................... 130
Importing Data to the DHCP .................................................................................. 145
Importing Data to the DNS ..................................................................................... 153
Importing Data to NetChange ................................................................................ 157
Importing Data to Device Manager ......................................................................... 159
Importing Data to VLAN Manager ........................................................................... 161
Importing Data to VRF ........................................................................................... 165
Importing Data to SPX ........................................................................................... 167
Importing Data to the Administration Module ........................................................... 171
Managing Import Templates ................................................................................... 174
9. Importing IPAM Data .................................................................................................. 176
Importing a VitalQIP Export ................................................................................... 176
Importing Nortel NetID IP Address Data ................................................................. 177
10. Importing DHCP Data .............................................................................................. 179
Importing an ISC DHCP Configuration .................................................................... 179
Importing an Alcatel-Lucent VitalQIP Configuration .................................................. 180
Importing a Microsoft DHCP Configuration .............................................................. 181
Importing an Infoblox DHCP Configuration .............................................................. 182
Importing a MetaIP DHCP Configuration ................................................................. 183
Importing a Nortel NetID Configuration ................................................................... 184
Aggregating DHCP Options from Ranges or Statics ................................................ 185
11. Importing DNS Data ................................................................................................. 187
Importing DNS Zones from a BIND Archive File ...................................................... 187
Importing DNS Zones from a VitalQIP Archive File .................................................. 188
12. Exporting Data ........................................................................................................ 190
The Export Wizard ................................................................................................ 192
Browsing the Exports Database ............................................................................. 192
Configuring Exports .............................................................................................. 193
Exporting Data to Reimport It Later ........................................................................ 195
Managing Scheduled Exports ................................................................................ 199
Managing Scheduled Exports Configuration Files .................................................... 200
Managing Export Templates ................................................................................... 200

127
Chapter 8. Importing Data from a CSV
File
You can massively import data from CSV formatted files in the modules IPAM, DHCP, DNS,
NetChange, Device Manager, VLAN Manager, VRF, SPX and Administration.

Before importing CSV files, keep in mind that:

• The user importing the data must have the appropriate administrative rights
For instance, importing addresses into a terminal network implies that the user has administrative
rights over said network.
• The resources you import must have a unique name
You can import as many resources as you need as long as they all have a unique name.
• An import is generated one page at a time
If you are importing zones from the page All zones in the DNS, you only import the zones
themselves but not the RRs they contain.
• The object parameters that you can import correspond to the columns of the page
When you import objects, you can import all or some of their properties. That way, for instance,
you can import a zone and specify its view, this allows you to set up your DNS hierarchy more
easily.
• An import can overwrite the existing page data
The last step in the import wizard allows to overwrite, or not, all the existing parameters of the
resource except for its name.
• If the page does not have the menu Import you cannot import data
You can import data from almost any page. In the menu, CSV <data> allows to import CSV
files. The list of pages where you can import data is available in each module-dedicated import
section below.
• Your classes may edit the fields available in the wizard
The import procedure only describes the fields that are displayed by default for each resource.
During each import, the number of fields that might appear or be required depends on the
classes you or your administrator might have configured for each resource.
• Any object parameter value is imported with the Inheritance property forced to Set or
Inherit
This allows to respect the configuration of the Inheritance property of an object parameter:
• It is forced to Set if the parameter is not configured on the parent object or if it has a different
value.
• It forced to Inherit if it is configured on the parent object and has the same value.

To import data in other formats note that you can:

• Import external IPAM organizations, as detailed in the chapter Importing IPAM Data.
• Import external DHCP configuration files, as detailed in the chapter Importing DHCP Data.
• Import external DNS configuration files, as detailed in the chapter Importing DNS Data.
• Import or reimport IPAM objects exported as raw data to update your database in bulk. For
more details, refer to the chapter Managing Raw Data in the part IPAM.

128
 Importing Data from a CSV File

The Import Wizard

During a standard CSV import, the wizard displays a set of pages that you should configure
properly. Once you selected the CSV file you want to import, the page CSV fields association,
opens.

Figure 8.1. The first page of the import wizard

This section allows to specify the CSV import file details. They can be configured and saved
as templates to speed up the checking process. Its fields are detailed in the table CSV file
basic parameters.
This section contains some parameters (columns) that you can include in your import.

The first section of the import wizard is common to all objects and can be configured as follows.

Table 8.1. CSV file basic parameters

Parameter Description
Delimiter The delimiter of the file data, either comma (,), semi-colon (;) or tab. By default, the comma is
selected. This field is optional.
Enclosure The enclosure of the file data, either a single (') or a double quotation mark ("). By default, the
double quotation mark is selected. This field is optional.
Input format The data format, either UTF-16, ASCII or UTF-8. ASCII is selected by default. If your data contains
accents, you should select UTF-8. This field is optional.
Skip first line Allows to avoid importing the columns title (Yes) or to include them (No). By default, Yes is se-
lected. This field is optional.
Template The template use, either None, New template or an existing import template. By default, None
is selected. This field is optional.
Select New template to save your current CSV import configuration as a template. The field
Template name appears. For more details, refer to the section Managing Import Templates.
If you select an existing template, the page refreshes and the box Save template appears.

129
 Importing Data from a CSV File

Parameter Description
Template name The name of your New template. This name is available in the list Template the next time you
import the same resource. This field is required.
Save template Tick this box to save the changes made to an existing Template. This field is optional.

On the next page, Class parameters, there are as many drop-down lists as there are existing
class parameters and advanced properties for the resource you are importing. None of the lists
are required, they allow to import your parameters to the database one by one. Any class para-
meter that does not correspond to a class in the database is not displayed in the GUI once impor-
ted.

Finally, on the last page, CSV import parameters, a few options are available.

Figure 8.2. The consistency check page of the import wizard

The drop-down list Existing records allows to decide if you want to replace or not existing
entries with the data you are importing.
The box Trigger the execution of all advanced properties allows to force the DNS, DHCP
and VLAN advanced property replication behaviors during the import of subnet-type networks,
pools and addresses. For more details, refer to the section Importing Data to the IPAM
The button CHECK performs a data validity check of the content of the CSV file. The last
pages of the wizard provide a Report: a data validity report and an import report.

Importing Data to the IPAM

Within the IPAM module, you can import data on every page.

The table below details where you can import them within the module.

130
 Importing Data from a CSV File

Table 8.2. IPAM pages where you can import CSV files
IPAM page Objects that can be imported Option name in the menu Import
All spaces Spaces CSV spaces
Block-type networks CSV networks (block)
Subnet-type networks CSV networks (subnet)
Pools CSV pools
Addresses CSV addresses
IPv6 block-type networks CSV networks (block v6)
IPv6 subnet-type networks CSV networks (subnet v6)
IPv6 pools CSV pools (v6)
IPv6 addresses CSV addresses (v6)
All networks Block-type networks CSV networks (blocks)
Subnet-type networks CSV networks (subnets)
Pools CSV pools
IP Addresses CSV addresses
All networks (v6) IPv6 block-type networks CSV networks (block v6)
IPv6 subnet-type networks CSV networks (subnet v6)
IPv6 pools CSV pools (v6)
IPv6 addresses CSV addresses (v6)
All pools Pools CSV pools
Addresses CSV addresses
All pools (v6) IPv6 pools CSV pools (v6)
IPv6 addresses CSV addresses (v6)
All addresses Addresses CSV addresses
All addresses (v6) IPv6 addresses CSV addresses (v6)

Before importing, keep in mind that:

• The network, pool and IP address procedures below are based on imports made on the V4
and V6 pages All networks, All pools and All addresses. You can also import these objects
within a specific space, in which case the field Space name is not displayed in the wizard.
• The advanced properties can automate the addition of entries in your database after the import.
If all the advanced properties are activated, importing IPAM data may automatically update
the DHCP, DNS and VLAN Manager databases. If you do not want your import to impact other
modules, edit the Internal module setup before importing IPAM data. For more details, refer
to the chapter Managing Advanced Properties.

To import VitalQIP or Nortel NetID data, refer to the chapter Importing IPAM Data.

To import SPX data, whether RIPE or APNIC, refer to the section Importing Data to SPX

To import or reimport IPAM objects exported as raw data to update your database in bulk, refer
to the chapter Managing Raw Data in the part IPAM.

Importing Spaces
When importing space(s), only the field Name is required. The other parameters are optional
and can be left empty.

131
 Importing Data from a CSV File

To import spaces through a CSV file

1. In the sidebar, go to IPAM > Spaces. The page All spaces opens.
2. In the menu, select Import > CSV spaces. The wizard Import a CSV file opens.
3. Click on BROWSE to select the CSV file to import. The selected file is visible in the field File
name.
4. Click on NEXT . The page CSV fields association opens.
5. Specify the format of the import file using the fields Delimiter, Enclosure, Input format,
Skip the first line and set in as a Template if you want. For more details, refer to the table
CSV file basic parameters.
6. Select the columns of your CSV file you want to import.
Only the field Name is required. All fields are detailed in the table below.

Table 8.3. Space import parameters

Parameter Description
Name The space name. This field is required.
Description The space description. This field is optional.
Parent space The space parent space (VLSM), if relevant. This field is optional.
Class parameters All the class parameters declared in a single line, in URL format. The information you
specify in this drop-down list overwrites any class parameter you may specify on the
page Class parameters. This field is optional.
Class name The space class name. This field is optional.

7. If custom classes are enabled and/or if advanced properties are available, the page Class
parameters opens when you click on NEXT . If you did not specify any class parameter on
the previous page, you can specify one by one the elements to import. Each available drop-
down list is named after a class parameter or advanced property. All the fields are optional.
Note that if you have already specified parameters in the field Class parameters on the
previous page, all the choices made on this page are ignored.
8. Click on NEXT . The page CSV import parameters opens.
9. In the drop-down list Existing records, select either Replace to overwrite the existing records
that have the same name or Don't replace to add the items to the listing. Don't replace is
selected by default.
10. Click on CHECK . The next page opens and displays a report indicating the total amount of
correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 12.
11. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
12. Click on OK to accept the validity check report results.The last page opens.and displays a
report indicating the total number of spaces actually imported.
If you want to download the import report refer to the next step, otherwise go to step 14.
13. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
14. Click on CLOSE to go back to the page All spaces. The spaces are now listed.

Importing Networks
You can import block-type networks or subnet-type networks in IPv4 or IPv6.

132
 Importing Data from a CSV File

Importing IPv4 Block-type Networks

Block-type networks must be imported into a space.

When importing a file containing any type of network, the field First address and one of the fields
specifying the network size are required - Last address, Netmask, Prefix or Size.

To import IPv4 block-type networks through a CSV file

1. In the sidebar, go to IPAM > Networks. The page All networks opens.
2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. In the menu, select Import > CSV networks (blocks). The wizard Import a CSV file
opens.
4. Click on BROWSE to select the CSV file to import. The selected file is visible in the field File
name.
5. Click on NEXT . The page CSV fields association opens.
6. Specify the format of the import file using the fields Delimiter, Enclosure, Input format,
Skip the first line and set in as a Template if you want. For more details, refer to the table
CSV file basic parameters.
7. Select the columns of your CSV file you want to import.
The field First address and any field that indicates the network size (Last address, Netmask,
Prefix or Size) are required. All fields are detailed in the table below.

Table 8.4. Block-type network import parameters

Parameter Description
First address The network first address. This field is required.
Last address
Netmask The drop-down lists that specify the size of the network(s), the number of IP addresses
Prefix being imported. You must fill at least one of them.
Size
Name The network name. This field is optional.
Class parameters All the class parameters declared in a single line, in URL format. The information you
specify in this drop-down list overwrites any class parameter you may specify on the
page Class parameters. This field is optional.
Description The network description. This field is optional.
Class name The network class name. This field is optional.
Space name The name of the space where you want to import the network(s). It can be a space of
the import file or an existing space in in the IPAM. This field is required.

8. If custom classes are enabled and/or if advanced properties are available, the page Class
parameters opens when you click on NEXT . If you did not specify any class parameter on
the previous page, you can specify one by one the elements to import. Each available drop-
down list is named after a class parameter or advanced property. All the fields are optional.
Note that if you have already specified parameters in the field Class parameters on the
previous page, all the choices made on this page are ignored.
9. Click on NEXT . The page CSV import parameters opens.
10. In the drop-down list Existing records, select either Replace to overwrite the existing records
that have the same name or Don't replace to add the items to the listing. Don't replace is
selected by default.

133
 Importing Data from a CSV File

11. Click on CHECK . The next page opens and displays a report indicating the total amount of
correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 13.
12. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
13. Click on OK to accept the validity check report results. The last page opens.and displays a
report indicating the total number of networks actually imported.
If you want to download the import report refer to the next step, otherwise go to step 15.
14. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
15. Click on CLOSE to go back to the page All networks. The networks are now listed.

Importing IPv6 Block-type Networks

Block-type networks must be imported into a space.

When importing a file containing any type of network, the field First address and one of the fields
specifying the network size are required - Last address, Netmask, Prefix or Size.

To import IPv6 block-type networks through a CSV file

1. In the sidebar, go to IPAM > Networks. The page All networks opens.
2. On the right-end side of the menu, make sure the button V6 is black, otherwise click on it.
The page refreshes and the button turns black.
3. In the menu, select Import > CSV networks (block v6). The wizard Import a CSV file
opens.
4. Click on BROWSE to select the CSV file to import. The selected file is visible in the field File
name.
5. Click on NEXT . The page CSV fields association opens.
6. Specify the format of the import file using the fields Delimiter, Enclosure, Input format,
Skip the first line and set in as a Template if you want. For more details, refer to the table
CSV file basic parameters.
7. Select the columns of your CSV file you want to import.
The fields First address, Prefix and Space name are required. All fields are detailed in the
table below.

Table 8.5. IPv6 block-type network import parameters

Parameter Description
First address The first address of the IPv6 network(s). This field is required.
Prefix The network Prefix. This field is required.
Name The network name. This field is optional.
Class name The network class name. This field is optional.
Class parameters All the class parameters declared in a single line, in URL format. The information you
specify in this drop-down list overwrites any class parameter you may specify on the
page Class parameters. This field is optional.
Description The network description. This field is optional.
Space name The name of the space where you want to import the network(s). It can be a space of
the import file or an existing space in in the IPAM. This field is required.

134
 Importing Data from a CSV File

8. If custom classes are enabled and/or if advanced properties are available, the page Class
parameters opens when you click on NEXT . If you did not specify any class parameter on
the previous page, you can specify one by one the elements to import. Each available drop-
down list is named after a class parameter or advanced property. All the fields are optional.
Note that if you have already specified parameters in the field Class parameters on the
previous page, all the choices made on this page are ignored.
9. Click on NEXT . The page CSV import parameters opens.
10. In the drop-down list Existing records, select either Replace to overwrite the existing records
that have the same name or Don't replace to add the items to the listing. Don't replace is
selected by default.
11. Click on CHECK . The next page opens and displays a report indicating the total amount of
correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 13.
12. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
13. Click on OK to accept the validity check report results. The last page opens.and displays a
report indicating the total number of networks actually imported.
If you want to download the import report refer to the next step, otherwise go to step 15.
14. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
15. Click on CLOSE to go back to the list All networks. The networks are now listed.

Subnet-type Networks Import Specificities

Several options and fields are only available for the import of subnet-type networks.
Use best space
This option is available in the drop-down list Space name, if you import IPv4 subnet-type
networks on the page All networks (rather than within a specific space or block-type network).
It allows to import the networks into the space containing the smallest network able to receive
them.
Note that importing subnet-type networks into a space containing no matching block-type
network places them in a container Orphan Networks. Later on, you can add a block-type
network large enough to contain them. For more details, refer to the chapter Adding Networks.
VLSM space name
This option allows to import subnet-type networks in a specific level of a space-based VLSM
organization. Note that to import subnet-type networks in a VLSM configuration:
• To import subnet-type networks in a space and replicate them as block-type networks in
one of its sub-spaces, in the drop-down list Space name, select the parent space and in
the field VLSM space name, select the sub-space.
• You cannot select the option Use best space in drop-down list Space name.
• You cannot specify a VLSM space name and tick the box Imbricated networks in one import.
If you do, the VLSM space name prevails and the option Imbricated networks is ignored.
You can configure them in two separate imports if you need them both in your network
configuration.
Imbricated networks
This box allows to import a network-based VLSM organization. Tick it to import non-terminal
subnet-type networks and all the terminal and non-terminal networks they contain.

135
 Importing Data from a CSV File

Note that you cannot tick the box and specify a VLSM space name in one import. If you do,
the VLSM space name prevails and the option Imbricated networks is ignored. You can
configure them in two separate imports if you need them both in your network configuration.
If you want to import an organization without ticking the box, the subnet-type networks are
imported in a container Orphan Networks in the order saved in the CSV file. The first are
imported, the rest is considered overlap and is not imported.
If you import an organization and tick the box, the receiving container shapes the import be-
havior:
• If the selected Space name does not contain any block-type network to receive it, the first
non-terminal subnet-type network becomes a block-type network.
• If the selected Space name contains block-type networks:
• If an existing block-type network is bigger than the first non-terminal subnet-type network,
the whole hierarchy is added within the block-type network if there is enough space
available. Otherwise, only the subnet-type networks that fit in the block-type network are
imported.
• If an existing block-type network is the same size as the first non-terminal subnet-type
network, the first non-terminal subnet-type network is ignored. The subnet-type networks
it contains are imported in the block-type network if it can receive them. Otherwise, only
the subnet-type networks that fit in the block-type network are imported.

Importing IPv4 Subnet-type Networks

Subnet-type networks can be imported into a block-type network or directly into a space.

When importing a file containing any type of network, the field First address and one of the fields
specifying the network size are required - Last address, Netmask, Prefix or Size.

If you import IPv4 subnet-type networks on the page All networks (rather than within a specific
space or block-type network), the option Use best space is available in the drop-down list Space
name. It allows to put the content of the CSV file into the space containing the smallest block-
type network able to receive the subnet-type network(s). Other options are detailed in the section
Subnet-type Networks Import Specificities.

To import IPv4 subnet-type networks through a CSV file

1. In the sidebar, go to IPAM > Networks. The page All networks opens.
2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. In the menu, select Import > CSV networks (subnet). The wizard Import a CSV file
opens.
4. Click on BROWSE to select the CSV file to import. The selected file is visible in the field File
name.
5. Click on NEXT . The page CSV fields association opens.
6. Specify the format of the import file using the fields Delimiter, Enclosure, Input format,
Skip the first line and set in as a Template if you want. For more details, refer to the table
CSV file basic parameters.
7. Select the columns of your CSV file you want to import.
The fields Address, Name, Space name and one field specifying the network size (Netmask,
Prefix or Size) are required. All fields are detailed in the table below.

136
 Importing Data from a CSV File

Table 8.6. IPv4 subnet-type network import parameters

Parameter Description
Address The network start address. This field is required.
Netmask
The drop-down lists that specify the size of the network(s), the number of IP addresses
Prefix
being imported. You must fill at least one of them.
Size
Name The network name. This field is required.
Network is terminal The VLSM status of the network(s), terminal or non-terminal. This field is optional.
By default, if you import a network hierarchy, the last imbricated network is considered
terminal even if it is not. You can select the column Terminal to ensure that the net-
works remain terminal, or non-terminal, during the import. This parameter is only taken
into account if its value is 0 or 1.
Note that if you tick the box Imbricated networks, you must leave this field empty.
Class parameters All the class parameters declared in a single line, in URL format. The information you
specify in this drop-down list overwrites any class parameter you may specify on the
page Class parameters. This field is optional.
Space name The name of the space where you want to import the network(s). It can be a space of
the import file, an existing space in the IPAM or the option Use best space. This field
is required.
Use best space: Allows to import the subnet-type network(s) in the IPAM space
providing the smallest networks able to receive it.
Note that you cannot select this option if you want to specify a VLSM space name.
VLSM space name If you set up a space-based VLSM organization, select the sub space that uses the
subnet-type network you are importing as a block-type network. This field is optional.
Note that if you tick the box Imbricated networks or select the option Use best space
in the drop-down list Space name, you must leave this field empty.
Class name The network class name. This field is optional.
Imbricated networks Tick this box if you want to import a hierarchy of non-terminal and terminal subnet-
type networks.
Note that if you tick this box, you should leave blank the fields Network is terminal
and VLSM space name.

8. If custom classes are enabled and/or if advanced properties are available, the page Class
parameters opens when you click on NEXT . If you did not specify any class parameter on
the previous page, you can specify one by one the elements to import. Each available drop-
down list is named after a class parameter or advanced property. All the fields are optional.
Note that if you have already specified parameters in the field Class parameters on the
previous page, all the choices made on this page are ignored.
9. Click on NEXT . The page CSV import parameters opens:
a. In the drop-down list Existing records, select either Replace to overwrite the existing
records that have the same name or Don't replace to add the items to the listing. Don't
replace is selected by default.
b. Tick the box Trigger the execution of all advanced properties if you want to force
the advanced property mechanisms during the import. These mechanisms depend on
the configuration set on the page Class parameters and/or on the properties inherited
from higher level(s), they can include properties impacting the IPAM, DNS, DHCP and
VLAN Manager. For more details, refer to the section Network Advanced Properties.
After the import, you can still trigger the execution of the configured mechanisms. Tick
the subnet-type networks of your choice and in the menu select Tools > Expert >
Initialize rules. This operation also triggers the replication on the objects they contain.

137
 Importing Data from a CSV File

10. Click on CHECK . The next page opens and displays a report indicating the total amount of
correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 12.
11. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
12. Click on OK to accept the validity check report results. The last page opens.and displays a
report indicating the total number of networks actually imported.
If you want to download that import report refer to the next step, otherwise go to step 14.
13. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
14. Click on CLOSE to go back to the page All networks. The networks are now listed.

Importing IPv6 Subnet-type Networks

Subnet-type networks can be imported into a block-type network or directly into a space.

When importing a file containing any type of network, the field First address and one of the fields
specifying the network size are required - Last address, Netmask, Prefix or Size.

Note that in IPv6, the option Use best space is not available in the drop-down list Space name.
Available options are detailed in the section Subnet-type Networks Import Specificities.

To import IPv6 subnet-type networks through a CSV file

1. In the sidebar, go to IPAM > Networks. The page All networks opens.
2. On the right-end side of the menu, make sure the button V6 is black, otherwise click on it.
The page refreshes and the button turns black.
3. In the menu, select Import > CSV networks (subnet v6). The wizard Import a CSV
file opens.
4. Click on BROWSE to select the CSV file to import. The selected file is visible in the field File
name.
5. Click on NEXT . The page CSV fields association opens.
6. Specify the format of the import file using the fields Delimiter, Enclosure, Input format,
Skip the first line and set in as a Template if you want. For more details, refer to the table
CSV file basic parameters.
7. Select the columns of your CSV file you want to import.
The fields Address, Prefix, Name and Space name are required. All fields are detailed in
the table below.

Table 8.7. IPv6 subnet-type network import parameters

Parameter Description
Address The network start address. This field is required.
Prefix The size of the network(s), the number of IP addresses being imported. This field is
required.
Name The network name. This field is required.
Network is terminal The VLSM status of the network(s), terminal or non-terminal. This field is optional.
By default, if you import a network hierarchy, the last imbricated network is considered
terminal even if it is not. You can select the column Terminal to ensure that the net-
works remain terminal, or non-terminal, during the import. This parameter is only taken
into account if its value is 0 or 1.
Note that if you tick the box Imbricated networks, you must leave this field empty.

138
 Importing Data from a CSV File

Parameter Description
Class parameters All the class parameters declared in a single line, in URL format. The information you
specify in this drop-down list overwrites any class parameter you may specify on the
page Class parameters. This field is optional.
VLSM space name If you set up a space-based VLSM organization, select the sub space that uses the
subnet-type network you are importing as a block-type network. This field is optional.
Note that if you tick the box Imbricated networks, you must leave this field empty.
Space name The name of the space where you want to import the network(s). It can be a space of
the import file or an existing space in in the IPAM. This field is required.
Class name The network class name. This field is optional.
Imbricated networks Tick this box if you want to import a hierarchy of non-terminal and terminal subnet-
type networks. Note that if you tick this box, you should leave blank the fields Network
is terminal and VLSM space name.

8. If custom classes are enabled and/or if advanced properties are available, the page Class
parameters opens when you click on NEXT . If you did not specify any class parameter on
the previous page, you can specify one by one the elements to import. Each available drop-
down list is named after a class parameter or advanced property. All the fields are optional.
Note that if you have already specified parameters in the field Class parameters on the
previous page, all the choices made on this page are ignored.
9. Click on NEXT . The page CSV import parameters opens:
a. In the drop-down list Existing records, select either Replace to overwrite the existing
records that have the same name or Don't replace to add the items to the listing. Don't
replace is selected by default.
b. Tick the box Trigger the execution of all advanced properties if you want to force
the advanced property mechanisms during the import. These mechanisms depend on
the configuration set on the page Class parameters and/or on the properties inherited
from higher level(s), they can include properties impacting the IPAM, DNS, DHCP and
VLAN Manager. For more details, refer to the section Network Advanced Properties.
After the import, you can still trigger the execution of the configured mechanisms. Tick
the subnet-type networks of your choice and in the menu select Tools > Expert >
Initialize rules. This operation also triggers the replication on the objects they contain.
10. Click on CHECK . The next page opens and displays a report indicating the total amount of
correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 12.
11. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
12. Click on OK to accept the validity check report results. The last page opens.and displays a
report indicating the total number of networks actually imported.
If you want to download the import report refer to the next step, otherwise go to step 14.
13. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
14. Click on CLOSE to go back to the page All networks. The networks are now listed.

Importing Pools
Before importing pools keep in mind that you cannot import pools in an empty space, you
must specify a space containing terminal networks that can receive them.

139
 Importing Data from a CSV File

Importing IPv4 Pools

When importing IPv4 pools, the fields First address, Last address, Name and Space name
are required.

If you import IPv4 pools on the page All networks (rather than within a specific space or block-
type network), the option Use best space is available in the drop-down list Space name. It allows
to put the content of the CSV file into the space containing the smallest network able to receive
the pool(s).

To import IPv4 pools through a CSV file

1. In the sidebar, go to IPAM > Pools. The page All pools opens.
2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. In the menu, select Import > CSV pools. The wizard Import a CSV file opens.
4. Click on BROWSE to select the CSV file to import. The selected file is visible in the field File
name.
5. Click on NEXT . The page CSV fields association opens.
6. Specify the format of the import file using the fields Delimiter, Enclosure, Input format,
Skip the first line and set in as a Template if you want. For more details, refer to the table
CSV file basic parameters.
7. Select the columns of your CSV file you want to import.
The fields First address, Name, Space name and one of fields specifying the pool size
(Last address or Size) are required. All fields are detailed in the table below.

Table 8.8. IPv4 pool import parameters

Parameter Description
First address The pool first address. This field is required.
Last address Allows to specify the size of the pool(s) or the number of IP addresses being imported.
Size At least one of the fields is required.
Name The pool name. This field is required.
Read-only The pool reservation status. This field is optional.
Class name The pool class name. This field is optional.
Space name The name of the space where you want to import the pool(s). It can be a space of the
import file, an existing space in the IPAM or the option Use best space. This field is
required.
Use best space: Allows to import the pool in the IPAM space providing the smallest
network able to receive it.

8. If custom classes are enabled and/or if advanced properties are available, the page Class
parameters opens when you click on NEXT . Each available drop-down list is named after a
class parameter or advanced property. All the fields are optional.
9. Click on NEXT . The page CSV import parameters opens:
a. In the drop-down list Existing records, select either Replace to overwrite the existing
records that have the same name or Don't replace to add the items to the listing. Don't
replace is selected by default.
b. Tick the box Trigger the execution of all advanced properties if you want to force
the advanced property mechanisms during the import. These mechanisms depend on
the configuration set on the page Class parameters and/or on the properties inherited

140
 Importing Data from a CSV File

from higher level(s), they can include the IPAM to DHCP replication. For more details,
refer to the section Pool Advanced Properties.
After the import, you can still trigger the execution of the configured mechanisms. Tick
the pools of your choice and in the menu select Tools > Expert > Initialize rules.
This operation also triggers the replication on the IP addresses they contain.
10. Click on CHECK . The next page opens and displays a report indicating the total amount of
correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 12.
11. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
12. Click on OK to accept the validity check report results. The The last page opens.and displays
a report indicating the total number of pools actually imported.
If you want to download the import report refer to the next step, otherwise go to step 14.
13. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
14. Click on CLOSE to go back to the page All pools. The pools are now listed.

Importing IPv6 Pools

When importing IPv6 pools, the fields First address, Last address, Name and Space name
are required.

Note that in IPv6, the option Use best space is not available in the drop-down list Space name.

To import IPv6 pools through a CSV file

1. In the sidebar, go to IPAM > Pools. The page All pools opens.
2. On the right-end side of the menu, make sure the button V6 is black, otherwise click on it.
The page refreshes and the button turns black.
3. In the menu, select Import > CSV pools (v6). The wizard Import a CSV file opens.
4. Click on BROWSE to select the CSV file to import. The selected file is visible in the field File
name.
5. Click on NEXT . The page CSV fields association opens.
6. Specify the format of the import file using the fields Delimiter, Enclosure, Input format,
Skip the first line and set in as a Template if you want. For more details, refer to the table
CSV file basic parameters.
7. Select the columns of your CSV file you want to import.
The fields First address, Last address, Name and Space name are required. All fields are
detailed in the table below.

Table 8.9. IPv6 pool import parameters

Parameter Description
First address The pool first address. This field is required.
Last address The drop-down lists that specifies the number of IP addresses being imported. This
field is required.
Name The pool name. This field is required.
Read-only The pool reservation status. This field is optional.
Class name The pool class name. This field is optional.

141
 Importing Data from a CSV File

Parameter Description
Space name The name of the space where you want import the pool(s). It can be a space of the
import file or an existing space in the IPAM. This field is required.

8. If custom classes are enabled and/or if advanced properties are available, the page Class
parameters opens when you click on NEXT . Each available drop-down list is named after a
class parameter or advanced property. All the fields are optional.
9. Click on NEXT . The page CSV import parameters opens:
a. In the drop-down list Existing records, select either Replace to overwrite the existing
records that have the same name or Don't replace to add the items to the listing. Don't
replace is selected by default.
b. Tick the box Trigger the execution of all advanced properties if you want to force
the advanced property mechanisms during the import. These mechanisms depend on
the configuration set on the page Class parameters and/or on the properties inherited
from higher level(s), they can include the IPAM to DHCP replication. For more details,
refer to the section Pool Advanced Properties.
After the import, you can still trigger the execution of the configured mechanisms. Tick
the pools of your choice and in the menu select Tools > Expert > Initialize rules.
This operation also triggers the replication on the IP addresses they contain.
10. Click on CHECK . The The next page opens and displays a report indicating the total amount
of correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 12.
11. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
12. Click on OK to accept the validity check report results. The The last page opens.and displays
a report indicating the total number of pools actually imported.
If you want to download the import report refer to the next step, otherwise go to step 14.
13. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
14. Click on CLOSE to go back to the page All pools. The pools are now listed.

Importing IP Addresses
Keep in mind that you can import addresses in an empty space, they are saved in a container
Orphan Addresses.

Importing IPv4 Addresses

When importing a file containing IPv4 address(s), the fields IP address, Name and Space name
are required.

To import IPv4 addresses through a CSV file

1. In the sidebar, go to IPAM > Addresses. The page All addresses opens.
2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. In the menu, select Import > CSV addresses. The wizard Import a CSV file opens.
4. Click on BROWSE to select the CSV file to import. The selected file is visible in the field File
name.
5. Click on NEXT . The page CSV fields association opens.

142
 Importing Data from a CSV File

6. Specify the format of the import file using the fields Delimiter, Enclosure, Input format,
Skip the first line and set in as a Template if you want. For more details, refer to the table
CSV file basic parameters.
7. Select the columns of your CSV file you want to import.
The fields IP address, Name and Space name are required. All fields are detailed in the
table below.

Table 8.10. IPv4 address import parameters

Parameter Description
IP address The IP address. This field is required.
Name The IP address name. This field is required.
MAC address The IP address MAC address. This field is optional.
Alias The alias associated with the IP address(es). This field is optional.
Class parameters All the class parameters declared in a single line, in URL format. The information you
specify in this drop-down list overwrites any class parameter you may specify on the
page Class parameters. This field is optional.
Space name The name of the space where you want to import the address(es). It can be a space
of the import file, an existing space in the IPAM or the option Use best space. This
field is required.
To import IP addresses in a container Orphan Addresses, import them from the page
All networks or All pools of a specific space.
Use best space: Allows to import the address(es) in the IPAM space providing the
smallest network able to receive it.
Class name The class name of the IP address(es) you are importing.

8. If custom classes are enabled and/or if advanced properties are available, the page Class
parameters opens when you click on NEXT . If you did not specify any class parameter on
the previous page, you can specify one by one the elements to import. Each available drop-
down list is named after a class parameter or advanced property. All the fields are optional.
Note that if you have already specified parameters in the field Class parameters on the
previous page, all the choices made on this page are ignored.
9. Click on NEXT . The page CSV import parameters opens:
a. In the drop-down list Existing records, select either Replace to overwrite the existing
records that have the same name or Don't replace to add the items to the listing. Don't
replace is selected by default.
b. Tick the box Trigger the execution of all advanced properties if you want to force
the advanced property mechanisms during the import. These mechanisms depend on
the configuration set on the page Class parameters and/or on the properties inherited
from higher level(s), they can include properties impacting the IPAM, DNS, DHCP and
Device Manager. For more details, refer to the section IP Address Advanced Properties.
After the import, you can still trigger the execution of the configured mechanisms. Tick
the IP addresses of your choice and in the menu select Tools > Expert > Initialize
rules.
10. Click on CHECK . The next page opens and displays a report indicating the total amount of
correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 12.
11. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
12. Click on OK to accept the validity check report results. The last page opens.and displays a
report indicating the total number of addresses actually imported.

143
 Importing Data from a CSV File

If you want to download the import report refer to the next step, otherwise go to step 14.
13. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
14. Click on CLOSE to go back to the page All addresses. The IP addresses are now listed.

Importing IPv6 Addresses

When importing a file containing IPv6 address(s), the fields IP address, Name and Space name
are required.

To import IPv6 addresses through a CSV file

1. In the sidebar, go to IPAM > Addresses. The page All addresses opens.
2. On the right-end side of the menu, make sure the button V6 is black, otherwise click on it.
The page refreshes and the button turns black.
3. In the menu, select Import > CSV addresses (v6).The wizard Import a CSV file opens.
4. Click on BROWSE to select the CSV file to import. The selected file is visible in the field File
name.
5. Click on NEXT . The page CSV fields association opens.
6. Specify the format of the import file using the fields Delimiter, Enclosure, Input format,
Skip the first line and set in as a Template if you want. For more details, refer to the table
CSV file basic parameters.
7. Select the columns of your CSV file you want to import.
The fields IP address, Name and Space name are required. All fields are detailed in the
table below.

Table 8.11. IPv6 address import parameters

Parameter Description
IP address The IP address. This field is required.
Name The IP address name. This field is required.
MAC address The IP address MAC address. This field is optional.
Class name The IP address class name. This field is optional.
Class parameters All the class parameters declared in a single line, in URL format. The information you
specify in this drop-down list overwrites any class parameter you may specify on the
page Class parameters. This field is optional.
Space name The name of the space where you want to import the address(es). It can be a space
of the import file or an existing space in the IPAM. This field is required.

8. If custom classes are enabled and/or if advanced properties are available, the page Class
parameters opens when you click on NEXT . If you did not specify any class parameter on
the previous page, you can specify one by one the elements to import. Each available drop-
down list is named after a class parameter or advanced property. All the fields are optional.
Note that if you have already specified parameters in the field Class parameters on the
previous page, all the choices made on this page are ignored.
9. Click on NEXT . The page CSV import parameters opens:
a. In the drop-down list Existing records, select either Replace to overwrite the existing
records that have the same name or Don't replace to add the items to the listing. Don't
replace is selected by default.
b. Tick the box Trigger the execution of all advanced properties if you want to force
the advanced property mechanisms during the import. These mechanisms depend on

144
 Importing Data from a CSV File

the configuration set on the page Class parameters and/or on the properties inherited
from higher level(s), they can include properties impacting the IPAM, DNS, DHCP and
Device Manager. For more details, refer to the section IP Address Advanced Properties.
After the import, you can still trigger the execution of the configured mechanisms. Tick
the IP addresses of your choice and in the menu select Tools > Expert > Initialize
rules.
10. Click on CHECK . The next page opens and displays a report indicating the total amount of
correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 12.
11. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
12. Click on OK to accept the validity check report results. The last page opens.and displays a
report indicating the total number of addresses actually imported.
If you want to download the import report refer to the next step, otherwise go to step 14.
13. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
14. Click on CLOSE to go back to the page All addresses. The IP addresses are now listed.

Importing Data to the DHCP

Within the DHCP module, you can import data on the scopes, ranges and statics pages in IPv4
and IPv6. The table below details where you can import them within the module.

Table 8.12. DHCP pages where you can import CSV files
DHCP page Objects that can be imported Option name in the menu Import
All scopes Scopes CSV scopes
Ranges CSV ranges
Statics CSV statics
All scopes (v6) IPv6 scopes CSV scopes (v6)
IPv6 ranges CSV ranges (v6)
IPv6 statics CSV statics (v6)
All ranges Ranges CSV ranges
All ranges (v6) IPv6 ranges CSV ranges (v6)
All statics Statics CSV statics
All statics (v6) IPv6 statics CSV statics (v6)

Before importing, keep in mind that:

• The scope, range and static procedures below are based on imports made on the V4 and V6
pages All scopes, All ranges and All statics. You can also import these objects within a
specific server, in which case the field DHCP server or DHCP server (v6) is not displayed in
the wizard.
• The advanced properties can automate the addition of entries in your database after the import.
If all the advanced properties are activated, importing DHCP data may automatically update
the IPAM and DNS databases. If you do not want your import to impact other modules, edit
the Internal module setup before importing DHCP data. For more details, refer to the chapter
Managing Advanced Properties.

145
 Importing Data from a CSV File

To import an ISC, Alcatel-Lucent VitalQIP, Microsoft, Infoblox, MetaIP or Nortel NetID configuration,
refer to the chapter Importing DHCP Data.

Importing Scopes
You can import several scopes coming from different DHCP configurations into the same server.
If you plan on importing scopes into different servers, make sure that your CSV file contains a
column dedicated to the server name.

Importing IPv4 Scopes

When importing a file containing IPv4 scope(s), the fields Start address, DHCP server and one
of the fields specifying the scope size are required - End address or Size.

To import IPv4 scopes through a CSV file

1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. Click on the Name of the DHCP server or smart architecture of your choice. The page All
scopes of the server opens.
3. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
4. In the menu, select Import > CSV scopes. The wizard Import a CSV file opens.
5. Click on BROWSE to select the CSV file to import. The selected file is visible in the field File
name.
6. Click on NEXT . The page CSV fields association opens.
7. Specify the format of the import file using the fields Delimiter, Enclosure, Input format,
Skip the first line and set in as a Template if you want. For more details, refer to the table
CSV file basic parameters.
8. Select the columns of your CSV file you want to import.
The fields Address, DHCP server and one field specifying the scope size (Prefix, Netmask
or Size) are required. All fields are detailed in the table below.

Table 8.13. DHCP scope import parameters

Parameter Description
Name The scope name. This field is optional.
Address The scope first address. This field is required.
Prefix
The drop-down lists that specify the size of the scope(s), the number of IP addresses
Netmask
being imported. You must fill at least one of them.
Size
Scope space The scope space in the IPAM. This field is optional.
Shared network The scope shared network. This field is optional.
Failover The scope failover. This field is optional.
Class name The scope class name. This field is optional.
Class parameters All the class parameters declared in a single line, in URL format. The information you
specify in this drop-down list overwrites any class parameter you may specify on the
page Class parameters. This field is optional.
DHCP server The name of the server where you want to import the scope. At the bottom of the list
of columns of the CSV file, the existing servers are also listed, select the server where
you want to import the scope(s). This field is required.

146
 Importing Data from a CSV File

9. If custom classes are enabled and/or if advanced properties are available, the page Class
parameters opens when you click on NEXT . If you did not specify any class parameter on
the previous page, you can specify one by one the elements to import. Each available drop-
down list is named after a class parameter or advanced property. All the fields are optional.
Note that if you have already specified parameters in the field Class parameters on the
previous page, all the choices made on this page are ignored.
10. Click on NEXT . The page DHCP options opens. All the fields are optional, choose the data
you want to import. For more details, refer to the chapter Managing DHCP Options.
11. Click on NEXT . The page CSV import parameters opens.
12. In the drop-down list Existing records, select either Replace to overwrite the existing records
that have the same name or Don't replace to add the items to the listing. Don't replace is
selected by default.
13. Click on CHECK . The next page opens and displays a report indicating the total amount of
correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 15.
14. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
15. Click on OK to accept the validity check report results. The last page opens.and displays a
report indicating the total number of scopes actually imported.
If you want to download the import report refer to the next step, otherwise go to step 17.
16. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
17. Click on CLOSE to go back to the page All scopes. The scopes are now listed.

Importing IPv6 Scopes

When importing a file containing IPv4 scope(s), the fields Start address, DHCP server (v6) and
one of the fields specifying the scope size are required - End address or Size.

To import IPv6 scopes through a CSV file

1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. Click on the Name of the DHCP server or smart architecture of your choice. The page All
scopes of the server opens.
3. On the right-end side of the menu, make sure the button V6 is black, otherwise click on it.
The page refreshes and the button turns black.
4. In the menu, select Import > CSV scopes (v6). The wizard Import a CSV file opens.
5. Click on BROWSE to select the CSV file to import. The selected file is visible in the field File
name.
6. Click on NEXT . The page CSV fields association opens.
7. Specify the format of the import file using the fields Delimiter, Enclosure, Input format,
Skip the first line and set in as a Template if you want. For more details, refer to the table
CSV file basic parameters.
8. Select the columns of your CSV file you want to import.
The fields Start address, DHCP server (v6), any field specifying the scope size (End ad-
dress or Prefix) are required. All fields are detailed in the table below.

147
 Importing Data from a CSV File

Table 8.14. DHCPv6 scope import parameters

Parameter Description
Name The scope name. This field is optional.
Start address The scope start address. This field is required.
End address The drop-down lists that specify the size of the scope(s), the number of IP addresses
Prefix being imported. You must fill at least one of them.
Scope space The scope space in the IPAM. This field is optional.
Class name The scope class name. This field is optional.
Class parameters All the class parameters declared in a single line, in URL format. The information you
specify in this drop-down list overwrites any class parameter you may specify on the
page Class parameters. This field is optional.
DHCP server (v6) The name of the server where you want to import the scope. At the bottom of the list
of columns of the CSV file, the existing servers are also listed, select the server where
you want to import the scope(s). This field is required.

9. If custom classes are enabled and/or if advanced properties are available, the page Class
parameters opens when you click on NEXT . If you did not specify any class parameter on
the previous page, you can specify one by one the elements to import. Each available drop-
down list is named after a class parameter or advanced property. All the fields are optional.
Note that if you have already specified parameters in the field Class parameters on the
previous page, all the choices made on this page are ignored.
10. Click on NEXT . The page DHCP options opens. All the fields are optional, choose the data
you want to import. For more details, refer to the chapter Managing DHCP Options.
11. Click on NEXT . The page CSV import parameters opens.
12. In the drop-down list Existing records, select either Replace to overwrite the existing records
that have the same name or Don't replace to add the items to the listing. Don't replace is
selected by default.
13. Click on CHECK . The next page opens and displays a report indicating the total amount of
correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 15.
14. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
15. Click on OK to accept the validity check report results. The last page opens.and displays a
report indicating the total number of scopes actually imported.
If you want to download the import report refer to the next step, otherwise go to step 17.
16. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
17. Click on CLOSE to go back to the page All scopes. The scopes are now listed.

Importing Ranges
From the page All ranges, you can import IPv4 and IPv6 ranges. These ranges must be imported
within an existing scope.

Importing IPv4 Ranges

When importing a file containing IPv4 range(s), the fields Start address, DHCP server and one
of the fields specifying the scope size are required - End address or Size.

148
 Importing Data from a CSV File

To import IPv4 ranges through a CSV file

1. In the sidebar, go to DHCP > Ranges. The page ll ranges opens.
2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. In the menu, select Import > CSV ranges. The wizard Import a CSV file opens.
4. Click on BROWSE to select the CSV file to import. The selected file is visible in the field File
name.
5. Click on NEXT . The page CSV fields association opens.
6. Specify the format of the import file using the fields Delimiter, Enclosure, Input format,
Skip the first line and set in as a Template if you want. For more details, refer to the table
CSV file basic parameters.
7. Select the columns of your CSV file you want to import.
The fields Start address, DHCP server and any field specifying the range size (End address
or Size) are required. All fields are detailed in the table below.

Table 8.15. DHCP range import parameters

Parameter Description
Start address The range(s) start address. This field is required.
End address The drop-down lists that specify the size of the range(s), the number of IP addresses
Size being imported. You must fill at least one of them.
Failover channel The range failover channel. This field is optional.
ACL The range ACL. This field is optional.
Class name The range class name. This field is optional.
Class parameters All the class parameters declared in a single line, in URL format. The information you
specify in this drop-down list overwrites any class parameter you may specify on the
page Class parameters. This field is optional.
DHCP server The name of the server where you want to import the range. At the bottom of the list
of columns of the CSV file, the existing servers are also listed, select the server where
you want to import the range(s). This field is required.

8. If custom classes are enabled and/or if advanced properties are available, the page Class
parameters opens when you click on NEXT . If you did not specify any class parameter on
the previous page, you can specify one by one the elements to import. Each available drop-
down list is named after a class parameter or advanced property. All the fields are optional.
Note that if you have already specified parameters in the field Class parameters on the
previous page, all the choices made on this page are ignored.
9. Click on NEXT . The page DHCP options opens. All the fields are optional, choose the data
you want to import. For more details, refer to the chapter Managing DHCP Options.
10. Click on NEXT . The page CSV import parameters opens.
11. In the drop-down list Existing records, select either Replace to overwrite the existing records
that have the same name or Don't replace to add the items to the listing. Don't replace is
selected by default.
12. Click on CHECK . The next page opens and displays a report indicating the total amount of
correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 14.
13. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.

149
 Importing Data from a CSV File

14. Click on OK to accept the validity check report results. The last page opens.and displays a
report indicating the total number of ranges actually imported.
If you want to download the import report refer to the next step, otherwise go to step 16.
15. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
16. Click on CLOSE to go back to the page All ranges. The ranges are now listed.

Importing IPv6 Ranges

Note that there are no DHCP options for DHCPv6 ranges, so you cannot import them.

When importing a file containing IPv6 range(s), the fields Start address, End address and DHCP
server (v6) are required.

To import IPv6 ranges through a CSV file

1. In the sidebar, go to DHCP > Ranges. The page All ranges opens.
2. On the right-end side of the menu, make sure the button V6 is black, otherwise click on it.
The page refreshes and the button turns black.
3. In the menu, select Import > CSV ranges (v6). The wizard Import a CSV file opens.
4. Click on BROWSE to select the CSV file to import. The selected file is visible in the field File
name.
5. Click on NEXT . The page CSV fields association opens.
6. Specify the format of the import file using the fields Delimiter, Enclosure, Input format,
Skip the first line and set in as a Template if you want. For more details, refer to the table
CSV file basic parameters.
7. Select the columns of your CSV file you want to import.
The field Start address, End address and DHCP6 server are required. All fields are detailed
in the table below.

Table 8.16. DHCPv6 range import parameters

Parameter Description
Start address The range start address. This field is required.
End address The range last address. This field is required.
Class name The range class name. This field is optional.
Class parameters All the class parameters declared in a single line, in URL format. The information you
specify in this drop-down list overwrites any class parameter you may specify on the
page Class parameters. This field is optional.
DHCP6 server (v6) The name of the server where you want to import the range. At the bottom of the list
of columns of the CSV file, the existing servers are also listed, select the server where
you want to import the range(s). This field is required.

8. Click on NEXT . The page CSV import parameters opens.

9. In the drop-down list Existing records, select either Replace to overwrite the existing records
that have the same name or Don't replace to add the items to the listing. Don't replace is
selected by default.
10. Click on CHECK . The page Check the validity of the CSV file opens and displays a report
indicating the total amount of correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 12.

150
 Importing Data from a CSV File

11. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
12. Click on OK to accept the validity check report results. The page Import data from a CSV
file opens and displays a report indicating the total number of ranges actually imported.
If you want to download the import report refer to the next step, otherwise go to step 14.
13. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
14. Click on CLOSE to go back to the page All ranges. The ranges are now listed.

Importing Statics
From the page All statics, you can import IPv4 and IPv6 static reservations. These statics can
be imported in a DHCP server or group.

If you are importing statics with IP address in a DHCP server, keep in mind that they are managed
like leases by the server. For more details, refer to the section Adding DHCPv4 Statics.

Importing IPv4 Statics

When importing a file containing IPv4 static reservation(s), the fields DHCP server and MAC
address are required.

To import IPv4 statics through a CSV file

1. In the sidebar, go to DHCP > Statics. The page All statics opens.
2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. In the menu, select Import > CSV statics. The wizard Import a CSV file opens.
4. Click on BROWSE to select the CSV file to import. The selected file is visible in the field File
name.
5. Click on NEXT . The page CSV fields association opens.
6. Specify the format of the import file using the fields Delimiter, Enclosure, Input format,
Skip the first line and set in as a Template if you want. For more details, refer to the table
CSV file basic parameters.
7. Select the columns of your CSV file you want to import.
The fields MAC address and DHCP server are required. All fields are detailed in the table
below.

Table 8.17. DHCP static import parameters

Field Description
DHCP static name The static name. This field is optional. For EfficientIP DHCP servers, if you specify
the static name and leave the field Option host-name empty, the value of the
DHCP option is used as the static name as well. You should specify either the
DHCP static name or the Option host-name.
MAC address The static MAC address. This field is required.
DHCP static IP address The static IP address. This field is optional.
DHCP group The name of the group the static belongs to. This field is optional.
DHCP static class name The static class name. This field is optional.
Class parameters All the class parameters declared in a single line, in URL format. The information
you specify in this drop-down list overwrites any class parameter you may specify
on the page Class parameters. This field is optional.

151
 Importing Data from a CSV File

Field Description
DHCP server The name of the server where you want to import the static. At the bottom of the
list of columns of the CSV file, the existing servers are also listed, select the
server where you want to import the static(s). This field is required.

8. Click on NEXT . The page DHCP options opens. All the fields are optional, choose the data
you want to import. For more details, refer to the chapter Managing DHCP Options.
For EfficientIP DHCP servers, you can specify the Option host-name and leave the field
DHCP static name empty to use the value of the option as the name of the static.You should
specify either the DHCP static name or the Option host-name.
9. Click on NEXT . The page CSV import parameters opens.
10. In the drop-down list Existing records, select either Replace to overwrite the existing records
that have the same name or Don't replace to add the items to the listing. Don't replace is
selected by default.
11. Click on CHECK . The next page opens and displays a report indicating the total amount of
correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 13.
12. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
13. Click on OK to accept the validity check report results. The last page opens.and displays a
report indicating the total number of statics actually imported.
If you want to download the import report refer to the next step, otherwise go to step 15.
14. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
15. Click on CLOSE to go back to the page All statics. The static reservations are now listed.

Importing IPv6 Statics

When importing a file containing IPv6 static reservation(s), the fields DHCP server, MAC address
and Client DUID are required.

To import IPv6 statics through a CSV file

1. In the sidebar, go to DHCP > Statics. The page All statics opens.
2. On the right-end side of the menu, make sure the button V6 is black, otherwise click on it.
The page refreshes and the button turns black.
3. In the menu, select Import > CSV statics (v6). The wizard Import a CSV file opens.
4. Click on BROWSE to select the CSV file to import. The selected file is visible in the field File
name.
5. Click on NEXT . The page CSV fields association opens.
6. Specify the format of the import file using the fields Delimiter, Enclosure, Input format,
Skip the first line and set in as a Template if you want. For more details, refer to the table
CSV file basic parameters.
7. Select the columns of your CSV file you want to import.
The fields DHCP static name and DHCP server (v6) are required. All fields are detailed in
the table below.

152
 Importing Data from a CSV File

Table 8.18. DHCPv6 static import parameters

Field Description
DHCP static name The static name. This field is required.
Static IP address The static IP address. This field is optional.
MAC address The drop-down lists that identify the static(s) client. It is required to fill at least
Client DUID one of them.
DHCP group The name of the group the static belongs to. This field is optional.
DHCP static class name The static class name. This field is optional.
Class parameters All the class parameters declared in a single line, in URL format. The information
you specify in this drop-down list overwrites any class parameter you may specify
on the page Class parameters. This field is optional.
DHCP server (v6) The name of the server where you want to import the static. At the bottom of the
list of columns of the CSV file, the existing servers are also listed, select the
server where you want to import the static(s). This field is required.

8. Click on NEXT . The page DHCP options opens. All the fields are optional, choose the data
you want to import. For more details, refer to the chapter Managing DHCP Options.
9. Click on NEXT . The page CSV import parameters opens.
10. In the drop-down list Existing records, select either Replace to overwrite the existing records
that have the same name or Don't replace to add the items to the listing. Don't replace is
selected by default.
11. Click on CHECK . The next page opens and displays a report indicating the total amount of
correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 13.
12. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
13. Click on OK to accept the validity check report results. The last page opens.and displays a
report indicating the total number of statics actually imported.
If you want to download the import report refer to the next step, otherwise go to step 15.
14. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
15. Click on CLOSE to go back to the page All statics. The static reservations are now listed.

Importing Data to the DNS

Within the DNS module, you can import zones and resource records. The table below details
where you can import them within the module.

Table 8.19. DNS pages where you can import CSV files
DNS page Objects that can be imported Option name in the menu Import
All zones Zones CSV zones
All RRs Resource records CSV RRs
All RPZ rules RPZ rules CSV RPZ Rules

Before importing, keep in mind that:

• The zone and resource record procedures below are based on imports made on the pages All
zones and All RRs. You can also import these objects within a specific server, in which case
the field DNS server name is not displayed in the wizard.

153
 Importing Data from a CSV File

• The advanced properties can automate the addition of entries in your database after the import.
If all the advanced properties are activated, importing DNS data may automatically update the
IPAM and DHCP databases. If you do not want your import to impact other modules, edit the
Internal module setup before importing DNS data. For more details, refer to the chapter Man-
aging Advanced Properties.

To import zones from a BIND or VitalQIP archive file, refer to the chapter Importing DNS Data.

Importing Zones
When importing a file containing zone(s), the fields DNS zone name, DNS zone type and DNS
server name are required.

To import zones through a CSV file

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. In the menu, select Import > CSV zones. The wizard Import a CSV file opens.
3. Click on BROWSE to select the CSV file to import. The selected file is visible in the field File
name.
4. Click on NEXT . The page CSV fields association page appears.
5. Specify the format of the import file using the fields Delimiter, Enclosure, Input format,
Skip the first line and set in as a Template if you want. For more details, refer to the table
CSV file basic parameters.
6. Select the columns of your CSV file you want to import.
The fields DNS zone name and DNS zone type and DNS server name are required. All
fields are detailed in the table below.

Table 8.20. Zone import parameters

Parameter Description
DNS zone name The zone(s) name. This field is required.
DNS zone type The zone(s) type. This field is required.
Master IP address The zone(s) master server IP address. This field is required when importing slave
zone(s).
Forwarder The zone(s) forwarding server IP address. This field is optional.
IP address
Class parameters All the class parameters declared in a single line, in URL format. The information you
specify in this drop-down list overwrites any class parameter you may specify on the
page Class parameters. This field is optional.
Class name The zone class name. This field is optional.
DNS view The zone(s) view name. This field is optional.
DNS server name The name of the server where you want to import the zone(s). At the bottom of the
list of columns of the CSV file, the existing servers are also listed, select the server
where you want to import the zone(s). This field is required.

7. If custom classes are enabled and/or if advanced properties are available, the page Class
parameters opens when you click on NEXT . If you did not specify any class parameter on
the previous page, you can specify one by one the elements to import. Each available drop-
down list is named after a class parameter or advanced property. All the fields are optional.
Note that if you have already specified parameters in the field Class parameters on the
previous page, all the choices made on this page are ignored.
8. Click on NEXT . The page CSV import parameters opens.

154
 Importing Data from a CSV File

9. In the drop-down list Existing records, select either Replace to overwrite the existing records
that have the same name or Don't replace to add the items to the listing. Don't replace is
selected by default.
10. Click on CHECK . The next page opens and displays a report indicating the total amount of
correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 12.
11. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
12. Click on OK to accept the validity check report results. The last page opens.and displays a
report indicating the total number of zones actually imported.
If you want to download the import report refer to the next step, otherwise go to step 14.
13. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
14. Click on CLOSE to go back to the page All zones. The zones are now listed.

Importing Resource Records

When importing a file containing resource record(s), the fields RR name, Value 1 and RR type
are required.

To import resource records through a CSV file

1. In the sidebar, go to DNS > RRs. The page All RRs opens.
2. In the menu, select Import > CSV RRs. The wizard Import a CSV file opens.
3. Click on BROWSE to select the CSV file to import. The selected file is visible in the field File
name.
4. Click on NEXT . The page CSV fields association page appears.
5. Specify the format of the import file using the fields Delimiter, Enclosure, Input format,
Skip the first line and set in as a Template if you want. For more details, refer to the table
CSV file basic parameters.
6. Select the columns of your CSV file you want to import.
The fields RR name, Value 1 and RR type are required. All fields are detailed in the table
below.

Table 8.21. Resource record import parameters

Parameter Description
RR name The record name. This name can be FQDN if you also import the column containing
the Zone name. This field is required.
TTL The record TTL. This field is optional.
Value 1 The first piece of information in the column Value. This field is required.
Value 2
Value 3
Value 4 The extra information that can contain the column Value depending on the RR type.
Value 5 These fields are optional.
Value 6
Value 7
RR type The record type. At the bottom of the list of columns of the CSV file, the existing RR
types are also listed, you can choose one of them. This field is required.

155
 Importing Data from a CSV File

Parameter Description
Class parameters All the class parameters declared in a single line, in URL format. The information you
specify in this drop-down list overwrites any class parameter you may specify on the
page Class parameters. This field is optional.
Class name The RR class name. This field is optional.
Zone name The name of the zone where you want to import the record. This field is optional.
DNS view The name of the view where you want to import the record. This field is optional.
DNS server The name of the server where you want to import the record. This field is optional.

7. Click on NEXT . The page CSV import parameters opens.

8. In the drop-down list Existing records, select either Replace to overwrite the existing records
that have the same name or Don't replace to add the items to the listing. Don't replace is
selected by default.
9. Click on CHECK . The page Check the validity of the CSV file opens and displays a report
indicating the total amount of correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 11.
10. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
11. Click on OK to accept the validity check report results. The page Import data from a CSV
file opens and displays a report indicating the total number of resource records actually im-
ported.
If you want to download the import report refer to the next step. If you do not want to download
it go to step 13.
12. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
13. Click on CLOSE to go back to the page All RRs. The records are now listed.

Importing RPZ Rules

To import RPZ rules, you must display the list of rules of a specific Master RPZ zone.

When importing a file containing RPZ rules, the fields RR name, Value 1 and RR type are re-
quired.

To import RPZ rules through a CSV file

1. In the sidebar, go to DNS > RPZ Zones. The page All RPZ zones opens.
2. Click on the Name of the RPZ Master zone of your choice. The page All RPZ rules of the
zone opens.
3. In the menu, select Import > CSV RPZ Rules. The wizard Import a CSV file opens.
4. Click on BROWSE to select the CSV file to import. The selected file is visible in the field File
name.
5. Click on NEXT . The page CSV fields association appears.
6. Specify the format of the import file using the fields Delimiter, Enclosure, Input format,
Skip the first line and set in as a Template if you want. For more details, refer to the table
CSV file basic parameters.
7. Select the columns of your CSV file you want to import.
The fields RR name, Value 1 and RR type are required. All fields are detailed in the table
below.

156
 Importing Data from a CSV File

Table 8.22. Resource record import parameters

Parameter Description
RR name The RR(s) name. This field is required.
TTL The RR TTL. This field is optional.
Value 1 The first piece of information in the column Value. This field is required.
Value 2
Value 3
Value 4 The extra information that can contain the column Value depending on the RR type.
Value 5 These fields are optional.
Value 6
Value 7
RR type The RR type. At the bottom of the list of columns of the CSV file, the existing RR types
are also listed, you can choose one of them. This field is required.

8. Click on NEXT . The page CSV import parameters opens.

9. In the drop-down list Existing records, select either Replace to overwrite the existing records
that have the same name or Don't replace to add the items to the listing. Don't replace is
selected by default.
10. Click on CHECK . The page Check the validity of the CSV file opens and displays a report
indicating the total amount of correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 12.
11. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
12. Click on OK to accept the validity check report results. The page Import data from a CSV
file opens and displays a report indicating the total number of RPZ rules actually imported.
If you want to download the import report refer to the next step. If you do not want to download
it go to step 14.
13. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
14. Click on CLOSE to go back to the page All RPZ rules. The rules are now listed.

Importing Data to NetChange

Within the module NetChange, you can import network devices with an IPv4 address and that
manage interfaces with IPv4 or IPv6 addresses. The table below details where you can import
them within the module.

Table 8.23. NetChange pages where you can import CSV files
NetChange page Objects that can be imported Option name in the menu Import
All network devices Network devices CSV file

Importing Network Devices

When importing network device(s), the fields Address and Target space are required.

To import network devices through a CSV file

1. In the sidebar, go to NetChange > Network devices. The page All network devices
opens.

157
 Importing Data from a CSV File

2. In the menu, select Import > CSV network devices. The wizard Import a CSV file
opens.
3. Click on BROWSE to select the CSV file to import. The selected file is visible in the field File
name.
4. Click on NEXT . The page CSV fields association appears.
5. Specify the format of the import file using the fields Delimiter, Enclosure, Input format and
Skip the first line. For more details, refer to the table CSV file basic parameters.
6. The fields Address and Target space are required. All fields are detailed in the table below.

Table 8.24. Network device import parameters

Parameter Description
Address The network device(s) IP address. This field is required.
Community The SNMPv1/v2c community string that would act as a password to access SNMP
agent on the device(s). For SNMPv3, one or several SNMP profiles can be specified
on the last page of the wizard. This field is optional.
SNMP version The version of the SNMP protocol used on the network device(s). It must be either 1
for SNMPv1 or 2 for SNMPv2c. For SNMPv3, one or several SNMP profiles can be
specified on the last page of the wizard. This field is optional.
Class The network device(s) class. This field is optional.
Target space An IPAM space to associate with network device(s) to help differentiate devices on
the page All network devices. This field is required. If you have classes enabled, it will
appear on the next page of the wizard.

7. You can tick the box Expert mode to review and specify more details regarding the device(s)
information retrieval.

Table 8.25. Network device SNMP parameters

Parameter Description
SNMP port The port that the SNMP service must use. By default, it uses the port 161. This field is
required.
SNMP retries The number of connection attempts when the server is in timeout, a value between 0 and
5. By default, it is set to 1. This field is required.
SNMP transfer The number of minutes above which the SNMP transfer is aborted when you add or refresh
timeout (minutes) a device, a value between 0 and 999. By default, it is set to 0. This field is optional.
SNMP timeout The number of seconds between each connection attempt, either 1s, 2s, 3s, 4s, 5s, 10s
or 30s. By default, it is set to 2s. This field is optional.
Use bulk For SNMPv2c or SNMPv3. Allows to send several requests at once, it uses a bulk
transfer of data. This compact SNMP request method accelerates transfers. By default,
it is set to Yes. This field is required.
Use TCP The network communication protocol, either TCP (Yes) or UDP (No). By default, No is
selected. You should use TCP instead of UDP if the network link is unreliable. This field
is required.

8. If custom classes are enabled and/or if advanced properties are available, the page Class
parameters opens when you click on NEXT . Each available drop-down list is named after a
class parameter or advanced property. All the fields are optional.
You must select a Target space and you can tick the Expert mode, both fields are described
in the previous step.
9. Click on NEXT . The last page opens.

158
 Importing Data from a CSV File

You can select the SNMP profile(s) to use to access the SNMP agent on the devices, if they
are not associated with a version or community string in the CSV file. If you do not select
any profile, the default profile standard v2c is used.
It is the only way to specify authentication parameters in SNMPv3.

Table 8.26. SNMP profile information parameters

Field
SNMP profiles configuration
Selected profiles
Description
The available SNMP profiles, select one click on to move it to the list
Selected profiles.
The drop-down list contains the default profiles standard v1, standard v2c,
standard v3 and any profile you added. For more details, refer to the section
Managing SNMP Profiles.
The SNMP profile(s) of your choice. They are used in order to retrieve the
device(s) information.
To order the profiles, select them one by one and click on or .
To remove a profile from the list, select it and click on .

10. Click on OK to complete the operation. The Report opens and work for a while: the import
progression is visible. Once the import is over, the report lists the IP addresses imported as
well as the existing ones.
If you want to download the import report refer to the next step, otherwise go to step 12.
11. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
12. Click on CLOSE to go back to the page All network devices. The devices are now listed.

Importing Data to Device Manager

Within Device Manager module, you can import data from the page All Devices and All ports &
interfaces. The table below details where you can import them within the module.

Table 8.27. Device Manager pages where you can import CSV files
Device Manager page Objects that can be imported Option name in the menu Import
All devices Devices CSV devices
Ports and/or interfaces CSV interfaces
All ports & interfaces Ports and/or interfaces CSV interfaces

Before importing, keep in mind that the ports and interfaces procedure below is based on imports
made on the page All ports & interfaces. You can also import the objects from the page All
ports & interfaces of a specific device, in which case the field Device is not displayed in the
wizard.

Importing Devices
When importing a file containing device(s), only the field Name is required.

To import devices through a CSV file

1. In the sidebar, go to Device Manager > Devices. The page All devices opens.
2. In the menu, select Import > CSV devices. The wizard Import a CSV file opens.
3. Click on BROWSE to select the CSV file to import. The selected file is visible in the field File
name.

159
 Importing Data from a CSV File

4. Click on NEXT . The page CSV fields association opens.

5. Specify the format of the import file using the fields Delimiter, Enclosure, Input format,
Skip the first line and set in as a Template if you want. For more details, refer to the table
CSV file basic parameters.
6. Select the columns of your CSV file you want to import.
Only the field Name is required. All fields are detailed in the table below.

Table 8.28. Device import parameters

Parameter Description
Name The device name. This field is required.
Class name The device class name. This field is optional.
Class parameters All the class parameters declared in a single line, in URL format. The information you
specify in this drop-down list overwrites any class parameter you may specify on the
page Class parameters. This field is optional.

7. If custom classes are enabled and/or if advanced properties are available, the page Class
parameters opens when you click on NEXT . If you did not specify any class parameter on
the previous page, you can specify one by one the elements to import. Each available drop-
down list is named after a class parameter or advanced property. All the fields are optional.
Note that if you have already specified parameters in the field Class parameters on the
previous page, all the choices made on this page are ignored.
8. Click on NEXT . The page CSV import parameters opens.
9. In the drop-down list Existing records, select either Replace to overwrite the existing records
that have the same name or Don't replace to add the items to the listing. Don't replace is
selected by default.
10. Click on CHECK . The next page opens and displays a report indicating the total amount of
correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 12.
11. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
12. Click on OK to accept the validity check report results. The last page opens.and displays a
report indicating the total number of devices actually imported.
If you want to download the import report refer to the next step, otherwise go to step 14.
13. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
14. Click on CLOSE to go back to the page All devices. The devices are now listed.

Importing Ports & Interfaces

When importing a file containing ports and interface(s), the fields Name, Type and Device are
required.

To import ports and/or interfaces through a CSV file

1. In the sidebar, go to Device Manager > Ports & interfaces. The page All ports & inter-
faces opens.
2. In the menu, select Import > CSV interfaces. The wizard Import a CSV file opens.
3. Click on BROWSE to select the CSV file to import. The selected file is visible in the field File
name.
4. Click on NEXT . The page CSV fields association opens.

160
 Importing Data from a CSV File

5. Specify the format of the import file using the fields Delimiter, Enclosure, Input format,
Skip the first line and set in as a Template if you want. For more details, refer to the table
CSV file basic parameters.
6. Select the columns of your CSV file you want to import.
Only the field Name is required. All fields are detailed in the table below.

Table 8.29. Port and/or interface import parameters

Parameter Description
Name The port and/or interface name. This field is required.
Type The port and/or interface type. This field is required.
MAC address The port and/or interface MAC address. This field is optional.
Class name The port and/or interface class name. This field is optional.
Class parameters All the class parameters declared in a single line, in URL format. The information you
specify in this drop-down list overwrites any class parameter you may specify on the
page Class parameters. This field is optional.
Device The name of the device where you want to import the port and/or interface. At the
bottom of the list of columns of the CSV file, the existing devices are also listed, select
the device where you want to import the port(s) and/or interface(s).This field is required.

7. If custom classes are enabled and/or if advanced properties are available, the page Class
parameters opens when you click on NEXT . If you did not specify any class parameter on
the previous page, you can specify one by one the elements to import. Each available drop-
down list is named after a class parameter or advanced property. All the fields are optional.
Note that if you have already specified parameters in the field Class parameters on the
previous page, all the choices made on this page are ignored.
8. Click on NEXT . The page CSV import parameters opens.
9. In the drop-down list Existing records, select either Replace to overwrite the existing records
that have the same name or Don't replace to add the items to the listing. Don't replace is
selected by default.
10. Click on CHECK . The next page opens and displays a report indicating the total amount of
correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 12.
11. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
12. Click on OK to accept the validity check report results. The last page opens.and displays a
report indicating the total number of ports and/or interface(s) actually imported.
If you want to download the import report refer to the next step, otherwise go to step 14.
13. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
14. Click on CLOSE to go back to the page All ports & interfaces. The ports and interfaces are
now listed.

Importing Data to VLAN Manager

Within VLAN Manager module, you can import domains, ranges, VLANs and VXLANs. The table
below details where you can import them within the module.

161
 Importing Data from a CSV File

Table 8.30. VLAN Manager pages where you can import CSV files
VLAN Manager page Objects that can be imported Option name in the menu Import
All domains Domains CSV domains
Ranges CSV ranges
VLANs or VXLANs CSV VLANs
All ranges Ranges CSV ranges
VLANs or VXLANs CSV VLANs
All VLANs VLANs or VXLANs CSV VLANs

Before importing, keep in mind that the range and VLAN procedure below is based on imports
made on the page All ranges and All VLANs. You can also import the objects from each page
of a specific domain, in which case the field Domain is not displayed in the wizard.

Importing VLAN Domains

When importing a file containing VLAN domain(s), the fields Name, Start ID and End ID are re-
quired.

To import VLAN domains through a CSV file

1. In the sidebar, go to VLAN Manager > Domains. The page All Domains opens.
2. In the menu, select Import > CSV domains. The wizard Import a CSV file opens.
3. Click on BROWSE to select the CSV file to import. The selected file is visible in the field File
name.
4. Click on NEXT . The page CSV fields association opens.
5. Specify the format of the import file using the fields Delimiter, Enclosure, Input format,
Skip the first line and set in as a Template if you want. For more details, refer to the table
CSV file basic parameters.
6. Select the columns of your CSV file you want to import.
The fields Name, Start ID and End ID are required. All fields are detailed in the table below.

Table 8.31. VLAN domain import parameters

Parameter Description
Name The domain name. This field is required.
Start ID The domain first VLAN ID. This field is required.
End ID The domain last VLAN ID. This field is required.
Description The domain description. This field is optional.
Class name The domain class name. This field is optional.
Class parameters All the class parameters declared in a single line, in URL format. The information you
specify in this drop-down list overwrites any class parameter you may specify on the
page Class parameters. This field is optional.

7. If custom classes are enabled and/or if advanced properties are available, the page Class
parameters opens when you click on NEXT . If you did not specify any class parameter on
the previous page, you can specify one by one the elements to import. Each available drop-
down list is named after a class parameter or advanced property. All the fields are optional.
Note that if you have already specified parameters in the field Class parameters on the
previous page, all the choices made on this page are ignored.
8. Click on NEXT . The page CSV import parameters opens.

162
 Importing Data from a CSV File

9. In the drop-down list Existing records, select either Replace to overwrite the existing records
that have the same name or Don't replace to add the items to the listing. Don't replace is
selected by default.
10. Click on CHECK . The next page opens and displays a report indicating the total amount of
correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 12.
11. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
12. Click on OK to accept the validity check report results. The last page opens.and displays a
report indicating the total number of domains actually imported.
If you want to download the import report refer to the next step, otherwise go to step 14.
13. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
14. Click on CLOSE to go back to the page All domains. The VLAN domains are now listed.

Importing VLAN Ranges

When importing a file containing VLAN ranges(s), the fields Name, Start ID, End ID and Domain
are required.

To import VLAN ranges through a CSV file

1. In the sidebar, go to VLAN Manager > Ranges. The page All ranges opens.
2. In the menu, select Import > CSV ranges. The wizard Import a CSV file opens.
3. Click on BROWSE to select the CSV file to import. The selected file is visible in the field File
name.
4. Click on NEXT . The CSV fields association opens.
5. Specify the format of the import file using the fields Delimiter, Enclosure, Input format,
Skip the first line and set in as a Template if you want. For more details, refer to the table
CSV file basic parameters.
6. Select the columns of your CSV file you want to import.
The fields Name, Start ID, End ID and Domain are required. All fields are detailed in the
table below.

Table 8.32. VLAN range import parameters

Parameter Description
Name The range name. This field is required.
No ID overlapping The VLAN ID overlapping policy for the range. By default it is set to yes, the overlapping
is disabled: the ranges can only contain unique VLAN IDs. This field is optional.
Start ID The range first VLAN ID. This field is required.
End ID The range last VLAN ID. This field is required.
Description The range description. This field is optional.
Class name The range class name. This field is optional.
Class parameters All the class parameters declared in a single line, in URL format. The information you
specify in this drop-down list overwrites any class parameter you may specify on the
page Class parameters. This field is optional.
Domain The name of the domain where you want to import the range. This field is required.

163
 Importing Data from a CSV File

7. If custom classes are enabled and/or if advanced properties are available, the page Class
parameters opens when you click on NEXT . If you did not specify any class parameter on
the previous page, you can specify one by one the elements to import. Each available drop-
down list is named after a class parameter or advanced property. All the fields are optional.
Note that if you have already specified parameters in the field Class parameters on the
previous page, all the choices made on this page are ignored.
8. Click on NEXT . The page CSV import parameters opens.
9. In the drop-down list Existing records, select either Replace to overwrite the existing records
that have the same name or Don't replace to add the items to the listing. Don't replace is
selected by default.
10. Click on CHECK . The next page opens and displays a report indicating the total amount of
correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 12.
11. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
12. Click on OK to accept the validity check report results. The last page opens.and displays a
report indicating the total number of VLAN ranges actually imported.
If you want to download the import report refer to the next step, otherwise go to step 14.
13. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
14. Click on CLOSE to go back to the page All ranges. The VLAN ranges are now listed.

Importing VLANs or VXLANs

When importing a file containing VLANs or VXLANs, the fields VLAN ID and Domain are required.

To import VLANs or VXLANs through a CSV file

1. In the sidebar, go to VLAN Manager > VLANs. The page All VLANs opens.
2. In the menu, select Import > CSV VLANs. The wizard Import a CSV file opens.
3. Click on BROWSE to select the CSV file to import. The selected file is visible in the field File
name.
4. Click on NEXT . The page CSV fields association opens.
5. Specify the format of the import file using the fields Delimiter, Enclosure, Input format,
Skip the first line and set in as a Template if you want. For more details, refer to the table
CSV file basic parameters.
6. Select the columns of your CSV file you want to import.
The fields VLAN ID and Domain are required. All the fields are detailed in the table below.

Table 8.33. VLAN and VXLAN import parameters

Parameter Description
Name The VLAN or VXLAN name. This field is optional.
VLAN ID The VLAN or VXLAN ID. This field is required.
Range The name of the range where you want to import the VLAN or VXLAN. This field is
optional.
Class name The VLAN or VXLAN class name. This field is optional.
Class parameters All the class parameters declared in a single line, in URL format. The information you
specify in this drop-down list overwrites any class parameter you may specify on the
page Class parameters. This field is optional.

164
 Importing Data from a CSV File

Parameter Description
Domain The name of the domain where you want to import the VLAN or VXLAN. This field is
required.

7. Click on NEXT . The page CSV import parameters opens.

8. In the drop-down list Existing records, select either Replace to overwrite the existing records
that have the same name or Don't replace to add the items to the listing. Don't replace is
selected by default.
9. Click on CHECK . The next page opens and displays a report indicating the total amount of
correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 11.
10. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
11. Click on OK to accept the validity check report results. The last page opens and displays a
report indicating the total number of VLANs or VXLANs actually imported.
If you want to download the import report refer to the next step, otherwise go to step 13.
12. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
13. Click on CLOSE to go back to the page All VLANs. The VLANs or VXLANs are now listed.

Importing Data to VRF

Within the VRF module, you can import VRFs and VRF route targets. The table below details
where you can import them within the module.

Table 8.34. VRF pages where you can import CSV files
VRF page Objects that can be imported Option name in the menu Import
All VRFs VRFs CSV VRFs
VRF Route Targets CSV VRF Route Targets
All VRF Route Targets VRF Route Targets CSV VRF Route Targets

Before importing, keep in mind that the route target procedure below is based on imports made
on the page All route targets. You can also import objects from the page All route targets of
a VRF, in which case the field VRF name is not displayed in the wizard.

Importing VRFs
When importing VRF(s), the fields VRF name and VRF RD are required.

To import VRFs through a CSV file

1. In the sidebar, go to VRF > VRFs. The page All VRFs opens.
2. In the menu, select Import > CSV VRFs. The wizard Import a CSV file opens.
3. Click on BROWSE to select the CSV file to import. The selected file is visible in the field File
name.
4. Click on NEXT . The page CSV fields association opens.
5. Specify the format of the import file using the fields Delimiter, Enclosure, Input format,
Skip the first line and set in as a Template if you want. For more details, refer to the table
CSV file basic parameters.

165
 Importing Data from a CSV File

6. Select the columns of your CSV file you want to import.

The fields VRF name and VRF RD are required. All fields are detailed in the table below.

Table 8.35. VRF import parameters

Parameter Description
VRF name The VRF name. This field is required.
VRF RD The VRF RD. This field is required.
VRF comment The VRF comment. This field is optional.
VRF class name The VRF class name. This field is optional.
VRF class parameters All the class parameters declared in a single line, in URL format. The information
you specify in this drop-down list overwrites any class parameter you may specify
on the page Class parameters. This field is optional.

7. If custom classes are enabled and/or if advanced properties are available, the page Class
parameters opens when you click on NEXT . If you did not specify any class parameter on
the previous page, you can specify one by one the elements to import. Each available drop-
down list is named after a class parameter or advanced property. All the fields are optional.
Note that if you have already specified parameters in the field Class parameters on the
previous page, all the choices made on this page are ignored.
8. Click on NEXT . The page CSV import parameters opens.
9. In the drop-down list Existing records, select either Replace to overwrite the existing records
that have the same name or Don't replace to add the items to the listing. Don't replace is
selected by default.
10. Click on CHECK . The next page opens and displays a report indicating the total amount of
correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 12.
11. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
12. Click on OK to accept the validity check report results. The last page opens.and displays a
report indicating the total number of VRFs actually imported.
If you want to download the import report refer to the next step, otherwise go to step 14.
13. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
14. Click on CLOSE to go back to the page All VRFs. The VRFs are now listed.

Importing VRF Route Targets

When importing VRF route target(s), the fields Source RD of the VRF Route Targets and Target
RD of the VRF Route Targets are required. As the VRFs are already in the database, the name
is retrieved and displayed on the page once the Route Targets are imported.

To import VRF Route Targets through a CSV file

1. In the sidebar, go to VRF > VRF Route Targets. The page All VRF Route Targets opens.
2. In the menu, select Import > CSV VRF Route Targets. The wizard Import a CSV file
opens.
3. Click on BROWSE to select the CSV file to import. The selected file is visible in the field File
name.
4. Click on NEXT . The page CSV fields association opens.

166
 Importing Data from a CSV File

5. Specify the format of the import file using the fields Delimiter, Enclosure, Input format,
Skip the first line and set in as a Template if you want. For more details, refer to the table
CSV file basic parameters.
6. Select the columns of your CSV file you want to import.
The fields Source RD of the VRF Route Targets and Target RD of the VRF Route Targets
are required. All fields are detailed in the table below.

Table 8.36. VRF route target import parameters

Parameter
Source RD of the VRF Route Targets
Target RD of the VRF Route Targets
Imported VRF Route Target
Exported VRF Route Target
Description
The source VRF of the Route Target. This field is required.
The target VRF of the Route Target. This field is required.
The import VRF Route Target parameter. This field is op-
tional.
The export VRF Route Target parameter. This field is op-
tional.

7. Click on NEXT . The page CSV import parameters opens.

8. In the drop-down list Existing records, select either Replace to overwrite the existing records
that have the same name or Don't replace to add the items to the listing. Don't replace is
selected by default.
9. Click on CHECK . The next page opens and displays a report indicating the total amount of
correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 11.
10. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
11. Click on OK to accept the validity check report results. The last page opens.and displays a
report indicating the total number of route targets actually imported.
If you want to download the import report refer to the next step, otherwise go to step 13.
12. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
13. Click on CLOSE to go back to the page All VRF Route Targets. The VRF Route Targets are
now listed.

Importing Data to SPX

When it comes to importing SPX data, whether RIPE or APNIC, you need to go to the modules
IPAM, Administration and SPX.

From the IPAM page All networks you can import SPX allocated and assigned networks.

Table 8.37. IPAM pages where you can import SPX allocated and assigned networks
IPAM page Objects that can be imported Option name in the menu Import
All spaces SPX allocated networks SPX allocated networks
SPX assigned networks SPX assigned networks
IPv6 SPX allocated networks SPX allocated networks (v6)
IPv6 SPX assigned networks SPX assigned networks (v6)
All networks SPX allocated networks SPX allocated networks
SPX assigned networks SPX assigned networks

167
 Importing Data from a CSV File

IPAM page Objects that can be imported Option name in the menu Import
All networks (v6) SPX IPv6 allocated networks SPX allocated networks (v6)
SPX assigned networks (v6) SPX assigned networks (v6)

From the Administration page All users you can import SPX users, i.e. persons.

Table 8.38. Administration page where you can import SPX users
Administration page Objects that can be imported Option name in the menu Import
Users SPX users SPX persons

From the SPX page All AS Numbers you can import SPX aut-nums.

Table 8.39. SPX page where you can import CSV files
SPX page Objects that can be imported Option name in the menu Import
All AS Numbers SPX aut-nums SPX aut-nums

Importing SPX Allocated Networks

Once your SPX configuration is complete, you can import the networks that the RIPE or APNIC
allocated you. For more details, refer to the chapter Configuring SPX.

Note that:
• Following the IPAM hierarchy, your allocated network(s) must belong to a space.
• You can upload the file ripe.db.inetnum to the Local files listing to speed up the import process.
In the import wizard, the box Use the "ripe.db.inetnum" file stored in the Local files listing allows
you to import the assigned networks from the file locally stored, rather than connecting to the
RIPE or APNIC to obtain the data. For more details regarding how to upload a file to the Local
files listing, refer to the section Managing Files from the Local Files Listing.

To import an IPv4 SPX allocated network

1. In the sidebar, go to IPAM > Networks. The page All networks opens.
2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. In the menu, select Import > SPX allocated networks. The wizard Importing SPX al-
located networks opens.
4. You can tick the box Use the "ripe.db.inetnum" file stored in the Local files listing to
import the allocated network from the Local files listing.
5. In the drop-down list Maintainer, select the maintainer of your choice.
6. In the drop-down list Target space, select the space of your choice. If you are importing
from the page All networks of a specific space, it is already selected.
7. In the drop-down list PA allocated network class, you can choose a class if you manage
an allocated network of Provider Aggregatable IP addresses.
8. In the drop-down list PI allocated network class, you can choose a class if you manage
an allocated network of Provider Independent IP addresses.
9. Click on OK to complete the operation. The report opens and closes, the page refreshes.
The allocated network is listed.

168
 Importing Data from a CSV File

To import an IPv6 SPX allocated networks

1. In the sidebar, go to IPAM > Networks. The page All networks opens.
2. On the right-end side of the menu, make sure the button V6 is black, otherwise click on it.
The page refreshes and the button opens.
3. In the menu, select Import > SPX allocated networks (v6). The wizard Importing IPv6
SPX allocated networks opens.
4. You can tick the box Use the "ripe.db.inetnum" file stored in the Local files listing to
import the allocated network from the Local files listing.
5. In the drop-down list Maintainer, select the maintainer of your choice.
6. In the drop-down list Target space, select the space of your choice. If you are importing
from the page All networks of a specific space, it is already selected.
7. In the drop-down list PA allocated network class, you can choose a class if you manage
an allocated network of Provider Aggregatable IPv6 addresses.
8. Click on OK to complete the operation. The report opens and closes, the page refreshes.
The allocated network is listed.

Note that you can import or add assigned networks to the allocated network(s) you imported. To
import them go to the next section, to add them refer to the chapter Managing SPX Networks.

Importing SPX Assigned Networks

Once your configuration with the SPX is complete and you have imported your allocated networks
in a space, you can import your existing assigned networks if you have any. The RIPE or APNIC
assigned networks correspond to the assigned networks in the IPAM hierarchy. For more details,
refer to the chapter Configuring SPX.

Note that you can upload the file ripe.db.inetnum to the Local files listing to speed up the import
process. In the import wizard, the box Use the "ripe.db.inetnum" file stored in the Local files listing
allows you to import the assigned networks from the file locally stored, rather than connecting to
the RIPE or APNIC to obtain the data. For more details regarding how to upload a file to the
Local files listing, refer to the section Managing Files from the Local Files Listing.

Once you imported your network objects, editing the content of your assigned networks follows
the same procedures as regular assigned networks. For more details, refer to the chapters
Managing Pools and Managing IP Addresses.

To import IPv4 SPX assigned networks

1. In the sidebar, go to IPAM > Networks. The page All networks opens.
2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. In the menu, select Import > SPX assigned networks. The wizard Importing SPX
assigned networks opens.
4. You can tick the box Use the "ripe.db.inetnum" file stored in the Local files listing to
import the assigned network from the Local files listing.
5. In the drop-down list Maintainer, select the maintainer of your choice.
6. In the drop-down list Target space, select the space of your choice. If you are importing
from the page All networks of a specific space, it is already selected.
7. In the drop-down list PA Assigned network class, you can choose a class if you manage
assigned networks of Provider Aggregatable IP addresses.

169
 Importing Data from a CSV File

8. In the drop-down list PI Assigned network class, you can choose a class if you manage
assigned networks of Provider Independent IP addresses.
9. Click on OK to complete the operation. The report opens and closes, the page refreshes.
The assigned networks are listed.

To import IPv6 SPX assigned networks

1. In the sidebar, go to IPAM > Networks. The page All networks opens.
2. On the right-end side of the menu, make sure the button V6 is black, otherwise click on it.
The page refreshes and the button turns black.
3. In the menu, select Import > SPX assigned networks (v6). The wizard Importing IPv6
SPX assigned networks opens.
4. You can tick the box Use the "ripe.db.inetnum" file stored in the Local files listing to
import the assigned network from the Local files listing.
5. In the drop-down list Maintainer, select the maintainer of your choice.
6. In the drop-down list Target space, select the space of your choice. If you are importing
from the page All networks of a specific space, it is already selected.
7. In the drop-down list PA Assigned network class, you can choose a class if you manage
assigned networks of Provider Aggregatable IPv6 addresses.
8. Click on OK to complete the operation. The report opens and closes, the page refreshes.
The assigned networks are listed.

Once you imported your assigned networks, you can edit them from the GUI. Any change is sent
to the RIPE or APNIC via POST.

Importing SPX Persons

You can import existing SPX persons to manage them from the GUI like any other user.

You can add a group for your SPX persons to gather them but, unlike standard users managed
via the appliance, there is no need to grant them specific rights.

The SPX persons listed on the page Users do not have access to the appliance if you do not
grant them rights (through the group they belong to) or configure credentials for them.

To import SPX persons

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Users. The page Users opens.
3. In the menu, select Import > SPX persons.The wizard Importing SPX persons (users)
opens.
4. In the drop-down list Maintainer, select the maintainer of your choice.
5. Click on OK to complete the operation. The report opens and closes, the page refreshes.
The SPX persons are listed among the users.

Importing SPX Aut-nums and AS Policies

You can import Autonomous System numbers (aut-nums) on the AS Numbers page.

Importing of AS Numbers also imports AS routing policies. The routing policy is described by
enumerating all neighboring AS Number with which routing information is exchanged, they are
all listed in the page All policies. For each neighbor, the routing policy is described in terms of

170
 Importing Data from a CSV File

exactly what is being sent (announced) and allowed (accepted). That way, each aut-num contains
policies that describes what can be implemented and enforced locally by said AS Number.

Keep in mind the page All policies is accessible from the page All AS Numbers. You can access
it through the breadcrumb.

To import SPX aut-nums

1. In the sidebar, go to SPX > AS Numbers. The page All AS Numbers opens.
2. In the menu, select Import > SPX aut-nums. The wizard Importing SPX aut-nums
(AS Numbers) opens.
3. In the drop-down list Maintainer, select the maintainer of your choice.
4. In the drop-down list Class name, you can select a class to apply to the aut-nums you are
importing.
5. Click on OK to complete the operation. The report opens and closes, the page refreshes.
The aut-nums are listed.
6. In the column AutNum name, click on the name of the aut-num of your choice. The page
All policies displays the policies of this AS Number.

Importing Data to the Administration Module

Within the Administration module, you can import data on the pages Groups, Users and Custom
data. The table below details where you can import them within the module.

Table 8.40. Administration pages where you can import CSV files
Administration page Objects that can be imported Option name in the menu Import
Groups Groups of users CSV groups
Users Users CSV file
Custom data Custom data CSV custom data

To import RIPE or APNIC users, i.e. persons, refer to the section Importing SPX Persons.

Importing Groups of Users

When importing a file containing group(s) of users, only the field Name is required.

To import groups through a CSV file

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the sidebar, go to Users, Groups & Rights > Groups. The page Groups opens.
3. In the menu, select Import > CSV groups. The wizard Import a CSV file opens.
4. Click on BROWSE to select the CSV file to import. The selected file is visible in the field File
name.
5. Click on NEXT . The page CSV fields association opens.
6. Specify the format of the import file using the fields Delimiter, Enclosure, Input format,
Skip the first line and set in as a Template if you want. For more details, refer to the table
CSV file basic parameters.
7. Select the columns of your CSV file you want to import.
Only the field Name is required. All fields are detailed in the table below.

171
 Importing Data from a CSV File

Table 8.41. Group of users import parameters

Parameter Description
Name The group of users name. This field is required.
Description The group of users description. This field is optional.
Category The group of users category. This field is optional.
Class name The group of users class name. This field is optional.
Group parent name The name of the parent group of the group of users. This allows to copy the rights of
the selected group and apply them to the group(s) your are importing. This field is
optional.

8. If classes are enabled and/or if advanced properties are available, the page Class parameters
opens when you click on NEXT . Each available drop-down list is named after a class para-
meter or advanced property. All the fields are optional.
9. Click on NEXT . The page CSV import parameters opens.
10. In the drop-down list Existing records, select either Replace to overwrite the existing records
that have the same name or Don't replace to add the items to the listing. Don't replace is
selected by default.
11. Click on CHECK . The next page opens and displays a report indicating the total amount of
correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 13.
12. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
13. Click on OK to accept the validity check report results. The last page opens.and displays a
report indicating the total number of groups actually imported.
If you want to download the import report refer to the next step, otherwise go to step 15.
14. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
15. Click on CLOSE to go back to the page Groups. The groups are now listed.

Importing Users
When importing a file containing user(s), only the field Login is required.

To import RIPE or APNIC users, i.e. persons, refer to the section Importing SPX Persons.

To import users through a CSV file

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Users. The page Users opens.
3. In the menu, select Import > CSV file. The wizard Import a CSV file opens.
4. Click on BROWSE to select the CSV file to import. The selected file is visible in the field File
name.
5. Click on NEXT . The page CSV fields association opens.
6. Specify the format of the import file using the fields Delimiter, Enclosure, Input format,
Skip the first line and set in as a Template if you want. For more details, refer to the table
CSV file basic parameters.
7. Select the columns of your CSV file you want to import.
Only the field Name is required. All fields are detailed in the table below.

172
 Importing Data from a CSV File

Table 8.42. User import parameters

Parameter Description
Login The user login. This field is required.
First name The user first name. This field is optional.
Last name The user last name. This field is optional.
Email The user email address. This field is optional.
Password The password the user should use to access SOLIDserver. This field is optional.
Description The user description. This field is optional.
Authentication method The user authentication method. This field is optional.
Default page The user default page. This field is optional.
Class name The user class name. This field is optional.
Maintainer group The user maintainer group. This field is optional.

8. If custom classes are enabled and/or if advanced properties are available, the page Class
parameters opens when you click on NEXT . Each available drop-down list is named after a
class parameter or advanced property. All the fields are optional.
9. Click on NEXT . The page CSV import parameters opens.
10. In the drop-down list Existing records, select either Replace to overwrite the existing records
that have the same name or Don't replace to add the items to the listing. Don't replace is
selected by default.
11. Click on CHECK . The next page opens and displays a report indicating the total amount of
correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 13.
12. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
13. Click on OK to accept the validity check report results. The last page opens.and displays a
report indicating the total number of users actually imported.
If you want to download the import report refer to the next step, otherwise go to step 15.
14. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
15. Click on CLOSE to go back to the page Users. The users are now listed.

Importing Custom Data

Within a custom DB you can import one or several custom data entries. When importing a file
containing custom data, only the field Value 1 is required. All the fields are named Value <number>
to match the default column name of a custom DB.

To import custom data through a CSV file

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Custom DB. The page Custom database opens.
3. In the column Name, click on the name of the custom database of your choice. The page
Custom data of that database opens.
4. In the menu, select Import > CSV custom data. The wizard Import a CSV file opens.
5. Click on BROWSE to select the CSV file to import. The selected file is visible in the field File
name.
6. Click on NEXT . The page CSV fields association opens.

173
 Importing Data from a CSV File

7. Specify the format of the import file using the fields Delimiter, Enclosure, Input format,
Skip the first line and set in as a Template if you want. For more details, refer to the table
CSV file basic parameters.
8. Select the columns of your CSV file you want to import.
Only the field Value 1 is required. There are in total 10 fields named Value 1 through to
Value 10.
9. Click on NEXT . The page CSV import parameters opens.
10. In the drop-down list Existing records, select either Replace to overwrite the existing records
that have the same name or Don't replace to add the items to the listing. Don't replace is
selected by default.
11. Click on CHECK . The next page opens and displays a report indicating the total amount of
correct lines within the file.
If you want to download the validity report refer to the next step, otherwise go to step 13.
12. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
validity report in the specified file format.
13. Click on OK to accept the validity check report results. The last page opens.and displays a
report indicating the total number of custom data entries actually imported.
If you want to download the import report refer to the next step, otherwise go to step 15.
14. In the section Export format of the wizard, click on TEXT , HTML , or EXCEL to download the
import report in the specified file format.
15. Click on CLOSE to go back to the page Custom data. The entries are now listed.

Managing Import Templates

On the page All templates, administrators can rename or delete every Import configuration saved
as template.

The content of the page depends on the module you access it from. Each template has a unique
Name, specific Type and applies to a specific Object of the module.

To edit a template, you must select it during an import and save your changes. For more details,
refer to the table CSV file basic parameters.

To rename an import template

Only users of the group admin can perform this operation.
1. In the sidebar, go to the module of your choice.
2. In the menu, select Extra options > Templates management. The page All templates
opens. It only contains the templates added in the module.
Ancienne taille de la page

3. In the column Type, type in Import to only list import templates.

4. Right -click over the Name of the template of your choice. The contextual menu opens.
5. Click on Edit. The wizard Rename template opens.
6. In the field Name, edit the current template name to rename it.
This name must be unique to the object it applies to.
7. Click on OK to complete the operation.The report opens and closes.The template is renamed.

To delete an import template

Only users of the group admin can perform this operation.
1. In the sidebar, go to the module of your choice.

174
 Importing Data from a CSV File

2. In the menu, select Extra options > Templates management. The page All templates
opens. It only contains the templates added in the module.
Ancienne taille de la page

3. In the column Type, type in Import to only list import templates.

4. Tick the template(s) of your choice.
5. In the menu, click on . The wizard Delete opens.
6. Click on OK to complete the operation. The report opens and closes. The template is no
longer listed.

175
Chapter 9. Importing IPAM Data
SOLIDserver offers several ways of importing existing IP addresses organizations without having
to recreate them manually in the GUI.

You can import:

• VitalQIP data.
• Nortel NetID data.

Before importing, keep in mind that:

• The advanced properties can automate the addition of entries in your database after the import.
If all the advanced properties are activated, importing IPAM data may automatically update
the DHCP, DNS and VLAN Manager databases. If you do not want your import to impact other
modules, edit the Internal module setup before importing IPAM data. For more details, refer
to the chapter Managing Advanced Properties.
• You can also import spaces, networks, pools or IP addresses via CSV. For more details, refer
to the section Importing Data to the IPAM in the chapter Importing Data from a CSV File.

Importing a VitalQIP Export

From the page All spaces you can import VitalQIP data in a .qef file. This file includes networks
and addresses so you need to import only one file to manage all your organization from the GUI.

To import VitalQIP data into SOLIDserver:

• The QIP export file (*.qef) must belong to an archive file which extension is .tar, .gz, .tgz, .tar.gz
or .zip .
• The .qef file must be located at the root of the archive file.
• The archive file does not need to include the files *_aud.qef as they are not relevant to the
import and might make your import take longer.

To import Vital QIP data

1. In the sidebar, go to IPAM > Spaces. The page All spaces opens.
2. In the menu, select Import > QIP data. The wizard Import entries from file opens.
3. Click on BROWSE to search for the CSV file to import. A window opens to help you browse
through folders, select the needed file.
4. Click on Open. The window closes and the file is visible in the field File name.
5. Click on NEXT . The page Select a space opens.
6. In the drop-down list Space, select Create space per organization or an existing space to
import your organizations and the block-type networks, subnet-type networks and addresses
they contain. By default, Create space per organization is selected.
If you leave the option Create space per organization selected, a space is automatically
added for each of the organizations you are importing.
If you select an existing space, your data is imported in the selected space.
1
7. In the drop-down list Network (block) class, select an existing class to be applied to the
block-type networks you are importing. If no class exists or is enabled, only None is listed.

1
The classes listed were added and enabled on the page Class Studio and apply to the IPAM networks. For more details, refer to the
chapter Configuring Classes.

176
 Importing IPAM Data

8. In the drop-down list Network (subnet) class, select an existing class to be applied to the
subnet-type networks you are importing. If no class exists or is enabled, only None is listed.
9. Click on OK to complete the operation. The report opens and closes. The data is listed ac-
cording to your import configuration.

Importing Nortel NetID IP Address Data

You can import NetID networks, subnet-type networks and host addresses. The Nortel NetID
database must be exported as a text file with a comma or semi-colon data delimiter. Here below,
are listed the Nortel NetID's fields that SOLIDserver can import via a CSV files.

To avoid missing any parameters or losing any data, we recommend that you follow the module
hierarchy during these imports in an existing space: block-type networks, subnet-type networks
and finally IP addresses .

For more details regarding CSV imports, refer to the section Importing Data to the IPAM in the
chapter Importing Data from a CSV File.

Importing Nortel NetID Networks

In SOLIDserver, the Nortel NetID Networks are imported as networks (blocks). Here below are
listed the fields equivalence between the two appliances to help you go through with the networks
import.

Table 9.1. Nortel NetID network fields name when importing networks
Nortel NetID field SOLIDserver field
Network number First address
Network name Name
Subnet type -
CIDR mask -
Subnet mask Netmask

For more details regarding CSV imports, refer to the section Importing Data to the IPAM in the
chapter Importing Data from a CSV File.

Importing Nortel NetID Subnets

In SOLIDserver, the Nortel NetID Subnets are also called networks (subnets). However, the
fields to describe them differ. For more details, refer to the table below.

Table 9.2. Nortel NetID subnet fields name when importing networks
Nortel NetID field SOLIDserver field
Network number Address
Network name Name
Subnet type -
CIDR mask -
Subnet mask Netmask

For more details regarding CSV imports, refer to the section Importing Data to the IPAM in the
chapter Importing Data from a CSV File.

177
 Importing IPAM Data

Importing Nortel NetID Host Addresses

In SOLIDserver, the Nortel NetID Host addresses are also called addresses. Here below are
listed the fields equivalence between the two appliances to help you go through with the networks
import.

Table 9.3. Nortel NetID host addresses fields name when importing networks
Nortel NetID field SOLIDserver field
Host address IP address
Domain name Domain
Client ID -
MAC address MAC address
ClMAC type -
Custom fields -

For more details regarding CSV imports, refer to the section Importing Data to the IPAM in the
chapter Importing Data from a CSV File.

178
Chapter 10. Importing DHCP Data
You can import into EfficientIP DHCP servers the data, configuration file, of the following external
vendors:
• ISC configuration files.
• Alcatel-Lucent VitalQIP configuration files.
• Microsoft configuration files.
• Infoblox configuration files.
• MetaIP configuration files.
• Nortel NetID configuration files.

Before importing, keep in mind that:

• You can only import the DHCPv4 configuration files.
• You cannot import unsupported DHCP options.
• The advanced properties can automate the addition of entries in your database after the import.
If all the advanced properties are activated, importing DHCP data may automatically update
the IPAM and DNS databases. If you do not want your import to impact other modules, edit
the Internal module setup before importing DHCP data. For more details, refer to the chapter
Managing Advanced Properties.
• You can import more data, DHCPv4 and DHCPv6, via CSV. For more details, refer to the
section Importing Data to the DHCP in the chapter Importing Data from a CSV File.

Importing an ISC DHCP Configuration

You can import DHCPv4 data from ISC DHCP configuration files.

Before importing ISC data, note that:

• You must import the configuration within an existing EfficientIP DHCP server.
• You can only perform the import from the page All scopes.
• The import relies on a configuration file named dhcpd.conf that can contain the whole server
configuration.
It can add scopes, ranges, leases, statics, groups and DHCP options.
• You can import several configuration files one after the other in one DHCP server, to merge
different configurations in one server. However, no data is deleted between the imports even
if the imported configurations conflict with one another. Therefore, if two files contain a common
scope with different names, the name of the first scope imported is overwritten by the new
scope managing the same addresses.
• Before switching to the new DHCP server we recommend reducing the lease time to
one hour to minimize the risk of duplicating IP address assignments during the transition to
SOLIDserver. That way, once you turn off the legacy server, the DHCP clients unable to renew
their lease can broadcast their first DISCOVER message and get an answer from the new
server within the hour.

Keep in mind that the ISC import has the following restrictions:
• Scopes restriction: if the server you are importing contains overlapping scopes, only the first
scope is imported, the rest is ignored.
• Statics restriction: statics associated with an IP address not included in one the imported
scopes are ignored.

179
 Importing DHCP Data

• Shared networks restriction: shared network options are ignored.

• DHCP options restriction: only standard options are imported. If the server was configured
using non standard DHCP options, they are imported only if they were previously defined either
in the configuration file or within the SOLIDserver. You can configure conditional options after-
ward using the DHCP ACLs.

To import an ISC DHCP configuration

1. In the sidebar, go to DHCP > Scopes. The page All scopes opens.
2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. In the menu, select Import > ISC DHCP. The wizard Import an ISC dhcpd.conf file
opens.
4. Click on BROWSE to find the ISC configuration file dhcpd.conf . Once selected, the file is visible
in the field File name.
5. In the drop-down list DHCP server, select the server of your choice.
6. Click on OK to complete the operation. The report opens and closes. The file content is listed.

Importing an Alcatel-Lucent VitalQIP Configuration

You can import DHCPv4 data from Alcatel-Lucent VitalQIP solutions.

Before importing VitalQIP data, note that:

• You must import the configuration within an existing EfficientIP DHCP server.
• You can only perform the import from the page All scopes.
• The import relies on a configuration file named dhcpd.conf that can contain the whole server
configuration.
It can add server options, scopes, scope options, ranges, range options, address pools, static
reservations, static reservations options and option definitions.
• You can import several configuration files one after the other in one DHCP server, to merge
different configurations in one server. However, no data is deleted between the imports even
if the imported configurations conflict with one another. Therefore, if two files contain a common
scope with different names, the name of the first scope imported is overwritten by the new
scope managing the same addresses.
• Before switching to the new DHCP server we recommend reducing the lease time to
one hour to minimize the risk of duplicating IP address assignments during the transition to
SOLIDserver. That way, once you turn off the legacy server, the DHCP clients unable to renew
their lease can broadcast their first DISCOVER message and get an answer from the new
server within the hour.

Keep in mind that VitalQIP configurations have some specificities:

• The DHCP range concept does not exist in VitalQIP, each address identified as an object in
VitalQIP can become a dynamic assignment.
• VitalQIP dynamic objects are imported as a DHCP range.
• If several VitalQIP contiguous dynamic objects are imported, only one dynamic DHCP range
is added if all dynamic objects share the same DHCP option set.
• Only one dynamic DHCP range is added if all all dynamic objects share the same DHCP
option set.
• Several DHCP ranges are added if the dynamic objects do not share the same options

180
 Importing DHCP Data

To properly import a VitalQIP configuration file, you must:

1. Follow the procedure To import a VitalQIP DHCP configuration.
2. Aggregate the options set at static and range level options to apply them from the scope down,
as detailed in the section Aggregating DHCP Options from Ranges or Statics.

To import a VitalQIP DHCP configuration

1. In the sidebar, go to DHCP > Scopes. The page All scopes opens.
2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. In the menu, select Import > QIP DHCP.The wizard Import a QIP DHCP configuration
file opens.
4. Click on BROWSE to find the VitalQIP configuration file dhcpd.conf . Once selected, the file is
visible in the field File name.
5. In the drop-down list DHCP server, select the server of your choice.
6. Click on OK to complete the operation. The report opens and closes. The file content is listed.
7. Now you must aggregate static and range options, to apply them at scope level. For more
details, refer to the section Aggregating DHCP Options from Ranges or Statics.

Importing a Microsoft DHCP Configuration

You can import DHCPv4 data from Microsoft servers.

Before importing Microsoft data, note that:

• You must import the configuration within an existing EfficientIP DHCP server.
• You can only perform the import from the page All scopes.
• You must generate yourself the configuration using the command netsh. It can be executed
on Microsoft Window Servers 2008, 2008 R2, 2012 R2 or 2016.
• The import allows to add server option definitions, superscopes, scopes, scope options, ranges,
address pools, reservations, reservation options and/or exclusions.
Within SOLIDserver, superscopes are managed as shared networks. If any imported scope
does not belong to a superscope, a shared network is automatically added for each scope.
Each new shared network is named after the scope start_address/prefix.
• You can import several configuration files one after the other in one DHCP server, to merge
different configurations in one server. However, no data is deleted between the imports even
if the imported configurations conflict with one another. Therefore, if two files contain a common
scope with different names, the name of the first scope imported is overwritten by the new
scope managing the same addresses.
• Before switching to the new DHCP server we recommend reducing the lease time to
one hour to minimize the risk of duplicating IP address assignments during the transition to
SOLIDserver. That way, once you turn off the legacy server, the DHCP clients unable to renew
their lease can broadcast their first DISCOVER message and get an answer from the new
server within the hour.

Keep in mind that Microsoft servers have some specificities and limitations:
• EfficientIP and Microsoft servers display ranges differently. On the page All ranges, the imported
data may vary because:
• No exclusion ranges are imported. Rather than having one range set with exclusions, the
page contains as many ranges as necessary to manage all the IP addresses that do not
belong to a Microsoft exclusion range.

181
 Importing DHCP Data

• A reservation included in one Microsoft range is imported as a reservation wrapped around

two ranges.
For more details this management difference, refer to the section Understanding the Range
Management on Microsoft Servers.
• With Win2008R2 it is impossible to add a static outside a range.
• You cannot import failover relationships. To manage Microsoft failover relationships, refer to
the section Managing Microsoft Windows DHCP Servers.
• Because several Microsoft DHCP configuration files can be imported into the same EfficientIP
DHCP server, DHCP options are not imported at server level.They must be manually configured.

To properly import a Microsoft configuration file, you must:

1. Follow the procedure To import a Microsoft DHCP configuration.
2. If relevant, aggregate the options set at static and range level options to apply them from the
scope down. For more details, refer to the section Aggregating DHCP Options from Ranges
or Statics.

To import a Microsoft DHCP configuration

1. Generate the configuration file
a. Go to the command prompt of a Windows Server.
b. Execute the following command, it must be preceded by netsh dhcp for every command
and parameter.
C:\netsh dhcp server \\myservername dump > C:\dump_dhcp.txt

2. Import the configuration

a. In the sidebar, go to DHCP > Scopes. The page All scopes opens.
b. On the right-end side of the menu, make sure the button V4 is black, otherwise click on
it. The page refreshes and the button turns black.
c. In the menu, select Import > Microsoft DHCP. The wizard Import a Microsoft
DHCP server dump opens.
d. Click on BROWSE to find the Microsoft dump file. Once you clicked on Open, the file is
displayed in the field File name.
e. In the drop-down list DHCP server, select the server of your choice.
f. In the section Import global options, tick the box if you want to apply options configured
in the Microsoft DHCP dump to the destination server.
g. Click on OK to complete the operation. The report opens and closes. The file content
is listed. If you import a large configuration, the import process is launched in the back-
ground and content appears when the import is complete.
h. If need be, when the import is complete, you can aggregate static and range options to
apply them from the scope down. For more details, refer to the section Aggregating
DHCP Options from Ranges or Statics.

Importing an Infoblox DHCP Configuration

You can import DHCPv4 data from Infoblox solutions.

Before importing Infoblox data, note that:

• You must import the configuration within an existing EfficientIP DHCP server.
• You can only perform the import from the page All scopes.

182
 Importing DHCP Data

• The import relies on a configuration file named dhcpd.conf that can contain the whole server
configuration.
It can add scopes, ranges, leases, statics, groups and DHCP options.
• You can import several configuration files one after the other in one DHCP server, to merge
different configurations in one server. However, no data is deleted between the imports even
if the imported configurations conflict with one another. Therefore, if two files contain a common
scope with different names, the name of the first scope imported is overwritten by the new
scope managing the same addresses.
• Before switching to the new DHCP server we recommend reducing the lease time to
one hour to minimize the risk of duplicating IP address assignments during the transition to
SOLIDserver. That way, once you turn off the legacy server, the DHCP clients unable to renew
their lease can broadcast their first DISCOVER message and get an answer from the new
server within the hour.

Keep in mind that the Infoblox import has the following restrictions:
• Scopes restriction: if the server you are importing contains overlapping scopes, only the first
scope is imported, the rest is ignored.
• Statics restriction: statics associated with an IP address not included in one the scopes you
are importing are ignored.
• Shared network restriction: shared network options are ignored.
• DHCP options restriction: only standard options are imported. If the server was configured
using non standard DHCP options, they are imported only if they were previously defined either
in the configuration file or within the SOLIDserver.
• Failover restriction: Failover channels are not imported.
• Infoblox options restriction: all Infoblox options are ignored (these options usually include
"infoblox" in their name).
• You cannot import an Infoblox configuration in a Split-Scope or a Stateless smart architecture.
You can only import it a One-to-One, One-to-Many or Single-Server smart architecture.

To import an Infoblox DHCP configuration

1. In the sidebar, go to DHCP > Scopes. The page All scopes opens.
2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. In the menu, select Import > Infoblox DHCP. The wizard Import an Infoblox dh-
cpd.conf file opens.
4. Click on BROWSE to find the Infoblox configuration file dhcpd.conf . Once selected, the file is
visible in the field File name.
5. In the drop-down list DHCP server, select the server of your choice.
6. Click on OK to complete the operation. The report opens and closes. The file content is listed.

Importing a MetaIP DHCP Configuration

You can import DHCPv4 data from MetaIP DHCP software solutions.

Before importing MetaIP data, note that:

• You must import the configuration within an existing EfficientIP DHCP server.
• You can only perform the import from the page All scopes.
• The import relies on a configuration file named dhcpd.conf that can contain the whole server
configuration.

183
 Importing DHCP Data

It can add scopes, ranges, leases, statics, groups and DHCP options.
• You can import several configuration files one after the other in one DHCP server, to merge
different configurations in one server. However, no data is deleted between the imports even
if the imported configurations conflict with one another. Therefore, if two files contain a common
scope with different names, the name of the first scope imported is overwritten by the new
scope managing the same addresses.
• Before switching to the new DHCP server we recommend reducing the lease time to
one hour to minimize the risk of duplicating IP address assignments during the transition to
SOLIDserver. That way, once you turn off the legacy server, the DHCP clients unable to renew
their lease can broadcast their first DISCOVER message and get an answer from the new
server within the hour.

Keep in mind that the MetaIP import has the following restrictions:
• Scopes restriction: if the server you are importing contains overlapping scopes, only the first
scope is imported, the rest is ignored.
• Statics restriction: statics associated with an IP address not included in one the scopes you
are importing are ignored.
• Shared networks restriction: shared network options are ignored.
• DHCP options restriction: only standard options are imported. If the server was configured
using non standard DHCP options, they are imported only if they were previously defined either
in the configuration file or within the SOLIDserver. You can configure conditional options after-
ward using the DHCP ACLs.

To import a MetaIP DHCP configuration

1. In the sidebar, go to DHCP > Scopes. The page All scopes opens.
2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. In the menu, select Import > Meta IP DHCP. The wizard Import a Meta IP dhcpd.conf
file opens.
4. Click on BROWSE to find the MetaIP configuration file dhcpd.conf . Once selected, the file is
visible in the field File name.
5. In the drop-down list DHCP server, select the server of your choice.
6. Click on OK to complete the operation. The report opens and closes. The file content is listed.

Importing a Nortel NetID Configuration

You can import DHCPv4 data from Nortel NetID solutions.

Before importing MetaIP data, note that:

• You must import the configuration within an existing EfficientIP DHCP server.
• You can only perform the import from the page All scopes.
• The import relies on a dump file named dhcpcfg.cur that can contain the whole server config-
uration.
It can add scopes, scope options, ranges, range options, reservations and reservations options.
• You can import several configuration files one after the other in one DHCP server, to merge
different configurations in one server. However, no data is deleted between the imports even
if the imported configurations conflict with one another. Therefore, if two files contain a common
scope with different names, the name of the first scope imported is overwritten by the new
scope managing the same addresses.

184
 Importing DHCP Data

• Before switching to the new DHCP server we recommend reducing the lease time to
one hour to minimize the risk of duplicating IP address assignments during the transition to
SOLIDserver. That way, once you turn off the legacy server, the DHCP clients unable to renew
their lease can broadcast their first DISCOVER message and get an answer from the new
server within the hour.

To import a NetID DHCP configuration

1. In the sidebar, go to DHCP > Scopes. The page All scopes opens.
2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. In the menu, select Import > NetID DHCP. The wizard Import a NetID DHCP dump
file opens.
4. Click on BROWSE to find the NetID dump file dhcpcfg.cur . Once selected, the file is visible
in the field File name.
5. Click on NEXT . The page Select DHCP server preferences opens.
6. In the drop-down list DHCP server, select the server of your choice.
7. In the drop-down lists, select the elements you want to import.

Table 10.1. NetID DHCP import details

Object Description
Scopes Allows to include (Yes) or ignore (No) the scopes of the dump file. By default, Yes is
selected. This field is optional.
Scopes options Allows to include (Yes) or ignore (No) the options of the scopes of the dump file. By
default, Yes is selected. This field is optional.
Ranges Allows to include (Yes) or ignore (No) the ranges of the dump file. By default, Yes is
selected. This field is optional.
Ranges options Allows to include (Yes) or ignore (No) the options of the ranges of the dump file. By
default, Yes is selected. This field is optional.
Statics Allows to include (Yes) or ignore (No) the reservations (statics) of the dump file. By
default, Yes is selected. This field is optional.
Statics options Allows to include (Yes) or ignore (No) the options of the reservations (statics) of the
dump file. By default, Yes is selected. This field is optional.

8. Click on OK to complete the operation. The report opens and closes. The file content is listed.

Aggregating DHCP Options from Ranges or Statics

If you imported an external DHCP configuration and/or a specific DHCP option is configured
across all the ranges or statics of a scope, you can aggregate it, is apply it, on the scope managing
the ranges or statics.

This aggregation automates a homogeneous configuration of DHCP options on each of the

scopes of a specific server. Keep in mind that it:
1. Analyzes the DHCP options configured on the ranges or statics with IP address of a scope.
2. If one DHCP option is configured and has the same value on all the ranges or statics with IP
address of a scope:
a. The DHCP option is applied to the parent scope.
b. The DHCP option is deleted at range or static level, as it is automatically propagated from
the scope down.

185
 Importing DHCP Data

3. If one DHCP option is configured on all the ranges or statics with IP address of a scope, but
their value is not the same on all the objects, the option is not aggregated at scope level.

To aggregate range options

1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. Tick the server(s) of your choice.
3. In the menu, select Edit > Aggregate range options. The wizard opens.
4. Click on OK to complete the operation. The report opens and closes.

To aggregate static options

1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. Tick the server(s) of your choice.
3. In the menu, select Edit > Aggregate static options. The wizard opens.
4. Click on OK to complete the operation. The report opens and closes.

186
Chapter 11. Importing DNS Data
You can use archive files to import zones and records of the following external vendors into Effi-
cientIP DNS servers:
• BIND archive files.
• VitalQIP archive files.

Before importing, keep in mind that:

• The advanced properties can automate the addition of entries in your database after the import.
If all the advanced properties are activated, importing DNS data may automatically update the
IPAM and DHCP databases. If you do not want your import to impact other modules, edit the
Internal module setup before importing DNS data. For more details, refer to the chapter Man-
aging Advanced Properties.
• You can also import zones, resource records and RPZ rules via CSV. For more details, refer
to the section Importing Data to the DNS in the chapter Importing Data from a CSV File.

Importing DNS Zones from a BIND Archive File

You can import a BIND archive file containing all your zones or import the content of a BIND
zone.

Prerequisites
• The archive file must be imported in a DNS server, preferably an EfficientIP server, an Effi-
cientIP Package server or a smart architecture.
• The archive file must contain all the directories of your BIND configuration including: the
file named.conf, the zone files and any other necessary files whether they belong to the same
directory or other sub directories.
• The archive file must have one of the following extensions: .tar, .tgz, .gz or .zip . It is not ne-
cessary to change the directory paths of your zone files in the file named.conf , if you are not
able to provide the whole directory organizations in the archive file, the system can retrieve
the files in the archive (several zone files may use the same name in different directories).

Limitations
• You cannot use the characters "_", "@" and ":" when importing a BIND archive file. Make
sure you did not use any of these characters in zone names, record names, etc. as it would
trigger either parsing errors (and not import the file) or import everything but the line containing
these characters. For more details, refer to the RFC 1034Domain Names - Concepts and Fa-
cilities.
• The archive must only contain supported BIND options. Any non-supported BIND option
declared in the archive file is ignored. Once the archive file is imported, you can configure
these extra options following the appendix Configuring Non-Supported BIND Options.
• The file named.conf can contain include directives linking to other files if any include directive
is declared outside existing clauses. Any include directive declared within existing clauses
like option {}, zone {}, etc. is ignored. The file(s) declared in the directive include must be part
of the archive file.
• The archive cannot contain the directive $GENERATE, this directive is not supported.

187
 Importing DNS Data

Importing a BIND Archive File

Once you comply with the prerequisites and limitations, you can import your BIND archive file.

To import zones from a BIND archive file

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. Click on the Name of the server of your choice. The page All zones opens.
3. In the menu, select Import > BIND archive file. The wizard Importing a BIND archive
file opens.
4. Click on BROWSE to select the BIND archive file to import.
5. In the field File name, the file is displayed.
6. In the drop-down list Action, you can either Import the zone files or Check the zone files.
7. If you selected Import the zone files, you can tick the box Also import server options if you
want to import the global configuration settings that apply to all the zones.
8. Click on OK to complete the operation. The report opens and works for a while before dis-
playing the import result and potential errors.
9. In the section Export format, you can download the import result report in TEXT , HTML or
EXCEL .

10. Click on CLOSE to go back to the page All zones. The zones are now listed.

Importing the Content of a BIND Zone

If you already added your BIND zone in the GUI, you can import its content from the page All
RRs of the zone.

This import relies directly on the BIND zone file itself, <zone-name>, without extension located
in the DNS database.

To import the content of a BIND zone

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. Click on the Name of the server of your choice. The page All zones opens.
3. Click on the Name of the zone. The page All RRs opens.
4. In the menu, select Import > BIND zone file. The wizard Importing a BIND zone file
opens.
5. Click on BROWSE to select the BIND zone file to import.
6. In the field File name, the file is displayed.
7. Click on OK to complete the operation. The report opens and closes. The resource records
are listed.

Importing DNS Zones from a VitalQIP Archive File

You can import a VitalQIP data at server level as long as:
• The export file (*.qef) belongs to an archive file which extension is .tar, .gz, .tgz, .tar.gz or .zip
• The .qef file is located at the root of the archive file.
• The server does not contain more than one view.

188
 Importing DNS Data

Note that the import file includes VitalQIP DNS as well as IPAM data at the same time. If the
archive file includes *_aud.qef files the import might take longer.

To import zones from a VitalQIP archive file

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. In the menu, select Import > QIP data. The wizard Importing a QIP file opens.
3. Click on BROWSE to select the QIP archive file to import.
4. In the field File name, the file is displayed once selected.
5. Click on NEXT . The wizard Select DNS server opens.
6. In the drop-down list DNS Server, select the server that should receive the configuration.
7. Click on OK to complete the operation. The report opens and works for a while before dis-
playing the import result and potential errors.
8. In the section Export format, you can download the import result report in TEXT , HTML or
EXCEL .

9. Click on CLOSE to go back to the page All servers.

189
Chapter 12. Exporting Data
Within SOLIDserver, exporting data follows a set of rules:
• The object parameters that you can export correspond to the columns of the page
That way, on the one hand you can export the name of the object container: if you export a list
of zones you can also export the name of the server and view they belong to. And on the other
hand, you can export the customized parameters that you added through Class Studio and
displayed as columns.These columns are preceded by the mention Class param: in the wizard.
• An export is generated one level at a time
If you are exporting zones from the page All zones in the DNS, you only export the zones
themselves but not the RRs they contain.
• An export can be generated in five different formats
You can export lists of objects in .csv, .html, .xml, .xls and .pdf. Only the .csv file format provides
the possibility to reimport the list again in the GUI.
Keep in mind that for exports to PDF the number of columns is limited to 40. That many columns
affects the final display and might generate a file very hard to read.
• An export can take into account from 1 to n objects
On any page, exporting data takes into account every object listed. However, if you tick one
or more elements, only the parameters of the ones you ticked are exported.
• An export can be done at a specific time or scheduled to be generated regularly
From the export wizard, you can choose to export the data right away or later on, even on a
regular basis and at the frequency of your choosing.
• An export name provides time and format information
An export is always named after its format and moment of generation, never after what it con-
tains. Each export is named as follows: export_<extension>_<date>_<time>.<extension>.
Where extension refers to the export format; date is displayed as such: YYYYMMDD and time
as such: HHMMSS. For instance, "export_excel_20130301_073042.xls" is an export generated
in EXCEL on March 1st, 2013 at 07:30:42.
• If the page does not have the menu Report, you cannot export the data listed
Within SOLIDserver, almost any page allows to export data. To see the whole list of pages
where you can export data, refer to the section Pages where you can export data below.

All exports are displayed on a single page, however the configuration files of the scheduled exports
are displayed on their own page.

You can also import or reimport IPAM objects exported as raw data to update your database in
bulk. For more details refer to the chapter Managing Raw Data.

190
 Exporting Data

You can export data from almost any page. The menu Report indicates which pages are con-
cerned:

Table 12.1. Pages where you can export data

Module Pages
IPAM All the pages of the module allow data exports
DHCP All the pages of the module allow data exports
DNS All the pages of the module allow data exports
NetChange All the pages of the module allow data exports
Workflow All the pages of the module allow data exports
Device Manager All the pages of the module allow data exports
VLAN Manager All the pages of the module allow VLAN and/or VXLAN data exports
VRF All the pages of the module allow data exports
SPX All AS Numbers
Administration Centralized Management
All licenses
Groups
Users
Syslog
Session tracking
User tracking
Alerts
Custom database
Custom data

191
 Exporting Data

The Export Wizard

For all exports, except the IPAM raw data, the wizard Export <format> file opens and looks like
the image below.

Figure 12.1. The CSV export wizard

The drop-down list Template allows to save all your configuration as a template for later
exports of the list.
The drop-down list Delimiter allows to select which delimiter you want to use during the
CSV data export.
The box The export might be reimported allows to export the objects as raw data if you
want to reimport them.
The drop-down list Action allows to export right away your list or schedule the export it at
the frequency of your choice.
The list Columns allows to select the columns, i.e. parameters, of your choice. This list
contains all the columns that you can display on the page as well as the class parameters
related to the objects of the list.
The list Selected contains all the columns you are about to export, you can order them ac-
cording to your needs.
The box Translate the columns name allows to export columns using their name in the
GUI, when they are displayed on the page. It takes into account the interface Language.

Browsing the Exports Database

All the exports must be downloaded at the end of the export wizard.

Only the scheduled exports are available on the page Local files listing.The schedule configuration
is available on the page Scheduled exports.

192
 Exporting Data

To display the scheduled exports

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Maintenance, click on Local files listing. The page Local files listing opens.
By default, it displays the list Local where you can find all your exports.

To display the scheduled exports configuration

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Monitoring, next to Exports, click on Scheduled.The page Scheduled exports
opens.

Configuring Exports
The export can be of numerous forms as you can choose an export format, to schedule it or not
and finally save your columns configuration in a template and later on use the template as is or
use it as a basis during another export.

To export data immediately

1. Go to the page of your choice.
2. Tick the objects of your choice or none if you want to export all the objects listed.
3. In the menu, select Report > Export > <format of your choice>. The wizard Export
<format> file opens.
4. In the drop-down list Template, you can select None, New template or an existing export
template.
• By default, None is selected. Leave it selected if you do want to add an export template
and go to step 5.
• Select New template to save your current export configuration as a template, for CSV
exports it includes the Delimiter.The field Template name appears.
In the field Template name, specify the export template name. This name is available in
the list Template the next time you export the same resource.
Once the export is generated, you can rename or delete the template. For more details,
refer to the section Managing Export Templates.
• Select an existing template to use an existing export configuration. The page refreshes
and the box Save template appears.
Tick the box Save template, if you change the Delimiter or edit the Selected columns to
export.
5. If you chose to export a CSV file:
a. In the drop-down list Delimiter, select comma, semi-colon or tab. By default, comma is
selected.
b. Tick the box The export might be reimported to export the list or selected objects as
raw data. The exported file is faster to reimport in a SOLIDserver appliance.
Note that some columns, like Network is terminal in the IPAM, might not be reimported
at all if you do not tick this box.
6. In the drop-down list Action, select Generate new data.
7. In the list Columns, select one by one the columns that you want to export and click on .
They are moved to the list Selected.

193
 Exporting Data

8. In the list Selected, you can order the columns according to your needs using and . To
remove a column from the export, select it and click on . It is moved back to the list
Columns.
9. The box Translate the columns name is ticked by default. If you do not want to export the
columns name as they are displayed in the GUI, untick the box.
10. Click on OK to complete the operation. The report opens and works for a while.
11. You can click on DOWNLOAD to save the export. The page refreshes when the export is over.
12. Click on CLOSE to go back to the page.

From the menu Report you can also schedule exports. Keep in mind that these exports are
managed differently, the generated file is available in the Local files Listing. In addition,
scheduling an export adds a configuration file that you can manage from the page Scheduled
exports. For more details, refer to the section Managing Scheduled Exports Configuration Files
below.

To schedule an export
1. Go to the page of your choice.
2. Tick the objects of your choice or none if you want to export the whole list.
3. In the menu, select Report > Export > <format of your choice>. The wizard Export
<format> file opens.
4. In the drop-down list Template, you can:
a. Choose not to add a template by selecting None and export your data.
b. Choose to add a template by selecting New template.The field Template name appears,
name your template. The template saves the columns you select as well as the delimiter
if you export the list in a .csv file.
5. If you chose to export a CSV file:
a. In the drop-down list Delimiter, select comma, semi-colon or tab. By default, comma is
selected.
b. Tick the box The export might be reimported to export the list or selected objects as
raw data. The exported file is faster to reimport in a SOLIDserver appliance.
Note that some columns, like Network is terminal in the IPAM, might not be reimported
at all if you do not tick this box.
6. In the drop-down list Action, select Schedule the report. The page refreshes.
7. In the list Columns, select one by one the columns that you want to export and click on .
They are moved to the list Selected.
8. In the list Selected, you can order the columns according to your needs using and . To
remove a column from the export, select it and click on . It is moved back to the list
Columns.
9. The box Translate the columns name is ticked by default. If you do not want to export the
columns name as they are displayed in the GUI, untick the box.
10. Click on NEXT . The last page opens.
11. Configure when the scheduled export should be generated.

Table 12.2. Scheduled export fields

Field Description
Day(s) of the week A day, a frequency or a period of days. By default, every day is selected. This field is
optional.

194
 Exporting Data

Field Description
Date of the month A specific day of the month or every day. By default, every day is selected. This field
is optional.
Month A specific month or every month. By default, every month is selected. This field is
optional.
Hour A specific hour, a set of hours, every hour, or every hour over a specific period. The
hour respects the UTC standard. By default, 20 is selected. This field is optional.
Minute A moment of the hour, either 00, 15, 30 or 45. The minute respects the UTC standard.
By default, 00 is selected. This field is optional.
Name The name of the report on the page Scheduled reports.You can edit the default name.
Mail to The name of the group which users should receive the export notification email. By
default, the first of your groups, in the ASCII alphabetic order, is selected. This field
is optional.
Note that no email can be sent if the users email address is not valid or if your SMTP
relay is not configured. For more details, refer to the section Configuring the SMTP
Relay in the chapter Configuring the Services.
Rights as The name of the user whose rights and limitations are applied in the report, as follows
<user> [<group>]. Only the items this user has access to are listed in the export. By
default, the first of your users, in the ASCII alphabetic order, is selected. This field is
optional.
Period Only for exports scheduled from the DNS page Analytics displaying Guardian data.
The overall period of data to export, either the last 1h, 3h or 6h.

12. Click on OK to complete the operation. The report works and displays the export report.
13. Click on CLOSE to go back to the page.
The export configuration is available on the page Scheduled exports. For more details, refer
to the procedure To display the scheduled exports configuration.
When the export is generated, it is available on the page Local files listing. For more details,
refer to the procedure To display the scheduled exports.

Exporting Data to Reimport It Later

On most pages, the exported data can be reimported. Keep in mind that:
• You can only reimport data exported via a CSV file.
• We strongly recommend that during the export you tick the box The export might be re-
imported, to process faster the import.
• During the export, some columns must be selected. On pages where you can reimport
data, you can choose the columns to import, but some are required, and without them you
cannot go through with the import.

In the sections below, we only detail the required fields, i.e. columns. For more details on the
available fields for each module and page, refer to the chapter Importing Data from a CSV File.

Required Columns to Reimport Data in the IPAM

You can export and reimport data on all pages of the module IPAM. On each page, reimporting
data requires a set of columns, they are all listed in the table below. For more details, refer to the
section Importing Data to the IPAM.

You can also import or reimport IPAM objects exported as raw data to update your database in
bulk. For more details, refer to the chapter Managing Raw Data.

195
 Exporting Data

Keep in mind that the field Space name of the import wizard allows you to:
• Select the corresponding column of your CSV file.
• Select one space among the ones in your database or the option Use best space, with IPv4,
the option uses the IP address and size to place the object in the best space, block-type network
and/or subnet-type network possible.

Table 12.3. Required columns to reimport data in the IPAM

IPAM page Column(s) name on the Column name in the ex- Column name in the im-
page port wizard port wizard
All spaces Name Space name Name
All networks V4 Start Network start address First address
for block-type networks Space Network space name Space name
All networks V6 Start Network start address First address
for block-type networks Prefix Network prefix Prefix
Space Network space name Space name
a
All networks V4 Address Address + prefix Address
for subnet-type networks Name Network name Name
Space Network space name Space name
All networks V6 Address Network address Address
for subnet-type networks Prefix Network prefix Prefix
Name Network name Name
Space Network space name Space name
All pools V4 Start address Pool start address First address
Name Pool name Name
Space Pool space name Space name
All pools V6 Start address Pool start address First address
End address Pool end address Last address
Name Pool name Name
Space Pool space name Space name
All addresses V4 Address IP address IP address
Name IP name Name
Space IP space name Space name
All addresses V6 Address IP address IP address
Name IP name Name
Space IP space name Space name
a
This field can be used to export and reimport the network start address and size.

Required Columns to Reimport Data in the DHCP

You can export data from all pages of the module DHCP. However, on the pages All servers and
All leases you cannot reimport it, in either version. On all the pages where you can reimport data,
some columns are required, they are all listed in the table below. For more details, refer to the
section Importing Data to the DHCP.

Keep in mind that the DHCP server and DHCP6 server fields of the import wizard allow you to:
• Select the corresponding column of your CSV file.
• Select one server among the ones in your database.

196
 Exporting Data

Table 12.4. Required columns to reimport data in the DHCP

DHCP page Column(s) name on the Column name in the ex- Column name in the im-
page port wizard port wizard
All scopes V4 Address DHCP scope address Address
Server DHCP server name DHCP server
All scopes V6 Address DHCP scope address Start address
Server Server DHCP server (v6)
All ranges V4 Start address DHCP range start address Start address
Server DHCP server name DHCP server
All ranges V6 Start address Start address Start address
End address End address End address
Server Server DHCP server (v6)
All statics V4 Name DHCP static name DHCP static name
Full MAC address DHCP static MAC address MAC address
Server DHCP server name DHCP server
All statics V6 Name DHCP static name DHCP static name
Server Server DHCP server (v6)

Required Columns to Reimport Data in the DNS

You can export data from all pages of the module DNS. However, on the pages All views, All
RPZ zones and All RPZ rules you cannot reimport it. On all the pages where you can reimport
data, some columns are required, they are all listed in the table below. For more details, refer to
the section Importing Data to the DNS.

Table 12.5. Required columns to reimport data in the DNS

DNS page Column(s) name on the Column name in the ex- Column name in the im-
page port wizard port wizard
All zones Name Zone name DNS zone name
Type Zone type DNS zone type
Server DNS server name DNS server name
All RRs RR name RR name RR name
a
Value RR value Value 1
Type Space name RR type
All RPZ rules RR name DNS RR name RR name
RR value 1 DNS RR value 1 Value 1
DNS RR type DNS RR type RR type
a
This field includes all the information exported from the column Value.

Required Columns to Reimport Data in NetChange

You can export data from all pages of the module NetChange. However, on the pages All VLANs,
All ports, All discovered Items you cannot reimport it. On all the pages where you can reimport
data, some columns are required, they are all listed in the table below. For more details, refer to
the section Importing Data to NetChange.

197
 Exporting Data

Table 12.6. Required columns to reimport data in NetChange

NetChange page Column(s) name on the Column name in the ex- Column name in the im-
page port wizard port wizard
All network devices IP address Network device IP address Address
Space Space name Target space

Required Columns to Reimport Data in Device Manager

You can export and reimport data on all pages of the module Device Manager. On each page,
reimporting data requires a set of columns, they are all listed in the table below. For more details,
refer to the section Importing Data to Device Manager.

Table 12.7. Required columns to reimport data in Device Manager

Device Manager page Column(s) name on the Column name in the ex- Column name in the im-
page port wizard port wizard
All devices Name Device name Name
All ports & interfaces Name Interface name Name
Type Type Type
Device name Device name Device

Required Columns to Reimport Data in VLAN Manager

You can export and reimport data on all pages of the module VLAN Manager. On each page,
reimporting data requires a set of columns, they are all listed in the table below. For more details,
refer to the section Importing Data to VLAN Manager.

Table 12.8. Required columns to reimport data in VLAN Manager

VLAN Manager page Column(s) name on the Column name in the ex- Column name in the im-
page port wizard port wizard
All domains Name Domain name Name
Domain start ID Domain start ID Start ID
Domain end ID Domain end ID End ID
All ranges Name Range name Name
Range start ID Range start ID Start ID
Range end ID Range end ID End ID
Domain Domain name Domain
All VLANs VLAN ID VLAN ID VLAN ID
Domain Domain name Domain

Required Columns to Reimport Data in VRF

You can export and reimport data on all pages of the module VRF. On each page, reimporting
data requires a set of columns, they are all listed in the table below. For more details, refer to the
section Importing Data to VRF.

Table 12.9. Required columns to reimport data in VRF

VRF page Column(s) name on the Column name in the ex- Column name in the im-
page port wizard port wizard
All VRFs Name VRF name Name

198
 Exporting Data

VRF page Column(s) name on the Column name in the ex- Column name in the im-
page port wizard port wizard
RD VRF RD RD
All VRF Route Targets Source RD Source RD Source RD
Target RD Target RD Target RD

Required Columns to Reimport Data in the Module Administration

You can export data in the module Administration from the pages Centralized Management, All
licenses, Groups, Users, Custom database and Custom data. However, on the pages Groups,
Users and Custom data, you cannot reimport it.

On all the pages where you can reimport data, some columns are required, they are all listed in
the table below. For more details, refer to the section Importing Data to the Administration Module.

Table 12.10. Required columns to reimport data on the module Administration

Administration page Column(s) name on the Column name in the ex- Column name in the im-
page port wizard port wizard
Groups Name Group name Name
Users Login Login Login
Custom data Your first column Your matching data Value 1

Managing Scheduled Exports

Once generated, all the scheduled exports are saved in the directory /data1/exports. In the
GUI, they are available in the page Local files listing, under the filter page Local, where you
can export or delete them.

Each column on the page corresponds to the parameters configured during the export configur-
ation. You can sort the list through each column, you can filter it through the columns Name,
Type and Owner. You cannot edit the listing layout of this page or access a properties page as
all the information is displayed.

To download a scheduled export from the Local files listing

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Maintenance, click on Local files listing. The page Local files listing opens.
By default, it displays the list Local where you can find all your scheduled exports.
3. Click on the name of the export of your choice to download it.

To delete a scheduled export from the Local files listing

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Maintenance, click on Local files listing. The page Local files listing opens.
By default, it displays the list Local where you can find all your scheduled exports.
3. Tick the export(s) of your choice.
4. In the menu, select Edit > Delete file(s). The wizard Delete file opens.
5. Click on OK to complete the operation. The report opens and closes. The page refreshes,
the selected scheduled export is no longer listed.

199
 Exporting Data

Managing Scheduled Exports Configuration Files

If you configured scheduled exports, the configuration file is on the page Scheduled exports.
Once you configured a scheduled export, you cannot edit its configuration. However, you can
disable and enable it or even delete it.

All the configuration files are listed and each column corresponds to the parameters set during
the scheduled export configuration. You can sort and filter the list through each column but you
cannot edit the listing layout of this page. The scheduled exports do not have a properties page
as all the information is displayed.

To enable/disable a scheduled export configuration file

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Monitoring, next to Exports, click on Scheduled.The page Scheduled exports
opens.
3. Tick the configuration file(s) of your choice.
4. In the menu, select Edit > Enable or Disable. The wizard opens.
5. Click on OK to complete the operation. The report opens and closes. The file is marked
OK or Disabled.

To delete a scheduled export configuration file

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Monitoring, next to Exports, click on Scheduled.The page Scheduled exports
opens.
3. Tick the configuration file(s) of your choice.
4. In the menu, click on Delete. The wizard Delete opens.
5. Click on OK to complete the operation. The report opens and closes. The page refreshes,
the file is no longer listed.

Managing Export Templates

On the page All templates, administrators can rename or delete every Export configuration saved
as template.

The content of the page depends on the module you access it from. Each template has a unique
Name, specific Type and applies to a specific Object of the module.

To edit a template, you must select it during an export and save your changes. For more details,
refer to the section Configuring Exports.

To rename an export template

Only users of the group admin can perform this operation.
1. In the sidebar, go to the module of your choice.
2. In the menu, select Extra options > Templates management. The page All templates
opens. It only contains the templates added in the module.
Ancienne taille de la page

3. In the column Type, type in Export to only list export templates.

4. Right -click over the Name of the template of your choice. The contextual menu opens.
5. Click on Edit. The wizard Rename template opens.

200
 Exporting Data

6. In the field Name, edit the current template name to rename it.
This name must be unique to the object it applies to.
7. Click on OK to complete the operation.The report opens and closes.The template is renamed.

To delete an export template

Only users of the group admin can perform this operation.
1. In the sidebar, go to the module of your choice.
2. In the menu, select Extra options > Templates management. The page All templates
opens. It only contains the templates added in the module.
Ancienne taille de la page

3. In the column Type, type in Export to only list export templates.

4. Tick the template(s) of your choice.
5. In the menu, click on . The wizard Delete opens.
6. Click on OK to complete the operation. The report opens and closes. The template is no
longer listed.

201
 Part IV. Dashboards
Dashboards is the first module you see when you connect to SOLIDserver.

The Main dashboard is the appliance homepage. For the superuser, it provides an overview of the appliance
configurations and services.

Within dashboards, you can gather gadgets to monitor data or set up custom shortcuts and search engines
to ease up the management. You can add as many dashboards as you need.

Figure 86. The monitoring dashboard

The Dashboards hierarchy includes two levels:

• Dashboards where you can monitor all data on as many tabs as you want. For more details, refer to the
chapter Managing Dashboards.
• Gadgets that allow to customize your dashboards content. For more details, refer to the chapter Managing
Gadgets.
Table of Contents
13. Managing Dashboards ............................................................................................. 204
Browsing the Dashboards ...................................................................................... 204
Adding Dashboards ............................................................................................... 205
Displaying or Hiding Dashboards ............................................................................ 205
Ordering Dashboards ............................................................................................ 205
Editing Dashboards ............................................................................................... 206
Deleting Dashboards ............................................................................................. 208
14. Managing Gadgets .................................................................................................. 209
Browsing Gadgets ................................................................................................. 209
Gadgets Displayed by Default ................................................................................ 211
Adding Gadgets .................................................................................................... 215
Assigning Gadgets ................................................................................................ 221
Displaying or Hiding a Gadget ................................................................................ 223
Editing Gadgets .................................................................................................... 223
Setting the Gadgets Visibility .................................................................................. 225
Enabling or Disabling Gadgets ............................................................................... 225
Deleting Gadgets .................................................................................................. 226

203
Chapter 13. Managing Dashboards
From the module Dashboards, you can build dashboards to monitor the appliance data via existing
and custom gadgets or gathers links towards your most used pages and wizards.

In addition to the Main dashboard, available by default, users with sufficient rights can add, edit,
and delete dashboards. All dashboards are accessible to all users.

Within each dashboard, you can add and organize gadgets to set up a customized display of in-
formation. For more details regarding gadgets, refer to the chapter Managing Gadgets.

Browsing the Dashboards

Dashboards are organized in tabs. By default, only the Main dashboard is available, you can add
as many dashboards as you need.

Figure 13.1. The available elements in the module Dashboards

The tab Main dashboard. It is SOLIDserver homepage, it cannot be edited or deleted.

The button Edit allows to rename a dashboard. It appears when you are displaying a
custom dashboard or when you hover over a tab.
The button Delete allows to delete a dashboard. It appears when you are displaying a
custom dashboard or when you hover over a tab.
The buttons and allow to display the tabs if all your dashboards do not fit on the page.
The button allows to add dashboards.
The button opens the dashboards window. It allows to order, show and/or hide dash-
boards, if you add any.

To access a dashboard
1. In the sidebar, click on Dashboards. The Main dashboard opens.
2. Click on the tab of the dashboard of your choice. The dashboard opens.

Note that if you upgraded to this version, all the dashboards that contained gadgets are available
in a dedicated tab.

204
 Managing Dashboards

Adding Dashboards
In addition to the Main dashboard, you can add many dashboards as you need. Note that:
• A dashboard name cannot exceed 255 characters.
• A dashboard name must be unique.

To add a dashboard
1. In the sidebar, click on Dashboards. The Main dashboard opens.
2. In the tab bar, click on . The wizard Add a dashboard opens.
3. In the field Name, name your dashboard. If you use a name matching a label defined in
Language Editor, the dashboard name is translated when you display the interface in the
relevant language. For more details, refer to the section Customizing the Interface Names
and Fields in the chapter Customizing the GUI.
4. Click on OK to complete the operation. The dashboard is added as a new tab.

You can display, hide, order, edit and delete dashboards, as detailed in the next sections.

Displaying or Hiding Dashboards

All dashboards are displayed by default when you add them. You can hide and display custom
dashboards at will. Note that:
• You cannot hide the Main dashboard.
• If you hide a dashboard, it is hidden to all users.

To display/hide a dashboard
1. In the sidebar, click on Dashboards. The last accessed dashboard opens.
2. On the right-end side of the tabs, click on . The dashboards window opens.
3. Set your list of Selected dashboards. All the displayed dashboards are preceded by .
a. To hide a dashboard, click on the name of a ticked dashboard. It is now unticked and
moved outside the list of ticked dashboards.
b. To display a dashboard again, click on the name of an unticked dashboard. It is now ticked
and moved at the end of the list of ticked dashboards.
To order displayed dashboards, refer to the section Ordering Dashboards.
4. Click on SAVE to complete the operation. Your changes update the available tab(s).

Ordering Dashboards
You can order custom dashboards. Note that:
• You cannot order the Main dashboard.
• You cannot order hidden dashboards. To display them, refer to the section Displaying or Hiding
Dashboards.

To order dashboards
1. In the sidebar, click on Dashboards. The Main dashboard opens.
2. On the right-end side of the tabs, click on . The dashboards window opens.
3. Next to the name of any ticked dashboard, click on . You can now move it.

205
 Managing Dashboards

4. Drag and drop the dashboard where you want in the list, a line indicates where the dashboard
is moved.
5. Click on SAVE to complete the operation. All dashboards are displayed in the order you set,
right of the Main dashboard.

Editing Dashboards
You can edit custom dashboards. Editing a dashboard includes renaming it, assigning it gadgets,
organizing the gadgets it contains or hiding gadgets.

Note that you cannot edit the Main dashboard.

Renaming a Dashboard
You can rename a custom dashboard. Note that:
• You cannot rename the Main dashboard.
• A dashboard name cannot exceed 255 characters.
• A dashboard name must be unique.

To rename a dashboard
1. In the sidebar, click on Dashboards. The Main dashboard opens.
2. Click on the tab of the dashboard of your choice. The dashboard opens.
3. In the tab, click on Edit. The wizard Edit a dashboard opens.
4. Edit the field Name according to your needs. If the name matches a label defined in Language
Editor, the dashboard name is translated when you display the interface in the relevant lan-
guage.
5. Click on OK to complete the operation. The dashboard is renamed.

Assigning a Gadget to a Dashboard

From any dashboard, you can assign existing gadgets using the dedicated button.

Note that you can also assign gadgets from the pages My gadgets, System statistics and some
objects properties page. For more details, refer to the section Assigning Gadgets of the chapter
Managing Gadgets.

Figure 13.2. The button Add a gadget available on each dashboard

The area allows to assign existing gadgets to a dashboard.

206
 Managing Dashboards

To assign a gadget to a dashboard

1. In the sidebar, click on Dashboards. The Main dashboard opens.
2. Click on the tab of the dashboard of your choice. The dashboard opens.
3. If many gadgets are displayed, you may need to collapse some.
4. Click on . The wizard Add a gadget opens.
5. In the list Type, select Chart, Top List, Quick Search or Other, that contains the default de-
scriptive and configuration gadgets, and the gadgets Bookmarks and Quick Wizards if you
added them. For more details, refer to the section Adding Gadgets.
6. Click on NEXT . The list Gadget displays the available gadgets.
If no gadget of this type is available, the list is empty. In this case click on PREVIOUS and select
a different type.
7. Select the gadget of your choice.
8. Click on OK to complete the operation. The gadget is displayed.

If you want to remove a gadget from a dashboard, refer to the section Hiding Gadgets from a
Dashboard.

To add, edit, disable, control the visibility or delete a gadget, refer to the chapter Managing
Gadgets.

Organizing Gadgets on a Dashboard

On any dashboard, you can organize the gadgets. You can move, collapse and expand them.

To move a gadget
1. In the sidebar, click on Dashboards. The Main dashboard opens.
2. Click on the tab of the dashboard of your choice. The dashboard opens.
3. Click on the drag bar of the gadget of your choice.
4. Drag the gadget to its new location and drop it. Its former and potential new positions are
highlighted to show how much space it takes.

Figure 13.3. Moving a gadget

To collapse/expand a gadget
1. In the sidebar, click on Dashboards. The Main dashboard opens.

207
 Managing Dashboards

2. Click on the tab of the dashboard of your choice. The dashboard opens.
3. Next to the gadget name, click on to collapse the gadget. Only its drag bar is visible, it
contains its name and buttons.
4. To expand the gadget again, click on .

Figure 13.4. A gadget expanded and collapsed

Hiding Gadgets from a Dashboard

You can hide the gadgets displayed on a dashboard at any point.

Hiding a gadget removes it from the dashboard, it does not delete it. To display it again, refer to
the section Assigning a Gadget to a Dashboard.

To hide a gadget from a dashboard

1. In the sidebar, click on Dashboards. The Main dashboard opens.
2. Click on the tab of the dashboard of your choice. The dashboard opens.
3. In the gadget drag bar, where the gadget name is displayed, click on . The wizard opens.
4. Click on OK to complete the operation. The wizard closes. The gadget is no longer visible.

Deleting Dashboards
You can delete custom dashboards. Note that:
• You cannot delete the Main dashboard.
• You cannot delete a dashboard that contains gadgets. To delete gadgets, refer to the section
Deleting Gadgets in the chapter Managing Gadgets.

If you want to hide rather than delete a dashboard, refer to the section Displaying or Hiding
Dashboards.

To delete a dashboard
1. In the sidebar, click on Dashboards. The Main dashboard opens.
2. Click on the tab of the dashboard of your choice. The dashboard opens.
3. In the tab, click on Delete. The wizard Delete opens.
4. Click on OK to complete the operation.The tab is deleted, the dashboard is no longer available
in the dashboards window.

208
Chapter 14. Managing Gadgets
The gadgets allow you to monitor the appliance and customize your dashboards.

You can add four types of gadgets:

• Chart, used to get a graphical overview of the data. For more details, refer to the section Adding
a Chart Gadget.
• Top List, used to list resources based on specific filters. For more details, refer to the section
Adding a Top List Gadget.
• Quick Search, used to add shortcuts for columns search engines. For more details, refer to
the section Adding a Quick Search Gadget.
• Shortcut, used to add shortcut links toward specific pages. They include:
• The gadget Quick Wizards, used to add shortcuts toward your quick wizards. For more details,
refer to the section Adding a Quick Wizards Gadget.
• The gadget Bookmarks, used to add shortcuts toward your bookmarked pages. For more
details, refer to the section Adding the Gadget Bookmarks.

In addition, the Main dashboard provides Descriptive and Configuration gadgets, these gadget
types cannot be added. For more details, refer to the section Gadgets Displayed by Default.

All the gadgets are composed of two parts:

Figure 14.1. The common structure of the gadgets

The upper gray part is the gadget drag bar. It contains the gadget name and the buttons
to collapse, expand or hide it. On some gadgets, the button allows to edit them.
The lower white part contains the information. Its content differs for every type of gadget.

You can add, assign, hide and/or delete gadgets. Some can even be edited.

Note that you can manage existing charts like gadgets. By default, a set of gadgets are available
on the page the Gadgets Library, for more details refer to the appendix Default Gadgets.

Browsing Gadgets
The gadgets are available on several pages:
• My Gadgets where you can manage all the gadgets already assigned to at least one dashboard.
• Gadgets Library where you can manage all the existing gadgets.
• System statistics that contains the appliance statistics. Every chart on the page can be used
as a gadget and assigned to a dashboard. For more details, refer to the section Assigning a
Chart of the Page System Statistics as Gadget.

209
 Managing Gadgets

• Any properties page containing charts. For more details, refer to the section Assigning a
Chart on a Properties Page as Gadget.

A number of gadgets are displayed by default on some dashboards, as detailed in the section
Gadgets Displayed by Default.

Browsing the Assigned Gadgets

From the page My Gadgets, you can hide, display and manage the visibility of gadgets already
assigned to a dashboard.

To display the page My Gadgets

1. From any page, in the top bar, select My account > My Gadgets. The page My Gadgets
opens.
Each gadget can be displayed several times, if it is assigned to more than one dashboard.
2. To display the gadgets of a specific dashboard, in the search engine of the column Dash-
board, specify the name of the dashboard of your choice.

The page contains the following columns, you cannot change their layout.

Table 14.1. The columns of the pages Gadgets Library and My Gadgets
Column Description
Name The gadget name.
All users The gadget visibility. It is set to Yes if it is visible to all users, or to No if it is only visible to the
user who added it.
Type The gadget type, either Chart, Configuration, Descriptive, Quick Search, Shortcut or Top List.
Dashboard The name of the dashboard(s) where the gadget is assigned.
Status The gadget status: Enabled or Disabled.

Browsing the Gadgets Database

From the page Gadgets Library you can enable, disable and delete all the existing gadgets,
whether they are already assigned to a dashboard or not.

It contains the same columns as the page My Gadgets.

To display the page Gadgets Library

1. From any page, in the top bar, select My account > My Gadgets. The page My Gadgets
opens.
2. In the breadcrumb, click on Gadgets Library. The page Gadgets Library opens.

To display a gadget assignation details from the page Gadgets Library

1. From any page, in the top bar, select My account > My Gadgets. The page My Gadgets
opens.
2. In the breadcrumb, click on Gadgets Library. The page Gadgets Library opens.
3. In the column Name, click on the gadget of your choice. The page My Gadgets opens. It
lists the gadget as many times as it has been assigned.
The column Dashboard indicates where the gadget is assigned. If the list is empty, it means
that the gadget is not assigned.

210
 Managing Gadgets

To display a gadget properties page from the page Gadgets Library

1. From any page, in the top bar, select My account > My Gadgets. The page My Gadgets
opens.
2. In the breadcrumb, click on Gadgets Library. The page Gadgets Library opens.
3. At the end of the line of the gadget of your choice, click on . The properties page opens.

Gadgets Displayed by Default

A set of gadgets are displayed by default on the Main dashboard:
• System Information. It is only available for ipmadmin.
• General Information. It is only available for ipmadmin.
• SOLIDserver Configuration Checklist. It is only available for ipmadmin.
• My Account Preferences & Configuration. It is available for all users.

Any user can display these default gadgets on their session dashboards, as detailed in the section
Assigning Gadgets from the Page Gadgets Library. They are described in the appendix Default
Gadgets.

System Information
This descriptive gadget is available by default on the Main dashboard of ipmadmin (the superuser
session).

Figure 14.2. The gadget System information

This gadget sums up system and user related information:

Connected as
The name of the user connected. Click on the user name (ipmadmin in the image above) to
open the wizard Configure user settings that allows to set the user account preferences.
For more details, refer to the section Account Configuration.
Version
The current software and architecture versions of SOLIDserver.
Date
The appliance current date and time. If it is not accurate, the License type and finally the
support used (Manufacturer, Product and Serial).

211
 Managing Gadgets

License type
The appliance license type, either Temporary (with the End date between brackets) or Official
(it has no end date, it is permanent).
End of Maintenance
The date of the end of the appliance maintenance period.
Manufacturer
The appliance manufacturer name. It indicates if the appliance is installed on a virtual machine
or a physical hardware appliance.
Product
The product name, either hardware (with its size) or software. It depends on the manufacturer.
Serial number
The appliance serial number. For hardware appliances, it is composed of 6 hexadecimal digits.
For virtual appliances, it is only visible on the page Centralized Management.

General Information
This descriptive gadget is available by default on the Main dashboard of ipmadmin.

Figure 14.3. The gadget General information

This gadget sums up the current network and services configuration:

Services
The main services statuses: running , disabled or not yet configured . Click on each
service name to manage them. A running service can be disabled from the dashboard. The
services that are disabled or not configured yet provide a link to the page Services Configur-
ation. For more details, refer to the chapter Configuring the Services.
Hostname
The appliance hostname. Click on its name (solid.intranet in the image above) to open the
page Network Configuration and edit it. For more details, refer to the chapter Configuring the
Network.
IP Addresses
The appliance interface(s) IP address. The default interface indicates the IP address you
configured to connect to SOLIDserver. Click on the interface name (DEFAULT_INTERFACE
in the image above) to open the page Network Configuration and edit it. For more details,
refer to the chapter Configuring the Network.
Default gateways
The appliance default gateway. Click on its IP address to open the page Network Configuration
and edit it. For more details, refer to the chapter Configuring the Network.

212
 Managing Gadgets

SOLIDserver role
The appliance role: Standalone, Master or Hot Standby. The last two roles imply that your
SOLIDserver is configured in High Availability (HA). Click on the role to open the page
Centralized Management. For more details, refer to the chapter Centralized Management.
Status
The appliance status. A Standalone appliance is always OK. The appliances configured
in HA can be marked , to indicate that the configuration is not working properly. Click on
the status to open the page Centralized Management. For more details, refer to the chapter
Centralized Management.

SOLIDserver Configuration Checklist

This configuration gadget is by default displayed on the Main dashboard of ipmadmin.

Only ipmadmin can share it to allow other users to display it, even if they belong to the group
admin.

Figure 14.4. The gadget SOLIDserver configuration checklist

This gadget provides a set of shortcuts to assist you in setting SOLIDserver main configurations
and making sure that your appliance is used at the best of its potential from the first connexion
onward. Any line marked is not configured yet, the completed configurations are marked .

The gadget provides a checklist and shortcuts toward specific configuration wizards:
Local SOLIDserver
Allows to configure locally the appliance from the gadget. Click on Configuration to open
the wizard Configure local SOLIDserver. For more details, refer to the section Configuring
SOLIDserver to Remotely Manage Other Appliances.
Remote SOLIDserver
Allows to add remote appliances to the page Centralized Management from the gadget. Click
on Add to open the wizard Add/modify remote SOLIDserver. For more details, refer to the
section Adding Remote Appliances.
NTP servers configuration
Allows to add NTP servers from the gadget. Click on Configuration to open the wizard NTP
servers configuration. For more details, refer to the section Configuring NTP Servers.

213
 Managing Gadgets

DNS smart architecture

Allows to add a DNS smart architecture from the gadget. Click on Add to open the wizard
Add a DNS server. For more details regarding smart architectures, refer to the section Adding
a DNS Smart Architecture.
DHCP smart architecture
Allows to add a DHCPv4 smart architecture from the gadget. Click on Add to open the wizard
Add a DHCP server. For more details regarding smart architectures, refer to the section
Adding DHCPv4 Smart Architectures.
Backup
Allows to archive the appliance backup on a remote server from the gadget. Click on Config-
uration to open the wizard Archive server parameters. For more details regarding remote
FTP configuration, refer to the section Archiving the Backup Files on an FTP or SFTP Server.
Change ipmadmin password
Allows the superuser, ipmadmin, to edit their SOLIDserver connexion password from the
gadget. Click on Configuration to open the wizard Modify user password. For more details,
refer to the section Changing the Session Password.
Change SSH password
Allows the superuser, ipmadmin, to edit the SSH admin account password from the gadget.
This account is used to authenticate users who add/edit EfficientIP DNS and DHCP servers
and remote appliances. If you change the password from the gadget, you must also edit the
existing servers and appliances to specify the new password. Click on Configuration to
open the wizard Change SSH password. For more details, refer to the sections Editing DNS
Servers, Editing DHCP Servers and/or to the section Editing Remote Appliances.
Authentication (AD, LDAP, RADIUS)
Allows you to add one by one the three rules that configure the remote user authentication
via AD, RADIUS or LDAP. Click on Configuration to open the wizard Add a rule. For more
details regarding remote authentication, refer to the chapter Managing Authentication Rules.
Group
Allows you to add groups of users from the gadget. Click on Add to open the wizard Add a
group. For more details, refer to the section Adding Groups of Users.
Internal module setup
Allows to set the modules advanced properties interaction of the appliance. Click on Config-
uration to open the wizard Internal module setup. For more details, refer to the section
Defining the Internal Module Setup.

My Account Preferences & Configuration

This shortcut gadget is available by default on the Main dashboard of all the users.

Figure 14.5. The gadget My account preferences & configuration

This gadget provides links to help the connected user set their preferences:
Gadgets Library
This button is a link toward the page Gadgets Library in the module Administration.

214
 Managing Gadgets

Set language
This button opens the wizard Change Language. For more details, refer to the section Account
Configuration.

Adding Gadgets
Each type of gadget has a specific addition and edition methods. For this reason, the addition of
Charts, Top List, Quick Search, Quick Wizards and Bookmarks gadgets is detailed separately.
Note that:
• You can add gadgets from any page of the module IPAM, DHCP, DNS, Application, NetChange,
Workflow, Device Manager or VLAN Manager and some pages of the module Administration.
• The descriptive and configuration gadgets are default gadgets, you cannot add new ones or
delete them, you can only enable or disable them and change their visibility.

Once a gadget has been added, you can assign it on any dashboard or share it with other users.
For more details, refer to the sections Assigning Gadgets and Setting the Gadgets Visibility.

Adding a Chart Gadget

The chart gadget allows to compare values and labels and add graphical representations of re-
sources activity or repartition via a pie chart or a bar chart. For instance, the DNS resource records
type distribution among the zones of a server.

Figure 14.6. Example of a bar chart representation of record types distribution

215
 Managing Gadgets

Figure 14.7. Example of a pie chart representation of record types distribution

You can add charts gadgets from any listing page, except in the modules Administration and
SPX. Once added, you can display as many charts as you want on each dashboard.

In the GUI, some charts are already available on the page System Statistics or on the properties
page of some resources. These charts can be assigned as gadget thanks to the button in the
drag bar. For more details, refer to the section Assigning Gadgets.

To add a chart gadget

1. Go to the listing page of your choice.
2. Filter the list according to your needs. The data listed on the page affects the content of the
chart.
3. In the menu, select Alerts, gadgets & Smart Folders > Add a Chart. The wizard Add
a chart opens.
4. Configure the chart:
a. In the field Name, specify the name of the gadget.
b. In the drop-down list Type, select Pie or Bar.
c. In the drop-down list Aggregate function, select the information to display in the chart.
On some pages, only Entries count is available, if so it is selected by default.
d. In the drop-down list Data, select a column of the page. Its name is used as label.
e. In the drop-down list Secondary data, select another column. It is used to compare to
the Data.
f. In the drop-down list Order by, select how to distribute the data, either by Aggregated
data (descending), Aggregated data (ascending), Data (descending), Data (ascending),
Secondary data (descending) or Secondary data (ascending).
5. Click on PREVIEW if you want to have an overview of the chart you configured.
6. Click on NEXT . The last page opens.
7. In the drop-down list Dashboard, select the dashboard of your choice.
8. Click on OK to complete the operation. The report opens and closes. The chart is visible on
the dashboard you chose to display it on.

216
 Managing Gadgets

Note that:
• Charts remain empty as long as there is no data to retrieve on the page they are added from.
• When you hover over a segment of a chart, a tooltip containing information about the segment
is displayed.
• Chart gadgets provide specific buttons:
• The icon allows to zoom in on the chart in a pop-up window above the page.
• The icon allows to refresh the data displayed.
• From the legend you can click on any entry to hide or display data. For more details, refer
to the section Charts.
• Once a chart is added, you cannot edit it. If the data you configured it with no longer suits to
your needs, you have to delete the gadget and add a new one. For more details, refer to the
section Deleting Gadgets.

Adding a Top List Gadget

The Top List gadget allows you to add a specific list displaying from 5 to 25 items from a listing
page. Once added, it looks like a table composed of a maximum of 4 columns that display the
entries you want. They can match a filtered display of the source page. For instance, a list of the
five most heavily used terminal networks.

Figure 14.8. Example of a Top List

You can add Top List gadgets from most listing page and display as many of them as you want
on each dashboard.

Keep in mind that in the module Administration, you can only add aTop List from the pages
Session tracking, User tracking and Alerts.

To add a Top List gadget

1. Go to the listing page of your choice.
2. Filter the list according to your needs. The data listed on the page affects the content of the
Top List.
3. In the menu, select Alerts, gadgets & Smart Folders > Add a Top List. The wizard
Add a Top List opens.
4. Configure the Top List:
a. In the field Name, specify the name of the gadget.
b. In the drop-down list Dashboard, select the dashboard of your choice.
c. In the list Columns, select a column you want to display in the gadget.
d. Click on . The name is moved to the list Selected columns (Max: 4). Repeat these
steps for all the columns you want to include to the gadget. You cannot include more
than four columns to the gadget, any extra column is ignored.
• To remove a column from the Top List, select it among the Selected columns (Max:
4) and click on . The column is moved back in the list Columns.

217
 Managing Gadgets

• To order the columns of the Top List, select them one by one and click on the arrows
to move them up or down .
e. In the field Limit, specify the number of items to display in the final gadget: 5, 10, 15,
20 or 25.
5. For Top List gadgets added from the DNS page Analytics displaying Guardian data, in the
drop-down list Period, select the overall period of data to retrieve, either the last 1h, 3h or
6h.
6. Click on OK to complete the operation. The report opens and closes. The gadget is visible
on the dashboard you selected. It is named Top X list: <your-gadget-name>, where X is the
Limit you selected.

You can edit the Top List gadgets. For more details, refer to the section Editing a Top List Gadget.

Adding a Quick Search Gadget

The Quick Search gadget allows you to add a filtering tool based on the columns of a page. It is
composed of fields matching the columns search engines in the target listing page. It allows to
filter a page using several columns from any dashboard.

Figure 14.9. Example of a Quick Search gadget

In the gadget, the selected columns are displayed as input fields. When you click on SEARCH , you
execute a search that automatically opens the target page and applies the filters of the gadget
to only return the matching results.

You can add Quick Search gadgets from most listing pages and display as many of them as you
want on each dashboard.

The fields available to configure the Quick Search depend on the list the gadget is set from.

To add a Quick Search gadget

1. Go to the listing page of your choice.
2. In the menu, select Alerts, gadgets & Smart Folders > Add a Quick Search. The
wizard Add a Quick Search opens.
3. Configure the Quick Search:
a. In the field Name, specify the name of the gadget. You should specify a name that in-
dicates the page it is added from.
b. In the drop-down list Dashboard, select the dashboard of your choice.
c. In the list Columns, select the column of your choice.
d. Click on . The column is moved to the list Selected columns.
• To remove a column from the gadget, in the list Selected columns, select it and click
on . The column is moved back in the list Columns.
• To order the search fields of the gadget, select a column in the field Selected columns
and the arrows to move it up or down .

218
 Managing Gadgets

4. For Quick Search gadgets added from the DNS page Analytics displaying Guardian data,
in the drop-down list Period, select the overall period of data to retrieve, either the last 1h,
3h or 6h.
5. Click on OK to complete the operation. The report opens and closes. The Quick Search is
visible on the dashboard you selected.

You can edit the Quick Search gadgets. For more details, refer to the section Editing a Quick
Search Gadget.

Adding a Quick Wizards Gadget

The Quick Wizards gadget is a shortcut gadget. It contains links toward the quick wizards you
saved. It can only be displayed once on each dashboard.

Figure 14.10. Example of a Quick Wizards gadget

You cannot add the gadget Quick Wizards on its own, you must include your quick wizards to
the gadget when you add or edit them.

Note that during the addition of a quick wizard you can only indicate one access location, either
a dashboard for the gadget or the menu Quick Access. However, you can edit the quick wizard
from the My Quick Wizards to specify more dashboards.

For more details regarding the quick wizards themselves, refer to the section Quick Wizards.

To add a link in the Quick Wizards gadget toward the Quick Wizard you are adding
1. On the wizard you want to save, click on in the wizard drag bar. The wizard Add a Quick
Wizard opens.
2. In the field Name, specify the quick wizard name.
3. In the drop-down list Save in, select the dashboard of your choice.
4. In the field Description, you can add a description.
5. Click on OK to complete the operation. The report opens and closes. The Quick Wizards
gadget is now displayed on the selected module dashboard, it contains a button named after
your quick wizard.

To add a link in the Quick Wizards gadget toward the Quick Wizard you are editing
1. From any page, in the top bar, select My account > My Quick Wizards. The page My
Quick Wizards opens.
2. Click on the name of a quick wizard you want to edit. The wizard Edit: Quick Wizard opens.
3. If need be, edit the fields Name and Description.
4. In the list Available, select one by one the dashboards of your choice and click on . The
dashboard is moved to the list Configured.
You can also select Quick access menu to add a shortcut toward the quick wizard in the
menu Quick Access. For more details, refer to the section Accessing Quick Wizards.
5. Repeat this action for as many dashboards as you need.

219
 Managing Gadgets

To remove a dashboard from the list Configured, select it and click on . The dashboard
is moved back to the list Available.
6. Tick or untick the box Share with other users according to your needs. Sharing a quick
wizard makes it available for all users.
7. Click on OK to complete the operation. The report opens and closes. The Quick Wizards
gadget is now displayed on the dashboard of the selected modules and it contains a button
named after your quick wizard.

Once you added the Quick Wizards gadget, you can assign it from any dashboard. For more
details, refer to the section Assigning a Gadget to a Dashboard.

You can edit the content of a Quick Wizards gadget. For more details, refer to the section Editing
a Quick Wizards Gadget.

Adding the Gadget Bookmarks

The gadget Bookmarks is a shortcut gadget. It gathers links toward the existing bookmarks of
your choice, its content is the same on all the dashboards it is displayed on.

Figure 14.11. Example of a gadget Bookmarks

You cannot add the gadget Bookmarks on its own, you must add it when you are bookmarking
a page.

To add a gadget Bookmarks when bookmarking a page

1. On any page, click on in the upper-right corner of the page. The wizard Bookmark this
page opens.
2. In the field Name, the bookmark is named <module>: <page> by default. You can edit it.
3. In the field Bookmark Folder, you can specify a folder name to organize your bookmarks
in the menu Bookmarks. By default, no folder is configured, the field contains /.
a. To add a folder, specify the name of your choice. You can also add sub-folders using
the character / and the structure /folder/sub-folder.
b. To find existing folders, type in the beginning of the folder name and click on REFRESH
to retrieve the matching folder full name.
4. Tick the box Add to the gadget Bookmarks to add the gadget Bookmarks and add it to the
page Gadgets Library.
5. Tick the box Share with the other users to make it available to all users.
6. Click on OK to complete the operation. The report opens and closes. The page is now
bookmarked and marked .
The gadget is not displayed on any dashboard yet, to assign it, refer to the section Assigning
Gadgets.

Keep in mind that:

• You cannot assign the gadget Bookmarks from a dashboard if you have not ticked the box
Add to the gadget Bookmarks for at least one bookmark.

220
 Managing Gadgets

• Every time you tick the box Add to the gadget Bookmarks, you edit the gadget content as you
add extra shortcuts to the gadget. You cannot edit the gadget from a dashboard. To remove
bookmark shortcuts from the gadget, refer to the section Editing the Bookmarks Gadget.

Assigning Gadgets
All gadgets can be assigned, i.e. displayed, on any dashboard from the pages My Gadgets and
Gadgets Library.

In addition, existing charts can be assigned as gadgets. Note that the chart available on the DNS
page Analytics cannot be assigned as a gadget.

To assign a gadget directly from a dashboard, refer to the section Assigning a Gadget to a
Dashboard in the chapter Managing Dashboards.

Assigning a Gadget from the Page My Gadgets

The page My Gadgets contains only the gadgets that are already displayed on at least one
dashboard. Each gadget listed can be displayed on one or more dashboards via the option Assign
a gadget.

To assign a gadget to a dashboard from the page My Gadgets

1. From any page, in the top bar, select My account > My Gadgets. The page My Gadgets
opens.
Each gadget can be displayed several times, if it is assigned to more than one dashboard.
2. In the menu, select Edit > Assign a gadget. The wizard Gadget Configuration opens.
3. Select the Type that suits your needs. Other contains the descriptive gadgets, the gadget
Bookmarks and the Quick Wizards gadget.
4. Click on NEXT . The list Gadget displays the available gadgets of the selected type.
5. Select the gadget you want. If there is no gadget of this type yet, the list is empty.
6. Click on NEXT . The last page opens.
7. In the list Available, double-click on the name of the dashboard of your choice. The name
is moved to the list Configured. You can select several dashboards if you want.
8. Click on OK to complete the operation. The report opens and closes. The gadget is now
displayed on the selected dashboard(s).

Assigning Gadgets from the Page Gadgets Library

From the page Gadgets Library, you can assign one or several gadgets to one or more dashboards
at once.

All the existing gadgets are listed on the page, even if they are not displayed on any dashboard
yet.

To assign gadgets to one or several dashboards from the page Gadgets Library
1. From any page, in the top bar, select My account > My Gadgets. The page My Gadgets
opens.
2. In the breadcrumb, click on Gadgets Library. The page Gadgets Library opens.
3. Tick the gadget(s) you want to assign to a dashboard.
4. In the menu, select Edit > Assign Gadget(s). The wizard Gadget configuration opens.

221
 Managing Gadgets

5. In the list Available, double-click on the name of the dashboard you want the gadget to be
displayed on. The name is moved to the list Configured.You can select several dashboards.
Keep in mind that if you selected several gadgets already assigned, their current dashboard
configuration is not displayed and is overwritten if you assign them to a new dashboard.
6. Click on OK to complete the operation. The report opens and closes. The gadget is now
displayed on the selected dashboard(s).

Assigning a Chart of the Page System Statistics as Gadget

Within the module Administration, the page System statistics provides panels containing charts
that can be assigned to any dashboard as gadgets.

All the charts on the page, except Processes state, can be used as a gadget. They provide:
• Traffic information, in the panels DNS traffic, DHCP traffic, HTTP traffic, SNMP traffic and
Database replication traffic.
• System information, in the panels Load average, CPU per process, Memory usage per process,
Disk operations, I/Os per process, SQL queries, Threads, User sessions and Disk Usage.

These charts are not listed on the page Gadgets Library, but once assigned, they are listed on
the page My Gadgets.

To assign a gadget from the page System statistics

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Monitoring, click on System statistics. The page System statistics opens.
3. Under the menu, in the drop-down list SOLIDserver, make sure your local appliance is se-
lected. Only the local appliance statistics charts can be used as gadgets.
4. If you want to close the panels, in the upper right corner, click on Collapse all.
5. In the panel of the chart of your choice, click on . The wizard Use the Chart as a Gadget
opens.
6. In the list Dashboard, select the dashboard of your choice.
7. Click on OK to complete the operation. The page refreshes. The gadget is now displayed
on the selected dashboard.

Assigning a Chart on a Properties Page as Gadget

All the charts displayed on the properties page of your resources can be added to any dashboard.

To assign a gadget from a resource properties page

1. Go to the properties page of the object of your choice.
2. Click on Expand all in the upper right corner of the page to open all the panels.
3. In the panel of the chart of your choice, click on . The wizard Use the Chart as a Gadget
opens.
4. In the list Dashboard, select the dashboard of your choice.
5. Click on OK to complete the operation. The page refreshes. The gadget is now displayed
on the selected dashboard.

222
 Managing Gadgets

Displaying or Hiding a Gadget

From the page My Gadgets, you can choose to display or hide a gadget on a particular dashboard.

To hide or display a gadget directly from a dashboard, refer to the section Editing Dashboards
in the chapter Managing Dashboards.

To display/hide a gadget from the page My Gadgets

1. From any page, in the top bar, select My account > My Gadgets. The page My Gadgets
opens.
2. In the column Status:
a. To display a gadget, click on Hidden. The wizard Enable Gadget opens.
b. To hide a gadget, click on Visible. The wizard Disable Gadget opens.
3. Click on OK to complete the operation. The report opens and closes. The gadget is marked
as Visible or Hidden.

If you want to display or hide a gadget from several dashboards at once, refer to the section
Enabling or Disabling Gadgets.

Editing Gadgets
You can only edit the gadgets Top List, Quick Search, Quick Wizards and Bookmarks.

Any other type of gadget cannot be edited. You have to add a new gadget again and delete the
one you no longer need.

Editing a Top List Gadget

You can edit a Top List gadget from one of the dashboards it is displayed on. Note that:
• You cannot assign a Top List gadget to a different dashboard when you edit it. To assign it to
a different or more dashboards, refer to the section Assigning Gadgets.
• You can also edit a Top List gadget from its properties page.
• Any changes performed on a Top List gadget apply to all the dashboards it is displayed on.

To edit a Top List from a dashboard

1. Go to the dashboard of your choice.
2. In the drag bar of the Top List gadget of your choice, click on . The wizard Edit a Top List
opens.
3. Edit the fields Name, Columns, Selected columns (Max: 4) and Limit according to your
needs. For more details, refer to the section Adding a Top List Gadget.
4. Click on OK to complete the operation. The report opens and closes. The gadget content is
updated.

Editing a Quick Search Gadget

You can edit a Quick Search gadget either from one of the dashboards it is displayed on. Note
that:
• You can also edit a Quick Search gadget from its properties page.

223
 Managing Gadgets

• Any changes performed on a Quick Search gadget apply to all the dashboards it is displayed
on.

To edit a Quick Search from a dashboard

1. Go to the dashboard of your choice.
2. In the drag bar of the Quick Search gadget of your choice, click on . The wizard Edit a
Quick Search opens.
3. Edit the fields Name, Dashboard, Columns and Selected columns according to your
needs. For more details, refer to the section Adding a Quick Search Gadget.
4. Click on OK to complete the operation. The report opens and closes. The gadget content is
now updated.

Editing a Quick Wizards Gadget

You can edit the content of a Quick Wizards gadget from one of the dashboards it is displayed
on. Note that you cannot edit it from its properties page.

You can make unique changes to a Quick Wizards gadget. Any change performed on the gadget
only apply to the dashboard where you edited the gadget.

To edit a Quick Wizards gadget from a dashboard

1. Go to the dashboard of your choice.
2. In the drag bar of the Quick Wizards gadget of your choice, click on . The wizard Edit a
Quick Wizards gadget opens.
3. Edit the gadget content on this dashboard according to your needs.
All the Configured quick wizards are included to the gadget.
From the lists Configured and Available, select the quick wizards one by one and click on
the buttons and to move them to the other list.
4. Click on OK to complete the operation. The report opens and closes. The changes are only
visible in the Quick Wizards gadget of the current dashboard.

Editing the Gadget Bookmarks

You can only edit the content of the gadget Bookmarks, i.e. add or remove bookmarks, from the
page My Bookmarks.

Any changes performed on the gadget Bookmarks apply to all the dashboards it is displayed on.

To add a bookmark to the gadget Bookmarks

1. From any page, in the top bar, select My account > My Bookmarks. The page My
Bookmarks opens.
2. Click on the Name of the bookmark you want to add to the gadget. The wizard Edit a
Bookmark opens.
3. Tick the box Add to the gadget Bookmarks. The bookmark is added to the gadget Book-
marks.
4. Click on OK to complete the operation. The report opens and closes.

224
 Managing Gadgets

To remove a bookmark from the gadget Bookmarks

1. From any page, in the top bar, select My account > My Bookmarks. The page My
Bookmarks opens.
2. Click on the name of the bookmark you want to remove.The wizard Edit a Bookmark opens.
3. Untick the box Add to the gadget Bookmarks. The bookmark is removed from the gadget
Bookmarks.
4. Click on OK to complete the operation. The report opens and closes.

Setting the Gadgets Visibility

On the page Gadgets Library, the column All users indicates if a gadget is visible to every user
or not. Keep in mind that:
• All the users of the group admin can make gadgets visible to all users or only to them.
• The superuser ipmadmin can see all the gadgets no matter who added them or their visibility
configuration.
• The gadgets displayed by default on the Main dashboard are only visible for ipmadmin, unless
they make them visible to all users. For more details, refer to the section Gadgets Displayed
by Default.

To make a gadget visible to all users

Only users of the group admin can perform this operation.
1. From any page, in the top bar, select My account > My Gadgets. The page My Gadgets
opens.
2. In the breadcrumb, click on Gadgets Library. The page Gadgets Library opens.
3. Tick the gadget(s) you want to make visible to all the other users.
4. In the menu, select Edit > Visible to all users > Yes. The wizard Gadget visibility
opens.
5. Click on OK to complete the operation. The report opens and closes. In the column All Users,
the gadget is marked Yes.

To make a gadget visible only to you

Only users of the group admin can perform this operation.
1. From any page, in the top bar, select My account > My Gadgets. The page My Gadgets
opens.
2. In the breadcrumb, click on Gadgets Library. The page Gadgets Library opens.
3. Tick the gadget(s) you want to make visible only to you.
4. In the menu, select Edit > Visible to all users > No.The wizard Gadget visibility opens.
5. Click on OK to complete the operation. The report opens and closes. In the column All Users,
the gadget is marked No.

Enabling or Disabling Gadgets

From the page My Gadgets, you can enable and disable gadgets. Note that:
• Disabling a gadget allows to hide it from all the dashboards it is displayed on at once. It does
not delete it. The gadget is still listed on the pages Gadgets Library and My Gadgets but its
Status is Disabled.
• Enabling a gadget allows to display it on all the dashboards it is assigned to.

225
 Managing Gadgets

• You can click on a gadget Status to disable (if it is Enabled) or enable it (if it is Disabled).

To enable/disable gadgets
1. From any page, in the top bar, select My account > My Gadgets. The page My Gadgets
opens.
2. In the breadcrumb, click on Gadgets Library. The page Gadgets Library opens.
3. Tick the gadget(s) your choice.
4. In the menu:
a. To enable the gadget(s), select Edit > Status > Enable. The wizard opens.
b. To disable the gadget(s), select Edit > Status > Disable. The wizard opens.
5. Click on OK to complete the operation. The report opens and closes. The gadget is marked
Enabled or Disabled.

Deleting Gadgets
You can only delete gadgets from the page Gadgets Library. Deleting a gadget removes it from
the appliance altogether, and no matter on how many dashboards it is displayed.

To delete a gadget
1. From any page, in the top bar, select My account > My Gadgets. The page My Gadgets
opens.
2. In the breadcrumb, click on Gadgets Library. The page Gadgets Library opens.
3. Tick the gadget(s) of your choice.
4. In the menu, click on Delete. The wizard Delete opens.
5. Click on OK to complete the operation. The report opens and closes. The gadget is now re-
moved from the dashboard(s) it was displayed on and from the pages Gadgets Library and
My Gadgets.

226
 EAST ASIA
RIO DE
JANEIRO

Part V. IPAM
The Internet Protocol Address Management (IPAM) was designed to plan, track, organize and manage IP
addresses into networks. This organization can rely on IPv4 that manages 32-bit addresses or on IPv6 that
manages 128-bit addresses.

CLIENTS

AMERICA EUROPE ASIA

USA CHINA

NEW YORK BEIJING

BRAZIL INDIA
AFRICA
BRASILIA NEW DELHI

OCEANIA

Figure 102. Overview of an IPAM organization based on geographical distribution

The IP address management requires to add a space, within which you add a block-type network, that
contains at least one subnet-type network that manages your IP addresses. You can also add a pool to
configure some or all of your IP addresses with extra parameters. If you want to import an existing IPAM
organization, refer to the part Imports and Exports.

The IPAM hierarchy can include up to 5 levels of organization:

• Space: the highest level of the hierarchy, the essential entry point of the IP address management. It is
required to add at least one. It defines the addressing space in which all the IP addresses are unique and
can contain both IPv4 and IPv6 address organizations. You can add as many spaces as you need, they
contain block-type networks. For more details, refer to the chapter Managing Spaces.
• Block-type network: the second level of the hierarchy, where you set the range of IPv4 or IPv6 addresses
that you manage within your space. You must add at least one to manage IP addresses. You can add as
many block-type networks as you need within a space, as long as they do not overlap each other. They
contain subnet-type networks. For more details, refer to the chapter Managing Networks.
• Subnet-type network: the third level of the hierarchy, where you can assign IPv4 or IPv6 addresses. It
is required to add at least one to manage IP addresses. You can add as many subnet-type networks as
you need within a block-type network, as long as they do not overlap each other. They contain pools
and/or IP addresses. For more details, refer to the chapter Managing Networks.
• Pool: the pool is an optional fourth level of the hierarchy. It can contain IPv4 or IPv6 addresses and allows
to set them with specific parameters. For more details, refer to the chapter Managing Pools.
• IP address: the lowest level of the hierarchy. They can belong to IPv4 or IPv6 pools and/or subnet-type
networks. For more details, refer to the chapter Managing IP Addresses.

Note that you can customize your organization display in the Tree view. For more details, refer to the section
Tree View of the chapter Understanding the GUI.

The IPAM module also provides:

• Templates for IPv4 organizations. You can add templates to ease up the addition of IPv4 objects with
specific configurations or content. For more details, refer to the chapter Managing IPAM Templates.
• Variable Length Subnet Mask (VLSM). You can delegate and organize on different levels your spaces
and/or networks in IPv4 or IPv6. For more details, refer to the chapter Using VLSM to Manage Your IPAM
Network.
• Automated additions of DHCP, DNS, Device Manager and/or VLAN Manager resources. You can
configure advanced properties to update other modules from the IPAM. For more details, refer to the
Global Policies chapter Managing Advanced Properties.
• SPX networks management. Thanks to a dedicated license, you can configure the connection to the
RIPE or APNIC and manage networks based on the content of the module SPX. For more details, refer
to the part SPX.
• Cloud synchronization. You can retrieve cloud providers objects in the IPAM with a synchronization.
For more details, refer to the chapter Managing Cloud Synchronization.
• Cisco DNA synchronization.You can configure Cisco DNA to synchronize and register its pools, subpools
and IP addresses in the IPAM. For more details, refer to the appendix Synchronizing Cisco DNA.

Note that from the module Dashboards, you can monitor the module data or set up custom shortcuts and
search engines using gadgets. For more details, refer to the part Dashboards.
Table of Contents
15. Managing Spaces .................................................................................................... 231
Browsing Spaces .................................................................................................. 231
Adding Spaces ...................................................................................................... 231
Editing Spaces ...................................................................................................... 232
Automating the IPv4 to IPv6 Transition .................................................................... 233
Exporting Spaces .................................................................................................. 233
Deleting Spaces .................................................................................................... 233
Defining a Space as a Group Resource .................................................................. 234
16. Managing Networks ................................................................................................. 235
Browsing Networks ............................................................................................... 235
Adding Networks ................................................................................................... 237
Editing Networks ................................................................................................... 243
Splitting Networks ................................................................................................. 244
Merging Networks ................................................................................................. 244
Moving Networks .................................................................................................. 245
Discovering the Assigned IP Addresses in a Network .............................................. 246
Using Network Map to Display Assigned IP Addresses ............................................ 246
Managing or Unmanaging Networks ....................................................................... 248
Creating Networks from NetChange ....................................................................... 248
Finding Identity Manager Sessions at Network Level ............................................... 248
Automating the IPv4 to IPv6 Transition .................................................................... 249
Adding Pools from the Page All networks ................................................................ 249
Adding IP Addresses from the Page All networks .................................................... 249
Adding DHCP Scopes from the Page All networks ................................................... 250
Adding or Updating DNS Zones from the Page All networks ..................................... 250
Adding VLANs from the Page All networks .............................................................. 250
Exporting Networks ............................................................................................... 250
Deleting Networks ................................................................................................. 250
Defining a Network as a Group Resource ............................................................... 251
17. Managing Pools ....................................................................................................... 252
Browsing Pools ..................................................................................................... 252
Adding Pools ........................................................................................................ 253
Reserving Pools .................................................................................................... 254
Resizing Pools ...................................................................................................... 254
Adding Pools at Network Level ............................................................................... 254
Adding DHCP Ranges from the Page All pools ........................................................ 255
Exporting Pools ..................................................................................................... 255
Deleting Pools ....................................................................................................... 255
Defining a Pool as a Group Resource ..................................................................... 255
18. Managing IP Addresses ........................................................................................... 256
Browsing IP Addresses .......................................................................................... 256
Adding IP Addresses ............................................................................................. 258
Editing IP Addresses ............................................................................................. 262
Configuring and Managing IP Address Aliases ........................................................ 263
Configuring Multiple A Records for an IP Address ................................................... 266
Renaming IPv4 Addresses Massively ..................................................................... 267
Moving IP Addresses ............................................................................................ 268
Pinging IP Addresses ............................................................................................ 270
Populating Device Manager ................................................................................... 270
Finding Identity Manager Sessions at IP Address Level ........................................... 270
Adding Gateway IP Addresses at Network Level ..................................................... 271

229
 IPAM

Automating the IPv4 to IPv6 Transition .................................................................... 271

Updating DHCP Scopes from the Page All addresses .............................................. 272
Adding DHCP Statics from the Page All addresses .................................................. 272
Adding DNS Records from the Page All addresses .................................................. 272
Adding Devices from the Page All addresses .......................................................... 272
Updating Ports and Interfaces from the Page All addresses ..................................... 272
Adding IP Addresses from the DHCP ..................................................................... 273
Adding IP Addresses from the DNS ........................................................................ 273
Exporting IP Addresses ......................................................................................... 273
Deleting IP Addresses ........................................................................................... 273
Cleaning Invalid IP Addresses ................................................................................ 273
Cancelling Deletions .............................................................................................. 274
19. Managing Raw Data ................................................................................................ 276
Limitations ............................................................................................................ 276
Exporting Raw Data .............................................................................................. 276
Importing Raw Data .............................................................................................. 277
20. Managing IPAM Templates ....................................................................................... 280
1. Adding Template Classes in Class Studio ............................................................ 281
2. Configuring Templates ....................................................................................... 282
3. Deploying Templates .......................................................................................... 288
21. Using VLSM to Manage Your IPAM Network ............................................................... 290
Choosing the Method That Suits Your Needs ........................................................... 290
Managing a Space-Based VLSM Organization ........................................................ 294
Managing a Network-Based VLSM Organization ..................................................... 304
Using the VLSM Hierarchy to Delegate Management ............................................... 309
22. Managing Cloud Synchronization .............................................................................. 312
Prerequisites ........................................................................................................ 312
Limitations ............................................................................................................ 313
Configuring a Proxy Server .................................................................................... 313
Configuring AWS Synchronization .......................................................................... 313
Configuring Azure Synchronization ......................................................................... 317
Configuring GCP Synchronization .......................................................................... 320
Monitoring the Synchronization .............................................................................. 323
Disabling Cloud Synchronization ............................................................................ 324

230
Chapter 15. Managing Spaces
The space is the highest level in the IPAM module's organization, the entry point of any IPv4 or
IPv6 addressing plan. It allows to manage unique ranges of IP addresses.

Browsing Spaces
Spaces are managed on the page All spaces. They contain the networks, pools and IP addresses.

SPACE NETWORK NETWORK POOL ADDRESS

BLOCK SUBNET

ALIAS

Figure 15.1. The space in the IPAM hierarchy

Spaces provide uniformity and consistency check that ensure uniqueness of IP resources: there
cannot be two identical configurations of IP addresses, pools or networks within one space. To
manage identical N address plans, you can add N spaces in the IPAM module.

You can add as many spaces as you want to organize your addressing plan(s) or set up multiple
private networks following RFC 1918. Each space can contain as many block-type networks as
you need, their size defines the number subnet-type network, pools and IP addresses that you
actually manage.

By default, the space Local is present on the page All spaces. It is configured to receive all the
DHCP and DNS resources configured with replication that are not attached to any space.

Browsing the Spaces Database

To display the list of spaces
1. In the sidebar, go to IPAM > Spaces. The page All spaces opens.
2. You can filter the list using the columns search engine.

To display a space properties page

1. In the sidebar, go to IPAM > Spaces. The page All spaces opens.
2. At the end of the line of the space of your choice, click on . The properties page opens.

Customizing the Display on the Page All Spaces

Any user can change the column layout of the page via the button List template, on the right-
end side of the menu. Only users of the group admin can add or edit list templates. For more
details, refer to the section Managing List Templates.

Adding Spaces
Spaces allow to set up addressing plans containing either IPv4 or IPv6 addresses. You can add
as many spaces as you need or use the space Local, added by default.

231
 Managing Spaces

Note that:
• You can also import spaces, for more details refer to the section Importing Spaces in the
chapter Importing Data from a CSV File.
• You can add spaces via the raw data imports, for more details refer to the chapter Managing
Raw Data.
• If you plan on adding different spaces with similar properties, adding a template might be
useful. For more details, refer to the chapter Managing IPAM Templates.
• The page may contain spaces synchronized from another appliance. For more details on
synchronized spaces, refer to the chapter Configuring Space Synchronization.

To add a space
1. In the sidebar, go to IPAM > Spaces. The page All spaces opens.
2. In the menu, click on Add. The wizard Add a space opens.
3. In the list VLSM parent space, select None or one of the existing empty spaces. If you select
an existing space as VLSM parent space, the new space is affiliated to the space you selec-
ted. For more details, refer to the chapter Using VLSM to Manage Your IPAM Network.
4. Click on NEXT . The next page opens.
5. If custom classes are enabled at space level, in the list Space class select a class or None.
Click on NEXT . The last page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
6. In the field Space name, name the space.
7. In the field Description, you can specify a description of the space.
8. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
9. Click on OK to complete the operation. The report opens and closes. The new space is listed.

Editing Spaces
You can edit any existing space from its properties page or via the contextual menu on the page
All spaces.

Note that you can edit space properties in bulk via the raw data management, for more details
refer to the chapter Managing Raw Data.

To edit a space
1. In the sidebar, go to IPAM > Spaces. The page All spaces opens.
2. At the end of the line of the space of your choice, click on . The space properties pages
opens.
3. In the panel Main properties, click on EDIT .
4. The wizard Edit a space opens.
5. In the list VLSM parent space, select a parent space if need be.
6. Click on NEXT . The next page opens.
7. If custom classes are enabled at space level, in the list Space class select a class or None.
Click on NEXT . The last page opens.

232
 Managing Spaces

If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
8. Edit the fields Space name and/or Description according to your needs.
9. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
10. Click on OK to complete the operation. The report opens and closes. The changes are listed
in the panel.

Automating the IPv4 to IPv6 Transition

From the page All spaces, All networks and All addresses, the advanced properties allow to
configure the transition to IPv6, adding IPv4 objects also adds the same objects in IPv6.

For more details, refer to the chapter Managing Advanced Properties in the section Configuring
the Transition from IPv4 to IPv6.

Exporting Spaces
From the page All spaces:
• You can export the data listed in a CSV, HTML, XML, XLS or PDF file.
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
• You can export spaces as raw data to add or edit them in bulk. For more details, refer to the
chapter Managing Raw Data.

Deleting Spaces
You can delete spaces, before doing so, keep in mind that:
• Deleting a space also deletes all the addresses, pools and networks it contains.
• You cannot delete a space containing other spaces. For more details regarding Variable Length
Subnet Masking, refer to the chapter Using VLSM to Manage Your IPAM Network.
• None of the resources added in the DNS and DHCP from the IPAM, through the advanced
properties, are deleted. This is a safety measure in case a space is deleted by mistake.
• If you delete a synchronized space, it is listed again after the next synchronization. Deleting
synchronized spaces requires to disable the space synchronization between appliances, for
more details refer to the chapter Configuring Space Synchronization.

To delete a space
1. In the sidebar, go to IPAM > Spaces. The page All spaces opens.
2. Tick the space(s) of your choice.
3. In the menu, click on Delete. The wizard Delete opens.
4. Click on OK to complete the operation. The report opens and closes. The selected spaces
are no longer listed.

233
 Managing Spaces

Defining a Space as a Group Resource

In SOLIDserver, only users of the group admin can manage and edit the items of every module.
Adding a space as one of the resources of a specific group allows the users of that group to
manage the space in question as long as they have the corresponding rights granted.

Granting access to a space as a resource also grants access to every item it contains. For more
details, refer to the section Adding Resources to a Group in the chapter Managing Groups.

234
Chapter 16. Managing Networks
Within the IPAM hierarchy the networks are a key level where you define ranges of IP addresses
to work with. Their management follows the recommendations introduced with the RFC 950, that
was aimed at providing a solution to the problems that the Internet community was facing with
dual hierarchical address levels.

The networks help you set the organization that suits your needs: it can allow to set a range of
addresses dedicated to your customers, and within that range a network for the customers of
specific country/city; or it can help delegate terminal network management tasks to administrators.

You can manage IPv4 and IPv6 networks, within one space.

To successfully set up your addressing organization, you must add within a space:
1. A block-type network, where you set the range of addresses you want to manage. This net-
work is by essence non-terminal, it must contain subnet-type networks.
2. One or several subnet-type networks. These networks can be terminal so you can assign
the IP addresses they contain, or non-terminal and contain other subnet-type networks. For
more details, refer to the chapter Using VLSM to Manage Your IPAM Network.

At network level, the IP address management follows some basic rules:

• All block-type networks belong to a space.
• Block-type networks cannot overlap each other in a space.
• All subnet-type networks belong to a block-type network.
• Subnet-type networks cannot overlap each other in a block-type network.
• A subnet-type network is defined by an IP address, size and name.

If you want to manage RIPE or APNIC networks and objects, refer to the part SPX.

You can synchronize cloud providers objects with networks. For more details, refer to the chapter
Managing Cloud Synchronization.

You can synchronize Cisco DNA pools and subpools as networks. For more details, refer to the
appendix Synchronizing Cisco DNA.

Browsing Networks
The page All networks manages both block-type and subnet-type networks, these subnet-type
networks can be terminal or not.

Block-type networks, or level 0 networks, belong to spaces and are the second level of the IPAM
hierarchy. They set the range of IPv4 or IPv6 addresses that you can divide into subnet-type
networks. On the page they are preceded by .

SPACE NETWORK NETWORK POOL ADDRESS

BLOCK SUBNET

ALIAS

Figure 16.1. The block-type network in the IPAM hierarchy

235
 Managing Networks

1
Subnet-type networks, or level 1 (to n) networks, belong to block-type networks and are the third
level of the IPAM hierarchy. Terminal networks contain IPv4 or IPv6 addresses that you can assign.
On the page they are preceded by .

SPACE NETWORK NETWORK POOL ADDRESS

BLOCK SUBNET

ALIAS

Figure 16.2. The subnet-type network in the IPAM hierarchy

You can divide the IP addresses of a subnet-type network into pools. For more details, refer to
the chapter Managing Pools.

The icon color provides information on the network. When is blue it indicates small sized network
managing 2 or 1 IP address. It precedes /31 and /32 networks in IPv4, and /127 and /128 networks
in IPv6.

Browsing the Networks Database

To display the list of networks
1. In the sidebar, go to IPAM > Networks. The page All networks opens and displays both
block-type and subnet-type networks.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. To display all networks or networks level by level, on the right-end side of the menu, click
on . If you display networks level by level, all the networks managed by non-terminal
networks are no longer visible.
4. To display the networks of a specific space, in the column Space, click on the name of your
choice. The page refreshes.
5. To display the networks of a specific block-type network, in the column Container, click on
the name of your choice. The page refreshes.

In the column Container, N/A is displayed on the line of block-type networks.

To display a network properties page

1. In the sidebar, go to IPAM > Networks. The page All networks opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. At the end of the line of the network of your choice, click on . The properties pages opens.

If IPAM to DHCP advanced properties are configured, some subnet-type networks have a panel
DHCP options on their properties page, to configure DHCP options for the scope associated
with the network. For more details, refer to the chapters Managing Advanced Properties and
Configuring DHCP Options.

1
Subnet-type networks can also belong to non-terminal subnet-type networks. For more details, refer to the chapter Using VLSM to
Manage Your IPAM Network.

236
 Managing Networks

Customizing the Display on the Page All Networks

Any user can change the column layout of the page via the button List template, on the right-
end side of the menu. Only users of the group admin can add or edit list templates. For more
details, refer to the section Managing List Templates.

The page also provides columns specific to the management of SPX networks, whether
RIPE or APNIC, such as Waiting state or Assigned networks. For more details, refer to the part
SPX.

Keep in mind that:

• In IPv4 you can display the column Free IP. It indicates the total number of free addresses in
each subnet-type network.
• In IPv6 you can display colored labels above parts of the IP addresses listed. It allows to differ-
entiate at a glance your containers. For more details, refer to the chapter Managing IPv6 Labels.
• In IPv4 and IPv6 you can display the column VLSM space. For space-based VLSM organisa-
tions, it allows to display the name of the child space that receives non-terminal subnet-type
networks as block-type networks. For more details, refer to the chapter Managing a Space-
Based VLSM Organization.

Understanding the Network Statuses

The column Status provides information regarding the terminal networks you manage.

Table 16.1. Terminal subnet-type network statuses

Status Description
Unmanaged The network is not managed.

OK The network is configured and managed.

Creating The delayed status while you wait for the RIPE or APNIC to confirm the network creation.

Deleting The delayed status while you wait for the RIPE or APNIC to confirm the network deletion.

NOT VALID The subnet-type network size does not fit in the block-type network although it was validated
by the RIPE or APNIC. For more details, refer to the part SPX.

Adding Networks
To manage IP addresses, you must define a range of IP addresses to work with, with a block-
type network, and then set the range of addresses you can assign, with a terminal subnet-type
network.

To add a block-type network, refer to the section Adding Networks Manually.

To add a subnet-type network, refer to the section Adding Networks Manually or Adding Networks
Using the Option By Search. The option By search allows to find the first available section of free
IP addresses within a space based on a network size.

Note that:
• You can also import networks from a CSV file, for more details refer to the section Importing
Networks in the chapter Importing Data from a CSV File.
• You can add network via the raw data imports, for more details refer to the chapter Managing
Raw Data.

237
 Managing Networks

• You can add networks from NetChange routes. For more details, refer to the section Creating
Routes in the IPAM.

Adding Networks Manually

You can manually add IPv4 or IPv6 networks from the page All networks:
1. You must add a level 0 network, a block-type network, to define the range of addresses.
2. You can add a terminal subnet-type network. If you add non-terminal networks, you need at
least one terminal network where you can assign IP addresses.

By default, the first and last IP address of a terminal network you add are reserved for the network
and broadcast. The networks managing two or fewer addresses do not reserve any IP address.

Before adding a network keep in mind that:

• Several networks can be named the same.
• Several block-type networks cannot overlap each other in one space.
• Several subnet-type networks cannot overlap each other in one non-terminal network.
• By default in IPv6, you can only manually add /64, /127 or /128 terminal networks. If you want
to configure them with a different prefix, refer to the section Enabling the Addition of IPv6 Ter-
minal Networks with Non-Standard Prefixes.
• You can also use templates to add several networks with similar properties. For more details,
refer to the chapter Managing IPAM Templates.

To add a block-type network manually

1. In the sidebar, go to IPAM > Networks. The page All networks opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. In the menu, click on Add. The wizard opens.
4. In the drop-down list Network type, select Block. Click on NEXT . The next page opens.
Note that if your group's permissions do not include the addition of both block-type and
subnet-type networks, the page is automatically skipped.
5. In the list Choose a space, select the space in which you want to add the network. Click on
NEXT . The next page opens.

6. If custom classes are enabled at network level, in the list Network class select a class or
None.
Click on NEXT . The page Add an IPv4 network or Add an IPv6 network opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
7. In the field Network Name, name the network.
8. In the field Description, you can specify a description.
9. In the field Address, specify the start address.
10. If you are adding an IPv4 network:
a. In the drop-down list Netmask select a netmask. The netmask value automatically edits
the Prefix.
b. In the drop-down list Prefix, select a value if you did not choose a netmask. The prefix
value automatically edits the Netmask.
The network size configuration is visible in the field Comment.

238
 Managing Networks

11. If you are adding an IPv6 network, in the drop-down list Prefix, select a value between /16
and /64. The values depend on the Address you specified.
If your administrator disabled the RFC 4291 compliance registry database entry, you can
select a prefix between /16 and /128. For more details, refer to the section Enabling the
Addition of IPv6 Terminal Networks with Non-Standard Prefixes.
12. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
13. Click on OK to complete the operation. The report opens and closes. The network is listed.

Once you added a block-type network, you can add the subnet-type networks it contains.

To add a subnet-type network manually

1. In the sidebar, go to IPAM > Networks. The page All networks opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. In the menu, click on Add. The wizard opens.
4. In the drop-down list Network type, select Subnet. Click on NEXT . The next page opens.
Note that if your group's permissions do not include the addition of both block-type and
subnet-type networks, the page is automatically skipped.
5. In the list Choose a parent network, select a non-terminal network among the ones listed
under each space. The + sign left of the spaces' name opens the list of their networks. Click
on NEXT . The next page opens.
6. You can tick the box Allow network reparenting. For more details, refer to the section
Reparenting subnet-type networks in the chapter Using VLSM to Manage Your IPAM Network.
7. If custom classes are enabled at network level, in the list Network class select a class or
None.
Click on NEXT . The page Add an IPv4 network or Add an IPv6 network opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
8. In the field Network Name, name the network.
9. In the field Description, you can specify a description. The field may be in read-only if at a
higher level, its Inheritance property is Inherit. If you want to specify a different description
and/or restrict its propagation to lower levels, you must Set its Inheritance property and/or
Restrict its Propagation property before being able to specify any value in the field. For more
details, refer to the chapter Inheritance and Propagation.
10. In the field Address, specify the start address. By default, the start address of the block-type
network you selected is displayed in the field.
11. If you are adding an IPv4 network:
a. In the drop-down list Netmask, select a netmask. The netmask value automatically
edits the Prefix.
b. In the drop-down list Prefix, select a value if you did not choose a netmask. The prefix
value automatically edits the Netmask.
The network size configuration is visible in the field Comment.
12. If you are adding an IPv6 network, in the drop-down list Prefix, select /64, /127 or /128.

239
 Managing Networks

If your administrator disabled the RFC 4291 compliance registry database entry, you can
select a prefix between /16 and /128. For more details, refer to the section Enabling the
Addition of IPv6 Terminal Networks with Non-Standard Prefixes.
13. The box Terminal network is ticked by default to add a terminal network. You can untick
the box to add a non-terminal network, for more details refer to the section Setting Up a
Network-Based VLSM Organization.
If the box Terminal network is ticked, the network has a Gateway. Depending on what ad-
vanced properties are displayed:
• The field Gateway can be displayed and editable.
• The field Gateway can be hidden but the gateway is added anyway.
For more details, refer to the relevant section of the chapter Managing Advanced Properties.
14. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
15. Click on OK to complete the operation. The report opens and closes. The network is listed.

Adding Networks Using the Option By Search

The option By search assists the addition of IPv4 and IPv6 subnet-type networks using their size.
Based on the selected size, the wizard semi-automates the addition as it finds ranges of available
IP addresses matching the size within the parent network.

Before adding a network using the option By search keep in mind that:
• Several networks can be named the same.
• The option only allows to add subnet-type networks, they can be terminal or non-terminal.
• The wizard offers a list of the available start addresses matching your network size criteria.
These results are displayed in ascending order from the non-terminal network with the most
important fragmentation to the one with the least fragmentation. The hierarchy is symbolized
by stars, three stars being the most.
• Several subnet-type networks cannot overlap each other in one non-terminal network.
• By default in IPv6, you can only add /64, /127 or /128 terminal networks. If you want to configure
them with a different prefix, refer to the section Enabling the Addition of IPv6 Terminal Networks
with Non-Standard Prefixes.

To add an IPv4 network using the option By search

1. In the sidebar, go to IPAM > Networks. The page All networks opens.
2. On the right-end side of the menu, click on V4 . The page refreshes and the button turns
black.
3. In the menu, click on Add an IPv4 network (subnet) by search. The wizard opens.
4. In the list Choose a space, select the space of your choice. Click on NEXT .
5. If custom classes are applied at network level, in the list Parent network class select a
class or None. Your selection narrows the search for a parent network, it allows to only look
for available sections of IP addresses within block-type networks that are configured with a
specific class, any class or no class.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.

240
 Managing Networks

6. If custom classes are enabled at network level, in the list Network class select a class or
None.
Click on NEXT . The page Network size opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
7. Select a Size, Prefix or Netmask for your network. Selecting one value automatically changes
the other two. Click on NEXT . The page Search result opens.
If the pop-up window No network matching this size is available opens, click on CANCEL . You
can either change the network size details or, click on PREVIOUS to change the Parent network
class, if you selected a specific one, or even change the space if all available addresses are
already managed by terminal networks.
8. In the list Network address, select a start address. Click on NEXT . The page Add an IPv4
subnet opens.
9. In the field Network Name, name the network.
10. In the field Description, you can specify a description. The field may be in read-only if at a
higher level, its Inheritance property is Inherit. If you want to specify a different description
and/or restrict its propagation to lower levels, you must Set its Inheritance property and/or
Restrict its Propagation property before being able to specify any value in the field. For more
details, refer to the chapter Inheritance and Propagation.
11. The fields Address and Prefix display the values set on the pages Network size and Search
result.
12. The box Terminal network is ticked by default to add a terminal network. You can untick
the box to add a non-terminal network, for more details refer to the section Setting Up a
Network-Based VLSM Organization.
If the box Terminal network is ticked, the network has a Gateway. Depending on what ad-
vanced properties are displayed:
• The field Gateway can be displayed and editable.
• The field Gateway can be hidden but the gateway is added anyway.
For more details, refer to the relevant section of the chapter Managing Advanced Properties.
13. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
14. Click on OK to complete the operation. The report opens and closes. The network is listed.

To add an IPv6 network using the option By search

1. In the sidebar, go to IPAM > Networks. The page All networks opens.
2. On the right-end side of the menu, click on V6 . The page refreshes and the button turns
black.
3. In the menu, click on Add an IPv6 network (subnet) by search. The wizard opens.
4. In the list Choose a space, select the space of your choice. Click on NEXT .
5. If custom classes are applied at network level, in the list Parent network class select a
class or None. Your selection narrows the search for a parent network, it allows to only look
for available sections of IP addresses within block-type networks that are configured with a
specific class, any class or no class.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.

241
 Managing Networks

6. If custom classes are enabled at network level, in the list Network class select a class or
None.
Click on NEXT . The page Network size opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
7. The box Terminal network is ticked by default. You can untick it if you want to add a non-
terminal network that can contain other networks. For more details, refer to the section Setting
Up a Network-Based VLSM Organization.
8. In the drop-down list Network prefix, select the network prefix.
a. If the box Terminal network is ticked, select 64 bits, 127 bits or 128 bits.
b. If the box Terminal network is not ticked, select a prefix between 8 bits and 64 bits.
If your administrator disabled the RFC 4291 compliance registry database entry, you can
select a prefix between 8 bits and 128 bits whether the network is terminal or not. For more
details, refer to the section Enabling the Addition of IPv6 Terminal Networks with Non-
Standard Prefixes.
Click on NEXT . The page Search result opens.
9. In the list Network address, select a start address. Click on NEXT . The page Add an IPv6
network opens.
10. In the field Network Name, name the network.
11. In the field Description, you can specify a description. The field may be in read-only if at a
higher level, its Inheritance property is Inherit. If you want to specify a different description
and/or restrict its propagation to lower levels, you must Set its Inheritance property and/or
Restrict its Propagation property before being able to specify any value in the field. For more
details, refer to the chapter Inheritance and Propagation.
12. The fields Address and Prefix display the values set on the pages Network size and Search
result.
13. If the box Terminal network was ticked and depending on your administrator's display
configuration:
• The field Gateway can be displayed and editable.
• The field Gateway can be hidden but the gateway is added anyway.
For more details, refer to the relevant section of the chapter Managing Advanced Properties.
14. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
15. Click on OK to complete the operation. The report opens and closes. The network is listed.

Enabling the Addition of IPv6 Terminal Networks with Non-Standard

Prefixes
By default, the IPv6 terminal networks addition wizard offers only three prefixes: /64, /127 and
/128 to comply with RFC 4291.

If want to configure terminal networks with other, non-standard, prefixes, your administrator can
break the compliance with RFC 4291 by enabling the registry database entry module.ip.viol-
ate.rfc4291. Once the registry entry is enabled, any prefix matching the terminal network start
address is returned by the drop-down list Network prefix.

242
 Managing Networks

Note that enabling the registry database also modifies the content of drop-down list Network
prefix for non-terminal networks.

To edit the registry key that enforces the compliance with RFC 4291
Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Registry database. The page Registry database opens.
3. Filter the column Name with 4291.
4. Hit Enter. Only the key module.ip.violate.rfc4291 is listed.
5. In the column Value, click on the value listed. The wizard Registry database Edit a value
opens.
6. In the field Value, type in 1 to enable it. By default, its value is 0.
7. Click on OK to complete the operation. The report opens and closes. The page refreshes
and the new value is displayed.

Editing Networks
You can edit networks from the page All networks via the contextual menu or from their properties
page.

Note that:
• You can edit networks added using a template, but this operation is limited. For more details,
refer to the chapter Managing IPAM Templates.
• You can edit network properties in bulk via the raw data management, for more details refer
to the chapter Managing Raw Data.
• To split, merge or move networks, refer to the sections Splitting Networks, Merging Networks
and Moving Networks.

To edit a network
1. In the sidebar, go to IPAM > Networks. The page All networks opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. At the end of the line of the network of your choice, click on . The properties pages opens.
4. In the panel Main properties, click on EDIT . The wizard opens.
5. If custom classes are enabled at network level, in the list Network class select a class or
None.
Click on NEXT . The page Edit an IPv4 network or Edit an IPv6 network opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
6. Edit the Network name, Description according to your needs.
7. If you are editing a subnet-type network, the box Terminal network is displayed. You can
either:
a. Tick the box to make the network terminal. In that case, it has a Gateway that may be
displayed or hidden, depending on your administrator display configuration.
b. Untick the box to make the network non-terminal. In that case, it can contain other net-
works. For more details, refer to the section Setting Up a Network-Based VLSM Organ-
ization.

243
 Managing Networks

Keep in mind that you cannot make a terminal network non-terminal or vice versa if they
contain other networks or pools.
8. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
9. Click on OK to complete the operation. The report opens and closes. The changes are listed
in the panel.

Splitting Networks
You can split IPv4 or IPv6 networks to manage the IP addresses they contain in separate networks.
Before splitting network, keep in mind that:
• You can split a network into 2, 4 or 8 smaller networks of same size.
• The new networks are all named after the network you split.
• When splitting a terminal network, the new smaller networks all use the first available IP address
as their gateway.
• You can split a network containing other networks only if the operation does not impact the
networks it contains.
• If the networks are configured with advanced properties, splitting them might compromise your
original configuration.
• You cannot split unmanaged networks.

To split a network
1. In the sidebar, go to IPAM > Networks. The page All networks opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. Tick the network(s) you want to split.
4. In the menu, select Edit > Split. The wizard Splitting networks opens.
5. In the drop-down list Number of networks to create, select 2, 4 or 8. By default, 2 is selected.
6. Click on OK to complete the operation. The report opens and closes. The networks are listed.

Merging Networks
You can merge IPv4 or IPv6 subnet-type networks, to manage more addresses. Before merging
networks, keep in mind that:
• You can merge subnet-type networks if:
• They belong to the same non-terminal network, either a non-terminal subnet-type network
or a block-type network.
• They are contiguous networks.
• They are of equal size.
• The new network is named after the very first network in the list that manages all the IP ad-
dresses of the selected networks.
• The number of networks before the merge must be a power of two (2, 4, 8, 16, 32, 64, ...).
• The new larger network uses one of the existing gateway addresses as gateway for the new
network.
• The result of the merge must produce a network with a netmask address boundary.

244
 Managing Networks

• You cannot merge:

• Unmanaged networks or block-type networks.
• Terminal networks and non-terminal subnet-type networks, you can either select only terminal
networks or only non-terminal networks.
• Subnet-type networks that are associated with different VLANs. For more details on IPAM
/ VLAN Manager interactions, refer to the chapter Managing Advanced Properties in the
section Network Advanced Properties.

Unable to merge the network "$subnet_name" ($start_addr - $end_addr) in the space

"$site_name": you cannot merge networks associated with different VLANs

To merge subnet-type networks

1. In the sidebar, go to IPAM > Networks. The page All networks opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. Tick the networks you want to merge.
4. In the menu, select Edit > Merge. The wizard Merging networks opens.
5. Click on OK to complete the operation. The report opens and closes. The new network is
listed, it is named after the first network in the list and has the start address of the first selected
network and the end address of the last selected network.

Keep in mind that if the merge you are trying to execute is impossible, an error message appears
on the report page and only a partial report of some networks is executed.

Moving Networks
You can move IPv4 or IPv6 networks from one space to the other. Before moving a network keep
in mind that:
• The migration of a block-type network also moves the networks, pools and IP addresses it
contains.
• The migration of a subnet-type network is only possible if the target space contains a block-
type network that can receive it.
• You can overwrite an existing network in the target space if both networks have the same size.
• You cannot move a network if it overlaps partially an existing network in the target space.
• You cannot move an unmanaged network.

To move a network from one space to the other

1. In the sidebar, go to IPAM > Networks. The page All networks opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. Tick the network(s) you want to move.
4. In the menu, select Tools > Expert > Migrate to another space. The wizard Migrating
IPv4 networks or Migrating IPv6 networks opens.
5. In the drop-down list Target space, select the space where you want the network to be
moved.
6. In the drop-down list Overwrite, select Yes or No according to your needs.
7. Click on OK to complete the operation. The report opens and closes. The selected network's
space has changed.

245
 Managing Networks

Discovering the Assigned IP Addresses in a Network

Within terminal IPv4 networks, you can find out which IP addresses are being used. The option
Discover networks allows to ping the IP addresses of the terminal network and assign them on
the page All addresses. That way, the IP addresses already in use on your physical network -
computers, servers, etc. - cannot be used. If advanced properties are configured, this addition
may also update the database of other modules. For more details, refer to the section IP Ad-
dress Advanced Properties.

The option Discover networks names the assigned IP addresses if the DNS resolver of the appli-
ance is properly configured and if these IP addresses are declared in a valid PTR record. For
more details, refer to the sections Setting the DNS Resolver and Adding a PTR Record.

Considering that pinging all the IP addresses of a network can take some time, you can choose
to perform this scan at different speeds: it can be fast, normal or slow. The slower the discovery,
the more likely you are to properly scan the network. The discovery mechanism sends 32 ICMP
echoes at once on the network. For more details, refer to the table below.

Table 16.2. The available speeds for the option Discover networks
Speed Timeout Retry
Slow 3 seconds 2 attempts
Normal 2 seconds 1 attempt
Fast 1 second no retry

To discover the assigned IPv4 addresses within a terminal network

1. In the sidebar, go to IPAM > Networks. The page All networks opens.
2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. Tick the terminal network(s) of your choice.
4. In the menu, select Edit > Discover networks > Fast, Normal or Slow. The wizard
Discover networks opens.
5. Click on OK to complete the operation. The report opens and displays the results, click on
CLOSE to go back to the page.

When the operation is over, the assigned IP addresses are the ones that responded to the ping.
They are marked In use in the column Status and they have a Name if they are properly de-
clared in a PTR record.

Using Network Map to Display Assigned IP Addresses

From the page All networks of a specific non-terminal network you can access the page Network
map to have an overview of which segments are already managed and in which segments you
can add new subnet-type networks, terminal or not.

Network map allows to see the occupancy rate of IPv4 block-type or subnet-type non-terminal
networks and to make sure you did not forget any IP addresses in your addressing strategy.

To display the page Network map

1. In the sidebar, go to IPAM > Networks. The page All networks opens.

246
 Managing Networks

2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. Click on the name of the non-terminal network of your choice.The page refreshes and displays
the networks it contains.
4. In the breadcrumb on the right of the network name, click on to display additional pages.
5. Click on Network map. The page refreshes.
6. To access the properties page of a subnet-type network, click on any blue area.

On the page Network map, non-terminal networks are divided into lines of /24 terminal networks,
where free ranges are gray and used ranges are blue.

Figure 16.3. Example of a Network map

This column indicates the first IP address of the network segments. Every simple line rep-
resents a /24 segment. i.e. 256 consecutive IP addresses. They can be free or belong to a
network.
The first line matches the start address of the non-terminal network.
The blue areas indicate segments of used IP addresses, they belong to networks of the
non-terminal network. The different highlights allow to identify sizes:
• 3.2.7.0-3.2.7.255 is dark blue, this network uses exactly 256 addresses.
• 3.2.12.0-3.2.15.255 is dark and light blue, this network uses more than 256 addresses.
The light area indicates that no IP address is free in this portion of the non-terminal network.
• 3.2.255.0-3.2.255.63 is dark blue and short, this network uses only a portion of the /24
line. Right after the network, the line is gray to highlight all the free IP addresses before
the next network.
The gray areas indicates the free IP addresses within the non-terminal network. Here, all
IP addresses are free in the segment 3.3.4.0-3.3.255.255.
Hover over any blue area to display the network name, start and end IP addresses and size.
If you click on the area, the network properties page opens.
This column indicates the last IP address of the network segments.

247
 Managing Networks

The last line matches the end address of the non-terminal network.

Managing or Unmanaging Networks

You can choose to manage or unmanage IPv4 or IPv6 networks, unmanaging a network prevents
overlapping. By default, all networks are managed, in the column Status they are OK.

The option can be useful, for instance, if you are allocated a particular range of addresses by the
RIPE or APNIC through SPX, especially if you are still waiting on this range to be officially allocated
to you. As any network set as unmanaged is virtually non existent in the database, it gives you
time to add new networks managing the same start IP address and prefix as an existing unman-
aged network and assign in advance the addresses it contains if need be.

Before using the option, keep in mind that:

• You can only use the option on terminal networks, i.e. subnet-type networks.
• Unmanaging a subnet-type network puts the used IP addresses it manages in a container
Orphan addresses.
• It is impossible to manage again an unmanaged network if it uses IP addresses that are already
used by a managed network.
• It is impossible to split or merge unmanaged networks.
• It is impossible to unmanage synchronized networks from cloud providers. For more details,
refer to the section Managing Cloud Synchronization.

To manage/unmanage a subnet-type network

1. In the sidebar, go to IPAM > Networks. The page All networks opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. Tick the subnet-type network(s) of your choice.
4. In the menu, select Tools > Expert > Manage or Unmanage. The wizard opens.
5. Click on OK to complete the operation. The report opens and closes. In the column Status,
the selected networks are marked OK or Unmanaged.

Creating Networks from NetChange

You can create subnet-type networks from NetChange routes. For more details, refer to the
section Creating Routes in the IPAM.

Finding Identity Manager Sessions at Network Level

You can look for the active Identity Manager sessions from the IPAM.

A report allows to find the sessions associated with the IP addresses of the networks you manage,
its result can be downloaded in TXT, HTML or EXCEL format.

Note that:
• The report can be generated for IPv4 and IPv6 networks.
• The report only looks for active sessions, it ignores inactive sessions. All inactive sessions are
available on the page All sessions in the module Identity Manager.
• The report finds active sessions and their identity across all directories.

248
 Managing Networks

• The report looks for sessions associated with assigned IP addresses, any address which status
is not Free.You can choose to include free IP addresses. For more details on address statuses,
refer to the section Understanding the IP Address Type and Status in the chapter Managing
IP Addresses.
• The report is designed to find sessions in terminal networks. If you generate it for a block-type
network or a non-terminal subnet-type network, it looks for sessions in the terminal networks
it contains.

If you want to find active sessions at IP address level, refer to the section Finding Identity Manager
Sessions at IP Address Level.

For more details on Identity Manager sessions, refer to the chapter Managing Sessions.

To find active sessions at network level

1. In the sidebar, go to IPAM > Networks. The page All networks opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. Tick the network(s) of your choice.
4. In the menu, select Report > Find Identity Manager sessions. The wizard Find active
sessions in Identity Manager opens.
5. To also take into account the Free IP addresses of the selected network(s), tick the box Also
find sessions associated with free IP addresses.
6. Click on OK . The wizard works for a while. The last page opens, it only displays the first ten
sessions found.
7. At the bottom of the wizard, the section Export format allows to download all the sessions
found. Click on TEXT , HTML or EXCEL to download the result in the corresponding format.
Note that you can also download the result from the top bar, in the window Notifications.
8. Click on CLOSE .

Automating the IPv4 to IPv6 Transition

From the page All spaces, All networks and All addresses, the advanced properties allow to
configure the transition to IPv6, adding IPv4 objects also adds the same objects in IPv6.

For more details, refer to the chapter Managing Advanced Properties in the section Configuring
the Transition from IPv4 to IPv6.

Adding Pools from the Page All networks

The advanced properties allow to add pools during the addition of terminal networks.

For more details, refer to the chapter Managing Advanced Properties in the section Network
Advanced Properties.

Adding IP Addresses from the Page All networks

The advanced properties allow to automatically calculate and add a Gateway IP address
whenever you add terminal networks.

For more details, refer to the chapter Managing Advanced Properties in the section Network
Advanced Properties.

249
 Managing Networks

Adding DHCP Scopes from the Page All networks

The advanced properties allow to add scopes when you add terminal networks.

The new scope is added in the selected DHCP failover channel and automatically set with the
network Gateway address as value of the option routers. In addition, all the IP addresses you
add within these networks can automatically add statics.

For more details, refer to the chapter Managing Advanced Properties in the section Network
Advanced Properties.

Adding or Updating DNS Zones from the Page All networks

The advanced properties allow to configure terminal networks to automatically update the DNS.
• Adding a terminal network can add a reverse zone. The Gateway of that network also adds a
PTR record in the zone.
• Adding a terminal network can also add an A record in the name zone you set as Domain.

For more details, refer to the chapter Managing Advanced Properties in the section Network
Advanced Properties.

Adding VLANs from the Page All networks

The advanced properties allow to set up an interaction between networks and VLANs of the
module VLAN Manager. When you add or edit a subnet-type network, you can add a VLAN or
associate it with an existing VLAN. This configuration allows several subnet-type networks to
communicate with each other through a common VLAN, no matter what space or network they
belong to.

For more details, refer to the chapter Managing Advanced Properties in the section Network
Advanced Properties.

Exporting Networks
From the page All networks:
• You can export the data listed in a CSV, HTML, XML, XLS or PDF file.
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
• You can export networks as raw data to add or edit them in bulk. For more details, refer to the
chapter Managing Raw Data.

Deleting Networks
You can delete networks, before doing so, keep in mind that:
• As a safety measure:
• Deleting a block-type network does not erase it from the database. If it contains objects -
networks, pools, used IP addresses - it is renamed Orphan Network and the objects it con-
tained are managed by the next block-type network added that matches the deleted network
configuration, i.e. the same start IP address, size and advanced properties.

250
 Managing Networks

• Deleting a subnet-type network puts its used IP addresses in an Orphan Network. The free
IP addresses are deleted.
If you really want to delete a network, you must delete its content first, starting with its used IP
addresses and up the IPAM hierarchy until the network you want to delete is empty. For more
details, refer to the chapters Managing IP Addresses and Managing Pools.
• Deleting a network configured with the advanced property DNS server for reverse zones or
DNS view for reverse zones also deletes the corresponding reverse zone from the DNS, if it
only contains the default SOA and NS records.

To delete networks from a VLSM organization, refer to the chapter Using VLSM to Manage Your
IPAM Network.

To delete a network
1. In the sidebar, go to IPAM > Networks. The page All networks opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. Tick the networks(s) of your choice.
4. In the menu, click on Delete. The wizard Delete opens.
5. Click on OK to complete the operation. The report opens and closes. Selected networks are
no longer listed, they might be replaced by Orphan networks or Orphan Addresses.

Defining a Network as a Group Resource

In SOLIDserver, only users of the group admin can manage and edit the items of every module.
Adding a network as one of the resources of a specific group allows the users of that group to
manage the network in question as long as they have the corresponding rights granted.

Granting access to a network as a resource also grants access to every item it contains. For
more details, refer to the section Adding Resources to a Group in the chapter Managing Groups.

251
Chapter 17. Managing Pools
Within the IPAM hierarchy, pools are the fourth level of the IPAM module hierarchy, they are the
last container level. They can be added within terminal networks to manage IP addresses, their
use is optional.

Pools allow reserving IP addresses for restricted usage such as: address provisioning, planning
or migrations. Pools can also be used to delegate one or several ranges of IP addresses to groups
of administrators or to restrict access to users.

Browsing Pools
The pools belong to terminal networks and contain IPv4 or IPv6 addresses. They are managed
in the page All pools.

SPACE NETWORK NETWORK POOL ADDRESS

BLOCK SUBNET

ALIAS

Figure 17.1. The pool in the IPAM hierarchy

Pools are identified by name and start/end IP address.

Browsing the Pools Database

To display the list of pools
1. In the sidebar, go to IPAM > Pools. The page All pools opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. To display the list of pools of a specific network, in the column Network, click on the name
of your choice. The page refreshes.

To display a pool properties page

1. In the sidebar, go to IPAM > Pools. The page All pools opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. At the end of the line of the pool of your choice, click on . The properties pages opens.

Customizing the Display on the Page All Pools

Any user can change the column layout of the page via the button List template, on the right-
end side of the menu. Only users of the group admin can add or edit list templates. For more
details, refer to the section Managing List Templates.

Keep in mind that in IPv6 you can display colored labels above parts of the IP addresses listed.
It allows to differentiate at a glance your containers. For more details, refer to the chapter Managing
IPv6 Labels.

252
 Managing Pools

Adding Pools
Within any terminal network, a subnet-type network, you can add pools to organize further your
IP addresses and/or configure them with a common set of options.

Note that:
• You can add pools at pool level. The procedure below details how to add them from the page
All pools.
• You can add pools at network level. Pools can be added either from the properties page of
terminal networks, in the panel IP address pool, or when you add terminal networks configured
with the relevant advanced properties. For more details, refer to the section Network Advanced
Properties in the chapter Managing Advanced Properties.
• You can also import pools, for more details refer to the section Importing Pools in the chapter
Importing Data from a CSV File.
• You can add pools via the raw data imports, for more details refer to the chapter Managing
Raw Data.

To add a pool
1. In the sidebar, go to IPAM > Networks. The page All networks opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. Click on the name of the subnet-type network of your choice. The page All addresses of
this network opens.
4. In the breadcrumb, click on All pools. The page All pools of the network opens.
5. In the menu, click on Add. The wizard opens.
6. If custom classes are enabled at pool level, in the list IP pool class select a class or None.
Click on NEXT . The page Add an IPv4 pool or Add an IPv6 pool opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
7. In the field Pool name, name the pool.
8. The box Pool read-only allows to reserve the pool, mark it as read-only. By default, the box
is not ticked. For more details, refer to the section Reserving Pools.
9. In the field Start address, specify the first address of the pool.
10. In the field End address, specify the last address of the pool. By default, the last address
of the parent network is displayed. The value of the End address automatically updates the
value of the field Size, based on the Start address.
11. In the field Size, you can specify the number of IP addresses you want the pool to manage.
The value of the Size automatically updates the value of the field End address, based on
the Start address.
12. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
13. Click on OK to complete the operation. The report opens and closes. The pool is listed. On
the page All addresses, the column Pool indicates the pool name next to all the addresses
it manages.

253
 Managing Pools

Reserving Pools
You can reserve a pool when adding or editing a pool thanks to the box Pool read-only. This re-
servation may be useful to dedicate the use of IP addresses to the DHCP, identify a bunch of
printers, etc.

To reserve an existing pool

1. Go to the properties page of the pool of your choice.
2. In the panel Main properties, click on EDIT . The wizard opens.
3. If custom classes are enabled at pool level, in the list IP pool class select a class or None.
Click on NEXT . The page Edit an IPv4 pool or Edit an IPv6 pool opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
4. Tick the box Pool read-only to reserve the pool.
5. Click on OK to complete the operation. The report opens and closes. The pool is now marked
Yes in the section Read-only of the panel Main properties.

When adding a pool, you can tick the box as well to reserve it.

Resizing Pools
You can resize IPv4 pools to manage more or less addresses than they did when you added
them. Resizing a pool shifts the start and/or end IP address of the pool, you can specify a number
of addresses to include/exclude.

So, if your pool managed the addresses 192.168.100.10-192.168.100.125 you can decide to
resize it to manage the addresses 192.168.100.100-192.168.100.105 indicating a start address
shift of "90" and an end address shift of "-20".

You cannot resize a pool if the addresses you include or exclude are already used or belong to
another pool.

To resize an IPv4 pool

1. In the sidebar, go to IPAM > Pools. The page All pools opens.
2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. Tick the pool(s) of your choice.
4. In the menu, select Edit > Resize Pools. The wizard Resize IPAM pools opens.
5. In the field Start address shift, specify the positive or negative start address shift for the
pool. If you type in 0 (zero), the address stays the same.
6. In the field End address shift, specify the positive or negative end address shift for the pool.
If you type in 0 (zero), the address stays the same.
7. Click on OK to complete the operation. The report opens and closes. The new start/end ad-
dress for the pool(s) is listed.

Adding Pools at Network Level

The advanced properties allow to add pools during the addition of terminal networks.

254
 Managing Pools

For more details, refer to the chapter Managing Advanced Properties in the section Network
Advanced Properties.

Adding DHCP Ranges from the Page All pools

The advanced properties allow to automatically add a DHCP range every time you add a pool.

The range is added in the DHCP failover channel you configured at network level.

For more details, refer to the chapter Managing Advanced Properties in the section Pool Advanced
Properties.

Exporting Pools
From the page All pools:
• You can export the data listed in a CSV, HTML, XML, XLS or PDF file.
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
• You can export pools as raw data to add or edit them in bulk. For more details, refer to the
chapter Managing Raw Data.

Deleting Pools
You can delete pools. Note that if you delete a pool you do not delete the addresses it con-
tains or add an orphan container. You only delete the pool itself and the parameters it was set
with.

If addresses inherited class parameters from the deleted pool, their value and the source of their
value remain the same: the Inheritance property of each class parameter is forced to Inherit or
Set to match the configuration of the deleted pool.

To delete a pool
1. In the sidebar, go to IPAM > Pools. The page All pools opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. Tick the pool(s) of your choice.
4. In the menu, click on Delete. The wizard Delete opens.
5. Click on OK to complete the operation. The report opens and closes. The pool is no longer
listed.

On the page All addresses, the free IP addresses managed by a deleted pool are no longer listed.
The addresses In use are still listed but next to them the column Pool is empty.

Defining a Pool as a Group Resource

In SOLIDserver, only users of the group admin can manage and edit the items of every module.
Adding a pool as one of the resources of a specific group allows the users of that group to manage
the selected pool as long as they have the corresponding rights granted.

Granting access to a pool as a resource also grants access to every item it contains. For more
details, refer to the section Adding Resources to a Group in the chapter Managing Groups.

255
Chapter 18. Managing IP Addresses
The IP address is the last level of the IPAM hierarchy, where you assign your IP addresses to
specific users, devices, etc.

The page All addresses provides management options for IPv4 and IPv6.

You can synchronize Cisco DNA IP addresses on the page. For more details, refer to the appendix
Synchronizing Cisco DNA.

Browsing IP Addresses
The IP addresses can belong to terminal subnet-type networks and pools. They can be configured
with one or several aliases.

SPACE NETWORK NETWORK POOL ADDRESS

BLOCK SUBNET

ALIAS

Figure 18.1. The IP address in the IPAM hierarchy

Browsing the IP Addresses Database

To display the list of IP addresses
1. In the sidebar, go to IPAM > Addresses. The page All addresses opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
Only the In use addresses are listed.
3. To display the IP addresses of a specific space, in the column Space, click on the name of
your choice. The page refreshes.
4. To display the IP addresses of a specific network, in the column Network, click on the name
of your choice. The page refreshes.
• If you selected a non-terminal network, only In use IP addresses are displayed.
• If you selected a terminal subnet-type network, In use IP addresses and the first and last
Free ones are displayed, the breadcrumb indicates the parent network(s) of the selected
network.
5. To display the IP addresses of a specific pool, in the column Pool, click on the name of your
choice. The page refreshes.
6. To display more Free addresses, in the column Address, click on left of the address of
your choice. The first or last 13 addresses appear.

For more details regarding statuses, refer to the section Understanding the IP Address Type and
Status.

To display IPv6 addresses in full

1. In the sidebar, go to IPAM > Addresses. The page All addresses opens.

256
 Managing IP Addresses

2. On the right-end side of the menu, make sure the button V6 is black, otherwise click on it.
The page refreshes and the button turns black.
3. On the right-end side of the menu, click on Uncompress IPv6 addresses. The page
refreshes and all the addresses are displayed entirely.

To display an IP address properties page

1. In the sidebar, go to IPAM > Addresses. The page All addresses opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. At the end of the line of the IP address of your choice, click on . The properties page opens.

Customizing the Display on the Page All Addresses

Any user can change the column layout of the page via the button List template, on the right-
end side of the menu. Only users of the group admin can add or edit list templates. For more
details, refer to the section Managing List Templates.

Keep in mind that:

• In IPv4 you can display the column Aliases. It provides a complete overview of the aliases
configured on IPv4 addresses.
• In IPv6 you can display colored labels above parts of the IP addresses listed. It allows to differ-
entiate at a glance your containers. For more details, refer to the chapter Managing IPv6 Labels.

Understanding the IP Address Type and Status

The columns Type and Status provide information regarding the IP addresses you manage.

Keep in mind that the Gateway address of terminal networks is different from the other Regular
IP addresses In use. It can be automatically added and named Gateway as you add a terminal
network and it can also be set with an IP address automatically calculated from the Gateway
offset of your choice. For more details, refer to the section Network Advanced Properties.

These columns provide information regarding the IPAM to DHCP interaction that can be set via
the advanced properties or directly when configuring statics. For more details, refer to the chapter
Managing Advanced Properties or the section Adding DHCPv4 Statics.

Table 18.1. IP address types

Type Description
Network Only in IPv4, the first IP address of a terminal network. It should not be assigned, except
in /31 or /32 networks. To make it assignable refer to the section Assigning the Broadcast
and Network Addresses.
Broadcast Only in IPv4, the last IP address of a terminal network. It should not be assigned, except
in /31 or /32 networks. To make it assignable refer to the section Assigning the Broadcast
and Network Addresses.
? Orphan The IP address belonged to a network that was deleted. It was not deleted because it
is assigned.
Regular The IP address is only managed in the IPAM.

DHCP static The IP address was added in the IPAM and configured with the advanced property Add
a DHCP static. For more details, refer to the chapter Managing Advanced Properties.
DHCP lease The IP address belongs to a pool configured with the advanced property Add a DHCP
range. For more details, refer to the chapter Managing Advanced Properties.

257
 Managing IP Addresses

Table 18.2. IP address statuses

Status Description
Non assignable The IP address cannot be assigned, it is the Network or Broadcast address of a
terminal network. For more details, refer to the table IP address types.
Reserved For a DHCP lease, the IP address will be allocated to a DHCP client the next time
they connect to the network.
For a DHCP static, the IP address is assigned to a DHCP client.
In use For a Regular IP address, the address is already assigned.
For a DHCP lease, the IP address was allocated to a DHCP client that connected to
the network.
For a DHCP static, the IP address was assigned to a DHCP client and allocated as
a lease to the client when they connected to the network. This status is only displayed
if your DHCP configuration relies on EfficientIP DHCP servers in version 6.0.0 or higher.
Free The IP address can be assigned.

Read-only / Free The IP address is currently free but cannot be assigned because it belongs to a pool in
read-only. That pool is not configured with DHCP advanced properties.
Read-only / In use The IP address is currently used but cannot be edited because it belongs to a pool in
read-only. That pool is not configured with DHCP advanced properties.
Invalid The IP address does not match any IP address in the DHCP database but it belongs to
an IPv4 network or pool or to an IPv6 network configured with DHCP advanced properties.
The IPAM to DHCP advanced properties are probably misconfigured, for more details
refer to the section Configuring IPAM Advanced Properties.
To delete invalid IP addresses, refer to the section Cleaning Invalid IP Addresses.

Adding IP Addresses
At address level, there are two ways of adding, or assigning, IP addresses:
• Manually: if you already know the IP address you want to assign and are sure that this IP ad-
dress is free. You can add it from the menu Add or from the list All addresses itself.
• By search: if you do not know if there is a free IP address within your terminal networks, you
can use this option to find available IP addresses.

Note that:
• You can also import IP addresses, for more details refer to the section Importing IP Addresses
in the chapter Importing Data from a CSV File.
• You can add IP addresses via the raw data imports, for more details refer to the chapter
Managing Raw Data.

When you add large terminal networks, the Broadcast and Network addresses are auto-
matically assigned. Both addresses are by default Non assignable in large networks, but you
can make them assignable. For more details, refer to the section Assigning the Broadcast and
Network Addresses.

Adding IP Addresses Manually

You can add IP addresses, that is to say assign them a name, and associate them with a specific
MAC address.

From the page All addresses, you can add addresses from the menu or from the list.

258
 Managing IP Addresses

To add an IP address from the menu

1. In the sidebar, go to IPAM > Addresses. The page All addresses opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. In the menu, select Add. The wizard opens.
4. In the list Space, select a space and click on NEXT . The next page opens.
5. If custom classes are applied at network level, in the list Network class select a class, All
or None. Your selection allows to narrow the search for a terminal network, it allows to limit
the list of terminal networks to choose from at the next step, and to only list terminal networks
that are configured with a specific class, any class or no class.
Click on NEXT . The next page opens.
If no class is applied on terminal networks, the class dedicated page is automatically skipped.
6. In the list Network name, select the terminal network of your choice and click on NEXT . The
next page opens.
Note that the list content can change if you had to select a Network class, it can be empty
if the selected class is not applied to any terminal network.
7. If the network contains pools and custom classes are applied at pool level, in the list Pool
class select a class, All or None. Your selection allows to narrow the search for a pool, it
allows to limit the list of pools to choose from at the next step, and to only list pools that are
configured with a specific class, any class or no class.
Click on NEXT . The next page opens.
If no class is applied on terminal networks, the class dedicated page is automatically skipped.
8. If the network contains pools, in the list Pool name select a pool or No pool. Click on NEXT .
9. If custom classes are enabled at IP address level, in the list IP address class select a class
or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
10. On the page Add an IPv4 address or Add an IPv6 address, configure the IP address:

Table 18.3. IP address configuration fields

Field Description
IP address name The complete name of the IP address. This field is required and in read-only.
The field automatically displays the Shortname followed by the Domain, if ad-
vanced properties are configured and you selected one.
IP address The IP address you assign, it must belong to the selected terminal network. This
field is required.
By default, it displays either the first Free and Regular IP address in the network
or the first IP address of the selected pool.
MAC address The MAC address of the IP address. This field is optional.
Keep in mind that in IPv6, the MAC address corresponds to the last twelve
hexadecimal characters of the client DUID.
Shortname The name of the IP address. This field is required.
Advanced properties Default is selected, so only the fields/options included in the wizard default display
are visible. This field is optional.
You can display All available fields, but you may not be able configure them. For
more details, refer to the relevant module section in the chapter Managing Ad-
vanced Properties.

259
 Managing IP Addresses

11. Click on NEXT . The page Aliases configuration opens.

12. In the field Add an alias, name your alias(es). Click on ADD to add it to the Aliases list. For
more details regarding aliases, refer to the section Configuring and Managing IP Address
Aliases.
13. Click on OK to complete the operation. The report opens and closes. The address is listed,
its Type and Status depend on your configuration. For more details, refer to the section
Understanding the IP Address Type and Status.

From the page All addresses of any terminal network, you can click on any Free IP address to
name and configure it.

To add an IP address from the list

1. In the sidebar, go to IPAM > Addresses. The page All addresses opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. In the column Network, click on the name of the terminal network of your choice. The page
refreshes and displays all its IP addresses, Free or In use.
4. Click on the Free IP address of your choice. A pop-up window This address is free, do you
want to assign it? opens.
5. Click on OK . The wizard opens.
6. If custom classes are enabled at IP address level, in the list IP address class select a class
or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
7. On the page Add an IPv4 address or Add an IPv6 address, configure your IP address:

Table 18.4. IP address configuration fields

Field Description
IP address name The complete name of the IP address. This field is required and in read-only.
The field automatically displays the Shortname followed by the Domain, if ad-
vanced properties are configured and you selected one.
IP address The IP address you clicked on. This field is required and in read-only.
MAC address The MAC address of the IP address. This field is optional.
Keep in mind that in IPv6, the MAC address corresponds to the last twelve
hexadecimal characters of the client DUID.
Shortname The name of the IP address. This field is required.
Advanced properties Default is selected, so only the fields/options included in the wizard default display
are visible. This field is optional.
You can display All available fields, but you may not be able configure them. For
more details, refer to the relevant module section in the chapter Managing Ad-
vanced Properties.

8. Click on NEXT . The page Aliases configuration opens.

9. In the field Add an alias, name your alias(es). Click on ADD to add it to the Aliases list. For
more details regarding aliases, refer to the section Configuring and Managing IP Address
Aliases.
10. Click on OK to complete the operation. The report opens and closes. The address is listed,
its Type and Status depend on your configuration. For more details, refer to the section
Understanding the IP Address Type and Status.

260
 Managing IP Addresses

Adding IP Addresses Using the Option By search

From the page All addresses you can add addresses using the option By search.This option allows
to automatically find available IP addresses within a terminal network and configure the one that
suits your needs.

To add an IP address using the option By search

1. In the sidebar, go to IPAM > Addresses. The page All addresses opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. In the menu, click on Add an IPv4 address by search or Add an IPv6 address by
search. The wizard opens.
4. In the list Space, select a space and click on NEXT . The next page opens.
5. If custom classes are applied at network level, in the list Network class select a class, All
or None. Your selection allows to narrow the search for a terminal network, it allows to limit
the list of terminal networks to choose from at the next step, and to only list terminal networks
that are configured with a specific class, any class or no class.
Click on NEXT . The next page opens.
If no class is applied on terminal networks, the class dedicated page is automatically skipped.
6. In the list Network name, select the terminal network of your choice and click on NEXT . The
next page opens.
Note that the list content can change if you had to select a Network class, it can be empty
if the selected class is not applied to any terminal network.
7. If the network contains pools and custom classes are applied at pool level, in the list Pool
class select a class, All or None. Your selection allows to narrow the search for a pool, it
allows to limit the list of pools to choose from at the next step, and to only list pools that are
configured with a specific class, any class or no class.
Click on NEXT . The next page opens.
If no class is applied on terminal networks, the class dedicated page is automatically skipped.
8. If the network contains pools, in the list Pool name select a pool or No pool. Click on NEXT .
The page IP address class opens.
9. If custom classes are enabled at IP address level, in the list IP address class select a class
or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
10. In the list IP address, select the IP address of your choice. The first ten available addresses
of the network are listed. Click on NEXT .
11. On the page Add an IPv4 address or Add an IPv6 address, fill in the following fields:

Table 18.5. IP address configuration fields

Field Description
IP address name The complete name of the IP address. This field is required and in read-only.
The field automatically displays the Shortname followed by the Domain, if ad-
vanced properties are configured and you selected one.
IP address The IP address you selected on the previous page. This field is required and in
read-only.
MAC address The MAC address of the IP address. This field is optional.

261
 Managing IP Addresses

Field Description
Keep in mind that in IPv6, the MAC address corresponds to the last twelve
hexadecimal characters of the client DUID.
Shortname The name of the IP address. This field is required.
Advanced properties Default is selected, so only the fields/options included in the wizard default display
are visible. This field is optional.
You can display All available fields, but you may not be able configure them. For
more details, refer to the relevant module section in the chapter Managing Ad-
vanced Properties.

12. Click on NEXT . The page Aliases configuration opens.

13. In the field Add an alias, name your alias(es). Click on ADD to add it to the Aliases list. For
more details regarding aliases refer to the section Configuring and Managing IP Address
Aliases.
14. Click on OK to complete the operation. The report opens and closes. The address is listed,
its Type and Status depend on your configuration. For more details, refer to the section
Understanding the IP Address Type and Status.

Assigning the Broadcast and Network Addresses

By default, all IPv4 terminal networks of more than 4 addresses (with a prefix /30 and smaller)
are added with a Network address and Broadcast address that are both Non assignable.

Depending on the way you organized your addressing plan, you might need to assign all the
addresses of your networks, including the Network and Broadcast addresses. A registry database
entry allows to make them both assignable.

To make the Broadcast and Network addresses of a network assignable

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Registry database. The page Registry database opens.
3. Filter the column Name, with www.display.lock_broadcast_network_addresses .
4. Hit Enter. Only this key is listed.
5. In the column Value, click on the key value. The wizard Registry database Edit a value
opens.
6. In the field Value, type in 0 to remove the restriction on the broadcast and network addresses.
By default, the value of the key is 1.
7. Click on OK to complete the operation. The report opens and closes.

Once the Broadcast and Network addresses are assignable, you can configure them like any
other IP address. Note that on the page All addresses, their Status remains Non assignable but
the IP address itself is underlined to indicate that you can assign them.

Editing IP Addresses
You can edit used IP addresses to change their class, name, MAC address or even their advanced
properties or class parameter configuration. This edition can be done from the list All addresses
or from the IP address properties page.

Note that you cannot edit IP addresses belonging to a pool read-only.

262
 Managing IP Addresses

To edit an IP address
1. In the sidebar, go to IPAM > Addresses. The page All addresses opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. Right-click over the Name of the IP address you want to edit. In the contextual menu, click
on Edit. The wizard opens.
4. If custom classes are enabled at IP address level, in the list IP address class select a class
or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. Edit the fields MAC address and/or Shortname according to your needs.
You cannot edit the fields IP address and IP address name. IP address name displays the
changes performed in the fields Shortname and/or Domain. For more details, refer to the
relevant section of the chapter Managing Advanced Properties.
6. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
7. Click on NEXT . The page Aliases configuration opens.
8. In the field Add an alias, name your alias(es). Click on ADD to add it to the Aliases list. For
more details regarding aliases, refer to the section Configuring and Managing IP Address
Aliases.
9. Click on OK to complete the operation. The report opens and closes. The address is listed,
its Type and Status depend on your configuration. For more details, refer to the section
Understanding the IP Address Type and Status.

Configuring and Managing IP Address Aliases

The alias allows to register a single IP address under several names in the DNS.

One IP address can have one unique FQDN registered in the DNS, any additional names can
only be registered as IP aliases.

SPACE NETWORK NETWORK POOL ADDRESS

BLOCK SUBNET

ALIAS

Figure 18.2. The alias in the IPAM hierarchy

You can only properly configure IP address aliases if you already configured the IPAM to
DNS advanced properties. Otherwise, the IPAM changes are not replicated in the DNS database.
For more details, refer to the relevant section of the chapter Managing Advanced Properties.

When you configure an alias you are associating an IP addresses in the IPAM with A, AAAA
and/or CNAME record(s) in the DNS. The most commonly configured alias is the CNAME.

263
 Managing IP Addresses

Configuring IP address Aliases

You can configure as many aliases as you need on your IP addresses.

The aliases can be used to associate the IP addresses of a network toward one zone or different
zones:
• Within the same zone, the IP address alias is a CNAME record that follows the DNS standard
use and points to an A or AAAA record.
• Among different zones, the alias name is crucial. The IP address shortname.domain1 adds an
A record of the zone domain1 and a CNAME record in the zone domain2 with the value
shortname.domain2. That way, your alias name links to two of your zones.

You can configure aliases when you add IP addresses, when they are still Free.

To configure an alias on a free IP address

1. In the sidebar, go to IPAM > Addresses. The page All addresses opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. Click on the Address of the available IP address of your choice. The pop-up window This
address is free, do you want to assign it? opens.
4. Click on OK . The wizard opens.
5. If custom classes are enabled at IP address level, in the list IP address class select a class
or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
6. In the field Shortname, name the IP address.
7. In the drop-down list Domain, select a zone. The list of available zones depends on your
configuration at network level.
8. Make sure that advanced property DNS server is set to All.
9. Click on NEXT . The page Aliases configuration opens.
10. In the field Name, name the alias. Note that the alias cannot have the same name as the IP
address. That way, if they share the same Domain they each add a unique record.
11. In the drop-down list Domain, select an existing domain or None. The alias full name is
displayed in the field Alias following the format: <name>.<domain> .
12. In the drop-down list Type, select CNAME, A or AAAA. By default, CNAME is selected.
13. Click on ADD to move your alias to the Aliases list. Repeat these actions for as many aliases
as you need. In the list, each alias is listed as follows: (<record-type>) <full-alias-name>.
14. Click on OK to complete the operation. The report opens and closes. The address is listed,
its Type and Status depend on your configuration. For more details, refer to the section
Understanding the IP Address Type and Status.
To see its aliases in the list, display the column Aliases. For more details, refer to the section
Managing List Templates.

To configure aliases on an existing IP address, an address In use, you must edit it.

To configure an alias on an IP address in use

1. In the sidebar, go to IPAM > Addresses. The page All addresses opens.

264
 Managing IP Addresses

2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. At the end of the line of the IP address of your choice, click on . The properties page opens.
4. In the panel Aliases, click on EDIT . The wizard opens.
5. If custom classes are enabled at IP address level, in the list IP address class select a class
or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
6. Click on NEXT . The page Aliases configuration opens.
7. In the field Name, name the alias. Note that the alias cannot have the same name as the IP
address. That way, if they share the same Domain they each add a unique record.
8. In the drop-down list Domain, select an existing domain or None. The alias full name is
displayed in the field Alias following the format: <name>.<domain> .
9. In the drop-down list Type, select CNAME, A or AAAA. By default, CNAME is selected.
10. Click on ADD to move your alias to the Aliases list. Repeat these actions for as many aliases
as you need. In the list, each alias is listed as follows: (<record-type>) <full-alias-name>.
11. Click on OK to complete the operation. The report opens and closes. The panel Aliases lists
all aliases.

Editing IP address Aliases

You can edit the aliases of an IP address. Editing an alias also edits the corresponding record
in the DNS.

To edit an IP address alias

1. In the sidebar, go to IPAM > Addresses. The page All addresses opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. At the end of the line of the IP address of your choice, click on . The properties page opens.
4. In the panel Aliases, click on EDIT . The wizard opens.
5. If custom classes are enabled at IP address level, in the list IP address class select a class
or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
6. Click on NEXT . The page Aliases configuration opens.
7. In the Aliases list, select the alias of your choice. All relevant fields display its details.
8. Edit the alias Name, Domain and Type according to your needs. Keep in mind that the alias
cannot have the same name as the IP address.
9. Click on UPDATE . All the changes are displayed in the Aliases list.
Repeat these actions for as many aliases as needed.
10. Click on OK to complete the operation. The report opens and closes. All changes are visible
in the panel Aliases.

265
 Managing IP Addresses

Removing IP address Aliases

You can remove the aliases of an IP address. Deleting an alias also deletes the relevant record
in the DNS.

Note that you can cancel an alias deletion, for more details refer to the section Cancelling Dele-
tions.

To remove an IP address alias

1. In the sidebar, go to IPAM > Addresses. The page All addresses opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. At the end of the line of the IP address of your choice, click on . The properties page opens.
4. In the panel Aliases, click on EDIT . The wizard opens.
5. If custom classes are enabled at IP address level, in the list IP address class select a class
or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
6. Click on NEXT . The page Aliases configuration opens.
7. In the field Aliases list, select the alias of your choice. All relevant fields display its details.
8. Click on DELETE . The alias is no longer available in the Aliases list.
Repeat these actions for as many aliases as needed.
9. Click on OK to complete the operation. The report opens and closes. In the panel Aliases,
the alias(es) is no longer listed.

Configuring Multiple A Records for an IP Address

You can add several A records for one IP address from the IPAM module. That way, one IP ad-
dress can have several aliases in the DNS, this can be especially useful when configuring load
balancing and round-robin. For more details, refer to the section Load Balancing with Round-
Robin.

We strongly recommend against configuring your DNS with one IP address associated
with a set of A aliases. Indeed, a proper configuration of your DNS implies that a name zone
is configured with a reverse zone which allows DNS clients to query your domain, through its
name on the one hand and its IP address on the other.

In this configuration, DNS best practices advise to add a PTR record in the reverse zone for each
A record of the name zone to make sure the domain or sub-domain is accessible through its
name and IP address. If your name zone contains several A records with the same value, your
reverse zone should contain as many PTR records. These records would all be named after the
same IP address (the value of the A records). In this case, the reverse zone would contain sev-
eral PTR records with the same name pointing to different domains. Therefore querying this IP
address to get the corresponding domain or sub-domain is impossible, the server cannot know
which hostname to send when answering the DNS clients query. To make sure that a domain
can be accessed through its name and IP address, there should be one PTR record in the reverse
zone for each A record of the name zone. If you need to provide an alias, you should add a
CNAME record pointing to the A record in the master zone. For more details, refer to the sections
Adding an A Record, Adding a AAAA Record, Adding a PTR Record and Adding a CNAME Record.

266
 Managing IP Addresses

Keep in mind that:

• You can only properly configure IP address aliases if you already configured the IPAM
to DNS advanced properties. Otherwise, the IPAM changes are not replicated in the DNS
database. For more details, refer to the relevant section of the chapter Managing Advanced
Properties.
• If your configuration is not properly set in the IPAM, the A and/or AAAA records are not
added in the DNS and no error message is displayed in the DNS.

Note that you can configure it with several A and AAAA records when you add a Free IP address
or when edit an IP address In use.

To add several A/AAAA records on a free IP address

1. In the sidebar, go to IPAM > Addresses. The page All addresses opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. Click on the Address of the available IP address of your choice. The pop-up window This
address is free, do you want to assign it? opens.
4. Click on OK . The wizard opens.
5. If custom classes are enabled at IP address level, in the list IP address class select a class
or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
6. In the field Shortname, name the IP address.
7. In the drop-down list Domain, select a zone. The list of available zones depends on your
configuration at network level.
8. Make sure that advanced property DNS server is set to All.
9. Click on NEXT . The page Aliases configuration opens.
10. In the field Name, name the alias. Note that the alias cannot have the same name as the IP
address. That way, if they share the same Domain they each add a unique record.
11. In the drop-down list Domain, select an existing domain or None. The alias full name is
displayed in the field Alias following the format: <name>.<domain> .
12. In the drop-down list Type, select A or AAAA.
13. Click on ADD to move your alias to the Aliases list. Repeat these actions for as many records
as you need. In the list, each one is listed as follows: (A) <full-alias-name> or (AAAA) <full-
alias-name>.
14. Click on OK to complete the operation. The report opens and closes. The panel Aliases lists
all aliases.

To edit or remove A and AAAA record aliases, refer to the sections Editing IP address Aliases
and Removing IP address Aliases.

Renaming IPv4 Addresses Massively

You can rename several IPv4 addresses at once from the menu Edit.

To massively rename IPv4 addresses

1. In the sidebar, go to IPAM > Addresses. The page All addresses opens.

267
 Managing IP Addresses

2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. Tick the IP address(es) you want to rename.
4. In the menu, select Edit > Replace > IP address name. The wizard Replace IP ad-
dresses name opens.
5. In the drop-down list Exact search, select Replace, Append or Prepend. By default, Replace
is selected.

Table 18.6. Available methods to rename IP addresses

Method Description
Replace Allows to rename each IP address entirely or partially, via the following fields.
Replace The name or part of the name to look for and replace. This field is required.
Name The characters that replace the value of Replace. This field is optional.
Append Allows to concatenate characters at the end of the name of each IP address, via the following
field. Selecting this method refreshes the page.
Name The characters to append to the name. This field is required.
Prepend Allows to concatenate characters at the beginning of the name each IP address, via the following
field. Selecting this method refreshes the page.
Name The characters to prepend to the name. This field is required.

6. Click on OK to complete the operation. The report opens and closes. The new IP addresses
names are visible in the list.

Moving IP Addresses
SOLIDserver provides several ways of moving, or migrating, IPv4 addresses within your database.
Migrating IP address can be useful when you have to relocate hosts.

Keep in mind that migrating an IP address edits its class parameters inheritance and propagation
configuration: the value of the parameters is kept but each property configuration is forced to
Set/Propagate.

Moving IPv4 Addresses to Another Network

You can massively move IPv4 addresses from one terminal network to the other, i.e. you can
relocate hosts and move them to another network. This operation allocates the first available IP
address in the specified terminal network and keeps their properties and aliases.

Keep in mind that migrating an IP address edits its class parameters inheritance and propagation
configuration: the value of the parameters is kept but each property configuration is forced to
Set/Propagate.

To move an IPv4 address to another network

1. In the sidebar, go to IPAM > Addresses. The page All addresses opens.
2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. Tick the IP address(es) you want to move to another network.
4. In the menu, select Edit > Migrate to another network. The wizard Migrate addresses
to another network opens.

268
 Managing IP Addresses

5. In the drop-down list Target space, select a space.

6. In the field New network IP, specify the start address of the terminal network you want to
move the address(es) to.
7. Click on OK to complete the operation. The report opens and closes.

Moving IP Addresses to Another Space

You can massively move IP addresses from one space to the other and keep their properties
and aliases. To successfully migrate IP addresses to another space, keep in mind that:
• You can migrate IP addresses if the target space contains a terminal network with:
• A start address and prefix that allow it to receive all the selected IP addresses. If the network
is too small, the migration is impossible.
• Enough free addresses to assign the IP addresses you migrate.
• You cannot migrate an IP address if the target network already has the same IP address in
use. The migration would be interrupted.
• You cannot migrate an IP address from or towards a pool in read-only.

Keep in mind that migrating an IP address edits its class parameters inheritance and propagation
configuration: the value of the parameters is kept but each property configuration is forced to
Set/Propagate.

To move an IP address to another space

1. In the sidebar, go to IPAM > Addresses. The page All addresses opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. Tick the IP address(es) you want to move to another space.
4. In the menu, select Edit > Migrate to another space. The wizard Migrate addresses
to another space opens.
5. In the drop-down list Target space, select the space of your choice.
6. Click on OK to complete the operation. The report opens and closes.

Migrating the Properties of an IPv4 Address

You can migrate the properties and aliases of one IP address individually. This allows to relocate
a host to a different space or network or within the same space.

The wizard provides the possibility to detect an IP address in a source space and change the IP
address itself, while keeping its properties in the target space.

Keep in mind that migrating an IP address edits its class parameters inheritance and propagation
configuration: the value of the parameters is kept but each property configuration is forced to
Set/Propagate.

To migrate the properties of an IPv4 address

1. In the sidebar, go to IPAM > Addresses. The page All addresses opens.
2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. In the menu, select Tools > Migrate a specific IP. The wizard Migrating a specific IP
address opens.

269
 Managing IP Addresses

4. In the drop-down list Source space, select a space or Auto-detection. This option can be
selected only if your IP address exists in only one space.
5. In the field IP address to migrate, specify the IP address you want to migrate.
6. In the drop-down list Target space, select a space or Same as source. This option can be
selected only if you specify a different IP address in the field New IP address.
7. In the field New IP address, specify the IP address of your choice. It can be a different one
or the same as the one specified in the field IP address to migrate.
8. Click on OK to complete the operation. The report opens and closes.

Pinging IP Addresses
From the IPAM module, you can ping IP addresses to check if the host they are associated with
is responding.

The report can display the following messages:

• Notice Ping OK (IP address).
The corresponding host was found and responded to the ping.
• Error Ping Timeout (IP address).
The corresponding host did not respond to the ping. It could mean a number of things, the host
is not running, is an a different network, is configured not to respond to the ping utility, etc.

To ping one or several IP addresses

1. In the sidebar, go to IPAM > Addresses. The page All addresses opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. Tick the IP address(es) you want to ping.
4. In the menu, select Tools > Ping. The wizard Pinging IP addresses opens.
5. Click on OK to perform the ping. The report opens and displays the results.
6. In the section Export format, you can click on TEXT , HTML or EXCEL to export the result in
the corresponding format. Whether you export the report or not, it is available in the window
Notifications of the top bar.
7. Click on CLOSE to go back to the page All addresses.

Populating Device Manager

From the page All addresses, you can select assigned addresses to add devices and interfaces
in Device Manager. This operation adds a device that contains a set of interfaces based on each
IP address and MAC address in your database.

For more details, refer to the section Automatically Adding Devices from the IPAM in the chapter
Managing devices.

Finding Identity Manager Sessions at IP Address Level

You can look for the active Identity Manager sessions from the IPAM.

A report allows to find the sessions associated with the IP addresses you manage, its result can
be downloaded in TXT, HTML or EXCEL format.

270
 Managing IP Addresses

Note that:
• The report can be generated for IPv4 and IPv6 addresses.
• The report only looks for active sessions, it ignores inactive sessions. All inactive sessions are
available on the page All sessions in the module Identity Manager.
• The report finds active sessions and their identity across all directories.
• The report looks for sessions associated with assigned IP addresses, any address which status
is not Free.You can choose to include free IP addresses. For more details on address statuses,
refer to the section Understanding the IP Address Type and Status.

If you want to find active sessions at network level, refer to the section Finding Identity Manager
Sessions at Network Level.

For more details on Identity Manager sessions, refer to the chapter Managing Sessions.

To find active sessions at IP address level

1. In the sidebar, go to IPAM > Addresses. The page All addresses opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. Tick the address(es) of your choice.
By default, only In use IP addresses are listed. To also display Free IP addresses, you must
click on the name of a specific Space, Network or Pool to display its content.
4. In the menu, select Report > Find Identity Manager sessions. The wizard Find active
sessions in Identity Manager opens.
5. If you selected Free IP addresses, to take them into account tick the box Also find sessions
associated with free IP addresses.
6. Click on OK . The wizard works for a while. The last page opens, it only displays the first ten
sessions found.
7. At the bottom of the wizard, the section Export format allows to download all the sessions
found. Click on TEXT , HTML or EXCEL to download the result in the corresponding format.
Note that you can also download the result from the top bar, in the window Notifications.
8. Click on CLOSE .

Adding Gateway IP Addresses at Network Level

The advanced properties allow to automate the calculation and addition of a Gateway directly
during the addition of terminal networks.

For more details, refer to the chapter Managing Advanced Properties in the section Network
Advanced Properties.

Automating the IPv4 to IPv6 Transition

From the page All spaces, All networks and All addresses, the advanced properties allow to
configure the transition to IPv6, adding IPv4 objects also adds the same objects in IPv6.

For more details, refer to the chapter Managing Advanced Properties in the section Configuring
the Transition from IPv4 to IPv6.

271
 Managing IP Addresses

Updating DHCP Scopes from the Page All addresses

The advanced properties allow to automatically set or update the option routers on scopes in the
selected DHCP failover channel using the gateway of terminal networks. The option value is the
Gateway address of the network.

If the terminal network adds a scope, the option routers is directly set. If the terminal network
matches an existing scope, the option routers is set or updated.

For more details, refer to the chapter Managing Advanced Properties in the section Network
Advanced Properties.

Adding DHCP Statics from the Page All addresses

The advanced properties allow to automatically add a static when you add an IP address.

The static is added in the DHCP failover channel configured at network level, it shares the same
IP address, MAC address and name as the new IP address.

For more details, refer to the chapter Managing Advanced Properties in the sections Network
Advanced Properties and Configuring DHCP Advanced Properties.

Adding DNS Records from the Page All addresses

The advanced properties allow to automatically add records in the DNS when you add or edit IP
addresses and aliases.

An A, AAAA, CNAME or PTR record is added in the zone configured at network level. The new
record is named after the complete IP address name and zone name.

For more details, refer to the chapter Managing Advanced Properties in the sections Network
Advanced Properties and IP Address Advanced Properties.

Adding Devices from the Page All addresses

The advanced properties allow to automatically add a device and an interface in Device Manager
when you add or edit an IP address. The interface shares the same address and MAC address
as the IP address.

For more details, refer to the chapter Managing Advanced Properties in the section IP Address
Advanced Properties.

Updating Ports and Interfaces from the Page All addresses

The advanced properties allow to set the interaction between IP addresses, ports and interfaces
of the module Device Manager. When you add or edit an IP address, you can add an interface,
along with its device, or you can link it with an existing port or interface. If the port is already
linked with an interface, it edits the device topology.

For more details, refer to the chapter Managing Advanced Properties in the section IP Address
Advanced Properties.

272
 Managing IP Addresses

Adding IP Addresses from the DHCP

The advanced properties allow to automatically add an IP address for every new DHCP lease.
The IP address shares the same address, MAC address and name as the lease.

This property must be set at server level. For more details, refer to the chapter Managing Advanced
Properties in the section Configuring DHCP Advanced Properties.

Adding IP Addresses from the DNS

The advanced properties allow to automatically add an IP address for every new DNS record.
The IP address shares the same address and name as the record.

This property must be set at server, view or zone level and propagated down to the records. For
more details, refer to the chapter Managing Advanced Properties in the section Configuring DNS
Advanced Properties.

Exporting IP Addresses
From the page All addresses:
• You can export the data listed in a CSV, HTML, XML, XLS or PDF file.
Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.
• You can export IP addresses as raw data to add or edit them in bulk. For more details, refer
to the chapter Managing Raw Data.

Deleting IP Addresses
At IP address level, deleting an address actually frees it. Even though it is no longer listed, you
can assign it again by search or manually. Note that:
• As deleting an address releases it, it is impossible to delete Free addresses.
• You cannot delete Invalid addresses, you need to clean them as detailed in the section
Cleaning Invalid IP Addresses.
• You can cancel IP address deletions. For more details, refer to the section Cancelling Deletions.

To delete an IP address
1. In the sidebar, go to IPAM > Addresses. The page All addresses opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. Tick the IP address(es) of your choice.
4. In the menu, click on Delete. The wizard Delete opens.
5. Click on OK to complete the operation. The report opens and closes. The selected addresses
are no longer listed.

Cleaning Invalid IP Addresses

If you configured IPAM to DHCP or DHCP to IPAM advanced properties, IPv4 addresses may
have the status Invalid because their corresponding static or lease is no longer part of the DHCP
database.

273
 Managing IP Addresses

Note that:
• You cannot delete Invalid IP addresses via the menu , you have to clean them via a dedicated
option.
• Cleaning invalid IP addresses is irreversible, it cannot be cancelled like regular deletions.
• Within a pool, you must select all the Invalid IP addresses to clean them. You can select all
the invalid IP addresses of several pools.

To clean one or several invalid IP addresses

1. In the sidebar, go to IPAM > Addresses. The page All addresses opens.
2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. In the column Status, filter the list to only display Invalid IP addresses.
4. Tick all the Invalid addresses of the pool of your choice.Your selection can include the invalid
addresses of several pools.
5. In the menu, select Tools > Expert > Clean invalid addresses. The wizard Clean "In-
valid" IP addresses opens.
6. Click on OK to complete the operation. The report opens and closes. The selected addresses
are no longer listed.

Cancelling Deletions
From the page User tracking, you can restore deleted IPv4 and IPv6 IP addresses and aliases,
i.e. cancel their deletion.

Figure 18.3. Cancel options on the page User tracking

This menu allows to cancel one or several IP address and alias deletions.
This link allows to cancel an IP address or alias deletion individually.

Before cancelling a deletion, note that:

• Users can only cancel their own deletions, except ipmadmin.
• Only users with sufficient rights have access to cancel options.
• Cancelling an IP address restores the IP address as well as its aliases. They are all added
again.
• If you restore IP addresses configured with class parameters, only the class parameters which
inheritance property was Set are restored.
• You cannot cancel an IP address deletion if it was added again in the meantime.

274
 Managing IP Addresses

• You cannot cancel the deletion of Invalid IP addresses, they had to be cleaned. Cleaning ad-
dresses is irreversible.
• You cannot cancel an alias deletion if:
• It was added again in the meantime.
• The IP address it is configured on was deleted in the meantime.
• It was deleted when the IP address it is configured on was deleted. You must cancel the IP
address deletion to restore the alias.
• If you upgraded to this version, the IP address and alias deletions history is cleared.You cannot
restore them.

To cancel a deletion
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Monitoring, click on User tracking. The page User tracking opens.
3. Filter the column Service to only display the service Delete: IPv4 addresses, Delete: IPv6
addresses, Delete: IPv4 aliases or Delete: IPv6 aliases. Only these services can be canceled.
4. In the column Undo, click on Cancel deletion to restore the deleted object of your choice.
The wizard Cancel object(s) deletion opens.
5. Click on OK to complete the operation. The report opens and closes. In the column Service,
the IP address or alias is listed as Add: <object>.
In the IPAM, it is listed again on the page All addresses.

To cancel one or several deletions

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Monitoring, click on User tracking. The page User tracking opens.
3. Tick the operations of your choice. In the column Service, look for the service Delete: IPv4
addresses, Delete: IPv6 addresses, Delete: IPv4 aliases or Delete: IPv6 aliases. Only these
services can be canceled.
4. In the menu, select Edit > Cancel deletion. The wizard Cancel object(s) deletion
opens.
5. Click on OK to complete the operation. The report opens and closes. In the column Service,
the IP addresses or aliases are listed as Add: <object>.
In the IPAM, the corresponding objects are listed again on the page All addresses.

275
Chapter 19. Managing Raw Data
You can export all IPAM objects as raw data to a CSV file, and reimport them later to add or edit
objects in bulk.

Exporting and reimporting objects as raw data allows to:

• Perform mass updates on an IPAM organisation.
• Transfer IPAM data from one space or appliance to another, it allows to add new objects in a
different IPAM organization.

The proper way to import raw data requires to use use a raw data export and edit it to make the
necessary changes before importing the CSV file.You should not create your own raw data import
file.

To simply import and export data via the standard CSV files. For more details, refer to the part
Imports and Exports.

Limitations
• The IP address aliases are ignored.
• The properties of the parent object are not exported, therefore they cannot be reimported.
• The raw data mechanism is not meant for cloud synchronizations or VLSM organisations. The
export includes dedicated columns for the relevant objects, but you cannot edit them.

Exporting Raw Data

Exporting raw data allows to export objects in bulk in raw format. It is meant to reimport all objects
and their properties in order to add or edit them at once, via the dedicated import functionality.

Keep in mind that:

• If the listing page you want to export is empty, the exported CSV file does not contain any data
nor headers. Therefore, you must export a listing page with at least one object.
• Orphan Addresses, Orphan Networks and Free IPs are not exported.
• To export your whole organization, you need to export objects as raw data on all relevant
pages.

To export raw data

1. Take into account the limitations.
2. In the sidebar, go to IPAM > All spaces, All networks, All pools or All addresses. The
corresponding page opens.
3. Tick the objects of your choice or none if you want to export all the objects listed.
4. In the menu, select Report > Export > Raw data. The wizard Export Raw Data opens.
5. Click on OK to complete the operation. The report opens and works for a while.
6. You can click on DOWNLOAD to save the export. The page refreshes when the export is over.
7. Click on CLOSE to go back to the page.
The exported CSV file is named export_raw_csv_<date>-<time>, its delimiter is a comma.

The exported data only includes the essential properties of the objects. Each property is repres-
ented by column in the CSV file.

276
 Managing Raw Data

Importing Raw Data

Raw data import allows to:
• Edit existing objects of the database. By default, the import overwrites the database.
• Add objects in the database. In this case, you must tick the box Only add new objects in the
import wizard.
To import a whole organisation, you need to import your database on each page, following the
hierarchy from the page All spaces to the page All addresses.

You can only import a file containing data exported using the dedicated data export.

Importing raw data requires to prepare the raw data CSV file, and then import the edited file on
the relevant IPAM page.

To prepare the raw data import you must edit the exported raw data file. Keep in mind that:
1. For each object the CSV file contains several columns, some of them are required.
Spaces
• Required columns: site_id, site_name
site_id is only required if you want to edit the database.
• Optional columns: site_is_template, tree_level, site_description, parent_site_name,
site_class_name
tree_level is set to 0 if the space does not belong to a VLSM parent space.
All the other columns are dedicated to the class parameters and advanced properties.
Networks
• For IPv4 networks:
• Required columns: subnet_id, start_hostaddr, end_hostaddr, site_name
subnet_id is only required if you want to edit the database.
• Optional columns: subnet_name, vlmvlan_id, subnet_level, subnet_class_name,
row_enabled, is_terminal, tree_level, vlsm_site_name
tree_level is set to 0 if the space does not belong to a VLSM parent space.
All the other columns are dedicated to the class parameters and advanced properties.
• For IPv6 networks:
• Required columns: subnet6_id, start_hostaddr, end_hostaddr, site_name
subnet6_id is only required if you want to edit the database.
• Optional columns: subnet6_name, vlmvlan_id, subnet_level, subnet6_class_name,
row_enabled, is_terminal, tree_level, vlsm_site_name
tree_level is set to 0 if the space does not belong to a VLSM parent space.
All the other columns are dedicated to the class parameters and advanced properties.
Pools
• For IPv4 pools:
• Required columns: pool_id, start_hostaddr, end_hostaddr, site_name
pool_id is only required if you want to edit the database.
• Optional columns: pool_name, pool_class_name, pool_read_only
All the other columns are dedicated to the class parameters and advanced properties.
• For IPv6 pools:
• Required columns: pool6_id, start_hostaddr, end_hostaddr, site_name
pool6_id is only required if you want to edit the database.

277
 Managing Raw Data

• Optional columns: pool6_name, pool6_class_name, pool6_read_only

All the other columns are dedicated to the class parameters and advanced properties.
IP addresses
• For IPv4 networks:
• Required columns: ip_id, hostaddr, site_name
ip_id is only required if you want to edit the database.
• Optional columns: name, mac_addr, ip_class_name
All the other columns are dedicated to the class parameters and advanced properties.
• For IPv6 networks:
• Required columns: ip6_id, hostaddr, site_name
ip6_id is only required if you want to edit the database.
• Optional columns: ip6_name, ip6_mac_addr, ip6_class_name
All the other columns are dedicated to the class parameters and advanced properties.
In addition, all objects include columns class_parameters___eip_* dedicated to cloud synchron-
ization data. You can delete these columns before the import, they cannot be imported.
2. If you want to edit your database, keep in mind that:
• The relevant *_id columns are required and must be filled out.
• To rename IP addresses, you may need to edit more than the content of the column name
or ip6_name. If IP addresses are configured with advanced properties, their name may include
a domain name. In this case, to rename them you also need to edit the columns domain
and hostname.
• If you need to edit classes, class parameters and advanced properties, go to the class details.
3. If you want to add new objects to your database, keep in mind that:
• The columns *_id of the CSV file are ignored, even if they are filled out.
• If you want to import objects in another appliance that has different classes in Class Studio,
you must delete the class parameter columns on your CSV file beforehand, or add the rel-
evant classes before importing.
• If you need to add classes, class parameters and advanced properties, go to the class details.
4. For classes, class parameters and advanced properties:
• The Label of the class parameters is exported, not their database Name.
• You should not add classes that do not already exist in Class Studio.
• You should not add class parameters that do not already exist in Class Studio. However:
• You can add existing class parameters to your objects, if your file includes the relevant
class and class parameter columns.
• You can edit the value and properties of existing class parameters.
• The class parameters columns cannot be indicated on their own, they belong to a class.
This class must also be part of the import file, in the column *_class_name.
• Each class parameter and advanced property is detailed in three different columns,
class_parameters_<parameter_name>_value, class_parameters_<parameter_name>_in-
heritance and class_parameters_<parameter_name>_propagation. All three columns
must be included in the raw data import file and must contain data, otherwise they are ignored.
For more details about classes and advanced properties, refer to the chapters Configuring
Classes in the part Customization and Managing Advanced Properties in the part Global
Policies.
5. Before saving your changes, make sure that you did not leave any empty rows at the beginning
of the file or between filled rows.

278
 Managing Raw Data

Before importing raw data, keep in mind that you can prepare the target space. If your target
IPAM organization is already set with the relevant classes and advanced properties, the update
is transparent.

To import raw data

1. Take into account the limitations.
2. In the sidebar, go to IPAM > All spaces, All networks, All pools or All addresses. The
corresponding page opens.
3. In the menu, select Import > Raw data. The wizard Import Raw Data opens.
4. Click on BROWSE to select the relevant export_raw_csv_* file. The selected file is visible in
the field File name.
5. To add new objects to your appliance, tick the box Only add new object(s), ignore existing
ones.
By default, the box is not ticked, meaning that all existing objects are overwritten.
6. Click on OK to complete the operation. The report opens and closes. The list is updated with
new objects or edited ones.

279
Chapter 20. Managing IPAM Templates
The IPAM provides a Template Mode where you can save fully preconfigured IPv4 organizations
as templates that can, then, automate the deployment of the addressing structures that suit your
needs.

To successfully deploy templates:

1. Add a template class for the relevant level(s) of the IPAM hierarchy.
2. Configure your organizations and associate them with a template class.
3. Apply your template class when adding objects in Normal Mode. The template class allows
to automatically deploy the template configuration on the object.

For instance, you could add a template for a subnet-type network containing 3 pools and some
assigned IP addresses. Back in Normal Mode, adding a subnet-type network associated with the
same template class automatically deploys the template and configures the network with the
same content as the template.

Template mode Normal mode

SPACE Provisioning SPACE Asia

NETWORK For shops NETWORK Singapore

BLOCK 1.0.0.0/8 BLOCK 15.0.0.0/8

TERMINAL NETWORK NEW NETWORK TERMINAL NETWORK

Class: new-shop [template] Class: new-shop [template]
Name: shop# Class: new-shop [template] Name: shop1
Address + prefix: 1.0.0.0/24 Address + prefix: 15.0.0.0/16
Name: shop1

POOL
Start address: 15.0.0.0 POOL
checkouts 1.0.0.1-1.0.0.10 Read-only: no Size: /16 checkouts 15.0.0.1-15.0.0.10 Read-only: no
IP ADDRESS 1.0.0.1 checkout1 Terminal network: yes IP ADDRESS 15.0.0.1 checkout1
IP ADDRESS 1.0.0.2 checkout2 IP ADDRESS 15.0.0.2 checkout2
POOL POOL
IP phones 1.0.0.11-1.0.0.15 Read-only: no IP phones 15.0.0.11-15.0.0.15 Read-only: no
IP ADDRESS 1.0.0.11 landline IP ADDRESS 15.0.0.11 landline

POOL POOL
printers 1.0.0.16-1.0.0.20 Read-only: yes printers 15.0.0.16-15.0.0.20 Read-only: yes
NETWORK Hong Kong
BLOCK 20.0.0.0/8

NEW NETWORK TERMINAL NETWORK

Class: new-shop [template]
Class: new-shop [template] Name: shop2
Name: shop2 Address + prefix: 20.1.0.0/24

Start address: 20.1.0.0

Configuration of an
addressing template
POOL
Size: /24 checkouts 20.1.0.1-20.1.0.10 Read-only: no
Terminal network: yes IP ADDRESS 20.1.0.1 checkout1
IP ADDRESS 20.1.0.2 checkout2
POOL
IP phones 20.1.0.11-20.1.0.15 Read-only: no
IP ADDRESS 20.1.0.11 landline
Deployment of the POOL
addressing template
printers 20.1.0.16-20.1.0.20 Read-only: yes

Figure 20.1. Example deployment of a network template containing pools and IP addresses

Before going further, keep in mind that:

• Only users of the group admin can add template classes, access the Template Mode and
configure templates.
• Any user with sufficient rights can deploy templates.

Note that you can export all Template Mode data. For more details, refer to the chapter Exporting
Data. However, you cannot export templates as raw data.

280
 Managing IPAM Templates

1. Adding Template Classes in Class Studio

To deploy IPAM templates, you must first add classes and set them as template class. Keep in
mind that:
• Only network and pool classes set as template class can be used to deploy addressing organ-
izations.
• You can add as many network and/or pool template classes as you need. Each template class
can only be applied once in Template Mode.
• On the page Class Studio, you can use the classes Directory to differentiate them. When you
apply templates classes, they are listed as follows: <directory-name>/<class-name> [template].

Adding Network Template Classes

If you want to deploy templates at network level, you must add at least one network class and
set it as template.

To add a network class and use it as template

Only users of the group admin can perform this operation.
1. Add a network class
a. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
b. In the section Customization, click on Class Studio. The page Class Studio opens.
c. In the menu, click on Add. The wizard Add a new class opens.
d. In the field Filename, name the class.
e. In the field Sub-directory, you can specify a directory name. If it does not exist it is
added.
f. In the drop-down list Module, select IPAM.
g. In the drop-down list Type, select Network.
h. Tick the box Enable class.
i. Click on OK to complete the operation. The report opens and closes. The class is now
listed. Its Status is Enabled.
j. If you want to configure the class with specific class objects, refer to section Configuring
the Classes Content in the class dedicated chapter.
2. Use the class as template
a. Tick the class you just added.
b. In the menu, select Tools > Use as template class. The wizard opens.
c. Click on OK to complete the operation. The report opens and closes. In the column
Template, the class is now marked yes.
3. Repeat these steps for as many network classes as needed.

You can rename or edit the template class as long as it is not applied to any object. For more
details, refer to the chapter Configuring Classes.

Adding Pool Template Classes

If you want to deploy templates at pool level, you must add at least one pool class and set it as
template.

281
 Managing IPAM Templates

To add a pool class and use it as template

Only users of the group admin can perform this operation.
1. Add a pool class
a. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
b. In the section Customization, click on Class Studio. The page Class Studio opens.
c. In the menu, click on Add. The wizard Add a new class opens.
d. In the field Filename, name the class.
e. In the field Sub-directory, you can specify a directory name. If it does not exist it is
added.
f. In the drop-down list Module, select IPAM.
g. In the drop-down list Type, select Pool.
h. Tick the box Enable class.
i. Click on OK to complete the operation. The report opens and closes. The class is now
listed. Its Status is Enabled.
j. If you want to configure the class with specific class objects, refer to section Configuring
the Classes Content in the class dedicated chapter.
2. Use the class as template
a. Tick the class you just added.
b. In the menu, select Tools > Use as template class. The wizard opens.
c. Click on OK to complete the operation. The report opens and closes. In the column
Template, the class is now marked yes.
3. Repeat these steps for as many pool classes as needed.

You can rename or edit the template class as long as it is not applied to any object. For more
details, refer to the chapter Configuring Classes.

2. Configuring Templates
Once you added template classes, you can configure organizations from the Template Mode.

Before setting up your template organization, keep in mind that:

• The Template Mode is only available in IPv4.
• Templates must respect the IPAM hierarchy.
• The entry point of all templates organization is the space.
• Every template organization must contain at least one space that contains at least one block-
type network. To configure templates at lower levels, the block-type network must contain
at least one subnet-type network that can contain other subnet-type networks, pools and/or
assigned IP addresses.
• The containers Orphan Networks and Orphan Addresses do not exist in Template Mode.
• Only the networks and pools configured with an enabled template class in Template Mode are
available for deployment as template in Normal Mode.
• A template class can only be applied once in Template Mode. It configures a template that can
be deployed as many times as you need in Normal Mode.
• A template can be configured with advanced properties and class parameters that the objects
it contains inherit. All parameters and properties have the Inheritance property and Propagation

282
 Managing IPAM Templates

property configured to Set/Propagate, Set/Restrict or Inherit/Propagate. In Template Mode,

they cannot be configured to Inherit/Restrict.
• At IP address level, template classes are not available.You cannot deploy IP address templates
but all the IP addresses assigned in a network or pool template, are assigned when you deploy
these templates.

Browsing Templates
All templates are added and managed from the Template Mode. This mode is accessible from
all the IPAM pages.

When the mode is displayed, a blue banner above the top bar indicates the mode is on and only
template objects are listed.

Figure 20.2. The page All spaces in Template Mode

Browsing the Templates Databases

To display the list of templates
Only users of the group admin can perform this operation.
1. In the sidebar, go to IPAM > Spaces, Networks, Pools or Addresses. The page opens.
2. On the right-end side of the menu, click on Template Mode. The button turns black and
the page refreshes. Above the top bar, a blue banner indicates that you are in Template
Mode. Only template objects are listed.

To display a template properties page

Only users of the group admin can perform this operation.
1. In the sidebar, go to IPAM > Spaces, Networks, Pools or Addresses. The page opens.
2. On the right-end side of the menu, make sure the button Template Mode is black, oth-
erwise click on it. The page refreshes, above the top bar a blue banner indicates that you
are in Template Mode and the button turns black.
3. At the end of the line of the template of your choice, click on . The properties page opens.

Customizing the Display on the Template Mode Pages

On all pages of the IPAM, the list template you are displaying is kept even when you display the
page in Template Mode.

Any user can change the column layout of the page via the button List template, on the right-
end side of the menu. Only users of the group admin can add or edit list templates. For more
details, refer to the section Managing List Templates.

283
 Managing IPAM Templates

Adding Template Spaces

To set up a template organization you must start at space level:
• It is required to add at least one space in Template Mode, a template space, to set up any
template organization.
• Template classes are not available at space level. You cannot deploy space as templates.

If you want to configure a Template space with parameters and properties and propagate them
to lower levels, you must deploy network and/or pool templates within a space in Normal mode
that is configured with the exact same parameters and properties that the Template space. In
that case, the deployed templates can inherit all the parent space configuration details.

To add a space in template mode

Only users of the group admin can perform this operation.
1. In the sidebar, go to IPAM > Spaces. The page All spaces opens.
2. On the right-end side of the menu, click on Template Mode. The button turns black and
a new page opens. Above the top bar, a blue message indicates that you are in Template
Mode.
3. In the menu, click on Add. The wizard Add a space opens.
4. If custom classes are enabled at space level, in the list Space class select a class or None.
That class is not a template class and cannot automate a template deployment.
Click on NEXT . The page Add a space opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. In the field Space name, name the space. That name must be unique, one space name
cannot be used twice in Template mode and Normal Mode.
6. In the field Description, you can specify a description.
Note that this parameter can only be inherited by deployed templates if you add a space in
Normal mode with the exact same value.
7. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
Keep in mind that the configuration you set can only be inherited by deployed templates if
you add a space in Normal mode with the exact same parameters.
8. Click on OK to complete the operation. The report opens and closes. The space is listed.

Once you have one template space, you can add the objects it contains, starting with networks.

Adding Network Templates

Once you added a template space, you can add the network(s) it contains, as template or not.

You need at least one block-type network that can contain subnet-type network(s). These subnet-
type networks can be terminal or not and manage other subnet-type networks, pools and/or IP
addresses.

284
 Managing IPAM Templates

Adding Block-type Network Templates

You can add one or more block-type networks within a template space. Keep in mind that:
• Only the block-type networks configured with an enabled template class in Template Mode
are available for deployment as template in Normal Mode. For more details, refer to the section
Adding Template Classes in Class Studio.
• The Start address and Prefix of a block-type network template are only used to determine a
range of IP addresses to configure.
• You cannot overlap block-type networks, even in Template Mode.
• Any block-type network added in Template Mode that is not configured with a template class
can be used to set up a template organization deployed at a lower level.

To add a block-type network in template mode

Only users of the group admin can perform this operation.
1. On the right-end side of the menu, make sure the button Template Mode is black, oth-
erwise click on it. The page refreshes, above the top bar a blue banner indicates that you
are in Template Mode and the button turns black.
2. In the breadcrumb, click on All spaces. The page opens.
3. Click on the Name of the template space of your choice. The page All networks opens.
4. In the menu, click on Add. The wizard opens.
5. In the drop-down list Network type, select Block.
6. Click on NEXT . The next page opens.
7. In the list Network class, select a template class if you want to add a block-type network
template or None if you want to add a template at lower level.
Click on NEXT . The page Add an IPv4 network opens.
8. In the field Network name, you can name the network.
9. In the field Description, you can specify a description.
10. In the field Address, specify the start address.
11. In the drop-down list Netmask or Prefix, select the value of your choice. The Netmask value
automatically edits the Prefix and vice versa. The final size is displayed in the Comment.
12. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
13. Click on OK to complete the operation. The report opens and closes. The network is listed.

Once you have a block-type network, you can add the subnet-type network(s) it contains.

If you added a block-type network template, all the objects it contains are added when you deploy
the template.

If your template configuration is complete, you can go to the section Deploying Templates.

Adding Subnet-type Network Templates

Once you added a block-type network, template or not, you can add the subnet-type network(s)
it contains. Keep in mind that:

285
 Managing IPAM Templates

• Only the subnet-type networks configured with an enabled template class in Template Mode
are available for deployment as template in Normal Mode. For more details, refer to the section
Adding Template Classes in Class Studio.
• The Start address and Prefix of a subnet-type network template are only used to determine a
range of IP addresses to configure.
• Subnet-type networks can be non-terminal and contain other subnet-type networks, even in
Template Mode.
• You cannot overlap subnet-type networks, even in Template Mode.
• The IPAM/VLAN interaction advanced properties are limited. You cannot configure a subnet-
type network to Add a VLAN, you can only associate it with an existing VLAN.
• Any subnet-type network added in Template Mode that is not configured with a template class
can either belong to a network template that sets up an organization deployed at higher level,
or can be used to set up a template organization deployed at lower level.

You can add one or more subnet-type networks, manually or using the option By search.

To add a subnet-type network in template mode via the option By search

Only users of the group admin can perform this operation.
1. On the right-end side of the menu, make sure the button Template Mode is black, oth-
erwise click on it. The page refreshes, above the top bar a blue banner indicates that you
are in Template Mode and the button turns black.
2. In the breadcrumb, click on All networks. The page opens.
3. Click on the Name of the network of your choice. The page All networks of the network
opens.
4. In the menu, click on Add an IPv4 network (subnet) by search. The wizard opens.
5. In the list Network class, select a template class if you want to add a subnet-type network
template or None if the network belongs to another template or sets up a template at lower
level.
Click on NEXT . The page Network size opens.
6. Select the Size, Prefix or Netmask of your choice. Selecting one value automatically edits
the value of the other two lists.
Click on NEXT . The page Search result opens.
7. In the list Network address, select a start address.
Click on NEXT . The page Add an IPv4 subnet opens.
8. In the field Network Name, you can name the network.
9. In the field Description, you can specify a description.
The field can display a value inherited from the parent network. To edit the description, you
must change its Inheritance property from Inherit to Set.
10. The fields Address and Prefix display the values set on the page Network size.
11. The box Terminal network is ticked by default to add a terminal network. You can untick
the box to add a non-terminal network, for more details refer to the section Setting Up a
Network-Based VLSM Organization.
If the box Terminal network is ticked, the network has a Gateway. Depending on what ad-
vanced properties are displayed:
• The field Gateway can be displayed and editable.
• The field Gateway can be hidden but the gateway is added anyway.
For more details, refer to the relevant section of the chapter Managing Advanced Properties.

286
 Managing IPAM Templates

12. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
Note that the IPAM/VLAN interaction advanced properties are limited. It is impossible to Add
a VLAN in Template Mode, you can only associate a subnet-type network with an existing
VLAN.
13. Click on OK to complete the operation. The report opens and closes. The network is listed.

Once you have a subnet-type network, you can add the other subnet-type network(s), pool(s)
and/or assigned IP addresses it can contains. For more details, refer to the section Adding IP
Addresses in the IP address dedicated chapter.

If you added a subnet-type network template, all the objects it contains are added when you deploy
the template.

If your template configuration is complete, you can go to the section Deploying Templates.

Adding Pool Templates

Once you added a terminal subnet-type networks, you can add the pool(s) it contains, as template
or not. Keep in mind that:
• Only the pools configured with an enabled template class in Template Mode are available for
deployment as template in Normal Mode. For more details, refer to the section Adding Template
Classes in Class Studio.
• You cannot overlap pools, even in Template Mode.
• Any pool added in Template Mode that is not configured with a template class may be part of
another template organization meant to be deployed at higher level. In that case, the Start
address and Size you set are overwritten when you deploy the template, they are only used
to determine the range IP address that the pool manages.

To add a pool in template mode

Only users of the group admin can perform this operation.
1. On the right-end side of the menu, make sure the button Template Mode is black, oth-
erwise click on it. The page refreshes, above the top bar a blue banner indicates that you
are in Template Mode and the button turns black.
2. In the breadcrumb, click on All networks. The page opens.
3. Click on the Name of the terminal network of your choice. The page All addresses of the
network opens.
4. In the breadcrumb, click on All pools. The page opens.
5. In the menu, click on Add. The wizard opens.
6. In the list IP pool class, select the template class if you want to add a pool template or None
if the pool belongs to a network template.
Click on NEXT . The page Add an IPv4 pool opens.
7. In the field Pool name, you can name the pool.
8. If you want to reserve the IP addresses of the pool, tick the box Pool read-only.
9. In the field Start address, specify the first address of the pool. By default, the first address
of the parent network is displayed.

287
 Managing IPAM Templates

10. In the field End address, specify the last address of the pool. By default, the last address
of the parent network is displayed. The value of the End address automatically updates the
value of the field Size, based on the Start address.
11. In the field Size, you can specify the number of IP addresses you want the pool to manage.
The value of the Size automatically updates the value of the field End address, based on
the Start address.
12. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
13. Click on OK to complete the operation. The report opens and closes. The pool is listed.

Once you have a pool, it can contain assigned IP addresses. For more details, refer to the section
Adding IP Addresses in the IP address dedicated chapter.

If you added a pool template, all the IP addresses it contains are added when you deploy the
template.

If your template configuration is complete, you can go to the section Deploying Templates.

3. Deploying Templates
To deploy templates, you must apply the template class they are associated with in Template
Mode to an object you are adding in Normal Mode. You can deploy a template as many times
as you need.

Before deploying templates, keep in mind that:

At all levels
• Deploying a template means automatically configuring an object you add in Normal Mode
with the characteristics of a template object. The values you specify in the addition wizard
are overwritten to match the name, advanced properties configuration, parameters config-
uration and content (networks, pools and/or assigned IP addresses) configured for the
selected template class.
• Template deployments overwrite the Name of the object you are adding in Normal mode,
to match the one set in the template. You can edit the object to rename it.
At network level
• The Start address and Prefix of a network template are only used to determine a range of
preconfigured IP addresses. During the network addition, the Start address you specify is
the one used, the End address is calculated using the network template Size.
• A template network can be deployed in a bigger network, so make sure that the network
you are adding can contain the template network or has the same size.
For instance, you can deploy a terminal network template set for 256 addresses during
the addition of a network managing 512 addresses. In that case, only 256 addresses
within the network you add are configured according to the template, the rest can be con-
figured manually.
• Deploying a network template also deploys its content, or addressing organization.
• Block-type networks can contain subnet-type networks, pools and/or assigned IP ad-
dresses.
• Subnet-type networks can contain other subnet-type networks, pools and/or assigned
IP addresses.

288
 Managing IPAM Templates

• Terminal subnet-type networks can contain pools and/or assigned IP addresses.

At pool level
• To successfully deploy a template pool, you must apply a pool template class to a pool set
with the exact same Size and Pool read-only configuration than the template pool.
• The Start address and Size of a pool belonging to a network template are only used to
determine the range of IP addresses managed by the pool. During the network addition,
the pool start and end addresses are calculated according to the parent network Start ad-
dress and to the configuration of the network template.
• Deploying a pool template also deploys its content, all the assigned IP addresses it contains.

In the procedure below, a block-type template is deployed. The template deployment follows the
same logic at block-type network, subnet-type network and pool level.

To deploy a block-type network template

1. In the sidebar, go to IPAM > Networks. The page All networks opens.
2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. In the menu, click on Add. The wizard opens.
4. In the drop-down list Network type, select Block. Click on NEXT . The next page opens.
5. In the list Choose a space, select the space in which you want to add the network. Click on
NEXT . The next page opens.

6. In the list Network class, select the class template of your choice. The class name format
is as follows: your-template-name [template] or your-sub-directory/your-template-name
[template].
Click on NEXT . The page Add an IPv4 Network opens.
7. In the field Network Name, name the network. This name is overwritten by the name set in
the selected template.
8. In the field Description, you can specify a description. The field may display an inherited
value.
9. In the field Address, specify the network start address.
10. Set the Netmask and Prefix of your choice. Make sure that the network you are adding
matches the selected template size or can contain it.
If you add a bigger network, the template configuration is deployed within the network only
to the range of addresses configured for the template. The rest of the network can be man-
aged independently like any addition performed without templates.
11. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
12. Click on OK to complete the operation. The report opens and closes. The network is listed,
it is automatically named after the network template. You can edit it to rename it.
13. In the column Name, click on the network name to display its content.

289
Chapter 21. Using VLSM to Manage Your
IPAM Network
The Variable Length Subnet Masking (VLSM) is a technique that allows network administrators
to break down the IP address organization on different levels of spaces, networks or pools both
in IPv4 and IPv6.

From the space level you can use the IPAM hierarchy to model the organization of IP resources
and increase its capacity. There are two ways of using VLSM within the GUI, both can be used
to delegate user rights.

SOLIDserver uses specific icons to display VLSM hierarchies:

Table 21.1. VLSM icons on the pages All spaces and All networks
Icon Description

The dot, located left of the space or network icon, indicates that the object belongs to another object.
It specifies the level of the space or network in the VLSM hierarchy: one dot for level 1, two dots for
level 2, three dots for level 3, and so forth depending on how deep your organization is.

This icon indicates that the subnet-type network is non-terminal i.e. using VLSM. In a space-based
VLSM organization it indicates that it is linked to a block-type network of the child space. In a network-
based VLSM organizations, it indicates that the network contains other subnet-type networks.
This icon indicates that the block-type network is part of a space-based VLSM organization and belongs
to a level 2 space, or lower. It shows that the block-type network is linked to a non-terminal subnet-
type network in the parent space, they both share the same name and size.

Choosing the Method That Suits Your Needs

SOLIDserver provides two different implementation techniques for VLSM:
• A Space-Based VLSM Implementation.
• A Network-Based VLSM Implementation.

In both cases, organizing your IPAM network using VLSM provides a way to delegate user rights
as it allows to limit what users belonging to certain groups can display and manage.

You can set up an organization that uses both methods but there are some requirements to meet.
For more details, refer to the section Properly Using Both Methods Simultaneously.

290
 Using VLSM to Manage Your IPAM
Network

Space-Based VLSM Implementation

Your IPAM network can organize spaces, you can add as many spaces as you need and connect
them with each other to set up your organization. The VLSM hierarchy can be as deep as you
need.

VLSM introduces a parent to child dependency relationship between two spaces. A child space
is then attached and related to a parent space, they are affiliated.

SPACE

NETWORK
BLOCK

Space filiation
NETWORK
SUBNET

CHILD
SPACE

CHILD
SPACE

CHILD
SPACE

Figure 21.1. The space filiation in a space-based organization

The resources contained in the parent space can then be allotted to one of its child spaces. When
a non-terminal subnet-type network is added in a parent space, it can be allotted to a child space
where it becomes a block-type networks. This block-type network can then be divided into several
non-terminal subnet-type networks and become block-type networks in "grandchildren" spaces,
and so on.

291
 Using VLSM to Manage Your IPAM
Network

SPACE

NETWORK /21
BLOCK

Space filiation
NETWORK /22
SUBNET

NETWORK /22
BLOCK

NETWORK /24
SUBNET

Figure 21.2. A delegation of networks among affiliated spaces

As spaces can be combined to map your organization, they can help network administrators to
delegate the IP address management per layer of space. For instance, large block-type networks
can be defined as root entries at the top level of the space hierarchy. These networks can be
divided into several non-terminal subnet-type networks to be allotted to child spaces, each non-
terminal subnet-type network becomes a block-type network in the child space. Within these child
spaces, the block-type networks are divided into subnet-type networks matching the size of your
choice to register a network device, manage a specific set of IP addresses within your company...

This hierarchy organizes the spaces, it allows to administer and distribute resources among all
levels. The consistency check of resources and their uniformity are made between all affiliated
spaces.

Figure 21.3. A space-based VLSM organization on the page All spaces

In the example above, the clients IP database is organized based on geography, each country
has a separate space affiliated to the continent it belongs to. These spaces were added before
the networks and pools in order to shape the rest of the IP addresses organization.

With this type of organization, the delegation of rights can be set per continent, per country or
within a country.

292
 Using VLSM to Manage Your IPAM
Network

For more details regarding the manual VLSM implementation, refer to the section Setting Up a
Space-Based VLSM Organization.

Network-Based VLSM Implementation

Your IPAM network can organize subnet-type networks delegation within one space.

SPACE

NETWORK /21
BLOCK

NETWORK /22
SUBNET

NETWORK /23
SUBNET

NETWORK /24
SUBNET

POOL

ADDRESS

Figure 21.4. A network-based organization

Like the space-based implementation, it involves adding non-terminal subnet-type networks but
this time it sets up several levels of hierarchy within one space. Therefore, the semi-automated
VLSM allows you to distribute IP addresses on more than one level within a space without setting
a space affiliation.

Figure 21.5. A network-based VLSM organization on the page All networks

In the example above, the block-type network Internal is divided into departments. Some depart-
ments are also divided into networks to organize their management geographically. As the division
is performed at the lower level, the delegation of rights to different administrators can be all the
more precise with limited access to the database if necessary.

There is no limit to the number of non-terminal subnet-type network levels you can set. It all de-
pends on their size and the size of the block-type network they belong to.

293
 Using VLSM to Manage Your IPAM
Network

For more details regarding the network-based implementation, refer to the section Setting Up a
Network-Based VLSM Organization.

Properly Using Both Methods Simultaneously

To use both methods you must keep in mind that VLSM implementation follows the IPAM
hierarchy logic: spaces contain block-type networks that contain subnet-type networks that
contain pools that contain IP addresses. Which is why you can only set both methods if you respect
the following:
• You cannot set up a space-based organization using a space that already contains non-terminal
subnet-type networks, meaning, a preexisting network-based organization. You can only set
up first a space-based distribution and then a network-based delegation.
• The network-based implementation can only be set at the lowest of the space-based organiz-
ation.

Keep in mind that, in a mixed organization, you can specify the inheritance and propagation
properties depending on your needs. For more details, refer to the section Editing a VLSM Block-
type Network Class Parameters Inheritance.

Managing a Space-Based VLSM Organization

The space-based or manual VLSM implementation must respect a specific order to be properly
set.
1. Add all the spaces one by one.
2. Affiliate all the spaces. As long as they are empty, it can be done upon addition or edition.
3. Add all the block-type networks in the parent space(s).
4. Add the non-terminal subnet-type networks within these block-type networks. They become
the block-type networks of the child space.

Once set up, you can move networks to edit the network links between a parent space and one
of its children but you cannot set up a deeper organization once the spaces contain affiliated
networks.

Note that you can also:

• Import space-based VLSM organizations, for more details refer to the section Importing Spaces
in the chapter Importing Data from a CSV File.
• Export space-based VLSM organizations, for more details refer to the chapter Exporting Data.

However, keep in mind that you cannot export or import space-based VLSM organisations as
raw data.

Setting Up a Space-Based VLSM Organization

Following the IPAM hierarchy, your space-based organization is done in the following order:
1. Adding and Affiliating the Spaces to set the delegation depth.
2. Adding the Block-type Networks in the Parent Space to define a range of IP addresses to
delegate.
3. Adding the Future Block-type Networks in the Child Space that is to say adding non-terminal
subnet-type networks in the parent space.

294
 Using VLSM to Manage Your IPAM
Network

Keep in mind that once the organization is implemented:

• The network display is independent for each space level. From the page All networks of a
parent space you cannot display the networks of spaces at lower levels, however you can
display the column VLSM space to see which child space receives non-terminal subnet-type
networks as blocks.
• Every non-terminal subnet-type network in a parent space becomes a block-type network in
the child space.
• The content of a non-terminal network is common to both affiliated spaces: the terminal net-
works, pools and assigned IP addresses of a non-terminal subnet-type network are added both
in the parent and child spaces.
• The subnet-type networks, pools and assigned IP addresses of a non-terminal subnet-type
network are added both in the parent and child spaces.
• Any object you add in a parent space is added in the child and vice versa.
• Any object you delete in a parent space is deleted in the child and vice versa.
• Every terminal network in a space stays where it is added, even if it was added in a parent
space.
• You cannot edit the space-based organization to make it deeper. However, some operations
may relocate your networks. For more details, refer to the section Editing a Space-Based VLSM
Organization.

Adding and Affiliating the Spaces

The space affiliation is configured in the space addition or edition wizard.

Before adding your space affiliation, keep in mind that:

• You can have one parent space with several children. These children can also be parent to
other spaces.
• The direct VLSM hierarchy affiliation between spaces updates simultaneously both spaces.
• The parameters and advanced properties configured at space level are inherited by the spaces,
networks, pools and IP addresses they contain.
Therefore, the block-type networks of each space inherit the configuration, the subnet-type
networks managed by the block-type network inherit as well, and so forth down to the IP ad-
dresses. You can edit any level of the hierarchy to set a particular parameter or property and
propagate it to the lower level.

Figure 21.6. A space filiation where the space Clients contains the child space America

To set up a space-based VLSM organization

1. Add the top level space
a. In the sidebar, go to IPAM > Spaces. The page All spaces opens.
b. In the menu, click on Add. The wizard Add a space opens.
c. In the list VLSM parent space, select None. This first space is the top level space in
your organization.

295
 Using VLSM to Manage Your IPAM
Network

d. Click on NEXT . The next page opens.

e. If custom classes are enabled at space level, in the list Space class select a class or
None. Click on NEXT . The last page opens.
f. Fill the fields Space name and Description according to your needs.
g. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more
details, refer to the relevant module section in the chapter Managing Advanced Proper-
ties.
h. Click on OK to complete the operation. The space is listed.
2. Add the affiliated child space
a. In the menu, click on Add. The wizard Add a space opens.
b. In the list VLSM parent space, select the top level space you just added.
c. Click on NEXT . The next page opens.
d. If custom classes are enabled at space level, in the list Space class select a class or
None. Click on NEXT . The last page opens.
e. Fill the fields Space name and Description according to your needs.
f. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more
details, refer to the relevant module section in the chapter Managing Advanced Proper-
ties.
g. Click on OK to complete the operation. The level 1 space is listed.
You can repeat step 2 for as many spaces as you need. In the list VLSM parent space, you
can select a space no matter its level in the hierarchy. The spaces display indicates each
space level as detailed in the table VLSM icons on the pages All spaces and All networks.

You can edit some aspects of the space-base organization even after you added networks, pools
and addresses. For more details, refer to the section Editing a Space-Based VLSM Organization.

Adding the Block-type Networks in the Parent Space

Once your space affiliation is set, you can add IPv4 or IPv6 block-type networks:
• The block-type networks must be added in the top level space of the affiliated spaces.
If you add them on a child space, the VLSM organization cannot be set, you would be adding
a block-type network and not setting up a space-based organization.
• If you configured specific parameters or behaviors at space level, the block-type networks in-
herit them.

Figure 21.7. A block-type network added in the space Clients

To add a block-type network manually

1. In the sidebar, go to IPAM > Networks. The page All networks opens.

296
 Using VLSM to Manage Your IPAM
Network

2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. In the menu, click on Add. The wizard opens.
4. In the drop-down list Network type, select Block. Click on NEXT . The next page opens.
Note that if your group's permissions do not include the addition of both block-type and
subnet-type networks, the page is automatically skipped.
5. In the list Choose a space, select the space in which you want to add the network. Click on
NEXT . The next page opens.

6. If custom classes are enabled at network level, in the list Network class select a class or
None.
Click on NEXT . The page Add an IPv4 network or Add an IPv6 network opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
7. In the field Network Name, name the network.
8. In the field Description, you can specify a description.
9. In the field Address, specify the start address.
10. If you are adding an IPv4 network:
a. In the drop-down list Netmask select a netmask. The netmask value automatically edits
the Prefix.
b. In the drop-down list Prefix, select a value if you did not choose a netmask. The prefix
value automatically edits the Netmask.
The network size configuration is visible in the field Comment.
11. If you are adding an IPv6 network, in the drop-down list Prefix, select a value between /16
and /64. The values depend on the Address you specified.
If your administrator disabled the RFC 4291 compliance registry database entry, you can
select a prefix between /16 and /128. For more details, refer to the section Enabling the
Addition of IPv6 Terminal Networks with Non-Standard Prefixes.
12. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
13. Click on OK to complete the operation. The report opens and closes. The network is listed.

To respect the levels of management you set, once you add a subnet-type non-terminal network
in a top level space, if you click on its Name on the page All networks you are redirected to the
content of the block-type network it added in the child space. This allows to navigate from one
level to the other and add your terminal networks, pools and IP addresses.

Once you added a block-type network in the parent space, you can add a non-terminal subnet-
type network(s) it contains.

Adding the Future Block-type Networks in the Child Space

In the parent space, if you add non-terminal subnet-type networks in a block-type network they
become the block-type networks of the child space of your choice. The terminal networks you
add belong to the space, they are not delegated.

On the page All networks of the parent space, you can display the column VLSM space to see
the name of the child space that receives non-terminal subnet-type networks as block-type net-
works.

297
 Using VLSM to Manage Your IPAM
Network

Figure 21.8. A non-terminal network added in the block-type network of the space America

Figure 21.9. In the child space US, the non-terminal network is a block-type network

Keep in mind that, once you link block-type and subnet-type networks in a space affiliation, they
update each other:
• If you add objects in the non-terminal subnet-type network, they are also added in the block-
type network of the child space.
• If you add objects in the block-type network of the child space, they are also added in the
subnet-type network of the parent space.

In the procedures below, we add a non-terminal subnet-type network by search but you can also
add it manually.

To add an IPv4 block-type network in a child space from a parent space

1. In the sidebar, go to IPAM > Spaces. The page All spaces opens.
2. Click on the Name of the top level space. The page All networks opens.
3. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
4. Click on the Name of the block-type network of your choice to display its networks.
5. In the menu, click on Add an IPv4 network (subnet) by search. The wizard opens.
6. If custom classes are enabled at network level, in the list Network class select a class or
None. Click on NEXT . The page Network size opens.
7. Select a Size, Prefix or Netmask for your network. Selecting one value automatically changes
the other two. Click on NEXT . The page Search result opens.
8. In the list Network address, select a start address. Click on NEXT . The page Add an IPv4
network opens.
9. In the field Network Name, name the network.
10. In the field Description, you can specify a description. The field may be in read-only if at a
higher level, its Inheritance property is Inherit. If you want to specify a different description
and/or restrict its propagation to lower levels, you must Set its Inheritance property and/or
Restrict its Propagation property before being able to specify any value in the field. For more
details, refer to the chapter Inheritance and Propagation.
11. The fields Address and Prefix display the values set on the pages Network size and Search
result.
12. Untick the box Terminal network. The wizard refreshes and no longer includes the fields
Gateway and pool related fields if they were displayed.

298
 Using VLSM to Manage Your IPAM
Network

13. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
14. Click on NEXT . The page VLSM space opens.
15. In the list VLSM space, select the child space where the non-terminal subnet-type network
becomes a block-type network.
16. Click on OK to complete the operation. The report opens and closes. The network is listed
with the icon . Depending on the organization depth, it is preceded by one or several .
For more details, refer to the table VLSM icons on the pages All spaces and All networks.
On the page All networks of the parent space, the selected child space is displayed in the
column VLSM space.
On the page All networks of the selected child space, the non-terminal subnet-type network
is listed as a block-type network.

To add an IPv6 block-type network in a child space from a parent space

1. In the sidebar, go to IPAM > Spaces. The page All spaces opens.
2. Click on the Name of the top level space. The page All networks opens.
3. On the right-end side of the menu, make sure the button V6 is black, otherwise click on it.
The page refreshes and the button turns black.
4. Click on the Name of the block-type network of your choice to display its networks.
5. In the menu, click on Add an IPv6 network (subnet) by search. The wizard opens.
6. If custom classes are enabled at network level, in the list Network class select a class or
None. Click on NEXT . The page Network size opens.
7. Untick the box Terminal network. The wizard refreshes and no longer includes the fields
Gateway and pool related fields if they were displayed.
8. In the drop-down list Network prefix, select the value of your choice between 16 bits and
64 bits.
9. Click on NEXT . The page Search result opens.
10. In the list Network address, select a start address. Click on NEXT . The page Add an IPv6
network opens.
11. In the field Network Name, name the network.
12. The fields Address and Prefix display the values set on the pages Network size and Search
result.
13. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
14. Click on NEXT . The page VLSM space opens.
15. In the list VLSM space, select the child space where the non-terminal subnet-type network
becomes a block-type network.
16. Click on OK to complete the operation. The report opens and closes. The network is listed
with the icon . Depending on the organization depth, it is preceded by one or several .
For more details, refer to the table VLSM icons on the pages All spaces and All networks.
On the page All networks of the parent space, the selected child space is displayed in the
column VLSM space.

299
 Using VLSM to Manage Your IPAM
Network

On the page All networks of the selected child space, the non-terminal subnet-type network
is listed as a block-type network.

If you add another non-terminal subnet-type network in the parent space, a new block-type network
is added in the child space.

Editing a Space-Based VLSM Organization

Once you set up a space-based organization, you can:
• Edit the VLSM parent of a space.
• Edit subnet-type networks to make them terminal or not in some specific cases.
• Edit VLSM block-type networks to inherit the value of a class parameter from a parent network
or space.
• Delete subnet-type networks in some specific cases.

You cannot set up a deeper organization of spaces once they contain networks linked from one
level to the other.

Editing the VLSM Parent of a Space

You can edit the VLSM parent of a space:
• Only if it does not already contain a block-type network that was added when a non-terminal
subnet-type network was added at higher level.

For more details, refer to the section Editing Spaces.

Editing a Subnet-type Network within a Space-Based Organization

Within a space-based organization, editing a subnet-type network terminal is limited:
• Editing a terminal network to make it non-terminal
• Is only possible in the lowest level of the space organization, if the network contains pools.
You must delete the pools and then edit the subnet-type network.
• Editing a non-terminal network to make it terminal
• Is impossible if the block-type network added at lower level contains networks.
• Is impossible if the non-terminal subnet-type network contains other networks, pools and/or
IP addresses.
• Is only possible if the block-type network added at lower level is empty.
• Editing the target space of a subnet-type network added at lower level
• In an organization where a space manages several child spaces of same level, you can edit
a non-terminal subnet-type network in the managing space to change its VLSM space. In
the example below, this edition would be possible in the space America.
This edition moves the block-type network added in the former child space, along with all
the networks, pools and addresses it contains, to the child space you specified.
• In an organization where a subnet-type network was added at several space levels - the
spaces Clients, Europe and France in the example below - you can edit the VLSM space of
the network and select the space America. As a result, the spaces Europe and France contain
Orphan containers and the space America contains the a new block-type network. From
there you can add again the networks that suit your needs. With such an organization, this
specific edition is only possible because the top space contained several spaces at the same
level.

300
 Using VLSM to Manage Your IPAM
Network

Figure 21.10. A space-based VLSM organization on the page All spaces

Editing a VLSM Block-type Network Class Parameters Inheritance

Once you set a space-based VLSM organization, you can add and edit class parameters at the
different levels of the hierarchy.

Both the parents of a VLSM block-type network, i.e. the space and the non-terminal subnet-type
network, can have different values for the same class parameter. The VLSM block-type network
inherits the parameter that has been configured before the other.

You can edit the class parameters inheritance source of a VLSM block-type network. The class
parameter value can be inherited from:

• Space: the class parameter value is inherited from the lowest space in the organization, the
space where the selected block-type network is located. You cannot choose a space located
at higher level.
• Network: the class parameter value is inherited from the non-terminal subnet-type network it
is linked with, one level up in the space hierarchy. You cannot inherit the value of any subnet-
type network located higher in the hierarchy.

To edit a VLSM network class parameters inheritance

1. In the sidebar, go to IPAM > Networks. The page All networks opens.
2. Tick the VLSM block-type network(s) of your choice.
3. In the menu, select Tools > Expert > Edit class parameters inheritance source (VLSM
block). The wizard Edit class parameters inheritance source opens.
4. In the drop-down list Parameter, select the class parameter which value you want the selected
network(s) to inherit.
5. In the drop-down list Inherited from, select the inheritance source:
a. Space if you want to inherit the value from the space containing the block-type network
you selected.
b. Network if you want to inherit the value from the network linked with the block-type
network you selected, one level up.
6. In the drop-down list Inheritance property, select Propagate or Restrict.
7. Click on ADD . The value of the drop-down lists refreshes. The class parameter, along with
its source and inheritance option, is moved to the Properties list.
Repeat steps 5 to 7 for as many parameters as needed.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the field(s)
and click on UPDATE .

301
 Using VLSM to Manage Your IPAM
Network

• To delete an entry from the list, select it and click on DELETE .

• To discard changes, click on CANCEL .

8. Click on OK to complete the operation. The report opens and closes.

Deleting Networks in a Space-Based Organization

As the IP address management in space-based VLSM organization relies on subnet-type and
block-type networks distributed on different levels, deleting the networks has to follow certain
rules.
• You cannot delete a block-type network directly from the space it belongs to.
Deleting a VLSM block-type network can only be done from higher level: when you delete the
non-terminal subnet-type network that added it, the block-type network is deleted as well.
• You can only delete a subnet-type network if the block-type network it added at lower
level is empty.
You cannot delete a subnet-type network in a parent space if the block-type network added in
the child space contains networks
Deleting subnet-type networks automatically deletes the block-type network it added at lower
level.

Unifying the VLSM Networks

In some cases after a migration, you might have a space-based VLSM organization where the
parent and child spaces content do not match. The following two options allow to unify the content
of your spaces especially the link between block-type and subnet-type network networks of two
different levels.

Attaching a Network to its VLSM Parent

After a migration, the content of the parent and child spaces might differ and some objects might
not be associated: you might have a block-type network in a child space that is not associated
with a non-terminal subnet-type network.

Depending on your configuration, you might be able to add the missing non-terminal subnet-type
network in the parent space using the option Attach network to its VLSM parent. This would allow
to continue using VLSM to delegate rights and resources or add and delete objects in both spaces
at once.

Keep in mind that you can only use this option if:
• The block-type network in the child space is not already associated with a non-terminal subnet-
type network of the parent space.
• The parent space can receive the child space block-type network as a non-terminal subnet-
type network:
1. In the parent space, a block-type network can receive the non-terminal subnet-type network.
2. There is no overlap.

To attach a network to its VLSM parent

1. In the sidebar, go to IPAM > Spaces. The page All spaces opens.
2. Click on the name of the child space of your choice. The page All networks open.
3. Tick the block-type network(s) of your choice.

302
 Using VLSM to Manage Your IPAM
Network

4. In the menu, select Tools > Expert > Attach network to its VLSM parent. The wizard
Attach network to its VLSM parent opens.
5. Click on OK to complete the operation. The report opens and closes. The selected block-
type network is now preceded by .

Aggregating VLSM Networks

After a migration, you can have affiliated spaces which IP addresses are not properly associated:
you might have a missing non-terminal subnet-type network in a parent space even if the block-
type network does exist in the child space.

In this case, you can use the option Aggregate VLSM networks from the page All spaces to add
the missing non-terminal subnet-type networks in the parent space.

To aggregate VLSM networks

1. In the sidebar, go to IPAM > Spaces. The page All spaces opens.
2. In the menu, select Tools > Expert > Aggregate VLSM networks.The wizard Aggregate
VLSM networks opens.
3. In the drop-down list Parent space, select the parent space where the corresponding non-
terminal subnet-type network is missing.
4. Click on OK to complete the operation. The report opens and closes. The missing non-ter-
minal subnet-type network(s) is added on the page All networks list of the space you selec-
ted.

Moving IPv4 Addresses across the VLSM Hierarchy

If you reorganize your space-based hierarchy and plan on adding sub-spaces, you might need
to move IPv4 terminal networks from a top level space to a lower level of the hierarchy. In that
case, the IP addresses must be moved to the sub-space(s). This operation could be performed
by moving IP addresses from one space to the other, as detailed in the section Moving IP Ad-
dresses to Another Space; however, you might have a lot of IPv4 terminal networks to spread
on multiple sub-spaces, and it would take a long time to repeat the operation for each sub-space.

The option Move addresses to VLSM network allows to automate the migration of IPv4 addresses
to the lowest terminal networks across the space hierarchy. It spreads the IP addresses in all the
available terminal networks that can contain them. That is to say, a terminal network at the lowest
level of the hierarchy which start address can receive the selected addresses.

To spread IPv4 addresses across the VLSM hierarchy

1. In the sidebar, go to IPAM > Addresses. The page All addresses opens.
2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. Tick the IP address(es) you want to spread within the lower spaces of your VLSM organization.
4. In the menu, select Tools > Expert > Move addresses to VLSM network. The wizard
Move VLSM IP addresses opens.
5. Click on OK to complete the operation. The report opens and closes. The IP addresses are
listed, the space and networks they belong to have changed.

303
 Using VLSM to Manage Your IPAM
Network

Managing a Network-Based VLSM Organization

The network-based VLSM organization organizes subnet-type networks imbrication within one
space, it can be set within different block-type networks.

You can insert non-terminal subnet-type networks in between a child subnet-type network and
its parent as detailed in the section Reparenting subnet-type networks.

Note that you can also:

• Import network-based VLSM organizations, for more details refer to the section Importing
Networks in the chapter Importing Data from a CSV File.
• Export network-based VLSM organizations, for more details, refer to the chapter Exporting
Data.

However, keep in mind that you cannot export or import network-based VLSM organisations as
raw data.

Setting Up a Network-Based VLSM Organization

Setting up a network-based VLSM organization implies adding non-terminal subnet-type networks
that manage terminal networks, pools and IP addresses on different levels. Note that:
• You can make the network-based VLSM organization go as deep as you need.
• You can use the network-based organization to delegate management, limit permissions or
grant access to specific parts of your network. You can also use it to configure areas of your
network differently, like in the image below.
• You cannot set up a network-based VLSM organization in a parent space. The network-based
VLSM organization implies adding non-terminal subnet-type networks:
• Either in an independent space,
• Or in a child space that is at the lowest level of a space-based VLSM organization. In other
words, in a child space that does not have any child space.
Indeed, adding non-terminal subnet-type networks in a parent space adds block-type networks
in a child space, in which case, your VLSM organization is space-based.

304
 Using VLSM to Manage Your IPAM
Network

SPACE Continent = America

NETWORK Country = USA

BLOCK

NETWORK State = District of Columbia

SUBNET

NETWORK City = Washington

SUBNET

NETWORK Department = Procurement

SUBNET

POOL

ADDRESS

Figure 21.11. Example of a class parameters configuration in a network-based VLSM organization

Contrary to the space-based organization, the network-based VLSM organization allows you to
display the IPAM hierarchy at a glance, in one block-type network. As all the networks can be
listed all together, there is no need to go through different spaces separately to list non-terminal
subnet-type networks and their content.

To add an IPv4 non-terminal subnet-type network

1. In the sidebar, go to IPAM > Spaces. The page All spaces opens.
2. Click on the Name of the space of your choice. The page All networks of the space opens.
3. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
4. On the right-end side of the menu, make sure the button is black, otherwise click on it to
display all networks. The page refreshes and the button turns black. If you display networks
level by level, all the networks managed by non-terminal networks are no longer visible.
5. Click on the Name of the block-type network of your choice to display its networks.
6. In the menu, click on Add by an IPv4 network (subnet) search. The wizard opens.
7. If custom classes are enabled at network level, in the list Network class select a class or
None. Click on NEXT . The page Network size opens.
8. Select a Size, Prefix or Netmask for your network. Selecting one value automatically changes
the other two. Click on NEXT . The page Search result opens.
9. In the list Network address, select a start address. Click on NEXT . The page Add an IPv4
network opens.
10. In the field Network Name, name the network.
11. The fields Address and Prefix display the values set on the pages Network size and Search
result.
12. Untick the box Terminal network. The wizard refreshes and no longer includes the fields
Gateway and pool related fields if they were displayed.

305
 Using VLSM to Manage Your IPAM
Network

13. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
14. Click on OK to complete the operation.The report opens and closes.The non-terminal subnet-
type network is listed and preceded by .

To add an IPv6 non-terminal subnet-type network

1. In the sidebar, go to IPAM > Spaces. The page All spaces opens.
2. Click on the Name of the space of your choice. The page All networks of the space opens.
3. On the right-end side of the menu, make sure the button V6 is black, otherwise click on it.
The page refreshes and the button turns black.
4. On the right-end side of the menu, make sure the button is black, otherwise click on it to
display all networks. The page refreshes and the button turns black. If you display networks
level by level, all the networks managed by non-terminal networks are no longer visible.
5. Click on the Name of the block-type network of your choice to display its networks.
6. In the menu, click on Add an IPv6 network (subnet) by search. The wizard opens.
7. If custom classes are enabled at network level, in the list Network class select a class or
None. Click on NEXT . The page Network size opens.
8. Untick the box Terminal network. The wizard refreshes and no longer includes the fields
Gateway and pool related fields if they were displayed.
9. In the drop-down list Network prefix, select the value of your choice between 16 bits and
64 bits.
10. Click on NEXT . The page Search result opens.
11. In the list Network address, select a start address. Click on NEXT . The page Add an IPv6
network opens.
12. In the field Network Name, name the network.
13. The fields Address and Prefix display the values set on the pages Network size and Search
result.
14. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
15. Click on OK to complete the operation.The report opens and closes.The non-terminal subnet-
type network is listed and preceded by .

Once you added a non-terminal subnet-type network, it can contain as many non-terminal subnet-
type networks as you need: it all depends on their size. And you can add a hierarchy as deep as
you need.

Within the non-terminal subnet-type networks you can add terminal networks to manage pool
and assign addresses. For more details, refer to the section Adding Networks.

Reparenting Subnet-type Networks

The reparenting option allows to add new levels in your network-based VLSM organization. You
can add a non-terminal subnet-type network that becomes the new parent of existing terminal
or non-terminal networks.

306
 Using VLSM to Manage Your IPAM
Network

Keep in mind that, in space-based VLSM organizations, this option can only be used in independ-
ent spaces or in spaces at the lowest level. For more details, refer to the section Properly Using
Both Methods Simultaneously.

To reparent an IPv4 subnet-type network

1. In the sidebar, go to IPAM > Spaces. The page All spaces opens.
2. Click on the Name of the space of your choice. The page All networks of the space opens.
3. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
4. On the right-end side of the menu, make sure the button is black, otherwise click on it to
display all networks. The page refreshes and the button turns black. If you display networks
level by level, all the networks managed by non-terminal networks are no longer visible.
5. In the menu, click on Add. The wizard opens.
1
6. In the drop-down list Network type, select Subnet . Click on NEXT . The next page opens.
7. In the list Choose a parent space, select a non-terminal network among the ones listed
under each space. The + sign left of the spaces' name opens the list of their networks.
8. Tick the box Allow network reparenting. Click on NEXT . The next page opens.
9. If custom classes are enabled at network level, in the list Network class select a class or
None.
Click on NEXT . The page Add an IPv4 Network opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
10. In the field Network Name, name the network.
11. In the field Description, you can specify a description. The field may be in read-only if at a
higher level, its Inheritance property is Inherit. If you want to specify a different description
and/or restrict its propagation to lower levels, you must Set its Inheritance property and/or
Restrict its Propagation property before being able to specify any value in the field. For more
details, refer to the chapter Inheritance and Propagation.
12. In the field Address, specify the start address. By default, the start address of the block-type
network you selected is displayed in the field.
13. In the drop-down list Netmask, select a netmask. The netmask value automatically edits the
Prefix.
14. In the drop-down list Prefix, select a value if you did not choose a netmask. The prefix value
automatically edits the Netmask. The network size configuration is visible in the field
15. Untick the box Terminal network.
16. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
17. Click on OK to complete the operation. The report opens and closes. The network is listed.
The reparented network is now listed at a lower level in the VLSM hierarchy.

To reparent an IPv6 subnet-type network

1. In the sidebar, go to IPAM > Spaces. The page All spaces opens.
2. Click on the Name of the space of your choice. The page All networks of the space opens.

1
If your group's permissions do not include the addition of both block-type and subnet-type networks, the page is automatically skipped.

307
 Using VLSM to Manage Your IPAM
Network

3. On the right-end side of the menu, make sure the button V6 is black, otherwise click on it.
The page refreshes and the button turns black.
4. On the right-end side of the menu, make sure the button is black, otherwise click on it to
display all networks. The page refreshes and the button turns black. If you display networks
level by level, all the networks managed by non-terminal networks are no longer visible.
5. In the menu, click on Add. The wizard opens.
2
6. In the drop-down list Network type, select Subnet . Click on NEXT . The next page opens.
7. In the list Choose a parent space, select a non-terminal network among the ones listed
under each space. The + sign left of the spaces' name opens the list of their networks.
8. Tick the box Allow network reparenting. Click on NEXT . The next page opens.
9. If custom classes are enabled at network level, in the list Network class select a class or
None.
Click on NEXT . The page Add an IPv6 Network opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
10. In the field Network Name, name the network.
11. In the field Description, you can specify a description. The field may be in read-only if at a
higher level, its Inheritance property is Inherit. If you want to specify a different description
and/or restrict its propagation to lower levels, you must Set its Inheritance property and/or
Restrict its Propagation property before being able to specify any value in the field. For more
details, refer to the chapter Inheritance and Propagation.
12. In the field Address, specify the start address. By default, the start address of the block-type
network you selected is displayed in the field.
13. In the drop-down list Prefix, select /64, /127 or /128.
If your administrator disabled the RFC 4291 compliance registry database entry, you can
select a prefix between /16 and /128. For more details, refer to the section Enabling the
Addition of IPv6 Terminal Networks with Non-Standard Prefixes.
14. Untick the box Terminal network.
15. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
16. Click on OK to complete the operation. The report opens and closes. The network is listed.
The reparented network is now listed at a lower level in the VLSM hierarchy.

Editing a Network-Based VLSM Organization

You can edit a network-based organization by editing the networks themselves, or deleting non-
terminal networks.

Editing a Subnet-type Network to Make it Terminal or Non-Terminal

To make a subnet-type network terminal or not, you must tick or untick the box Terminal network
in the addition/edition wizard. For more details, refer to the section Setting Up a Network-Based
VLSM Organization above.

Keep in mind that:

2
If your group's permissions do not include the addition of both block-type and subnet-type networks, the page is automatically skipped.

308
 Using VLSM to Manage Your IPAM
Network

• Making a terminal network non-terminal

• You cannot edit a terminal network to make it non-terminal if it contains pools. You must first
delete the pools.
• You can edit a terminal network to make it non-terminal even if it manages addresses. The
assigned addresses it manages, including the gateway address, are moved to an Orphan
Addresses container. This container is deleted once its content is deleted or the IP addresses
are managed by another terminal network.
Note that if the network you edit belongs to a space that has child spaces, you can select a
VLSM space.This action sets up a space-based delegation. In this case, a block-type network
is added in the specified child space and it contains the same Orphan Addresses container.
• Editing a non-terminal network to make it terminal
• You cannot edit a non-terminal subnet-type network to make it terminal if it contains any
network. It must be empty.

Deleting Subnet-type Networks in a Network-Based Organization

Deleting non-terminal subnet-type networks simply removes one level in the organization:
• In an organization with a non-terminal subnet-type network managing several terminal networks,
these terminal networks and their content are managed directly by the block-type network.
• In a deep network-based organization, one level is removed. All the lower level networks it
managed are moved up one level. If they inherited class parameters from the deleted container,
for each class parameter:
• The Inheritance property is forced to Inherit or Set to match the configuration of the deleted
parent network. The value and the source of the value remain the same.
• The Propagation property remains the same.

Using the VLSM Hierarchy to Delegate Management

You can use the different levels of the VLSM hierarchy to organize, divide or limit the different
users' rights in the IPAM module. Through the menu Edit menu you can make some spaces,
networks or pools a resource for as many groups of users as you need. That way you can give
them the possibility to add/delete/duplicate/move... the objects they contain.

If you make the different pieces of a space organization resources to specific groups, you can
delegate the management one level at a time and whoever has access to the whole hierarchy
can keep track of all the changes.

For more details regarding users, groups and delegation within SOLIDserver, refer to the part
Rights Management.

309
 Using VLSM to Manage Your IPAM
Network

Delegating Management in a Space-Based Organization

In a space-based VLSM organization, the delegation could be done as follows.

Figure 21.12. An example of a space-based VLSM organization

In the example above, the hierarchy of VLSM spaces could be used to grant a group of users:
• Access and management permissions to the content of the space USA. That is to say, make
all the block-type networks of that space a resource of the group and grant them the relevant
rights over them. That way, the users of the group:
• Can display the space USA, as it is the container of the block-type networks they have on
the page Resources.
• Can access the content of the block-type networks they have among their resources. However,
they cannot display the content of the subnet-type networks and pools of these block-type
networks as they are not listed among their resources.
• Can manage the block-type networks listed among their resources, as they were granted
the relevant permissions.
Note that, if you grant the group access to the subnet-type networks and pools of the space
USA, users can display the entire space content, down to the IP addresses. With the relevant
permissions, they can manage these objects as well. For more details, refer to the section
Adding Resources to a Group.
• Access to the space America. That is to say, make that space a resource of the group. That
way, the users of the group:
• Can display the content of the space America, i.e. all the spaces it contains, including USA.
And therefore, see all changes performed in the spaces USA and America.

Keep in mind that granting access to a resource does not grant access to its container. Therefore,
if you grant users access to the space USA, they cannot display the content of America. In the
same ways, if you grant them access to America, they cannot display the content of Clients.

To delegate management, you could for instance grant access to these spaces to two different
groups of users. That way, one group could perform specific operations, while the other could
supervise these operations.

For more details on users, groups and rights, refer to the part Rights Management.

310
 Using VLSM to Manage Your IPAM
Network

Delegating Management in a Network-Based Organization

In a network-based VLSM organization, the delegation could be done as follows.

Figure 21.13. An example of a network-based VLSM organization

In the example above, the hierarchy of VLSM networks could be used to grant a group of users:
• Access and management permissions to all the terminal networks of the non-terminal subnet-
type network New York City. That is to say, make that network a resource of the group and
grant them the relevant rights over it. That way, the users of the group:
• Can display the network NY, as it is the container of the network they have on the page
Resources.
• Can display the terminal networks it contains. However, they cannot display the content of
the pools they may contain, as they are not listed among their resources.
• Can manage the objects listed among their resources if they were granted the relevant rights.
For more details, refer to the section Adding Resources to a Group.
• Grant access to the non-terminal subnet-type network East Coast. That is to say, make that
network a resource of the group. That way, the users of the group:
• Can display the content of the non-terminal subnet-type network New York City and see that
it contains another network named FL.
• Can see all changes performed within the network.

To delegate management, you could for instance grant access to these subnet-type networks to
two different groups of users. That way, one group could perform specific operations, while the
other could supervise these operations.

For more details on users, groups and rights, refer to the part Rights Management.

311
Chapter 22. Managing Cloud
Synchronization
The IPAM allows to synchronize addressing plans stored on some cloud providers. The module
Ecosystem provides a rule that allows to identify your addressing plans stored on AWS cloud,
Azure cloud and GCP environments.

From AWS, you can synchronize:

• Virtual Private Clouds (VPCs).
• Subnets.
• Instances and their Virtual NIC information.

From Azure, you can synchronize:

• Virtual Networks (VNs).
• Subnets.
• VMs and their Virtual NIC information.

From GCP, you can synchronize:

• Virtual Private Clouds (VPCs).
• Instance interfaces.

To properly synchronize cloud addressing plans, i.e. all IP related information, you must:
1. Meet the prerequisites.
2. Take into account the limitations.
3. Configure the rule that suits your needs.
• For AWS, refer to the section Configuring AWS Synchronization.
• For Azure, refer to the section Configuring Azure Synchronization.
• For GCP, refer to the section Configuring GCP Synchronization.

Prerequisites
• Having all cloud provider details ready:
• For AWS, you need your AWS Account ID, Access key ID and an Access secret key. In
addition, you can specify a tag for VPCs, subnets and IP addresses, the tag is used to name
the objects synchronized in the IPAM.
• For Azure, you need your Azure tenant ID, Subscription ID, Client ID and Client secret key.
In addition, you must name Azure VNs and subnets.
• For GCP, you need your service account email and private key. From GCP console, you
must download your private key JSON file to retrieve them.
Depending on the size of you GCP data, you may need to adjust the Quota of your Read
request to avoid synchronization errors.
• Having an independent space ready to receive the data you want to synchronize. You cannot
synchronize cloud objects if they match existing IPAM networks delegated to another space.
• If your internal network policies do not allow cloud synchronization, you can configure a proxy.
For more details, refer to the section Configuring a Proxy Server.

312
 Managing Cloud Synchronization

Limitations
• All the changes you perform in the IPAM on synchronized objects are overwritten during the
next synchronization.
• All synchronization error messages can only be seen on the page Syslog. For more details,
refer to the section Monitoring the Synchronization.
• For GCP environment synchronization:
• Only IPv4 GCP data are synchronized to the IPAM.
• VPC networks cannot be synchronized because they are not associated with any address.
• The aliases of the instance interfaces are not synchronized to the IPAM.

Configuring a Proxy Server

If your internal network policies prevent you from accessing cloud providers services directly,
you might need to configure a proxy server via a registry database entry to handle the synchron-
ization.

To configure a proxy server for cloud synchronizations

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Registry database. The page Registry database opens.
3. Filter the column Name with ecosystem.cloud.proxy .
4. Hit Enter. Only this key is listed.
5. In the column Value, click on its value. The wizard Registry database Add an item opens.
6. In the field Value, specify the server configuration as follows: <user>:<password>@<proxy-
FQDN-or-IP>:<tcp-port-number>.
7. Click on OK to complete the operation. The report opens and closes. The page refreshes
and the key is listed.

Configuring AWS Synchronization

To configure AWS synchronization you must:
1. Meet the prerequisites and take into account the limitations.
2. Add the rule 402 in the module Administration to identify the data to retrieve and configure the
synchronization, as detailed in the section Adding AWS Synchronization Rule.
3. Check the synchronization result in the IPAM and make sure it was successful, as detailed in
the section Checking AWS Synchronization.

When the rule is configured, your data is available in the IPAM, it evolves at every synchronization.

Adding AWS Synchronization Rules

Before adding the rule, note that:
• You cannot add the same rule several times with the same AWS Account ID.
• The AWS data retrieved is synchronized as follows in the IPAM:

313
 Managing Cloud Synchronization

Table 22.1. How AWS objects are synchronized in the IPAM

AWS objects IPAM objects
Virtual Private Clouds (VPCs) IPv4/IPv6 block-type networks or subnet-type networks
Subnets IPv4/IPv6 terminal networks. In each synchronized terminal network, the
second IP address is assigned as gateway
Instances and their Virtual NIC IPv4/IPv6 addresses
information

• You can specify a tag for VPCs, subnets and IP addresses, before you add the rule. The tag
is used to name the objects synchronized in the IPAM.
• You must have an independent space ready to receive the data you want to synchronize. You
cannot synchronize cloud objects if they match an existing IPAM network delegated to another
space.
• A new VPC is always added in the IPAM at the lowest level.
• If no blocks can contain the subnets, the VPC is added as a block. However, it is recommended
to add a space containing blocks able to receive AWS objects before the synchronization.

To add the rule 402 that retrieves AWS data

Only users of the group admin can perform this operation.
1. Make sure to meet the prerequisites and limitations.
2. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
3. In the section Expert, click on Rules. The page Rules opens.
4. In the menu, click on Add. The wizard Add a rule opens.
5. In the drop-down list Module, select Ecosystem.
6. In the drop-down list Event, select Execution of a scheduled rule.
7. In the list Rule, select (402) Retrieve AWS Cloud data into the IPAM.
8. In the field Rule name, name the rule. That name is then listed in the column Instance.
9. In the field Comment, you can specify a comment.
10. Click on NEXT . The page Rule filters opens.
11. Set the synchronization frequency of the rule.
If you do not set a frequency, the synchronization happens only once and the information is
only retrieved during the rule addition.

Table 22.2. Available synchronization filters for the rule

Field Description
Day(s) of the week A day, a frequency or a period of days. This field is optional.
Date of the month A specific day of the month or every day. This field is optional.
Month A specific month or every month. This field is optional.
Hour A specific hour, a set of hours, every hour, or every hour over a specific period. The
hour respects the UTC standard. This field is optional.
Minute A moment of the hour (00, 15, 30 or 45) or a frequency. The minute respects the UTC
standard. This field is optional.

12. Click on NEXT . The page Rule parameters opens.

13. Specify your AWS credentials:
a. In the field AWS Account ID, specify an AWS account ID. It must contain only digits.
You cannot use the same Account ID in several rules.

314
 Managing Cloud Synchronization

b. In the field Access key ID, specify an access key ID. It cannot contain special characters.
c. In the field Access secret key, specify its secret key.
14. Configure the VPC(s) you want to synchronize:
a. In the drop-down list Associated IPAM Space, select a space that can receive the AWS
data.
Note that within a space, networks and IP addresses cannot overlap. Each network has
a unique start and end address, and each IP address is unique.
b. In the field VPC region, specify the code of the AWS region containing the VPC(s) to
synchronize. For instance, for the region Europe (Paris) you must type in eu-west-3.
c. In the field VPC, you can specify one or several VPC names and/or IDs, separated by
a semi-colon as follows: <VPC-ID-1>;<VPC-name-2>;<VPC-ID-3> or a regex, for instance
/^vpc-33.*/.
If you leave the field empty, all the VPCs of the specified VPC region are synchronized.
d. Once a VPC is configured, click on ADD . The entry is moved to the VPCs list.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the
field(s) and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
e. Repeat these steps for as many VPCs as you want.
15. Click on OK to complete the operation. The report opens and closes. The rule is listed. To
make sure the synchronization is successful, refer to the section Checking AWS Synchron-
ization.

Once the configuration is ready, keep in mind that the following behaviors can occur:
• If any object no longer exists in the cloud providers, any IPAM object added during a previous
synchronization is deleted after the next one.
• If a synchronized object is deleted from the IPAM during the synchronization, its children are
deleted too.
• If an object fails to be synchronized, its children are ignored.
• If an AWS IPv4 object fails to be synchronized, it does not prevent its IPv6 counterpart from
being successfully synchronized, and vice-versa.

Note that you can edit the synchronization frequency, account details or VPCs list of the rule
from its properties page. Any change triggers a new synchronization and can edit the content of
the space configured for the rule. If you delete a space, all synchronized objects are deleted from
the configured space.

Checking the AWS Synchronization in the IPAM

Once you configured the rule, you can go to the IPAM module to make sure the synchronization
is successful.

All synchronized information is available on the pages All networks and All addresses of the
configured space and on the properties page of the new objects.

On the page All networks, a set of Class param: columns are dedicated to AWS information.
Any user can display a list template containing these columns via the button List template,
on the right-end side of the menu. However, only users of the group admin can add or edit list
templates, for more details refer to the section Managing List Templates.

315
 Managing Cloud Synchronization

Keep in mind that manual operations are limited:

• You cannot edit or rename synchronized networks.
• You cannot add or delete subnet-type networks and IP addresses within synchronized networks.
• You cannot unmanage synchronized networks.
• You can delete networks and their content but they may be added again during the next syn-
chronization if they still exist in AWS database.

To check if the synchronization is successful in the IPAM

1. In the sidebar, go to IPAM > Spaces. The page All spaces opens.
2. In the column Name, click on the name of a space configured for the synchronization. The
page All networks opens.
3. In the column Name, the added networks are listed.
If you specified a tag for your AWS objects, the networks are named after this tag. Otherwise,
they are named as follows: <IP_address>/<prefix>.
4. In the breadcrumb, click on All addresses. The content of the networks is listed.
If you specified a tag for your AWS objets, the IP addresses are named after this tag. If the
tag is empty, they are named according to the parameter PrivateDnsName. If the tag and
the parameter are empty, the IP addresses have no Name.

Some objects may be missing from either pages as the data listed depend on the synchronization:
• If any object no longer exists in the cloud providers, any IPAM object added during a previous
synchronization is deleted after the next one.
• If a synchronized object is deleted from the IPAM during the synchronization, its children are
deleted too.
• If an object fails to be synchronized, its children are ignored.
• If an AWS IPv4 object fails to be synchronized, it does not prevent its IPv6 counterpart from
being successfully synchronized, and vice-versa.

On the properties page of synchronized objects, all AWS parameters you configured for the rule
are listed in the panel Ecosystem.

To check if the synchronization is successful on the properties page

1. In the sidebar, go to IPAM > Networks or Addresses. The pages open.
2. At the end of the line of the synchronized object of your choice, click on . The properties
page opens.
3. In the panel Ecosystem, all AWS parameters are listed.

On non-terminal network properties page, the panel contains AWS owner ID (Account ID), AWS
VPC region and VPC ID.

On terminal network properties page, the panel contains AWS availability zone, AWS subnet
ID and parameters inherited from the parent network.

On IP address properties page, the panel contains AWS instance ID and parameters inherited
from the terminal network and the parent network.

316
 Managing Cloud Synchronization

Configuring Azure Synchronization

To configure Azure synchronization you must:
1. Meet the prerequisites and take into account the limitations.
2. Add the rule 403 in the module Administration to identify the data to retrieve and configure the
synchronization, as detailed in the section Adding Azure Synchronization Rule.
3. Check the synchronization result in the IPAM and make sure it was successful, as detailed in
the section Checking Azure Synchronization.

When the rule is configured, your data is available in the IPAM, it evolves at every synchronization.

Adding Azure Synchronization Rules

Before adding the rule, note that:
• You cannot add the same rule several times with the same Azure subscription ID.
• The Azure data retrieved is synchronized as follows in the IPAM:

Table 22.3. How Azure objects are synchronized in the IPAM

Azure objects IPAM objects
Virtual Networks (VNs) IPv4/IPv6 block-type networks or subnet-type networks
Subnets IPv4/IPv6 terminal networks. In each synchronized terminal network, the
second IP address is assigned as gateway
VMs and their Virtual NIC inform- IPv4/IPv6 addresses
ation

• You must name VNs and subnets before you add the rule. The tag is used to name the objects
synchronized in the IPAM.
• You must have an independent space ready to receive the data you want to synchronize. You
cannot synchronize cloud objects if they match an existing IPAM network delegated to another
space.
• A new VN is always added in the IPAM at the lowest level.
• If no blocks can contain the subnets, the VN is added as a block. However, it is recommended
to add a space containing blocks able to receive Azure objects before the synchronization.

To add the rule 403 that retrieves Azure data

Only users of the group admin can perform this operation.
1. Make sure to meet the prerequisites and limitations.
2. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
3. In the section Expert, click on Rules. The page Rules opens.
4. In the menu, click on Add. The wizard Add a rule opens.
5. In the drop-down list Module, select Ecosystem.
6. In the drop-down list Event, select Execution of a scheduled rule.
7. In the list Rule, select (403) Retrieve Azure Cloud data into the IPAM.
8. In the field Rule name, name the rule. That name is then listed in the column Instance.
9. In the field Comment, you can specify a comment.
10. Click on NEXT . The page Rule filters opens.
11. Set the synchronization frequency of the rule.

317
 Managing Cloud Synchronization

If you do not set a frequency, the synchronization happens only once and the information is
only retrieved during the rule addition.

Table 22.4. Available synchronization filters for the rule

Field Description
Day(s) of the week A day, a frequency or a period of days. This field is optional.
Date of the month A specific day of the month or every day. This field is optional.
Month A specific month or every month. This field is optional.
Hour A specific hour, a set of hours, every hour, or every hour over a specific period. The
hour respects the UTC standard. This field is optional.
Minute A moment of the hour (00, 15, 30 or 45) or a frequency. The minute respects the UTC
standard. This field is optional.

12. Click on NEXT . The page Rule parameters opens.

13. Specify your Azure credentials:
a. In the field Azure tenant ID, specify an Azure tenant ID.
b. In the field Subscription ID, specify a subscription ID. You cannot use the same sub-
scription ID in several rules.
c. In the field Client ID, specify the client ID.
d. In the field Client secret key, specify the secret key.
14. Configure the VN(s) you want to synchronize:
a. In the drop-down list Associated IPAM Space, select a space that can receive the
Azure data.
Note that within a space, networks and IP addresses cannot overlap. Each network has
a unique start and end address, and each IP address is unique.
b. In the field Resource group name, you can specify the name of a resource group
containing the VN(s) to synchronize. It can be one or several names separated by a
semi-colon as follows: <group-name-1>;<group-name-2> or a regex, for instance
/^myRG-33.*/.
If you leave the field empty, all the resource groups of the specified Subscription ID are
synchronized.
c. In the field Virtual network name, you can specify the name of a virtual network. It can
be one or several names separated by a semi-colon as follows: <VN-name-1>;<VN-
name-2> or a regex, for instance /^vn-33.*/.
If you leave the field empty, all the VNs of the specified Resource group name are
synchronized.
d. Once a VN is configured, click on ADD . The entry is moved to the Virtual network list.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the
field(s) and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
e. Repeat these steps for as many VNs as you want.
15. Click on OK to complete the operation. The report opens and closes. The rule is listed. To
make sure the synchronization is successful, refer to the section Checking Azure Synchron-
ization.

Once the configuration is ready, keep in mind that the following behaviors can occur:

318
 Managing Cloud Synchronization

• If any object no longer exists in the cloud providers, any IPAM object added during a previous
synchronization is deleted after the next one.
• If an object is deleted from the IPAM during the synchronization, its children are deleted too.
• If an object fails to be synchronized, its children are ignored.
• If an Azure IPv4 object fails to be synchronized, it does not prevent its IPv6 counterpart from
being successfully synchronized, and vice-versa.

Note that you can edit the synchronization frequency, account details or Virtual network list of
the rule from its properties page. Any change triggers a new synchronization and can edit the
space configured for the rule. If you delete a space, all synchronized objects are deleted from
the configured space.

Checking the Azure Synchronization in the IPAM

Once you configured the rule, you can go to the IPAM module to make sure the synchronization
is successful.

All synchronized information is available on the pages All networks and All addresses of the
configured space and on the properties page of the new objects.

On the page All networks, a set of Class param: columns are dedicated to Azure information.
Any user can display a list template containing these columns via the button List template,
on the right-end side of the menu. However, only users of the group admin can add or edit list
templates, for more details refer to the section Managing List Templates.

Keep in mind that manual operations are limited:

• You cannot edit or rename synchronized networks.
• You cannot add or delete subnet-type networks and IP addresses within synchronized networks.
• You cannot unmanage synchronized networks.
• You can delete networks and their content but they may be added again during the next syn-
chronization if they still exist in Azure database.

To check if the synchronization is successful in the IPAM

1. In the sidebar, go to IPAM > Spaces. The page All spaces opens.
2. In the column Name, click on the name of a space configured for the synchronization. The
page All networks opens.
3. In the column Name, the added networks are listed. The name of all networks is automatically
retrieved from the VN names in Azure.
4. In the breadcrumb, click on All addresses. The content of the networks is listed. The syn-
chronized addresses are named as follows: <NIC_name>-<IP_name>.

Some objects may be missing from either pages as the data listed depend on the synchronization:
• If any object no longer exists in the cloud providers, any IPAM object added during a previous
synchronization is deleted after the next one.
• If an object is deleted from the IPAM during the synchronization, its children are deleted too.
• If an object fails to be synchronized, its children are ignored.
• If an Azure IPv4 object fails to be synchronized, it does not prevent its IPv6 counterpart from
being successfully synchronized, and vice-versa.

319
 Managing Cloud Synchronization

On the properties page of synchronized objects, all Azure parameters you configured for the rule
are listed in the panel Ecosystem.

To check if the synchronization is successful on the properties page

1. In the sidebar, go to IPAM > Networks or Addresses. The pages open.
2. At the end of the line of the synchronized object of your choice, click on . The properties
page opens.
3. In the panel Ecosystem, all Azure parameters are listed.

On non-terminal network properties page, the panel contains Azure virtual network location,
Azure resource group, Azure tenant ID, Azure virtual network ID and Azure subscription
ID.

On terminal network properties page, the panel contains Azure subnet ID and parameters inher-
ited from the parent network.

On IP address properties page, the panel contains Azure instance ID and parameters inherited
from the terminal network and the parent network.

Configuring GCP Synchronization

To configure GCP synchronization you must:
1. Meet the prerequisites and take into account the limitations.
2. Add the rule 415 in the module Administration to identify the data to retrieve and configure the
synchronization, as detailed in the section Adding GCP Synchronization Rules.
3. Check the synchronization result in the IPAM and make sure it was successful, as detailed in
the section Checking the GCP Synchronization in the IPAM.

When the rule is configured, your data is available in the IPAM, it evolves at every synchronization.

Adding GCP Synchronization Rules

Before adding the rule, note that:
• The GCP data retrieved is synchronized as follows in the IPAM:

Table 22.5. How GCP objects are synchronized in the IPAM

GCP objects IPAM objects
Subnets Pv4 terminal subnet-type networks
A GCP subnet can add two terminal networks if it is configured with a second-
ary IP range
Instance interfaces and their IPv4 addresses
Virtual NIC information

• GCP projects and Virtual Private Clouds (VPCs) are only used to identify subnets.
• You must have an independent space ready to receive the data you want to synchronize. You
cannot synchronize cloud objects if they match an existing IPAM network delegated to another
space.
• If no block-type network can receive the subnets, the corresponding terminal networks are
added in a container Orphan Networks.
• A new subnet is always added in the IPAM at the lowest level.

320
 Managing Cloud Synchronization

• Within synchronized subnets:

• IP addresses are only added if the subnet was successfully synchronized.
• The gateway of the synchronized subnet adds a Gateway IP address.
• There are as many IP addresses as there are interfaces configured on the instances of the
synchronized subnet. Each IP address has the same name as its parent instance within
GCP. The properties page of each IP address displays the interface unique name in the field
Network interface.

To add the rule 415 that retrieves GCP data

Only users of the group admin can perform this operation.
1. Make sure to meet the prerequisites and limitations.
2. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
3. In the section Expert, click on Rules. The page Rules opens.
4. In the menu, click on Add. The wizard Add a rule opens.
5. In the drop-down list Module, select Ecosystem.
6. In the drop-down list Event, select Execution of a scheduled rule.
7. In the list Rule, select (415) Retrieve Google Cloud data into the IPAM.
8. In the field Rule name, name the rule. That name is then listed in the column Instance.
9. In the field Comment, you can specify a comment.
10. Click on NEXT . The page Rule filters opens.
11. Set the synchronization frequency of the rule.
If you do not set a frequency, the synchronization happens only once and the information is
only retrieved during the rule addition.

Table 22.6. Available synchronization filters for the rule

Field Description
Day(s) of the week A day, a frequency or a period of days. This field is optional.
Date of the month A specific day of the month or every day. This field is optional.
Month A specific month or every month. This field is optional.
Hour A specific hour, a set of hours, every hour, or every hour over a specific period. The
hour respects the UTC standard. This field is optional.
Minute A moment of the hour (00, 15, 30 or 45) or a frequency. The minute respects the UTC
standard. This field is optional.

12. Click on NEXT . The page Rule parameters opens.

13. Specify your GCP authentication details:
a. In the field Service account email, specify the account email address, the client_mail
of the JSON file.
b. In the field Service account private key, specify the corresponding private key, the
private_key of the JSON file.
c. In the field Token URI, https://oauth2.googleapis.com/token is already displayed.
14. Configure the VPC(s) you want to synchronize:
a. In the drop-down list Associated IPAM Space, select a space that can receive the GCP
data.
Note that within a space, networks and IP addresses cannot overlap. Each network has
a unique start and end address, and each IP address is unique.

321
 Managing Cloud Synchronization

b. In the field Project ID, you can specify the identifier of a GCP project containing the
VPC(s) to synchronize. It can be one or several IDs separated by a semi-colon as follows:
<project-id-1>;<project-id-2> or a regex, for instance /^my-sample-project-.*/.
If you leave the field empty, all the projects of the specified Service account email are
synchronized.
c. In the field VPC network name, you can specify the name of a VPC containing the
subnet(s) to synchronize. It can be one or several names separated by a semi-colon as
follows: <VPC-name-1>;<VPC-name-2> or a regex, for instance /^unique-vpc-name-.*/.
If you leave the field empty, all the VPCs of the specified Project ID are synchronized.
d. Once a VPC is configured, click on ADD . The entry is moved to the VPC networks list.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the
field(s) and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
e. Repeat these steps for as many VPCs as you want.
15. Click on OK to complete the operation. The report opens and closes. The rule is listed. To
make sure the synchronization is successful, refer to the section Checking the GCP Syn-
chronization in the IPAM.

Once the configuration is ready, keep in mind that the following behaviors can occur:
• If a GCP subnet is configured with a secondary IP range during a synchronization, it is possible
that only one network is added, the other one should be added at the next synchronization.
• If any object no longer exists in the cloud providers, any IPAM object added during a previous
synchronization is deleted after the next one.
• If an object is deleted from the IPAM during the synchronization, its children are deleted too.
• If a GCP subnet synchronization fails, the interfaces of its instances are ignored. Therefore,
an instance may be partially synchronized, only the interfaces belonging to a subnet successfully
synchronized are taken into account.

Note that you can edit the synchronization frequency, account details or VPC networks list of the
rule from its properties page. Any change triggers a new synchronization and can edit the content
of the space configured for the rule. If you delete a space, all synchronized objects are deleted
from the configured space.

Checking the GCP Synchronization in the IPAM

Once you configured the rule, you can go to the IPAM module to make sure the synchronization
is successful.

All synchronized information is available on the pages All networks and All addresses of the
configured space and on the properties page of the new objects.

On the page All networks, a set of Class param: columns are dedicated to GCP information.
Any user can display a list template containing these columns via the button List template,
on the right-end side of the menu. However, only users of the group admin can add or edit list
templates, for more details refer to the section Managing List Templates.

Keep in mind that manual operations are limited:

• You can edit or rename synchronized networks or IP addresses but your changes may be
overwritten during the next synchronization.

322
 Managing Cloud Synchronization

• You cannot unmanage synchronized networks.

• You cannot add IP addresses within synchronized networks.
• You can delete synchronized networks and IP addresses but they may be added again during
the next synchronization if they still exist in GCP database.

To check if the synchronization is successful in the IPAM

1. In the sidebar, go to IPAM > Spaces. The page All spaces opens.
2. In the column Name, click on the name of a space configured for the synchronization. The
page All networks opens.
3. In the column Name, the added networks are listed. The name of all networks is automatically
retrieved from the subnets in GCP.
4. In the breadcrumb, click on All addresses. The content of the networks is listed.
The Name of the gateway IP address of each GCP subnet is Gateway.
All other synchronized addresses are named after the parent instance of each interface. To
see the name of the interfaces within GCP, you can display the column GCP network inter-
face.

Some objects may be missing from either pages as the data listed depends on the synchronization:
• If a GCP subnet is configured with a secondary IP range during a synchronization, it is possible
that only one network is added, the other one should be added at the next synchronization.
• If any object no longer exists in the cloud providers, any IPAM object added during a previous
synchronization is deleted after the next one.
• If an object is deleted from the IPAM during the synchronization, its children are deleted too.
• If a GCP subnet synchronization fails, the interfaces of its instances are ignored. Therefore,
an instance may be partially synchronized, only the interfaces belonging to a subnet successfully
synchronized are taken into account.

On the properties page of synchronized objects, all GCP parameters you configured for the rule
are listed in the panel Ecosystem.

To check if the synchronization is successful on the properties page

1. In the sidebar, go to IPAM > Networks or Addresses. The pages open.
2. At the end of the line of the synchronized object of your choice, click on . The properties
page opens.
3. In the panel Ecosystem, all GCP parameters are listed.

On terminal network properties page, the panel contains VPC network, Project ID, VPC network
region, Subnet ID, Subnet unique ID and Sync ID. Note that the Subnet unique ID and Sync
ID are only used for synchronization purposes, they do not come from GCP.

On IP address properties page, the panel contains Instance ID, Network interface, the unique
instance name, Availability zone and parameters inherited from the terminal network.

Monitoring the Synchronization

You can monitor synchronization error messages through the service ipmserver, on the page
Syslog of the Administration module. For more details, refer to the section Managing the Logs.

Note that you can filter the page via the filter constructor of the column Log:

323
 Managing Cloud Synchronization

• To monitor AWS error messages, on one line you must select contains and specify the keyword
AWS, and on the second line you must select the filter parameter AND and then select contains
and specify the keyword Unable.
• To monitor Azure error messages, on one line you must select contains and specify the keyword
Azure, and on the second line you must select the filter parameter AND and then select contains
and specify the keyword Unable.
• To monitor GCP error messages, on one line you must select contains and specify the keyword
GCP, and on the second line you must select the filter parameter AND and then select contains
and specify the keyword Unable.

You can even add an alert dedicated to the synchronization. For more details, refer to the section
Managing Alerts.

Disabling Cloud Synchronization

You can disable the synchronization. You can either disable a synchronization rule, if you intent
to enable it again, or delete it altogether.

If you disable or delete a rule, the synchronized objects remain listed in the IPAM but are no
longer updated. Note that to delete all synchronized data from the IPAM, you should start with
IP addresses and follow the module hierarchy up to block-type networks.

To disable a rule
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Rules. The page Rules opens.
3. Filter the list through the column Rule# of your choice and hit Enter.
4. Tick the rule of your choice.
5. In the menu, select Edit > Disable. The wizard opens.
6. Click on OK to complete the operation. The report opens and closes. In the column Status,
the rule is marked Disabled.

To enable a rule again, follow the procedure above and select Enable. In the column Status,
the rule is marked Enabled.

To delete a rule
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Rules. The page Rules opens.
3. Filter the list through the Rule# of your choice and hit Enter.
4. Tick the rule of your choice.
5. In the menu, click on Delete. The wizard opens.
6. Click on OK to complete the operation. The report opens and closes. The rule is no longer
listed.

324
 Part VI. DHCP
The Dynamic Host Configuration Protocol (DHCP) is a network protocol which role is to automate the as-
signment of parameters to the clients connecting to the network, from a valid IP address to specific DHCP
options.

It allows to set up specific connection behaviors for current devices and new devices on the network. The
connection can be temporary, through dynamic addressing, or permanent, through fixed reservation. If
you want to import an existing DHCP configurations, refer to the part Imports and Exports.

The DHCP grants users access to the network following four steps:
1. Discovery: the DHCP client (host) broadcasts a DHCPDISCOVER packet on its physical subnet (usually
255.255.255.255) to discover the available DHCP servers;
2. Offer: all the available DHCP servers receiving the request respond to the host with a DHCPOFFER
packet containing their own IP address and valid connection settings, dynamic or fixed;
3. Request: the host sends a DHCPREQUEST packet to inform all the DHCP servers that offered an IP of
the acceptance. That packet includes the IP address of the DHCP server delivering access by the host,
the other servers can return the offered IP address to their pool of available addresses;
4. Acknowledge: the selected server sends all the configuration data to the host in a DHCPACK packet.

Discover
The client broadcasts a request for an IP address

Offer
The DHCP server offers an IP address

Request
The client broadcasts their IP address acceptance
DHCP client DHCP server
Acknowledge
The DHCP server confirms the IP address allocation

Figure 126. Representation of the DHCP IP address assignation process

The DHCP hierarchy can include up to 4 levels of organization. These levels depend on the connection
behaviors you set, dynamic addressing or fixed reservation:
• Servers: the highest level of the hierarchy. It allows to set up fixed reservation and/or dynamic addressing.
It can contain shared networks, scopes, groups, ranges, leases and/or statics. For more details, refer to
the chapter Managing DHCP Servers. One or several servers can be managed via a smart architecture
to ensure service availability and prevent data or configuration loss. For more details, refer to the chapters
Understanding DHCP Smart Architectures and Managing DHCP Smart Architectures.
• Groups: an optional level of fixed reservation that belongs to a server and contains static reservations.
It allows to apply specific DHCP options to the statics of your choice. For more details, refer to the chapter
Managing DHCP Groups.
• Shared networks: an optional level of the hierarchy. They allow different scopes to serve a common
network segment. In DHCPv6, they can contain prefix delegations. For more details, refer to the chapter
Managing DHCP Shared Networks.
• Scopes: the second level of the hierarchy. It can contain ranges for dynamic addressing or directly statics
for static allocation. For more details, refer to the chapter Managing DHCP Scopes.
• Ranges: the third level of the hierarchy for dynamic addressing. They contain the IP addresses that are
randomly allocated to hosts for a limited period of time, the leases. When the lease time expires, the address
is returned to the range and can be reallocated. Ranges can be configured with Access Control Lists
(ACLs) to restrict or authorize access to specific users. For more details, refer to the chapter Managing
DHCP Ranges.
• Leases: the lowest level of the hierarchy for dynamic addressing. Each lease is an IP address belonging
to a range that is currently being allocated or was allocated to a host, you can track the leases history.
For more details, refer to the chapter Managing DHCP Leases.
• Statics: the lowest level of the hierarchy for fixed reservation. Static reservation ensures that a host always
gets the same access details when they connect to the network. A static identifies a host using their MAC
address and always provides them with an IP address and/or a set of DHCP options. For more details,
refer to the chapter Managing DHCP Statics.

The DHCP module also provides:

• Failover channels. The synchronization mechanism between two DHCP servers managing IPv4 address-
ing. It prevents allocation conflicts and depending on the configuration, it also allows disaster recovery.
For more details, refer to the chapter Managing DHCP Failover Channels.
• DHCP ACLs. Two pages are dedicated to Access Control Lists (ACLs) and their entries. These ACLs
can be set at server level to restrict or authorize access to specific users. For more details, refer to the
chapter Managing DHCP ACLs and ACL Entries.
• DHCP options. They can be set on servers, groups, scopes, ranges and statics. If set on a container,
they are inherited. For more details, refer to the chapter Managing DHCP Options.
• IPv6 delegated prefixes. They can be set on servers and associated with a DHCP shared network. They
contain delegated prefixes that can be displayed on a dedicated listing page. For more details, refer to
the chapter Configuring DHCPv6 Prefix Delegation.
• Monitoring and Reporting. There are many ways for the reporting and monitoring of DHCP servers
traffic and activity. For more details, refer to the chapter Monitoring and Reporting DHCP Data.
• Automation of IPAM and DNS resources addition. The advanced properties allow to automate additions
in the IPAM or DNS when you add DHCP resources. For more details, refer to the chapter Managing
Advanced Properties.

Note that from the module Dashboards, you can monitor the module data or set up custom shortcuts and
search engines using gadgets. For more details, refer to the part Dashboards.
Table of Contents
23. Understanding DHCP Smart Architectures ................................................................ 330
Implementing DHCP Smart Architectures ............................................................... 331
DHCP Vendors Compatible with Smart Architectures ............................................... 334
Building a Highly Available Service With Smart Architectures ................................... 335
24. Managing DHCP Smart Architectures ....................................................................... 336
Browsing DHCP Smart Architectures ...................................................................... 336
Adding DHCPv4 Smart Architectures ..................................................................... 337
Adding DHCPv6 Smart Architectures ..................................................................... 344
Editing DHCP Smart Architectures ......................................................................... 348
Handling the Status Locked Synchronization ........................................................... 353
Exporting DHCP Smart Architectures ..................................................................... 355
Deleting DHCP Smart Architectures ....................................................................... 355
Defining DHCP Smart Architectures as Group Resources ........................................ 355
25. Managing DHCP Failover Channels .......................................................................... 356
DHCP Failover Principles and Operational States .................................................... 356
Browsing DHCP Failover Channels ........................................................................ 359
Switching DHCP Servers to Partner-down .............................................................. 362
Exporting DHCP Failover Channels ........................................................................ 363
26. Managing DHCP Servers ......................................................................................... 364
Browsing DHCP Servers ....................................................................................... 364
Managing EfficientIP DHCP Servers ....................................................................... 366
Managing Microsoft Windows DHCP Servers .......................................................... 371
Managing ISC DHCP Servers on Linux ................................................................... 377
Synchronizing DHCP Servers ................................................................................ 386
Editing DHCP Servers ........................................................................................... 386
Repairing Leases .................................................................................................. 387
Configuring DHCP Options at Server Level ............................................................. 387
Exporting DHCP Servers ....................................................................................... 389
Deleting DHCP Servers ......................................................................................... 389
Defining DHCP Servers as Group Resources ......................................................... 389
27. Managing DHCP Shared Networks ........................................................................... 390
Browsing Shared Networks .................................................................................... 390
Adding DHCP Shared Networks ............................................................................. 391
Editing DHCP Shared Networks ............................................................................. 391
Exporting Shared Networks ................................................................................... 392
Deleting DHCP Shared Networks ........................................................................... 392
28. Managing DHCP Scopes .......................................................................................... 393
Browsing DHCP Scopes ........................................................................................ 393
Adding DHCP Scopes ........................................................................................... 394
Editing DHCP Scopes ........................................................................................... 395
Configuring DHCP Options at Scope Level ............................................................. 396
Defining a Specific IPAM Space for a Scope ........................................................... 398
Defining a Specific Failover Channel for Scopes ...................................................... 398
Replicating Scope Data in the IPAM ....................................................................... 399
Configuring Multiple Scopes for a Network Segment ............................................... 400
Copying or Moving DHCPv4 Scopes ...................................................................... 401
Configuring DHCP Relay Agents ............................................................................ 401
Adding DHCP Scopes from the IPAM ..................................................................... 402
Updating DHCP Scopes from the IPAM .................................................................. 403
Exporting DHCP Scopes ....................................................................................... 403
Deleting DHCP Scopes ......................................................................................... 403

327
 DHCP

Defining DHCP Scopes as Group Resources .......................................................... 403

29. Managing DHCP Ranges ......................................................................................... 404
Browsing DHCP Ranges ........................................................................................ 404
Adding DHCP Ranges ........................................................................................... 405
Editing DHCP Ranges ........................................................................................... 408
Replicating Range Data in the IPAM ....................................................................... 409
Configuring DHCP Options at Range Level ............................................................. 410
Adding DHCP Ranges from the IPAM ..................................................................... 412
Exporting DHCP Ranges ....................................................................................... 412
Deleting DHCP Ranges ......................................................................................... 412
30. Managing DHCP Leases .......................................................................................... 413
Browsing DHCP Leases ........................................................................................ 413
Defining the DHCP Leases Duration ....................................................................... 416
Converting DHCPv4 Leases into Statics ................................................................. 417
Blacklisting DHCPv4 Leases .................................................................................. 418
Repairing DHCPv4 Leases at Server Level ............................................................. 419
Displaying the Relay Agent Information (Option 82) ................................................. 419
Adding IP Addresses from the Page All leases ........................................................ 420
Adding DNS Records from the Page All leases ....................................................... 420
Exporting DHCP Leases ........................................................................................ 420
Purging the DHCP Leases History ......................................................................... 420
Deleting DHCPv4 Leases ...................................................................................... 422
31. Managing DHCP ACLs and ACL Entries ................................................................... 423
Managing DHCP ACLs .......................................................................................... 424
Managing DHCP ACL Entries ................................................................................ 429
32. Managing DHCP Groups .......................................................................................... 432
Browsing DHCP Groups ........................................................................................ 432
Adding DHCP Groups ........................................................................................... 433
Configuring DHCP Options at Group Level ............................................................. 433
Exporting DHCP Groups ........................................................................................ 434
Deleting DHCP Groups ......................................................................................... 434
33. Managing DHCP Statics ........................................................................................... 435
Browsing DHCP Statics ......................................................................................... 436
Adding DHCP Statics ............................................................................................ 437
Editing DHCP Statics ............................................................................................ 440
Replicating Static Data in the IPAM ........................................................................ 440
Configuring DHCP Options at Static Level .............................................................. 441
Copying DHCPv4 Statics Without IP ....................................................................... 443
Adding DHCP Statics from the IPAM ...................................................................... 443
Exporting DHCP Statics ........................................................................................ 443
Deleting DHCP Statics .......................................................................................... 444
34. Managing DHCP Options ......................................................................................... 445
Browsing DHCP Options ........................................................................................ 446
Configuring DHCP Options .................................................................................... 447
Customizing DHCP Options ................................................................................... 448
Setting Advanced Option Configurations ................................................................. 451
Exporting DHCP Options ....................................................................................... 458
Deleting DHCP Options ......................................................................................... 459
35. Configuring DHCPv6 Prefix Delegation ..................................................................... 460
Prerequisites ........................................................................................................ 460
Specificities .......................................................................................................... 460
Limitations ............................................................................................................ 461
Managing DHCPv6 Prefix Delegations ................................................................... 461
Managing DHCPv6 Delegated Prefixes .................................................................. 463

328
 DHCP

36. Monitoring and Reporting DHCP Data ....................................................................... 465

Monitoring DHCP Servers from their Properties Page .............................................. 465
Monitoring DHCP Servers from the Page Analytics .................................................. 467
Monitoring DHCP Servers Using Rules ................................................................... 473
Generating DHCP Reports .................................................................................... 475

329
Chapter 23. Understanding DHCP Smart
Architectures
The DHCP can quickly become an essential piece of any network data organization. Once
properly set up, it is usually hardly noticed, silently and faithfully performing its duties, day in and
day out.

The DHCP clients' needs must be considered, including which DHCP options are supported by
the client's operating system and which options and values need to be assigned. In large-scale
DHCP implementations, the topology of the network becomes a very important factor.The network
topology dictates where DHCP servers and/or relay agents must be placed. A final consideration
is planning for fault tolerance.

To ensure that the DHCP service is available at all times and that you do not lose specific config-
urations if a DHCP server crashes, we strongly recommend that you manage physical servers
through smart architectures. To understand the possible configurations of your service availability,
refer to the section Building a Highly Available Service With Smart Architectures.

Smart architecture pre-built DHCP configurations including backup and failover features with
IPv4 addressing. Their implementation reduces the risk of misconfiguration.

There are several architectures and possible configurations to choose from both for DHCPv4
and DHCPv6. In DHCPv6, smart architectures simply provide a configuration backup.

For IPv4, four types smart architectures are available:

• One-to-One: in this DHCP configuration, two servers share the ranges of dynamic IP addresses.
• One-to-Many: this DHCP configuration is based on a central DHCP server with several peri-
pheral DHCP servers as backup.
• Split-Scope: two DHCP servers are running in active/active mode and distribute the ranges
management.
• Single-Server: this configuration manages one DHCP server. It provides a backup of the con-
figuration that is pushed onto a new DHCP server if ever the original server crashed or stopped
responding.

For IPv6, three types smart architectures are available:

• Single-Server: this configuration manages one DHCP server. It provides a backup of the con-
figuration that is pushed onto a new DHCP server if ever the original server crashed or stopped
responding.
• Split-Scope: two DHCP servers are running in active/active mode and distribute the ranges
management.
• Stateless: this configuration provides a number of options to the servers managed through the
architecture. The defined options, and not any other, are accessible to the DHCP clients. There
is no limitation in the number of DHCP servers managed as this mode only provides options.
Being based on DHCP options, stateless servers do not provide leases or include ranges or
statics.

SOLIDserver supports a set of vendors detailed in the section DHCP Vendors Compatible with
Smart Architectures.

330
 Understanding DHCP Smart
Architectures

Implementing DHCP Smart Architectures

We strongly recommend that you manage every DHCP server from a smart architecture. Indeed,
one of the main goals of this virtual management tool is to back up your configuration. If the
server(s) you are managing from the smart architecture were to crash, the architecture would
save the configuration and allow you to push it on some new server(s) automatically. In addition,
you can change the type of smart architecture and the physical server(s) it manages.

Unlike DHCPv4 architecture, DHCPv6 architectures have some limitations and specificities:
• The failover protocol is not available in IPv6. Thus, the page All failover channels in v6 is merely
a list linking servers through the defined ports. For more details, refer to the chapter Managing
DHCP Failover Channels.
• IPv6 addressing is only possible from the EfficientIP servers.
• DHCPv6 servers operate on an appliance running in IPv4.
• In IPv6 there is no compatibility with the numerous vendors providing IP addressing.

DHCPv4 One-to-One Smart Architecture

The DHCP One-to-One smart architecture allows you to quickly build a peer of two DHCP servers
managing IPV4 addresses with a pre-built high availability mechanism. When you implement the
One-to-One smart architecture, you drastically reduce the DHCP service downtime if one of your
DHCP servers is out of service.

DHCP DHCP
Master Backup

Figure 23.1. DHCPv4 One-to-One smart architecture

The One-to-One smart architecture allows two DHCP servers to share a range of common ad-
dresses. Should a server stop working, the second server would take over, depending on your
failover configuration. For more details regarding failover, refer to the section DHCP Failover
Principles and Operational States of the chapter Managing DHCP Failover Channels.

DHCPv4 One-to-Many Smart Architecture

Functionally, the DHCP One-to-Many smart architecture is a replication of several One-to-One
smart architectures, which is why it is only available for DHCP servers managing IPv4 addresses.
The One-to-Many smart architecture is based on a set of DHCP servers that are all linked to only
one Master DHCP server.

331
 Understanding DHCP Smart
Architectures

DHCP
Master
DHCP DHCP
Backup Backup

Figure 23.2. DHCPv4 One-to-Many smart architecture

This architecture is particularly relevant for organizations that have many sites and need to have
a dedicated DHCP service per site. It looks like a star configuration, where N DHCP servers, no
matter their location, share a failover channel with the central DHCP server of the smart architec-
ture: it is a N+1 servers configuration.

DHCPv4 Split-Scope Smart Architecture

The Split-Scope smart architecture allows you to share ranges between two EfficientIP DHCP
servers in an active/active configuration.You can define the proportion of IP addresses managed
by each server. One server is set as a master and the other one as a backup. The main goal of
this architecture is the availability of the services at all times thanks to the shared load.

Split-Scope Split-Scope
80% 20%

Figure 23.3. DHCPv4 Split-Scope smart architecture

There is no failover protocol between the two servers but being a smart architecture, the Split-
Scope provides a backup of the configuration: if anything were to happen to any of the managed
servers, installing them back to SOLIDserver would apply the smart architecture on both servers
again.

DHCPv4 Single-Server Smart Architecture

The Single-Server architecture provides a backup of the management configuration of any of the
available DHCP servers, EfficientIP, EfficientIP Package and Microsoft. Therefore, if it were to
crash, you could install it again and let SOLIDserver push automatically the smart architecture
configuration back onto your server.

332
 Understanding DHCP Smart
Architectures

Single
DHCP

Figure 23.4. DHCPv4 Single-Server smart architecture

DHCPv6 Single-Server Smart Architecture

The DHCPv6 Single-Server architecture only provides a backup of the management configuration
of an EfficientIP DHCP server. Therefore, if the physical server were to crash, you could install
it again and let SOLIDserver push automatically the smart architecture configuration back onto
your server.

Single
DHCP

DHCPv6

Figure 23.5. DHCPv6 Single-Server smart architecture

DHCPv6 Split-Scope Smart Architecture

The Split-Scope smart architecture allows you to share ranges between two EfficientIP DHCPv6
servers in an active/active configuration.You can define the proportion of IP addresses managed
by each server. One server is set as a master and the other one as a backup. The main goal of
this architecture is the availability of the services at all times thanks to the shared load.

Split-Scope Split-Scope
80% 20%

DHCPv6

Figure 23.6. DHCPv6 Split-Scope smart architecture

333
 Understanding DHCP Smart
Architectures

There is no failover protocol between the two servers but being a smart architecture, the Split-
Scope provides a backup of the configuration: if anything were to happen to any of the managed
servers, installing them back to SOLIDserver would apply the smart architecture on both servers
again.

DHCPv6 Stateless Smart Architecture

The Stateless smart architecture allows you to set up a number of options to the scopes of the
servers you manage. The DHCP clients have access to a set of options that you define for the
architecture. Which is why you can add as many servers as you need in this configuration.

There is no master or backup servers per se in this configuration. By default, they all are inde-
pendent master servers sharing the same options configuration.

Stateless

DHCPv6

Figure 23.7. DHCPv6 Stateless smart architecture

Keep in mind that the Stateless smart architecture only has an impact on the options available
to the DHCPv6 clients, therefore it is impossible to add ranges and static through this configuration.
In the same way, no leases are provided or managed.

DHCP Vendors Compatible with Smart Architectures

SOLIDserver supports a set of DHCP Servers Managing IPv4 Addressing. In DHCP Servers
Managing IPv6 Addressing, only EfficientIP servers are supported.

DHCP Servers Managing IPv4 Addressing

SOLIDserver appliances support both EfficientIP and other vendor DHCP servers, allowing you
to configure and deploy IP services across your distributed network and synchronize data updates
in real time from the GUI.

Table 23.1. DHCPv4 supported vendors

Smart Architecture
Vendor
One-to-One One-to-Many Split-Scope Single-Server
EfficientIP DHCP X X X X
EfficientIP DHCP Package X X X X
Microsoft (all types) X X X X

SOLIDserver supports almost all features delivered by each vendor but does not add additional
features at service level.Thus, limitations depend on each vendor. For instance, Microsoft Windows
DHCP services do not provide failover, so you cannot configure it from the appliance.

334
 Understanding DHCP Smart
Architectures

You can manage any supported vendor on one page from the GUI. SOLIDserver is an abstraction
layer that masks the specific processes of each DHCP vendor to network administrators. DHCP
services are not managed one server at a time but as a global service. It is possible to simultan-
eously configure Microsoft Windows running DHCP servers and Linux running ISC DHCP servers,
modify VoIP options on all DHCP servers or generate transversal reports to get an immediate
comprehensive understanding of network services configurations.

Each and every one of these servers can be managed by SOLIDserver smart architecture to
ease the management configuration and provide a backup of the chosen configuration. For more
details, refer to the chapter Managing DHCP Smart Architectures.

DHCP Servers Managing IPv6 Addressing

With DHCPv6 addressing, the choice is more limited. For now, you can only manage EfficientIP
DHCP servers but there are a number of architectures that allow you to manage either one or
several EfficientIP DHCP servers at once.

For more details, refer to the chapter Adding DHCPv6 Smart Architectures.

Building a Highly Available Service With Smart

Architectures
A way of maintaining DHCP service in case of a partial power loss or network outage is to set
up two DHCP servers and enable them to both serve the same network. You can set up each
server on different networks. In this case, if you lose connectivity or power on one network but
not the other, the DHCP service continues.

Two active DHCP servers cannot share an IP address pool since they have no way of knowing
with certainty which IP addresses are being distributed. Therefore, two active DHCP servers
cannot perform dynamic DHCP which is why scope splitting is necessary to separate IP address
ranges per server. This configuration, the Split-Scope, is available for both DHCPv4 and DHCPv6.

With a traditional active/passive pair of DHCP servers, if the active server fails, the network ad-
ministrator is required to manually turn on the passive DHCP server so that it can take over until
the initial active server is restored. DHCP High Availability with IP address scope splitting provides
failover but with the risk of meeting downtime as addresses are leased to more than one client
and have potential manual intervention to clean up the lease database. In order for two DHCP
servers to provide DHCP services for the same network segments, the servers must coordinate
their behavior. Each server must either know what the other is doing or be configured so that it
can operate without knowing what the other is doing. In order for each server to know what the
other is doing, the DHCP safe failover protocol can be implemented.

As the failover protocol is not available in DHCPv6, the DHCP Safe failover protocol is only
available for DHCPv4 servers.

335
Chapter 24. Managing DHCP Smart
Architectures
Once you determined the smart architecture(s) that suit your needs in the chapter Understanding
DHCP Smart Architectures, you can manage them.

From the page All servers, you can add, edit and delete DHCPv4 and DHCPv6 smart architectures.

Browsing DHCP Smart Architectures

Smart architectures are managed from the page All servers, listed like physical servers and
preceded by the icon . For more details, refer to the section Browsing DHCP Servers.

Browsing the Smart Architectures Database

To display the list of DHCP smart architectures
1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. To display or hide the physical server(s) managed by each smart architecture, on the right-
end side of the menu, click on .

In the column Name, all the smart architectures are preceded by the icon . They are listed with
the physical servers.

To display a DHCP smart architecture properties page

1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. At the end of the line of the smart architecture of your choice, click on . The properties
pages opens.

Understanding the Smart Architecture Statuses

The columns Sync and Status return status details on the smart architectures.

The column Status provides information on the configuration of each smart architecture.

Table 24.1. DHCP smart architecture statuses

Status Description
OK The smart architecture is operational.

Invalid settings The smart architecture does not contain any physical server, is missing one or sev-
eral physical servers or is not configured properly (it may contain objects incompatible
with at least one of the physical servers it manages).

The column Sync provides synchronization details on the exchanges between the smart archi-
tecture and its physical server(s).

Table 24.2. DHCP smart architecture synchronization statuses

Sync status Description
Synchronized The smart architecture has successfully synchronized the server(s) it manages.

336
 Managing DHCP Smart
Architectures

Sync status Description

Busy The smart architecture is synchronizing the server(s).

Locked synchronization The synchronizing failed, the smart architecture cannot send its configuration file to
the physical server(s) it manages. The configuration of one of its EfficientIP or Effi-
cientIP Package server is not viable. For more details, refer to the section Handling
the Status Locked Synchronization.

Adding DHCPv4 Smart Architectures

A smart architecture can be configured without DHCP servers. It allows you to add the architecture
that suits your needs before applying it to one or more DHCP servers. It also provides a backup
of the management configuration of the server it manages. If your DHCP server crashes, you
delete it and add a new one on which you apply the same architecture, SOLIDserver remembers
the former server's configuration and apply it to the new one.

With DHCPv4, there are four different kinds of smart architectures: One-to-One, One-to-Many,
Split-Scope and Single-Server. As for DHCPv6 smart architectures, SOLIDserver proposes the
Single-Server, Split-Scope and Stateless architectures. In the procedures below, we are going
to describe the configuration of the DHCP smart architectures with the DHCP servers they
manage, but you can go through the configuration without adding any server and do it later. For
more details, refer to the part Adding a DHCP Server into a Smart Architecture.

Once the configuration is completed, the DHCP smart architecture appears on the page All
servers as a server.

As you can see, the column Type mentions the kind of smart architecture applied, the DHCP
smart members column is marked N/A and for that reason, the server status is Invalid settings.

DHCPv4 One-to-One Smart Architecture

The One-to-One Smart Architecture allows you to set up a failover channel between two DHCP
servers, one is set as master server and the other one as backup. Note that, if the master server
crashes, you have to manually set up the partner-down mode to reclaim the available IP addresses,
refer to the section Operating in Partner-down State in the chapter Managing Failover Channels.
This architecture also provides a shared management of the leases that you can configure ac-
cording to your needs.

To add a DHCPv4 One-to-One smart architecture

1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. In the menu, select Add > Server > Smart architecture. The wizard Add a DHCP
server opens.
3. If custom classes are enabled at server level, in the list DHCP server class select a class
or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
4. Fill in the fields according to the table below:

Table 24.3. DHCP smart architecture basic parameters

Parameter Description
DHCP server name The name of the server, it must have a valid FQDN. This field is required.

337
 Managing DHCP Smart
Architectures

Parameter Description
Isolated Tick the box Isolated if you want to isolate the server within SOLIDserver. This
prevents the server, and its content, from executing any configured replication
rule or advanced property. The server still receives data if your network config-
uration allows it.
This field is optional and mainly useful during migrations. When the server con-
figuration is ready and you untick the box, you must manually execute the rules
and/or advanced properties, at all relevant levels of the module hierarchy, via
the menu Tools > Initialize rules.
Description A description, it is returned in the corresponding column on the page All servers.
This field is optional.
Advanced properties Default is selected, so only the fields/options included in the wizard default display
are visible. This field is optional.
You can display All available fields, but you may not be able configure them. For
more details, refer to the relevant module section in the chapter Managing Ad-
vanced Properties.

5. Click on NEXT . The next page opens.

6. In the list DHCP smart architecture, select One-to-One.

DHCP DHCP
Master Backup

Figure 24.1. DHCPv4 One-to-One smart architecture

7. Click on NEXT . The next page opens.

8. In the list Available DHCP servers, you can select one by one the two DHCP servers that
you want to manage through the smart architecture.
9. Click on . The selected server is moved to the list Selected DHCP servers. Repeat these
actions for the second server.
10. Click on NEXT . The next page opens.
11. In the drop-down list Master DHCP server, select the Master server in the smart architecture
configuration.
12. Click on NEXT . The last page opens.
13. Configure the failover channel between the servers of the smart architecture.

Table 24.4. DHCPv4 One-to-One failover parameters

Parameter Description
Peering name The name of the failover channel. By default, it is named failover-<architec-
ture.name>, you can edit it. This field is required.
Failover port The number of the port on the master server dedicated to the failover. By default,
the port 847 is used. This field is optional.
Failover peer port The number of the port on the backup server dedicated to the failover. By default,
the port 647 is used. This field is optional.

338
 Managing DHCP Smart
Architectures

Parameter Description
Maximum client lead time The MCLT of your choice for the failover channel, a value between 0 and 65535
(MCLT) seconds. By default it is set to 0, and uses the MCLT set on the appliance. This
field is optional.
The parameter MCLT allows to specify for how long each DHCP server can ex-
tend the lease of a client, beyond the time known by its partner server.
Automatic switch to part- The amount of time after which a failover channel in Communications-interrupted
ner-down delay (in hours) state should automatically switch to Partner-down, a value between 4 and 65535
hours. By default, it is disabled and set to 0. This field is optional.
Peer DHCP server The name of the backup server. This field is grayed out.
Split leases The distribution of the leases among the servers of the smart architecture, either
Balanced, Prefer backup or Prefer master. By default, Balanced is selected. This
field is optional.
Balanced The leases are delivered to the clients by both servers equally.
Prefer backup The leases are delivered to the clients by the backup server only.
Prefer master The leases are delivered to the clients by the master server only.

14. Click on OK to complete the operation. The report opens and closes. The smart architecture
is listed as a DHCP server and marked Smart (one-to-one) in the column Type. To display
or hide the physical servers managed through the smart architecture click on on the right-
end side of the menu.

DHCPv4 One-to-Many Smart Architecture

The One-to-Many Smart Architecture, which is basically a star network topology of the DHCP
servers of your choice, allows you to set up several failover channels between one master server
and at least two backup servers to be used as backup. You actually can include as many servers
as you want in this configuration as long as there are no power limitations or overload of the
equipment managing the flow of information between the servers. This architecture also provides
a shared management of the leases that you can configure according to your needs.

To add a DHCPv4 One-to-Many smart architecture

1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. In the menu, select Add > Server > Smart architecture. The wizard Add a DHCP
server opens.
3. If custom classes are enabled at server level, in the list DHCP server class select a class
or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
4. Fill in the fields according to the table below:

Table 24.5. DHCP smart architecture basic parameters

Parameter Description
DHCP server name The name of the server, it must have a valid FQDN. This field is required.
Isolated Tick the box Isolated if you want to isolate the server within SOLIDserver. This
prevents the server, and its content, from executing any configured replication
rule or advanced property. The server still receives data if your network config-
uration allows it.
This field is optional and mainly useful during migrations. When the server con-
figuration is ready and you untick the box, you must manually execute the rules

339
 Managing DHCP Smart
Architectures

Parameter Description
and/or advanced properties, at all relevant levels of the module hierarchy, via
the menu Tools > Initialize rules.
Description A description, it is returned in the corresponding column on the page All servers.
This field is optional.
Advanced properties Default is selected, so only the fields/options included in the wizard default display
are visible. This field is optional.
You can display All available fields, but you may not be able configure them. For
more details, refer to the relevant module section in the chapter Managing Ad-
vanced Properties.

5. Click on NEXT . The next page opens.

6. In the list DHCP smart architecture, select One-to-Many.

DHCP
Master
DHCP DHCP
Backup Backup

Figure 24.2. DHCPv4 One-to-Many smart architecture

7. Click on NEXT . The next page opens.

8. In the list Available DHCP servers, you can select one by one the DHCP servers to manage
via the smart architecture. Ideally, it should manage at least three DHCP servers.
9. Click on . The selected server is moved to the list Selected DHCP servers. Repeat these
actions as many times as needed.
10. Click on NEXT . The next page opens.
11. In the drop-down list Master DHCP server, select the Master server in the smart architecture
configuration.
12. Click on NEXT . The last page opens.
13. At the bottom of the page, in the list DHCP peering assignment, select the default failover
channel named Peering: failover-<smart_server_name> on DHCP ().
a. Configure the failover channel between the master server and the first backup server.

Table 24.6. DHCPv4 One-to-Many failover parameters

Field Description
Peering name The name of the failover channel. By default, it is named failover-<architec-
ture.name>, you can edit it. This field is required.
Failover port The number of the port on the master server dedicated to the failover. By
default, the port 847 is used, you can only use it once. This field is optional.
Failover peer port The number of the port on the backup servers dedicated to the failover. By
default the port 647 is used, you can use it on each backup server if you
want. This field is optional.

340
 Managing DHCP Smart
Architectures

Field Description
Maximum client lead The MCLT of your choice for the failover channel, a value between 0 and
time (MCLT) 65535 seconds. By default it is set to 0, and uses the MCLT set on the appli-
ance. This field is optional.
The parameter MCLT allows to specify for how long each DHCP server can
extend the lease of a client, beyond the time known by its partner server.
Automatic switch to part- The amount of time after which a failover channel in Communications-inter-
ner-down delay (in rupted state should automatically switch to Partner-down, a value between
hours) 4 and 65535 hours. By default, it is disabled and set to 0. This field is optional.
Peer DHCP server The backup server of your choice for this failover. By default, None is selec-
ted. This field is optional.
Split leases The distribution of the leases among the servers of the smart architecture,
either Balanced, Prefer backup or Prefer master. By default, Balanced is
selected. This field is optional.
Balanced The leases are delivered to the clients by both servers
equally.
Prefer backup The leases are delivered to the clients by the backup server
only.
Prefer master The leases are delivered to the clients by the master server
only.

b. Click on UPDATE to save your configuration. The failover details are moved to the list
DHCP peering assignment.
14. Configure the remaining failover channels.
a. Follow the table One-to-Many failover parameters to configure the failover between the
master and each backup server.
b. Click on ADD to save your configuration. The failover details are moved to the list DHCP
peering assignment.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the
field(s) and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
c. Repeat these steps for as many failover channels as needed. There should be a failover
channel between each backup server and the master.
15. Click on OK to complete the operation. The report opens and closes. The smart architecture
is listed as a DHCP server and marked Smart (one-to-many) in the column Type. To display
or hide the physical servers managed through the smart architecture click on on the right-
end side of the menu.

DHCPv4 Split-Scope Smart Architecture

The Split-Scope Smart Architecture allows you to distribute the management of ranges (and
therefore leases) between two DHCP servers. They are set in an active/active configuration that
ensures availability of the services at all times: if one server fails, the other can still lease IP ad-
dresses to the clients. You can actually choose the proportion of IP addresses (in percent)
managed by each one of them.

To add a DHCPv4 Split-Scope smart architecture

1. In the sidebar, go to DHCP > Servers. The page All servers opens.

341
 Managing DHCP Smart
Architectures

2. In the menu, select Add > Server > Smart architecture. The wizard Add a DHCP
server opens.
3. If custom classes are enabled at server level, in the list DHCP server class select a class
or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
4. Fill in the fields according to the table below:

Table 24.7. DHCP smart architecture basic parameters

Parameter Description
DHCP server name The name of the server, it must have a valid FQDN. This field is required.
Isolated Tick the box Isolated if you want to isolate the server within SOLIDserver. This
prevents the server, and its content, from executing any configured replication
rule or advanced property. The server still receives data if your network config-
uration allows it.
This field is optional and mainly useful during migrations. When the server con-
figuration is ready and you untick the box, you must manually execute the rules
and/or advanced properties, at all relevant levels of the module hierarchy, via
the menu Tools > Initialize rules.
Description A description, it is returned in the corresponding column on the page All servers.
This field is optional.
Advanced properties Default is selected, so only the fields/options included in the wizard default display
are visible. This field is optional.
You can display All available fields, but you may not be able configure them. For
more details, refer to the relevant module section in the chapter Managing Ad-
vanced Properties.

5. Click on NEXT . The next page opens.

6. In the list DHCP smart architecture, select Split-Scope.

Split-Scope Split-Scope
80% 20%

Figure 24.3. DHCPv4 Split-Scope smart architecture

7. Click on NEXT . The next page opens.

8. In the list Available DHCP servers, you can select one by one the two DHCP servers if
want to manage through the smart architecture.
9. Click on . The selected server is moved to the list Selected DHCP servers. Repeat these
actions for the second server.
10. Click on NEXT . The next page opens.
11. In the drop-down list Master DHCP server, select the Master server in the smart architecture
configuration.

342
 Managing DHCP Smart
Architectures

12. In the field Distribution ratio (in percent), specify the ratio of IP ranges to be managed by
the Master DHCP server you just selected. By default, 80 is proposed, meaning that the re-
maining 20% are listed and managed by the backup server.
13. Click on OK to complete the operation. The report opens and closes. The smart architecture
is listed as a DHCP server and marked Smart (split-scope) in the column Type. To display
or hide the physical servers managed through the smart architecture click on on the right-
end side of the menu.
Note that a virtual failover channel is automatically added with the smart architecture, it is
named failover-<smart_architecture_name> and listed on the page All failover channels.

DHCPv4 Single-Server Smart Architecture

The Single-Server Smart Architecture allows you to manage one single DHCP server that provides
a backup. If the DHCP server crashes, the smart architecture configuration is saved and automat-
ically applied to the new DHCP server managed through the Single-Server smart architecture.

To add a DHCPv4 Single-Server smart architecture

1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. In the menu, select Add > Server > Smart architecture. The wizard Add a DHCP
server opens.
3. If custom classes are enabled at server level, in the list DHCP server class select a class
or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
4. Fill in the fields according to the table below:

Table 24.8. DHCP smart architecture basic parameters

Parameter Description
DHCP server name The name of the server, it must have a valid FQDN. This field is required.
Isolated Tick the box Isolated if you want to isolate the server within SOLIDserver. This
prevents the server, and its content, from executing any configured replication
rule or advanced property. The server still receives data if your network config-
uration allows it.
This field is optional and mainly useful during migrations. When the server con-
figuration is ready and you untick the box, you must manually execute the rules
and/or advanced properties, at all relevant levels of the module hierarchy, via
the menu Tools > Initialize rules.
Description A description, it is returned in the corresponding column on the page All servers.
This field is optional.
Advanced properties Default is selected, so only the fields/options included in the wizard default display
are visible. This field is optional.
You can display All available fields, but you may not be able configure them. For
more details, refer to the relevant module section in the chapter Managing Ad-
vanced Properties.

5. Click on NEXT . The next page opens.

6. In the list DHCP smart architecture, select Single-Server.

343
 Managing DHCP Smart
Architectures

Single
DHCP

Figure 24.4. DHCPv4 Single-Server smart architecture

7. Click on NEXT . The next page opens.

8. In the list Available DHCP servers, select the DHCP server that you want to manage through
the smart architecture.
9. Click on . The selected server is moved to the list Selected DHCP servers.
10. Click on OK to complete the operation. The report opens and closes. The smart architecture
is listed as a DHCP server and marked Smart (single-server) in the column Type. To display
or hide the physical servers managed through the smart architecture click on on the right-
end side of the menu.
Note that a virtual failover channel is automatically added with the smart architecture, it is
named failover-<smart_architecture_name> and listed on the page All failover channels.

Adding DHCPv6 Smart Architectures

A smart architecture can manage IPv6 addresses and just like DHCPv4 can be configured without
DHCP servers. Note that, with a DHCP v6 smart architecture, you still apply your configuration
to a DHCP server managed on a SOLIDserver appliance running on an IPv4 address.

With DHCPv6, there are three different kinds of smart architectures: Single-Server, Split-Scope
and Stateless. In the procedures below, we are going to describe the configuration of DHCPv6
smart architectures with DHCP servers but you can go through the configuration without adding
any server and do it later. For more details, refer to the part Adding a DHCP Server into a Smart
Architecture.

DHCPv6 Single-Server Smart Architecture

The Single-Server Smart Architecture has the same advantages in DHCPv6 and DHCPv4, it allows
you to manage one single DHCP server that provides a backup. If the DHCP server crashes, the
smart architecture configuration is saved and automatically applied to the new DHCP server
managed through the Single-Server smart architecture.

To add a DHCPv6 Single-Server smart architecture

1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. In the menu, select Add > Server (v6) > Smart architecture. The wizard Add a DHCPv6
server opens.
3. If custom classes are enabled at server level, in the list DHCP server class select a class
or None.
Click on NEXT . The next page opens.

344
 Managing DHCP Smart
Architectures

If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
4. Fill in the fields according to the table below:

Table 24.9. DHCP smart architecture basic parameters

Parameter Description
DHCP server name The name of the server, it must have a valid FQDN. This field is required.
Isolated Tick the box Isolated if you want to isolate the server within SOLIDserver. This
prevents the server, and its content, from executing any configured replication
rule or advanced property. The server still receives data if your network config-
uration allows it.
This field is optional and mainly useful during migrations. When the server con-
figuration is ready and you untick the box, you must manually execute the rules
and/or advanced properties, at all relevant levels of the module hierarchy, via
the menu Tools > Initialize rules.
Description A description, it is returned in the corresponding column on the page All servers.
This field is optional.
Advanced properties Default is selected, so only the fields/options included in the wizard default display
are visible. This field is optional.
You can display All available fields, but you may not be able configure them. For
more details, refer to the relevant module section in the chapter Managing Ad-
vanced Properties.

5. Click on NEXT . The next page opens.

6. In the list DHCP smart architecture, select Single server.

Single
DHCP

DHCPv6

Figure 24.5. DHCPv6 Single-Server smart architecture

7. Click on NEXT . The next page opens.

8. In the list Available DHCP servers, select the DHCPv6 server that you want to manage
through the smart architecture.
9. Click on . The selected server is moved to the list Selected DHCP servers.
10. Click on OK to complete the operation. The report opens and closes. The smart architecture
is listed as a DHCP server and marked Smart (single-server) in the column Type. To display
or hide the physical servers managed through the smart architecture click on on the right-
end side of the menu.
Note that a virtual failover channel is automatically added with the smart architecture, it is
named failover-<smart_architecture_name> and listed on the page All failover channels.

345
 Managing DHCP Smart
Architectures

DHCPv6 Split-Scope Smart Architecture

The Split-Scope Smart Architecture allows you to distribute ranges of IP addresses between two
DHCP servers. The active/active configuration ensures availability of the leasing service to clients.
You can actually choose the proportion of IP addresses (in percent) managed by each one of
them.

To add a DHCPv6 Split-Scope smart architecture

1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. In the menu, select Add > Server (v6) > Smart architecture. The wizard Add a DHCPv6
server opens.
3. If custom classes are enabled at server level, in the list DHCP server class select a class
or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
4. Fill in the fields according to the table below:

Table 24.10. DHCP smart architecture basic parameters

Parameter Description
DHCP server name The name of the server, it must have a valid FQDN. This field is required.
Isolated Tick the box Isolated if you want to isolate the server within SOLIDserver. This
prevents the server, and its content, from executing any configured replication
rule or advanced property. The server still receives data if your network config-
uration allows it.
This field is optional and mainly useful during migrations. When the server con-
figuration is ready and you untick the box, you must manually execute the rules
and/or advanced properties, at all relevant levels of the module hierarchy, via
the menu Tools > Initialize rules.
Description A description, it is returned in the corresponding column on the page All servers.
This field is optional.
Advanced properties Default is selected, so only the fields/options included in the wizard default display
are visible. This field is optional.
You can display All available fields, but you may not be able configure them. For
more details, refer to the relevant module section in the chapter Managing Ad-
vanced Properties.

5. Click on NEXT . The next page opens.

6. In the list DHCP smart architecture, select Split-Scope.

Split-Scope Split-Scope
80% 20%

DHCPv6

Figure 24.6. DHCPv6 Split-Scope smart architecture

346
 Managing DHCP Smart
Architectures

7. Click on NEXT . The next page opens.

8. In the list Available DHCP servers, you can select one by one the two DHCP servers if
want to manage through the smart architecture.
9. Click on . The selected server is moved to the list Selected DHCP servers. Repeat these
actions for the second server.
10. Click on NEXT . The next page opens.
11. In the drop-down list Master DHCP server, select the Master server in the smart architecture
configuration.
12. In the field Distribution ratio (in percent), specify the ratio of IP ranges to be managed by
the Master DHCP server you just selected. By default, 80 is proposed, meaning that the re-
maining 20% are listed and managed by the backup server.
13. Click on OK to complete the operation. The report opens and closes. The smart architecture
is listed as a DHCP server and marked Smart (split-scope) in the column Type. To display
or hide the physical servers managed through the smart architecture click on on the right-
end side of the menu.
Note that a virtual failover channel is automatically added with the smart architecture, it is
named failover-<smart_architecture_name> and listed on the page All failover channels.

DHCPv6 Stateless Smart Architecture

The Stateless Smart Architecture allows you to set up a number of options to the scopes of the
servers you choose to manage. The clients then have access to the options defined in the archi-
tecture. Keep in mind that you cannot add ranges and statics or provide leases in a stateless
architecture.

To add a DHCPv6 Stateless smart architecture

1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. In the menu, select Add > Server (v6) > Smart architecture. The wizard Add a DHCPv6
server opens.
3. If custom classes are enabled at server level, in the list DHCP server class select a class
or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
4. Fill in the fields according to the table below:

Table 24.11. DHCP smart architecture basic parameters

Parameter Description
DHCP server name The name of the server, it must have a valid FQDN. This field is required.
Isolated Tick the box Isolated if you want to isolate the server within SOLIDserver. This
prevents the server, and its content, from executing any configured replication
rule or advanced property. The server still receives data if your network config-
uration allows it.
This field is optional and mainly useful during migrations. When the server con-
figuration is ready and you untick the box, you must manually execute the rules
and/or advanced properties, at all relevant levels of the module hierarchy, via
the menu Tools > Initialize rules.
Description A description, it is returned in the corresponding column on the page All servers.
This field is optional.

347
 Managing DHCP Smart
Architectures

Parameter Description
Advanced properties Default is selected, so only the fields/options included in the wizard default display
are visible. This field is optional.
You can display All available fields, but you may not be able configure them. For
more details, refer to the relevant module section in the chapter Managing Ad-
vanced Properties.

5. Click on NEXT . The next page opens.

6. In the list DHCP smart architecture, select Stateless.

Stateless

DHCPv6

Figure 24.7. DHCPv6 Stateless smart architecture

7. Click on NEXT . The next page opens.

8. In the list Available DHCP servers, you can select one by one as many DHCP servers as
you want.
9. Click on . The selected server is moved to the list Selected DHCP servers. Repeat these
actions as many times as needed.
10. Click on OK to complete the operation. The report opens and closes. The smart architecture
is listed as a DHCP server and marked Smart (stateless) in the column Type. To display
or hide the physical servers managed through the smart architecture click on on the right-
end side of the menu.
Note that a virtual failover channel is automatically added with the smart architecture, it is
named failover-<smart_architecture_name> and listed on the page All failover channels.

Editing DHCP Smart Architectures

You can edit smart architectures to change the servers they manages, edit the server roles,
change the smart architecture type or convert a server into a smart architecture.

Adding a DHCP Server into a Smart Architecture

Once a smart architecture is properly configured and applied, you can add DHCP servers
whenever you want. First, to add a DHCP server, refer to the section Managing DHCP Servers.
According to the DHCP smart architecture chosen, if you do not complete the architecture with
all the necessary servers, the smart architecture may not work properly. Make sure that you have
added all the necessary DHCP servers into the smart architecture.

When you add one or more DHCP servers into a smart architecture, the smart data is
automatically replicated from the architecture to the DHCP servers it manages. So if the
smart architecture is empty (first use), the DHCP server added is totally overwritten.

348
 Managing DHCP Smart
Architectures

To add a DHCP server into DHCP smart architecture

1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. At the end of the line of the smart architecture of your choice, click on . The properties
page opens.
3. In the panel Main properties, click on EDIT . The wizard Edit a DHCP server or Edit a DH-
CPv6 server opens.
4. If custom classes are enabled at server level, in the list DHCP server class select a class
or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. In the list DHCP server type, make sure DHCP smart architecture is selected. Click on NEXT .
The Manage a DHCP server page opens.
6. You can edit the smart architecture basic parameters if need be.

Table 24.12. DHCP smart architecture basic parameters

Parameter Description
DHCP server name The name of the server, it must have a valid FQDN. This field is required.
Isolated Tick the box Isolated if you want to isolate the server within SOLIDserver. This
prevents the server, and its content, from executing any configured replication
rule or advanced property. The server still receives data if your network config-
uration allows it.
This field is optional and mainly useful during migrations. When the server con-
figuration is ready and you untick the box, you must manually execute the rules
and/or advanced properties, at all relevant levels of the module hierarchy, via
the menu Tools > Initialize rules.
Description A description, it is returned in the corresponding column on the page All servers.
This field is optional.
Advanced properties Default is selected, so only the fields/options included in the wizard default display
are visible. This field is optional.
You can display All available fields, but you may not be able configure them. For
more details, refer to the relevant module section in the chapter Managing Ad-
vanced Properties.

7. Click on NEXT . The next page opens.

8. In the list DHCP smart architecture, modify the type of your DHCP smart architecture if
need be. Click on NEXT . The next page opens.
9. In the list Available DHCP servers, select a server to add in the smart architecture and click
on . The server has been moved to the list Selected DHCP servers. Repeat this action
for as many servers as needed. You can remove any of them from the selected servers list
by clicking on .
10. For a Single-Server smart architecture, go to the last step of this procedure. Otherwise, click
on NEXT . The next page opens.
11. In the drop-down list Master DHCP server, edit the master server if need be.
12. For a Split-Scope architecture, in the field Distribution ratio (in percent), specify the ratio
of IP ranges to be managed by the selected Master DHCP server, the rate is managed by
the backup server.
13. If need be, edit the existing failover ports and split leases parameters between the master
and backup servers.

349
 Managing DHCP Smart
Architectures

14. Click on OK to complete the operation. The report opens and closes. To display or hide the
physical servers managed through the smart architecture click on on the right-end side
of the menu. The DHCP Smart members column of the smart architecture displays the
name of the new master server between brackets next to the name of the other backup
servers.

Removing a DHCP Server from a Smart Architecture

Whenever you want, you can remove one or more DHCP servers from a DHCP smart architecture.
When you remove one, the configuration applied on this server is conserved on the DHCP
server previously removed.

To remove a DHCP server from a smart architecture

1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. At the end of the line of the smart architecture of your choice, click on . The properties
page opens.
3. In the panel Main properties, click on EDIT . The wizard Edit a DHCP server or Edit a DH-
CPv6 server opens.
4. If custom classes are enabled at server level, in the list DHCP server class select a class
or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. Click on NEXT . The next page opens.
6. Click on NEXT . The next page opens.
7. The servers managed by the smart architecture are listed in the list Selected DHCP servers.
You can remove any of them by clicking on . The server(s) is moved to the list Available
DHCP servers.
8. For a Single-Server smart architecture, go to the last step of this procedure. Otherwise, click
on NEXT . The next page opens.
9. If the smart architecture is still managing servers, in the list Master DHCP server change
the master server if need be. Click on NEXT . The next page opens.
10. If the smart architecture is still managing servers, edit the failover ports on each server and/or
the split leases parameters if need be.
11. Click on OK to complete the operation. The report opens and closes. The servers that have
been removed are listed as DHCP servers of whatever kind in the list Type. If your smart
architecture is still managing physical servers, you can display or hide them using the button
on the right-end side of the menu.

Changing the DHCP Server Roles within a Smart Architecture

You can change the role of DHCP servers within a smart architecture. For instance, you can
change a master server into a slave server within a One-to-One smart architecture at any given
time.

To change the role of DHCP servers within a smart architecture

1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. At the end of the line of the smart architecture of your choice, click on . The properties
page opens.

350
 Managing DHCP Smart
Architectures

3. In the panel Main properties, click on EDIT . The wizard Edit a DHCP server or Edit a DH-
CPv6 server opens.
4. If custom classes are enabled at server level, in the list DHCP server class select a class
or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. Click on NEXT . The page Manage a DHCP server opens.
6. Click on NEXT . The next page opens.
7. Click on NEXT . The next page opens.
8. The servers managed by the smart architecture are listed in the list Selected DHCP servers.
You can remove any of them and add a new one by clicking on or . The server(s) is
moved accordingly between the lists Selected DHCP servers and Available DHCP servers.
9. For a Single-Server smart architecture, go to the last step of this procedure. Otherwise, click
on NEXT . The next page opens.
10. In the drop-down list Master DHCP server, select the master server.
11. For a Split-Scope architecture, in the field Distribution ratio (in percent), specify the ratio
of IP ranges to be managed by the selected Master DHCP server, the rate is managed by
the backup server.
12. If need be, edit the existing failover ports and split leases parameters between the master
and backup servers.
13. Click on OK to complete the operation. The report opens and closes. To display or hide the
physical servers managed through the smart architecture click on on the right-end side
of the menu. The column DHCP Smart members of the smart architecture displays the
name of the new master server between brackets next to the name of the other backup
servers.

Changing the Type of a DHCP Smart Architecture

You can change the type of a smart architecture while keeping all DHCP configuration and data
you already set. For instance, you already have a DHCP smart architecture configured in One-
to-One that includes two DHCP servers -one in master and the other in slave- and you plan to
change your smart architecture type into Split-Scope. By editing the smart architecture, you can
change its type and configure the role of servers.

To edit the type of a DHCP smart architecture

1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. At the end of the line of the smart architecture of your choice, click on . The properties
page opens.
3. In the panel Main properties, click on EDIT . The wizard Edit a DHCP server or Edit a DH-
CPv6 server opens.
4. If custom classes are enabled at server level, in the list DHCP server class select a class
or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. In the list DHCP server type, make sure DHCP smart architecture is selected. Click on NEXT .
The Manage a DHCP server page opens.

351
 Managing DHCP Smart
Architectures

6. You can edit the smart architecture basic parameters if need be.

Table 24.13. DHCP smart architecture basic parameters

Parameter Description
DHCP server name The name of the server, it must have a valid FQDN. This field is required.
Isolated Tick the box Isolated if you want to isolate the server within SOLIDserver. This
prevents the server, and its content, from executing any configured replication
rule or advanced property. The server still receives data if your network config-
uration allows it.
This field is optional and mainly useful during migrations. When the server con-
figuration is ready and you untick the box, you must manually execute the rules
and/or advanced properties, at all relevant levels of the module hierarchy, via
the menu Tools > Initialize rules.
Description A description, it is returned in the corresponding column on the page All servers.
This field is optional.
Advanced properties Default is selected, so only the fields/options included in the wizard default display
are visible. This field is optional.
You can display All available fields, but you may not be able configure them. For
more details, refer to the relevant module section in the chapter Managing Ad-
vanced Properties.

7. Click on NEXT . The next page opens.

8. In the list DHCP smart architecture, select a different smart architecture type.
9. Click on NEXT . The next page opens.
10. If your smart architecture manages servers, they are listed in the list Selected DHCP servers.
You can select them one by on and click on . They are moved to the list Selected DHCP
servers.
11. For a Single-Server smart architecture, go to the last step of this procedure.
12. For any other smart architecture type, click on NEXT . The next page opens.
a. In the drop-down list Master DHCP server, select the Master server in the smart archi-
tecture configuration.
b. For a Split-Scope architecture, in the field Distribution ratio (in percent), specify the
ratio of IP ranges to be managed by the selected Master DHCP server. The rest is
managed by the backup server.
c. If need be, edit the existing failover ports and split leases parameters between the
master and backup servers. For more details, refer to the relevant procedure of the
section Adding DHCPv4 Smart Architectures or Adding DHCPv6 Smart Architectures.
13. Click on OK to complete the operation. The report opens and closes. The column Type dis-
plays the modification you performed on the smart architecture.

Converting a DHCP Server into a Smart Architecture

You can convert DHCP servers into smart architectures to automatically apply the current config-
uration of the server on a smart architecture without having to manually configure each setting.

Note that, during the conversion of Microsoft servers, any DHCPv4 scope not belonging to a
shared network automatically adds a shared network. Each new shared network is named after
a scope start_address/prefix.

Keep in mind that once you converted a server, it is no longer listed on the page All servers.
Therefore:

352
 Managing DHCP Smart
Architectures

• You must add it again to manage it, for more details refer to the section Adding EfficientIP
DHCP Servers.
• Once it is listed on the page again, if you want to manage it from the new smart architecture,
you must edit the architecture as detailed in the section Adding a DHCP Server into a Smart
Architecture.

To convert a DHCP server into a smart architecture

1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. Right-click over the Name of the server of your choice. The contextual menu appears.
3. Click on Edit. The wizard Edit a DHCP server or Edit a DHCPv6 server opens.
4. If custom classes are enabled at server level, in the list DHCP server class select a class
or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. In the list DHCP server type, select DHCP smart architecture.
6. Click on NEXT . The next page opens. It displays the server details.
7. Click on NEXT . The next page opens.
8. In the field DHCP smart architecture, select the DHCP or DHCPv6 smart architecture of
your choice.
9. Click on NEXT . The next page opens.
10. In the list Available DHCP servers, you can select one by one the DHCP server(s) that you
want to manage and click on . The selected server is moved to the list Selected DHCP
servers. Depending on the architecture you selected, repeat this action for any additional
server.
If you are converting the server into a Single-Server or Stateless smart architecture, go to
the last step of this procedure.
11. Click on NEXT . The last page opens.
a. For a conversion to One-to-One smart architecture, you can configure the failover
channel with a specific Failover port, Failover peer port, Automatic switch to partner-
down delay and Split lease distribution.
b. For a conversion to One-to-Many smart architecture, you can configure the failover
channels listed in the field DHCP peering assignments. Select them one by one to load
their details in the fields and click on UPDATE to save your changes.
If you are converting a Microsoft server, you cannot have more than 31 failover channels
listed. Any extra channel is ignored.
c. For a conversion to Split-Scope smart architecture, you can select a Master DHCP
server and set the Distribution ratio (in percent) of the Master.
For more details regarding the smart architecture configuration, refer to the section Adding
DHCPv4 Smart Architectures or Adding DHCPv6 Smart Architectures.
12. Click on OK to complete the operation. The report opens and closes. In the column Type,
the server is now listed as a smart architecture.

Handling the Status Locked Synchronization

SOLIDserver provides a consistency check for the smart architectures. Once you configured a
smart architecture with the server(s) you want to manage, the smart configuration is checked

353
 Managing DHCP Smart
Architectures

before it is sent to the physical server(s): this ensures the consistency of the configuration and
avoids pushing useless information to the server:
• If the check is conclusive, the information is sent to the server and, on the page All servers,
its status is Synchronized.
• If any error is found, the verification stops and the server Sync status changes to Locked
Synchronization once the page is refreshed. To get a valid synchronization status again, you
need to "undo" the latest changes. This action loads a new synchronization and uploads the
status accordingly.

Once the server is in Locked synchronization, the corrupted configuration file is automatically
stored locally on the appliance and available for download in the Local files listing. It is named
<server_name>-dhcpd.conf. We advice that you take a look at this file because after the first
found error, the check stops and returns the Locked synchronization status. So if there are sev-
eral errors, the status is returned over and over again until the file is conclusive and can be sent
to the physical server.

The check for failure in the configuration file can be done though CLI (we recommend it) or from
the GUI.

To check for failure in a DHCPv4 configuration file through CLI

1. Open an SSH session.
2. Use the following command to retrieve the list of corrupted files:
# ls -la /data1/exports/*-dhcpd.conf

3. Use the following command to get a precise list of all the errors:
# /usr/local/nessy2/bin/dhcpd -t -4 -cf /data1/exports/<server_name>-dhcpd.conf

4. Adjust identified statements, once the check runs again, the Locked Synchronization status
disappears if you now have a valid configuration.

To check for failure in a DHCPv6 configuration file through CLI

1. Open an SSH session.
2. Use the following command to retrieve the list of corrupted files:
# ls -la /data1/exports/*-dhcpd6.conf

3. Use the following command to get a precise list of all the errors:
# /usr/local/nessy2/bin/dhcpd -t -6 -q -cf /data1/exports/<server_name>-dhcpd6.conf

4. Adjust identified statements, once the check runs again, the Locked Synchronization status
disappears if you now have a valid configuration.

To look for DHCP errors on the page Syslog of the local appliance
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Monitoring, click on Syslog. The page Syslog opens.
3. In the SOLIDserver drop-down list, verify that the local appliance is selected. Only the host-
name appears with no IP address.
4. In the Services filed, select dhcpd. The logs appear.

354
 Managing DHCP Smart
Architectures

Exporting DHCP Smart Architectures

From the page All servers, you can export the smart architectures in a CSV, HTML, XML, XLS
or PDF file.

Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.

Deleting DHCP Smart Architectures

You can decide to stop managing your DHCPv4 or DHCPv6 servers through the smart architec-
tures. You might not need to delete smart architectures, editing them might be enough. For more
details, refer to the section Changing the Type of a DHCP Smart Architecture.

Before deleting a smart architecture, keep in mind that:

• Deleting a smart architecture does not delete any data from the physical server: it means that
you stop managing the server via the smart architecture. However, the configuration backup
of the smart architecture is deleted. Therefore, if the server crashes after the smart architec-
ture deletion, you have to configure everything again manually.
• You cannot delete a smart architecture if it is still managing DHCP servers. For more
details, refer to the section Removing a DHCP Server from a Smart Architecture.

To delete a DHCP smart architecture

1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. Tick the smart architecture(s) of your choice.
3. In the menu, click on Delete. The wizard Delete opens.
4. Click on OK to complete the operation. The report opens and closes. The smart architecture
is no longer listed on the page All servers.

Defining DHCP Smart Architectures as Group Resources

In SOLIDserver, only users of the group admin can manage and edit the items of every module.
Adding smart architectures as resources of a specific group allows the users of that group to
manage the architectures in question as long as they have the corresponding rights granted.

Granting access to smart architectures as resources also grants access to every physical server
they contain. For more details, refer to the section Adding Resources to a Group in the chapter
Managing Groups.

355
Chapter 25. Managing DHCP Failover
Channels
Failover channels establish the synchronization mechanism between DHCPv4 physical servers.

From the page All failover channels, you can only display the failover channels of servers managed
via smart architectures.

Note that from the page All scopes, you can associate a failover channel with one or several
scopes. For more details, refer to the section Defining a Specific Failover Channel for Scopes.

DHCP Failover Principles and Operational States

The synchronization mechanism is called failover because it was initially intended to allow one
DHCPv4 server to act as a primary server and for a second server to act as a backup. In basic
failover configurations, the secondary server does not reply to the DHCP client requests when it
is in contact with the primary, it simply synchronizes updates from the primary.

With EfficientIP DHCP servers, both the primary and secondary servers simultaneously provide
the DHCP service by default. You can change this configuration to ensure that only the primary
or the secondary server responds via Master/backup and Load balancing configurations. For
more details, refer to the section Operating in Normal State.

Keep in mind that the failover mechanism is virtual for DHCPv6 servers.

DHCP Safe Failover Principles

The failover based on load balancing involves three principles:
1. The primary and the secondary failover servers divide the dynamic ranges of free addresses
that they have to serve into free and backup addresses. Free addresses are available for the
primary server to allocate to its clients and backup addresses are available for the secondary
server to allocate to its clients.
2. Until the servers have not exchanged leases allocation details, they can still allocate or renew
leases within the range of addresses they manage but the lease time always corresponds to
the Maximum Client Lead Time (MCLT). By default, it is set to 1 hour. Therefore, as long as
the servers do not communicate or have not exchanged information - during the first allocation,
in communications-interrupted... - all leases are set to 1 hour.
3. In normal operation, an address that has been assigned to one client cannot be assigned to
another client unless both DHCP servers agree that the first client is no longer using it.

By default, the failover is based on load balancing, it is Balanced, on One-to-One and One-to-
Many smart architectures.

DHCP Failover Operational States

There are several DHCP operational states in the failover protocol: Operating in Normal State,
Operating in Communications-interrupted State and Operating in Partner-down State.

356
 Managing DHCP Failover Channels

In the GUI, the page All failover channels provides the column State that includes detailed inform-
ation regarding each state. For more details regarding this column, refer to the table The different
failover states

Operating in Normal State

In Normal state, only one server responses to the messages sent by DHCP clients. The failover
configuration you chose when setting up the failover defines which server responses to clients.

Failover Channel

DHCP 1 DHCP 2

local range local range

1 allocates 14 15 responds 28 1 responds 14 15 allocates 28

new addresses to existing to existing new addresses
addresses addresses

16 1

19 2

Figure 25.1. DHCP failover operating in normal state

When configuring a One-to-One or One-to-Many smart architecture, the drop-down list Split
leases allows to choose if the primary server, Master, or the secondary server, Backup, should
respond to the DHCP clients requests or choose to balance the responses between the servers.
In other words, when configuring your smart architecture, you can set the failover to respect a
master/backup configuration or a load balancing configuration.

Which is why in Normal state, a server might seem to ignore a client request.
• Master/Backup Configuration
If you choose this configuration, you can decide which server of the failover answers to all the
requests, either the primary (Prefer master) or the secondary (Prefer backup). For more details,
refer to the sections DHCPv4 One-to-Many Smart Architecture and DHCPv4 One-to-One Smart
Architecture.
• Load Balancing Configuration
If you choose this configuration, you can balance the responses equally and make both servers
respond to the DHCP clients' requests. The standard load balancing algorithm specifies which
server answers DHCP requests: this deterministic hash algorithm operates on the clients' in-
formation, their MAC address, to equally assign a set of clients to one server and the rest to
the other server. The hash is performed on every broadcast message sent out by DHCP clients,

357
 Managing DHCP Failover Channels

it produces a number between 0 and 255 that the servers are able to interpret and divide
equally. In addition, when configured in load balancing, EfficientIP DHCP servers are able to
detect if a client has not received a response yet from its failover peer. Thanks to the field secs
of the DHCP client message, the server identifies which clients are making a request for the
first time (the field value is zero) or if it is a retry (the field value is nonzero). In the case of a
retry, the first available server responds no matter the DHCP client hash number.

Operating in Communications-interrupted State

When operating in Communications-interrupted state, each server is operating independently
but assumes that its partner is still operating.

The secondary server might be operating and simply unable to communicate with the other
server or might not be operating. Each server responds to the full range of DHCP client messages
that it receives, but in such a way that graceful reintegration is always possible when its partner
comes back and contacts it again.

Communications-interrupted

DHCP 1 DHCP 2

local range local range

1 allocates 14 15 responds 28 1 responds 14 15 allocates 28

new addresses to existing to existing new addresses
addresses addresses

20 5 23 3

16 1 19 2
Site A Site B

Figure 25.2. DHCP failover operating in communications-interrupted state

Operating in Partner-down State

For a variety of reasons, is it possible that one member of a DHCP failover pair might stop oper-
ating. This could be the result of a planned or unplanned outage. In order to provide the best
possible service when one member of a failover pair is down, the other can be placed in the
Partner-down state.

When operating in Partner-down state, a server assumes that its partner is not currently operating
but does make allowances for the other server's set of DHCP clients as long as the MCLT has
not passed. That way, any lease that was allocated by the other server while they were in com-
munication-interrupted state has expired and the remaining server can safely allocate leases to

358
 Managing DHCP Failover Channels

all the DHCP clients of the failover. Once the MCLT expires, the server responds to all DHCP
client requests, it can reclaim any available IP address that belongs to its peer.

Partner-down

DHCP 1 DHCP 2

local range local range

1 allocates new addresses 28 1 28

and responds to
existing addresses

16 1

19 2

Figure 25.3. DHCP failover operating in partner-down state

Once the peer server comes back up, it automatically connects to its failover channel to change
back to the Normal operational state. Once again, it has to wait until the MCLT passes to reclaim
its DHCP clients.

You can manually switch a server to Partner-down. It allows to better control the DHCP service,
for instance before moving a server: the administrator can manually switch the secondary server
of a failover channel to Partner-down. For more details regarding this option, refer to the section
Switching DHCP Servers to Partner-down.

In a One-to-One DHCP smart architecture, the administrator can also set an Automatic switch
to partner-down delay (in hours) after which a server in Communications-interrupted state should
automatically switch to Partner-down. For more details, refer to the section DHCPv4 One-to-One
Smart Architecture of the chapter Managing DHCP Smart Architectures.

Browsing DHCP Failover Channels

The page All failover channels allows to manage DHCPv4 and DHCPv6 failover channels.

In IPv4, only the One-to-One and One-to-Many smart architectures provide mutiple failover
channels, both include as many failover channels as physical secondary servers. For Single-
Server or a Split-Scope smart architectures, the failover channel is virtual. It links the physical
server(s) of the smart architecture and acts as a configuration backup for the file dhcpd.conf. For
more details, refer to the section DHCP Failover Principles and Operational States.

359
 Managing DHCP Failover Channels

In IPv6, the concept of failover channels is not very widespread. Awaiting its implementation,
SOLIDserver already provides a dedicated listing page for the virtual failover channels. These
channels provide a backup of the smart architectures configuration. For more details, refer to the
DHCPv6 architectures of the section Implementing DHCP Smart Architectures.

Browsing the Failover Channels Database

To display the list of failover channels
1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. In the breadcrumb on the right of All servers, click on to display additional pages.
3. Click on All failover channels. The page refreshes.
4. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.

To display a failover channel properties page

1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. In the breadcrumb on the right of All servers, click on to display additional pages.
3. Click on All failover channels. The page refreshes.
4. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
5. At the end of the line of the failover channel of your choice, click on . The properties page
opens.

Customizing the Display on the Page All Failover Channels

The page can display DHCPv4 or DHCPv6 failover channels. All the columns are displayed by
default, you can filter, sort or hide them.

Any user can change the column layout of the page via the button List template, on the right-
end side of the menu. Only users of the group admin can add or edit list templates. For more
details, refer to the section Managing List Templates.

The DHCPv4 Failover Channels Columns

The DHCPv4 page All failover channels provides 10 columns described below.

Note that Split-Scope and Single-Server smart architectures provide little information. For these
architectures, the failover is virtual and therefore cannot be edited. Only the columns Name,
Smart DHCP and Status return data, other columns return None.

Table 25.1. The columns on the page All failover channels in IPv4
Column Description
Name The name of the failover channel, it is set during the smart architecture configuration.
Server The name of the server or smart architecture.
Type The failover channel type, either Primary or Secondary.
Local address The IP address of the primary server, or Master, in the smart architecture.
Local port The port number dedicated to the failover on the smart architecture primary server.
Remote address The IP address of the secondary server of the smart architecture.
Remote port The port number dedicated to the failover on the smart architecture secondary server.

360
 Managing DHCP Failover Channels

Column Description
Split The leases' split configuration between the servers: Balanced, Prefer backup or Prefer
master.
State The failover operational state, either Normal, Startup, Recovering, Partner-Down, Commu-
nications-interrupted, Down, Unknown state or N/A. For more details, refer to the table
The different failover states below.
Multi-status The emergency, warning, critical, error and/or informational message(s) regarding the
failover channel. For more details, refer to the section Understanding the Column Multi-
Status or Multi-Status Messages.
Status The failover channel status, either OK, Delayed create or Delayed delete.

The column State indicates the failover operational state:

Table 25.2. The different failover states

Failover state Description
Normal The server is configured and functions properly. The failover channel is opera-
tional.
Startup The failover channel is synchronizing. The failover channel is operational.

Recovering The server is recovering from a partner-down state. The failover channel is
operational.
! Partner-down The other server of the failover is Down. The failover channel is operational.

Communications-interrupted The server is in communications-interrupted.The failover channel is operational.

Down The server is down. The failover channel is not operational.

Unknown state The failover configuration for the smart architecture is incorrect. The failover
channel is not operational.
N/A The failover channel is virtual, therefore returning a state is not applicable, as
is the case of Split-Scope and Single-Server smart architectures.

The DHCPv6 Failover Channels Columns

The DHCPv6 page All failover channels provides 9 columns. As DHCPv6 failover channels are
basically virtual, the column State is empty.

Note that the Split-Scope and Single-Server smart architectures provide little information. For
these architectures, the port related columns return N/A.

Table 25.3. The columns on the page All failover channels in IPv6
Column Description
Name The name of the failover channel, it is set during the smart architecture configuration.
Type The failover channel type, either Primary or Secondary.
Local address The IP address of the primary server, or Master, in the smart architecture.
Local port The port number on the smart architecture primary server dedicated to the failover.
Remote address The IP address of the secondary server in the smart architecture.
Remote port The port number of the smart architecture secondary server dedicated to the failover.
State The connection state between the two servers. As nowadays there is no failover per se
in IPv6, this column is empty.
DHCP name The smart architecture name.
Multi-status Messages regarding the failover channel: emergency, warning, critical, error or informa-
tional, if relevant. For more details, refer to the section Understanding the Column Multi-
Status.

361
 Managing DHCP Failover Channels

Column Description
Status The failover channel status, either OK, Delayed create or Delayed delete.

Understanding the Failover Channels Statuses

The column Status provides information regarding your failover channels.

Table 25.4. Failover channels statuses

Status Description
OK The failover channel is operational.

Delayed create The creation or update is delayed until the failover channel is created on the physical
server(s) of the DHCPv4 smart architecture. The creation is automatically done after a
maximum of 1 minute.
Delayed delete The deletion is delayed until the failover channel is deleted from the physical server(s) of
the smart architecture. The deletion is automatically done after a maximum of 1 minute.

Switching DHCP Servers to Partner-down

The DHCPv4 operational states of the failover protocol are Normal, Communications-interrupted
and Partner-down. For more details, refer to the section DHCP Failover Operational States.

When one of the servers of the smart architecture is unable to communicate with the other, or is
down, the failover channel switches to the Communications-interrupted state. At that point, you
can choose to place the other server in the Partner-down state and keep making allowances.

You can switch servers to partner-down, automatically or manually:

• To automate the switch, your servers must be managed via a One-to-One smart architectures.
These architectures allow to set an Automatic switch to partner-down delay (in hours) after
which a server in Communications-interrupted state should automatically switch to Partner-
down. For more details, refer to the section DHCPv4 One-to-One Smart Architecture of the
chapter Managing DHCP Smart Architectures.
• To manually switch servers to partner-down, you can simply break the failover channel as de-
tailed below, SOLIDserver automatically switches the right server to Partner-down.

To manually switch a server to partner-down

1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. In the breadcrumb on the right of All servers, click on to display additional pages.
3. Click on All failover channels. The page refreshes.
4. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
5. Tick the failover channel(s) you want to break.
6. In the menu, select Edit > Switch to partner-down. The wizard Switch to partner-down
opens.
7. Click on OK to complete the operation. The report opens and closes. In the column State,
the failover channel has switched to Partner-down.

362
 Managing DHCP Failover Channels

Exporting DHCP Failover Channels

From the page All failover channels, you can export the data listed in a CSV, HTML, XML, XLS
or PDF file.

Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.

363
Chapter 26. Managing DHCP Servers
Servers are the entry point of any DHCP configuration. They contain all the necessary information
to provide IP addresses to DHCP clients. They allow to set up dynamic addressing or fixed
reservation organizations.

DHCP servers can provide IPv4 or IPv6 addresses. Both protocol versions intend to provide IP
addresses to client, but they each provide specific configurations and options that may only be
available in one version.

You can manage as many servers as you need to set up your DHCP organizations, each server
must:
1. Be configured with a unique IPv4 address, no matter if it delivers IPv4 or IPv6 addresses.
2. Contain at least one scope that listens on a particular network segment in order to discovers
clients request and answers them at the best of its capacity. If you manage large networks,
DHCP servers can rely on DHCP relays (also called helpers), for more details refer to the
section Configuring DHCP Relay Agents in the chapter Managing Scopes.

From the page All servers, you can manage DHCPv4 and DHCPv6 servers. Note that:
• In IPv4, you can add EfficientIP, EfficientIP Package and Microsoft DHCP servers.
• In IPv6, you can only add EfficientIP and EfficientIP Package servers.
• You can either manage your servers independently or a via a smart architecture. Smart archi-
tectures provide a backup of your configuration and a dedicated failover between a master
server and its backup(s) servers. For more details regarding the available smart architectures
for DHCPv4 or DHCPv6, refer to the chapters Understanding DHCP Smart Architectures and
Managing DHCP Smart Architectures.

Keep in mind that any parameter and/or option set at a lower level overwrites the configuration
set at server level.

Browsing DHCP Servers

The servers are the highest level of the DHCP hierarchy. They can contain shared networks,
scopes, groups, ranges, leases and/or statics.

SHARED
SCOPE RANGE LEASE
NETWORK

SERVER

GROUP STATIC

Figure 26.1. The server in the DHCP hierarchy

Browsing the Servers Database

To display the list of DHCP servers
1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. To list the IPv4 DHCP servers:
a. In the column Protocol, right-click over IPv4. The contextual menu.

364
 Managing DHCP Servers

b. Click on . Only the IPv4 DHCP servers are listed.

3. To list the IPv6 DHCP servers:
a. In the column Protocol, right-click over IPv6. The contextual menu.
b. Click on . Only the IPv6 DHCP servers are listed.

To display a DHCP server properties page

1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. At the end of the line of the server of your choice, click on . The properties pages opens.

Customizing the Display on the Page All Servers

Any user can change the column layout of the page via the button List template, on the right-
end side of the menu. Only users of the group admin can add or edit list templates. For more
details, refer to the section Managing List Templates.

Understanding the Server Statuses

The columns Multi-Status, Sync and Status return status details on the servers. For more details
on the smart architectures statuses, refer to the section Understanding the Smart Architecture
Statuses.

The column Status provides information on each server.

Table 26.1. DHCP server statuses

Status Description
OK The server is operational.

Unknown An error occurred that SOLIDserver could not identify.

Invalid credentials The SSL credentials are invalid or the server is already managed by another appliance
and you need to specify your credentials again. For more details, refer to the section
Editing DHCP Servers.
If the appliance database is encrypted, it may be that the Active key is missing. For
more details, refer to the section Troubleshooting the Database Encryption of the
chapter Securing.
Insufficient privileges The account configured for the Microsoft Windows DHCP server does not have
enough privileges to manage it.
Syntax error The server configuration contains syntax errors, it is not viable.

Timeout The server is unreachable.

License The server is compatible with the license applied to your appliance. For more details
on licenses and their metrics, refer to the chapter Managing Licenses.
Not running The service DHCP server or DHCPv6 server is stopped on the appliance.

The column Sync provides the synchronization details of each server.

Table 26.2. DHCP server synchronization statuses

Sync status Description
Synchronized The server was successfully synchronized.

Busy The server synchronizing is ongoing. While the server is busy, the column Status
may return inaccurate information.

365
 Managing DHCP Servers

Sync status Description

Locked synchronization For EfficientIP or EfficientIP Package servers, the server configuration is not viable.
If the server is managed from a smart architecture, the architecture cannot push its
configuration to the physical servers, for more details refer to the section Handling
the Status Locked Synchronization.

The column Multi-status provides you with emergency, warning, critical, error or informational
messages regarding the server compatibility with Hybrid. For more details, refer to the section
Understanding the Column Multi-Status.

Managing EfficientIP DHCP Servers

SOLIDserver embeds a proprietary EfficientIP DNS server that allows to manage your local
server configuration and data.

From the GUI, you can:

• Add EfficientIP servers. For more details, refer to the section Adding EfficientIP DHCP Servers.
• Edit the SNMP monitoring parameters or properties of EfficientIP servers. For more details,
refer to the sections Editing the SNMP Monitoring Parameters of EfficientIP DHCP Servers
and Editing DHCP Servers.
• Configure EfficientIP DHCP servers with a reverse proxy server, if they are running in a con-
tainer whose HTTP or HTTPS port is only accessible through a reverse proxy. For more details,
refer to the section Configuring a Reverse Proxy for an EfficientIP DHCP Server.
• Delete EfficientIP servers. For more details, refer to the section Deleting DHCP Servers.

Configuring the Listening Network Interfaces

1
The DHCP server selects the listening network interfaces via the DHCP scopes . To make the
server listen on an interface, you have to add a scope that includes one or several local interfaces
of the DHCP server to allow the server to reply to the DHCP client requests.

For instance, your DHCP server has 2 network interfaces configured: 192.168.10.3 and
192.168.10.5.To listen to both interfaces, you have to configure a scope with the network address
192.168.10.0 and the netmask 255.255.255.0. For more details regarding scope management,
refer to the chapter Managing DHCP Scopes.

EfficientIP DHCP server implements the safe DHCP failover protocol. For more details, refer to
the chapter Managing DHCP Failover Channels.

Adding EfficientIP DHCP Servers

From the page All servers, you can add EfficientIP DHCP servers to manage their configuration,
all their data and monitor them. Before adding servers, keep in mind that:
• EfficientIP DHCP servers can provide IPv4 or IPv6 addressing.
• The SNMP protocol is no longer supported as managing protocol for a server. Therefore:
• You can no longer add a server managed via SNMP.
• EfficientIP DHCP servers prior to version 4.0.x are no longer supported.

1
If you do not set a listening scope, you must configure a relay to communicate with DHCP clients.

366
 Managing DHCP Servers

• SSL is used to manage a server while SNMP is used to monitor it. Therefore, you can
configure the SNMP monitoring parameters of the server. For more details, refer to the section
Editing the SNMP Monitoring Parameters of EfficientIP DHCP Servers.
• EfficientIP DHCP servers manage the IPv4 static reservations like leases.The MAC address
specified during the static reservation identifies the clients' IP address and allocates it a lease
as well as soon as they are visible on the network. Once the lease is allocated, if the IPAM
and DNS replication are configured, the data is sent to the IPAM and adds the corresponding
DNS entries. For more details, refer to the section Adding DHCPv4 Statics.
• You should not set a VIP as management address of your DHCP server.
• When you add a server, a random password is generated to secure the communication between
the appliance and the server. The default SSH credentials of the account admin are no longer
used to manage the server but to generate this random password.
For servers added before the upgrade to version 7.0, switching to this new management system
is not automatic. You need to edit the servers. For more details, refer to the section Editing
DHCP Servers.
• If your server is running in a container whose HTTP(S) port is only accessible through a reverse
proxy, refer to the section Configuring a Reverse Proxy for an EfficientIP DHCP Server.

To add an EfficientIP DHCP server

1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. In the menu, select Add > Server or Server (v6) > EfficientIP. The wizard Add a DHCP
server or Add a DHCPv6 server opens.
3. If custom classes are enabled at server level, in the list DHCP server class select a class
or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
4. Fill in the following fields to set up the basic server configuration:

Table 26.3. DHCP server basic parameters

Field Description
DHCP server name The name of the server, it must have a valid FQDN. This field is required.
Management IP address The IPv4 address of the server you want to manage. This field is required. If you
already configured a resolver for the appliance, you can specify a name and click
on SEARCH , the matching IP address is retrieved from the DNS and displayed.
For more details, refer to the section Setting the DNS Resolver.
Isolated Tick the box Isolated if you want to isolate the server within SOLIDserver. This
prevents the server, and its content, from executing any configured replication
rule or advanced property. The server still receives data if your network config-
uration allows it.
This field is optional and mainly useful during migrations. When the server con-
figuration is ready and you untick the box, you must manually execute the rules
and/or advanced properties, at all relevant levels of the module hierarchy, via
the menu Tools > Initialize rules.
Description A description, it is returned in the corresponding column on the page All servers.
This field is optional.

5. If you have changed the default SSH password of the appliance embedding the DHCP
server, you must update the enrollment parameters.
a. Tick the box Configure enrollment parameters. The field "Admin" account password
appears, it contains the default admin account password.

367
 Managing DHCP Servers

b. Empty the field "Admin" account password and specify your SSH password.
6. If you want to edit the server SNMP parameters, tick the box Configure SNMP monitoring
parameters.
A set of fields appear, configure them to monitor and retrieve the server statistics.

Table 26.4. SNMP monitoring parameters available when you add a server
Field Description
SNMP port The port used to retrieve the server statistics. By default, the port 161 is used. If you
changed the UDP port of your SNMP server, you must use the same port. This field is
required. For more details, refer to the section Configuring the SNMP Server.
Use TCP The network communication protocol, either TCP (ticked) or UDP (unticked). By default,
the box is unticked. You should tick the box to use TCP instead of UDP if the network
link is unreliable. This field is optional.
SNMP profile The SNMP profile used to retrieve the statistics. By default, standard v2c is selected.
This field is optional. The list contains the default profiles (standard v1, standard v2c and
standard v3) and the ones you may have added. Each profile has its own level of security
and enables the definition of a global security policy. For more details, refer to the section
Managing SNMP Profiles.
SNMP retries The number of connection attempts when the server is in timeout, a value between 0 and
5. By default, it is set to 2. This field is required.
SNMP timeout The number of seconds between each connection attempt, either 1, 2, 3, 4, 5, 10 or 30.
By default, it is set to 5. This field is required.

7. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
8. Click on OK to complete the operation. The report opens and closes. The server is listed.

Editing the SNMP Monitoring Parameters of EfficientIP DHCP

Servers
Once added to the page All servers, you can edit the SNMP monitoring parameters of EfficientIP
DHCP servers.

The SNMP protocol is no longer supported as managing protocol for a server.

To edit the SNMP monitoring parameters of an EfficientIP DHCP server

1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. At the end of the line of the server or smart architecture of your choice, click on . The
properties pages opens.
3. In the panel SNMP monitoring parameters, click on EDIT . The wizard SNMP parameters
opens.
4. Edit the SNMP parameters according to your needs:

Table 26.5. SNMP monitoring parameters available when you edit a server
Field Description
SNMP version The version of the SNMP protocol used to retrieve the statistics. It can be either v1, v2c
or v3. By default, v2c is selected. This field is required.

368
 Managing DHCP Servers

Field Description
SNMP port The port used to retrieve the server statistics. By default, the port 161 is used. If you
changed the UDP port of your SNMP server, you must use the same port. This field is
required. For more details, refer to the section Configuring the SNMP Server.
SNMP retries The number of connection attempts when the server is in timeout, a value between 0 and
5. By default, it is set to 2. This field is required.
SNMP timeout The number of seconds between each connection attempt, either 1s, 2s, 3s, 4s, 5s, 10s
or 30s. By default, it is set to 5s. This field is required.
Use bulk For SNMP version v2c or v3. Allows to send several requests at once, it uses a bulk
transfer of data. This compact SNMP request method accelerates transfers. By default,
it is set to Yes. This field is required.
Use TCP The network communication protocol, either TCP (Yes) or UDP (No). By default, No is
selected. You should use TCP instead of UDP if the network link is unreliable. This field
is required.
SNMP transfer The number of minutes above which the SNMP transfer is aborted when you add or refresh
timeout (minutes) a device, a value between 0 and 999. By default, it is set to 0. This field is optional.

5. Click on NEXT . The page SNMP profile opens.

6. In the drop-down list SNMP profile, choose a profile using the same version of the SNMP
protocol as the one you selected in the field SNMP version.
If you added SNMP profiles, you can choose one of your profiles. They are listed only if they
use the same version of the SNMP protocol as the one you selected on the previous page.
Note that the SNMP profiles you can choose from must be configured on the appliance you
are currently working with. For more details, refer to the section Managing SNMP Profiles.
7. Click on OK to complete the operation. The report opens and closes. The changes are listed
in the panel.

Configuring a Reverse Proxy for an EfficientIP DHCP Server

You can configure a reverse proxy server when you add EfficientIP or EfficientIP Package servers
if your server is running in a container whose HTTP(S) port is only accessible through a reverse
proxy server. The reverse proxy server transfers requests to the container via HTTP or HTTPS.

To configure the reverse proxy server you must:

1. Enable the key module.system.enable_reverse_proxy_config.
2. Specify the URL of a reverse proxy server when you add the server.

Note that you cannot edit an existing server to configure it with a reverse proxy server.

To enable the registry key that allows to configure a reverse proxy server
Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Registry database. The page Registry database opens.
3. Filter the column Name with module.system.enable_reverse_proxy_config.
4. Hit Enter. Only this key is listed.
5. In the column Value, click on the value listed. The wizard Registry database Edit a value
opens.
6. In the field Value, type in 1 to enable it. By default, its value is 0.
7. Click on OK to complete the operation. The report opens and closes. The page refreshes
and the new value is displayed.

369
 Managing DHCP Servers

Once you enabled the registry key, you can add an EfficientIP or EfficientIP package server and
configure it with a reverse proxy server.

To configure a reverse proxy for an EfficientIP DHCP server

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. In the menu, select Add > Server or Server (v6) > EfficientIP or EfficientIP Package.
The wizard Add a DHCP server or Add a DHCPv6 server opens.
3. If custom classes are enabled at server level, in the list DHCP server class select a class
or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
4. Fill in the following fields to set up the basic server configuration:

Table 26.6. DHCP server basic parameters

Field Description
DHCP server name The name of the server, it must have a valid FQDN. This field is required.
Management IP address The IPv4 address of the server you want to manage. This field is required. If you
already configured a resolver for the appliance, you can specify a name and click
on SEARCH , the matching IP address is retrieved from the DNS and displayed.
For more details, refer to the section Setting the DNS Resolver.
Management URL The URL of the reverse proxy server that forwards client requests to the DHCP
server via HTTP or HTTPS.
Isolated Tick the box Isolated if you want to isolate the server within SOLIDserver. This
prevents the server, and its content, from executing any configured replication
rule or advanced property. The server still receives data if your network config-
uration allows it.
This field is optional and mainly useful during migrations. When the server con-
figuration is ready and you untick the box, you must manually execute the rules
and/or advanced properties, at all relevant levels of the module hierarchy, via
the menu Tools > Initialize rules.
Description A description, it is returned in the corresponding column on the page All servers.
This field is optional.

5. If you have changed the default SSH password of the appliance embedding the DHCP
server, you must update the enrollment parameters.
a. Tick the box Configure enrollment parameters. The field "Admin" account password
appears, it contains the default admin account password.
b. Empty the field "Admin" account password and specify your SSH password.
6. If you want to edit the server SNMP parameters, tick the box Configure SNMP monitoring
parameters.
A set of fields appear, configure them to monitor and retrieve the server statistics.

Table 26.7. SNMP monitoring parameters available when you add a server
Field Description
SNMP port The port used to retrieve the server statistics. By default, the port 161 is used. If you
changed the UDP port of your SNMP server, you must use the same port. This field is
required. For more details, refer to the section Configuring the SNMP Server.
Use TCP The network communication protocol, either TCP (ticked) or UDP (unticked). By default,
the box is unticked. You should tick the box to use TCP instead of UDP if the network
link is unreliable. This field is optional.

370
 Managing DHCP Servers

Field Description
SNMP profile The SNMP profile used to retrieve the statistics. By default, standard v2c is selected.
This field is optional. The list contains the default profiles (standard v1, standard v2c and
standard v3) and the ones you may have added. Each profile has its own level of security
and enables the definition of a global security policy. For more details, refer to the section
Managing SNMP Profiles.
SNMP retries The number of connection attempts when the server is in timeout, a value between 0 and
5. By default, it is set to 2. This field is required.
SNMP timeout The number of seconds between each connection attempt, either 1, 2, 3, 4, 5, 10 or 30.
By default, it is set to 5. This field is required.

7. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
8. Click on OK to complete the operation. The report opens and closes. The server is listed.

Managing Microsoft Windows DHCP Servers

You can add Microsoft Windows DHCP servers to manage them from the page All servers. They
can be included into an Active Directory (AD) domain or not.

Once you manage a Microsoft Windows server, you can also manage its superscopes, scopes,
ranges, statics, leases. Note that superscopes are listed on the page All shared networks. De-
pending on the version of Windows and if you add the server to a smart architecture, you can
manage its failover relationships.

The management of Microsoft DHCP servers is based on Microsoft Remote Procedure Calls
(MS RPC). It allows to retrieve and display data is real-time without installing any WinDHCP
agent.

Before managing a Microsoft Windows DHCP server, keep in mind that:

• You must meet SOLIDserver prerequisites and take into account Microsoft Windows DHCP
servers limitations.
• SOLIDserver and Microsoft do not manage DHCP ranges in the same way, for more details
refer to the section Understanding the Range Management on Microsoft Servers.

Prerequisites
• A Microsoft Windows Server 2008, 2008 R2, 2012 R2, 2016 or 2019. The server must:
• Have the TCP ports 135 and 445 open. They are used by the port mapper interface, the
service that indicates to the clients which port provides access to each service.
• Have Firewall policies that allow traffic between SOLIDserver and the Microsoft servers it
manages. For more details, refer to the section Microsoft Windows DHCP Servers in the
appendix Matrices of Network Flows.
• In Windows Server, RPC uses by default the dynamic port range 49152-65535. Note that
you can reduce the number of available ports, using netsh, as long as the range of ports
2
contains at least 255 ports .
• The credentials of a member of the group DHCP Administrators. Users with insufficient privileges
cannot manage the server.

2
For information, refer to http://support.microsoft.com/kb/929851 .

371
 Managing DHCP Servers

• The service DHCP must be properly started. For more details, refer to the chapter Configuring
the Services.

Limitations
Server Limitations
• To add or manage Microsoft servers from SOLIDserver, a user must have administrator
rights over the Microsoft server in your Windows environment.
• To display Microsoft servers in SOLIDserver, a user must have reading rights over the
Microsoft server in your Windows environment.
• You cannot manage Microsoft servers that are Master in one configuration and backup in
another in your Windows environment. Once added to the GUI, they take on one role or
the other.
• Changes performed directly on the Microsoft server are not automatically transferred to
SOLIDserver. You must synchronize the server, as detailed in the section Synchronizing
DHCP Servers.
• The synchronization of a Microsoft server within SOLIDserver is impossible if the server
is managed via a smart architecture, the smart configuration overwrites the new data.
• Microsoft policies are not supported, any policy configured on a Microsoft server is ignored.
• The statistics of Microsoft servers are not retrieved, the page Analytics does not include
them.
Scope and Superscope Limitations
• You can only manage active scopes from SOLIDserver, deactivated scopes are ignored.
• You can only manage DHCPv4 superscopes.
• You can only manage superscopes that contain at least one active scope. Empty super-
scopes and superscopes containing only deactivated scopes are ignored.
DHCP Options Limitations
• Encapsulated DHCP options are not supported by Microsoft DHCP servers.
Lease Limitations
• The start date of a lease is unknown. SOLIDserver displays an arbitrary start date that
corresponds to the moment when the lease is detected.
• DHCP configurations involving a very large number of leases trigger refresh problems. By
default, the registry database entry module.dhcp.refresh_server_time refreshes leases
every 10 seconds, when there are a lot of leases it can overload the service and create a
loop. To avoid this problem, you need to increase the value of the registry entry.
ACL Limitations
• You cannot configure ACLs on Microsoft servers.

For more details regarding the Microsoft Windows limitations, refer to their documentation.

Understanding the Range Management on Microsoft Servers

The way to manage the ranges within SOLIDserver and Microsoft is different.

SOLIDserver offers the same services as Microsoft but displays them differently from the Windows
Administrative Tools of your Microsoft DHCP server. You can add as many ranges as you need
from SOLIDserver GUI but only one is actually added on the Microsoft server.

Therefore, when SOLIDserver overwrites the configuration of the Microsoft DHCP server you
manage:

372
 Managing DHCP Servers

• The unique Microsoft range start and end addresses match the assignable start and end ad-
dresses of the scope it belongs to.
• A number of exclusion ranges are added on the Microsoft server to match the ranges you added
from SOLIDserver.

DHCP server content in SOLIDserver GUI

SCOPE 192.168.10.0/24

Configuration pushed
RANGE
192.168.10.25 - 192.168.10.100
RANGE
192.168.10.5 - 192.168.10.10

DHCP server content in Microsoft GUI

SCOPE 192.168.10.0/24

RANGE 192.168.10.1 - 192.168.10.254

EXCLUSION RANGE
192.168.10.101 - 192.168.10.254
EXCLUSION RANGE
192.168.10.11 - 192.168.10.24
EXCLUSION RANGE
192.168.10.1 - 192.168.10.4

Figure 26.2. SOLIDserver DHCP configuration vs. Microsoft DHCP configuration

As illustrated above, the scope management is exactly the same on SOLIDserver and Microsoft,
on both sides you have a 192.168.10.0/24 scope. However, the range management differs:
• Within SOLIDserver, if you add the two following ranges:
• First range: 192.168.10.5 - 192.168.10.10
• Second range: 192.168.10.25 - 192.168.10.100
• The configuration pushed on the Microsoft DHCP configuration looks as follows:
• One unique range: 192.168.10.1 - 192.168.10.254. A range managing all the assignable
addresses of the scope.
• Three exclusion ranges: 192.168.10.1 - 192.168.10.4, 192.168.10.11 - 192.168.10.24 and
192.168.10.101 - 192.168.10.254.

Adding Microsoft Windows DHCP Servers

Before adding Microsoft Windows DHCP servers, you must take into account the prerequisites
and limitations. Once listed on the page All servers, you can manage their superscopes, scopes,
ranges, statics and leases.

If your Microsoft DHCP server is integrated to an AD with several forests, you can use the Expert
mode during the server addition to specify the AD domain you want to authenticate.

Note that:
• If you manage a Microsoft Windows DHCP server 2012 R2 or higher from a smart architecture,
you can manage its failover relationships. For more details, refer to the section Managing the
Failover Channels of Microsoft Windows DHCP Servers.

373
 Managing DHCP Servers

• Superscopes are managed as shared networks in the GUI. For more details, refer to the section
Managing Microsoft Windows Superscopes.
• Once you manage a Microsoft server from SOLIDserver, you should no longer edit it from
Windows DHCP Manager. If you do, you must synchronize it. For more details, refer to the
section Synchronizing DHCP Servers.

To add a Microsoft Windows DHCP server

1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. In the menu, select Add > Server > Microsoft. The wizard Manage a DHCP server
opens.
3. If custom classes are enabled at server level, in the list DHCP server class select a class
or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
4. Fill in the following fields to set up the basic server configuration:

Table 26.8. Microsoft DHCP server basic parameters

Field Description
DHCP server name The name of the server, it must have a valid FQDN. This field is required.
Management IP address The IPv4 address of the server you want to manage. This field is required. If you
already configured a resolver for the appliance, you can specify a name and click
on SEARCH , the matching IP address is retrieved from the DNS and displayed.
For more details, refer to the section Setting the DNS Resolver.
Isolated Tick the box Isolated if you want to isolate the server within SOLIDserver. This
prevents the server, and its content, from executing any configured replication
rule or advanced property. The server still receives data if your network config-
uration allows it.
This field is optional and mainly useful during migrations. When the server con-
figuration is ready and you untick the box, you must manually execute the rules
and/or advanced properties, at all relevant levels of the module hierarchy, via
the menu Tools > Initialize rules.
Description A description, it is returned in the corresponding column on the page All servers.
This field is optional.

5. Click on NEXT . The last page opens.

6. In the field Login, specify the name of user with sufficient managing privileges over the
Windows DHCP server.
7. In the field Password, specify the corresponding password.
8. If your Microsoft DHCP server is integrated to Active Directory and contains several forests:
a. Tick the box Expert mode (AD). The field Domain appears
b. In the field Domain, specify the full domain or subdomain.
9. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
10. Click on OK to complete the operation. The report opens and closes. The server is listed,
the column Version indicates the Microsoft server version.

374
 Managing DHCP Servers

Managing the Failover Channels of Microsoft Windows DHCP

Servers
Within SOLIDserver, Microsoft failover relationships are called failover channels.

To manage Microsoft failover channels, you must manage Microsoft servers from a smart
architecture. As managing servers from a smart erases their content, you must either prepare
the smart architecture before managing server with it or convert the server into a smart architecture
to keep its configuration.

Once you manage a Microsoft server with a smart architecture, you can even associate its scopes
with a specific failover. For more details, refer to the section Defining a Specific Failover Channel
for Scopes.
Prerequisites
• Meeting Microsoft prerequisites.
• Microsoft DHCP servers 2012 R2 or higher.
• All the Microsoft servers you manage in a smart architecture must use the same NTP pool.
Limitations
• Taking into account Microsoft limitations.
• Within SOLIDserver a failover is between two servers.
• SOLIDserver cannot add failover channels for Microsoft servers if they do not manage
valid ranges. Without a valid range, no failover can be added from SOLIDserver and pushed
to the server.
• Only the failover mode Load balance is supported:
• Three ratios are supported 100-0 (Prefer Master), 0-100 (Prefer Backup) and 50-50
(Balanced). Any other ratio is overwritten by the closest ratio we support.
• If you manage failovers in mode Hot standby, their mode is switched to Load balance.
• If you manage Microsoft servers from a smart architecture:
• It must only manage Microsoft servers.
• It must be One-to-One or One-to-Many smart architecture.You cannot manage Microsoft
failovers from a Single-Server smart architecture.
• In One-to-Many smart architectures, you can only have one Master server in the smart
architecture. It takes on the role of primary server.
• In One-to-Many smart architectures, you cannot manage more than 31 failover channels,
i.e. 32 Microsoft servers.
• The unique port numbers that you must specify in the GUI are actually ignored. Microsoft
automatically sets the proper port for the communication.
• If you manage Microsoft servers outside a smart architecture:
• You can manage their content but not their failover channels. You can only display them
on the page All failover channels.
• You cannot configure advanced properties between the IPAM and the DHCP as they
rely on failover channels. For more details, refer to the chapter Managing Advanced
Properties.

To manage your Microsoft failover channels from a smart architecture we recommend to:
1. Add all the Microsoft Windows DHCP servers that you want to manage from SOLIDserver.
For more details, refer to the section Adding Microsoft Windows DHCP Servers.

375
 Managing DHCP Servers

2. Convert one Microsoft server into a One-to-One or One-to-Many smart architecture. We

recommend converting the Master server as it contains all the configuration data. During the
conversion, you can configure the failover channels:
• On One-to-One smart architectures, you cannot have more than one failover channel.
• On One-to-Many smart architectures, you cannot have more than 31 failover channels.
For more details, refer to the section Converting a DHCP Server into a Smart Architecture.
3. Add again the server you converted into a smart architecture, if you want to manage it
and not only use its configuration.
For more details, refer to the section Adding Microsoft Windows DHCP Servers.
4. Edit the smart architecture to make it manage all the Microsoft servers and specify the
Master.
For more details, refer to the section Adding a DHCP Server into a Smart Architecture.

Managing Microsoft Windows Superscopes

Within SOLIDserver, superscopes are managed as shared networks, from the page All shared
networks.

When you add a Microsoft Windows server, its superscopes are retrieved. Note that:
• Only DHCPv4 superscopes are supported.
• Only superscopes containing at least one active scope are retrieved. Empty superscopes and
superscopes containing only deactivated scope(s) are ignored.
• Once in the GUI, superscopes cannot be configured with DHCP options because shared net-
works cannot be configured with DHCP options.

You can edit them, add new ones and delete them, all changes are sent to Microsoft. For more
details, refer to the chapter Managing DHCP Shared Networks.

If you managed Microsoft servers before upgrading to this version. Note that:
• The superscopes configured directly from Windows DHCP Manager are retrieved and manage-
able from the GUI.
The retrieval depends on your configuration:
On Microsoft servers managed outside a smart architecture
• Only the superscopes containing at least one scope are added as shared networks.
On Microsoft servers managed via a smart architecture
• The superscope configuration set in Windows DHCP Manager prevails and overwrites
the smart architecture configuration:
• If the smart architecture contained shared networks that do not match the configuration
of the Microsoft server, they may be updated.
• If the smart architecture contained empty shared networks, they are deleted.
• Only the superscopes of the master server(s) are retrieved. The configuration of the
master server is pushed to the backup server(s).
• If you managed Microsoft servers not configured with superscopes via a smart architecture, a
shared network is automatically added for each scope. Each shared network is named after
the scope start_address/prefix.

376
 Managing DHCP Servers

Managing ISC DHCP Servers on Linux

SOLIDserver provides its software versions through native packages of operating system. Installing
the DNS package allows you to use the module DHCP at the best of its potential on Linux, it allows
you to manage your ISC server through an EfficientIP DHCP server, which incidentally provides
all the options that come with it (statistics retrieved via SNMP...).

To successfully install the DHCP packages on Linux, you must follow the prerequisites and pro-
cedures in the section that matches your environment:
• Installing an EfficientIP DHCP Package on Debian 8 or Higher.
• Installing an EfficientIP DHCP package on RedHat 6 and Higher.

Once your package is installed you can add an EfficientIP DHCP Package in the GUI as detailed
in the section Adding an ISC DHCP Server.

If you need to upgrade your package, refer to the section Upgrading EfficientIP DHCP Packages.

Installing an EfficientIP DHCP Package on Debian 8 or Higher

You must take into account the prerequisites before installing a DHCP package on Debian.

Prerequisites
• The DHCP package file, ipmdhcpxx-y.y.y-debianxx-amd64.deb, whose name provides you
with a number of information separated by hyphens: the type of package (ipmdhcpxx: a DHCP
package with a DHCP in version xx where xx is x dot x), the version of SOLIDserver (y.y.y);
the version of Debian (debianxx where xx is x dot x) and finally the Debian architecture (amd64).
In the procedure below, this file is referred to as <ipmdhcpxx-y.y.y-debianxx-amd64.deb>.
• The EfficientIP ISC package platform must have at least 20 Mb of free disk space.
• The EfficientIP ISC package may need certain libraries of your operating system, you must
3
have a shell access with root login in local, via ssh on the server to be installed.
• You must make sure that no other DNS/DHCP service on your Linux is running : it would inter-
fere with the BIND/ISC package installation.
• You must make sure that SOLIDserver and Debian are set to the same time and date.
• You must make sure that Apache server is up-to-date.
• You must make sure that the service dbus is installed.
• You must make sure that HTTPS (port 443), the DHCP service (port 67) and the failover ports
(647-667 and 847-867) are not blocked by a network filtering process (firewall).
If your Apache configuration already uses the port 443, you have to create an additional IP-
based VirtualHost dedicated to the DNS/DHCP management.

Installing EfficientIP DHCP Package on Debian

Once you have taken into account the prerequisites, you can install an EfficientIP DHCP Package
on Debian.

If you have not installed the DNS packages yet, you need to:
1. Follow the procedure To install the EfficientIP DHCP Package on Debian.

3
You could also connect via telnet but, for security purposes, we recommend that you favor ssh.

377
 Managing DHCP Servers

2. Follow the procedure To complete the DHCP package installation on Debian if the DNS
package is not installed.

If you already installed the DNS packages, you only need to follow the procedure To install
the EfficientIP DHCP Package on Debian below.

The installation procedure below includes the commands that make the web services configurable.

To install the EfficientIP DHCP Package on Debian

1. Open an SSH session.
2. Stop and disable your DHCP software, using the following commands:
# service isc-dhcp-server stop
# update-rc.d -f isc-dhcp-server remove

3. Install the dependency packages, ONLY if you have not installed the EfficientIP DNS package,
using the following commands:
a. For Debian 8:
# apt-get install php5
# apt-get install sudo
# apt-get install snmpd
# apt-get install sqlite
# apt-get install php5-sqlite

b. For Debian 9 and 10:

# apt-get install php
# apt-get install sudo
# apt-get install snmpd
# apt-get install sqlite
# apt-get install php-sqlite3

4. Install the EfficientIP DHCP package, using the following command:

# dpkg -i <ipmdhcpxx-y.y.y-debianxx-amd64.deb>

5. Make the web services configurable: in the directory /etc/sudoers.d , create the file ipmdhcp
containing the line below.
www-data ALL = NOPASSWD: /usr/local/nessy2/script/install_dhcpd_conf.sh, \
/usr/local/nessy2/script/install_dhcpd6_conf.sh

6. Set the users access rights as follows:

# chmod 440 /etc/sudoers.d/ipmdhcp

Note that you can change the password admin of the web service using the command below:
# htpasswd /usr/local/nessy2/www/php/cmd/dhcp/.htpasswd admin

If you have not installed the DNS package or are not planning on installing it, you must
now follow the procedure below.

To complete the DHCP package installation on Debian if the DNS package is not
installed
1. If relevant, open an SSH session.

378
 Managing DHCP Servers

2. Allow SNMP access to the DNS statistics: append the file /etc/snmp/snmpd.conf with the
following line.
view systemview included .1.3.6.1.4.1.2440

3. Start the SNMP daemon, using the following command:

# service snmpd start

4. Create a self-signed certificate for Apache, using the following commands:

# cd /etc/apache2
# openssl genrsa -des3 -out server.key 4096
# openssl req -new -key server.key -out server.csr
# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
# openssl rsa -in server.key -out server.key.insecure
# mv server.key server.key.secure
# mv server.key.insecure server.key

5. Activate the SSL mode in Apache using the following command:

# a2enmod ssl

6. Make sure that a symbolic link to the default VirtualHost SSL configuration file is located in
the folder sites-enabled/ . If not, use the following command:
# a2ensite default-ssl

7. Configure the web services by editing the file /etc/apache2/sites-enabled/default-ssl.conf to

replace the FULL section <VirtualHost *:443> with the following configuration:
<VirtualHost *:443>

ServerName 127.0.0.1
DocumentRoot /usr/local/nessy2/www/php
<Directory /usr/local/nessy2/www/php>
Require all granted
AllowOverride Authconfig
Options Indexes FollowSymLinks
</Directory>

# Please note that the following, from "php_admin_value" to

"site:/usr/local/share/pear",
# represents and must be written on a single line.
php_admin_value include_path
/usr/local/nessy2/www/php/include:/usr/local/nessy2/lib/php:/usr/local/nessy2/www/site:/usr/local/share/pear
php_admin_value file_uploads 1
php_admin_value upload_max_filesize 300000000
php_admin_value post_max_size 300000000
php_admin_value memory_limit 150000000
php_admin_value register_globals 0
php_admin_value short_open_tag 1
php_admin_value safe_mode 0
php_admin_value magic_quotes_gpc 0

SSLEngine on
SSLCertificateFile /etc/apache2/server.crt
SSLCertificateKeyFile /etc/apache2/server.key
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM

# Please note that the following, from "SetEnvIf" to "force-response-1.0", represents

and
# must be written on a single line.
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0

379
 Managing DHCP Servers

force-response-1.0

</VirtualHost>

8. Disable the default site in Debian Apache configuration using the following command:
# a2dissite 000-default

9. Restart Apache using the following command:

# service apache2 restart

10. Make sure that the ipmdhcp package is running using the following command:
# service ipmdhcp status

If it is not running, use the following command:

# service ipmdhcp start

Once the configuration is complete, you can add an EfficientIP Package DHCP server to manage
your ISC server from SOLIDserver GUI. For more details, refer to the procedure in the section
Adding an ISC DHCP Server.

Installing an EfficientIP DHCP package on RedHat 6 and Higher

You must take into account the prerequisites before installing a DHCP package on RedHat or
CentOS.

Prerequisites
• The DHCP package file, ipmdhcpxx-y.y.y-redhatx.x86_64.rpm, whose name provides you with
a number of information separated by hyphens or a point: the type of package (ipmdhcpxx: a
DHCP package with a DHCP in version xx where xx is x dot x), the version of SOLIDserver
(y.y.y); the version of RedHat (redhatx) and finally the RedHat architecture (x86_64).
In the procedure below, this file is referred to as <ipmdhcpxx-y.y.y-redhatx.x86_64.rpm>.
• The EfficientIP ISC package platform must have at least 20 Mb of free disk space.
• The EfficientIP ISC package may need certain libraries of your operating system, you must
4
have a shell access with root login in local, via ssh on the server to be installed.
• You must make sure that no other DNS/DHCP service on your Linux is running : it would inter-
fere with the BIND/ISC package installation.
• You must make sure that SOLIDserver and RedHat/CentOS are set to the same time and date.
• You must make sure that Apache server is up-to-date.
• You must make sure that HTTPS (port 443), the DHCP service (port 67) and the failover ports
(647-667 and 847-867) are not blocked by a network filtering process (firewall).
If your Apache configuration already uses the port 443, you have to create an additional IP-
based VirtualHost dedicated to the DNS/DHCP management.

Installing the EfficientIP DHCP Package

Once you have taken into account the prerequisites, you can install the EfficientIP DHCP Package
on RedHat or CentOS.

4
You could also connect via telnet but, for security purposes, we recommend that you favor ssh.

380
 Managing DHCP Servers

If you have not installed the DNS packages yet, you need to:
1. Follow the procedure To install the EfficientIP DHCP Package on RedHat.
2. Follow the procedure To complete the DHCP package installation on RedHat if the DNS
package is not installed.

If you already installed the DNS packages, you only need to follow the procedure To install
the EfficientIP DHCP Package on RedHat below.

The installation procedure below includes the commands that make the web services configurable.

To install the EfficientIP DHCP Package on RedHat

1. Open an SSH session.
2. Stop and disable your DHCP software, using the commands below.
• On RedHat:
# service isc-dhcp-server stop
# update-rc.d -f isc-dhcp-server remove

• On CentOS:
# service dhcpd stop
# chkconfig dhcpd off

3. Install the dependency packages using the following commands:

# yum install mod_ssl php php-pdo sudo net-snmp sqlite

4. Install the EfficientIP DHCP package, using the following command:

# rpm -ivh <ipmdhcpxx-y.y.y-redhatx.x86_64.rpm>

5. Make the web services configurable: in the directory /etc/sudoers.d , create the file ipmdhcp
containing the line below.
apache ALL = NOPASSWD: /usr/local/nessy2/script/install_dhcpd_conf.sh, \
/usr/local/nessy2/script/install_dhcpd6_conf.sh

6. Set the users access rights as follows:

# chmod 440 /etc/sudoers.d/ipmdhcp

Note that you can change the password admin of the web service using the command below:
# htpasswd -c /usr/local/nessy2/www/php/cmd/dhcp/.htpasswd admin

If you have not installed the DNS package or are not planning on installing it, you must
now follow the procedure below.

To complete the DHCP package installation on RedHat if the DNS package is not
installed
1. If relevant, open an SSH session.
2. Disable the firewall using the following commands.
a. For RedHat 6:
# service iptables stop
# chkconfig iptables off

381
 Managing DHCP Servers

b. For RedHat 7 and 8:

# service firewalld stop
# chkconfig firewalld off

3. Disable selinux by editing its dedicated line, SELINUX=enforcing, in the file

/etc/selinux/config to match the following:
SELINUX=disabled

4. Reboot the system to take into account the selinux policy changes :
# reboot

5. In the file /etc/sudoers, disable requiretty by making it a comment as follows:

#Defaults requiretty

6. Allow SNMP access to the DHCP statistics. In the file /etc/snmp/snmpd.conf, in the section
entitled Access Control, enter the lines:
master agentx
view systemview included .1.3.6.1.4.1.2440
#You may need to specify another view, AllView or a custom one,
#if you edited the default SNMP configuration.

7. Start the SNMP daemon, using the following command:

# service snmpd start

8. Create a self-signed certificate for Apache, using the following commands:

# cd /etc/httpd
# openssl genrsa -des3 -out server.key 4096
# openssl req -new -key server.key -out server.csr
# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
# openssl rsa -in server.key -out server.key.insecure
# mv server.key server.key.secure
# mv server.key.insecure server.key

9. Configure the web services. In the file /etc/httpd/conf.d/ssl.conf, replace the FULL section
<VirtualHost *:443> with the configuration below.
a. For RedHat 6:
<VirtualHost *:443>
ServerName 127.0.0.1
DocumentRoot /usr/local/nessy2/www/php
<Directory /usr/local/nessy2/www/php>
AllowOverride All
</Directory>

# Please note that the following, from "php_admin_value" to

"site:/usr/local/share/pear",
# represents and must be written on a single line.
php_admin_value include_path
/usr/local/nessy2/www/php/include:/usr/local/nessy2/lib/php:/usr/local/nessy2/www/site:/usr/local/share/pear
php_admin_value file_uploads 1
php_admin_value upload_max_filesize 300000000
php_admin_value post_max_size 300000000
php_admin_value memory_limit 150000000
php_admin_value register_globals 0
php_admin_value short_open_tag 1
php_admin_value safe_mode 0
php_admin_value magic_quotes_gpc 0

382
 Managing DHCP Servers

SSLEngine on
SSLCertificateFile /etc/httpd/server.crt
SSLCertificateKeyFile /etc/httpd/server.key
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM

# Please note that the following, from "SetEnvIf" to "force-response-1.0",

represents and
# must be written on a single line.
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0
force-response-1.0

</VirtualHost>

b. For RedHat 7:
<VirtualHost *:443>
ServerName 127.0.0.1
DocumentRoot /usr/local/nessy2/www/php
<Directory /usr/local/nessy2/www/php>
Require all granted
AllowOverride Authconfig
Options Indexes FollowSymLinks
</Directory>

# Please note that the following, from "php_admin_value" to

"site:/usr/local/share/pear", represents and
# must be written on a single line.
php_admin_value include_path
/usr/local/nessy2/www/php/include:/usr/local/nessy2/lib/php:/usr/local/nessy2/www/site:/usr/local/share/pear
php_admin_value file_uploads 1
php_admin_value upload_max_filesize 300000000
php_admin_value post_max_size 300000000
php_admin_value memory_limit 150000000
php_admin_value register_globals 0
php_admin_value short_open_tag 1
php_admin_value safe_mode 0
php_admin_value magic_quotes_gpc 0

SSLEngine on
SSLCertificateFile /etc/httpd/server.crt
SSLCertificateKeyFile /etc/httpd/server.key
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM

# Please note that the following, from "SetEnvIf" to "force-response-1.0",

represents and
# must be written on a single line.
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0
force-response-1.0

</VirtualHost>

c. For RedHat 8:
<VirtualHost *:443>
ServerName 127.0.0.1
DocumentRoot /usr/local/nessy2/www/php
<Directory /usr/local/nessy2/www/php>
Require all granted
AllowOverride Authconfig
Options Indexes FollowSymLinks
</Directory>

SSLEngine on
SSLCertificateFile /etc/httpd/server.crt

383
 Managing DHCP Servers

SSLCertificateKeyFile /etc/httpd/server.key
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM

# Please note that the following, from "SetEnvIf" to "force-response-1.0",

represents and
# must be written on a single line.
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0
force-response-1.0

</VirtualHost>

10. Restart Apache using the following command line:

# service httpd start

11. Make sure that the ipmdhcp package is running using the following command line:
# service ipmdhcp status

If it is not running, use the following command line:

# service ipmdhcp start

Once the configuration is complete, you can add an EfficientIP Package DHCP server to manage
your ISC server from SOLIDserver GUI. For more details, refer to the procedure in the section
Adding an ISC DHCP Server.

Adding an ISC DHCP Server

Once you successfully installed your EfficientIP DHCP Package on Linux, you can add your ISC
server to the page All servers in the GUI, as an EfficientIP Package, and configure it according
to your needs.

Note that the EfficientIP package is only available for DHCPv4 servers managed with SSL.

To add an ISC DHCP server for a Linux package

1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. In the menu, select Add > Server or Server (v6) > EfficientIP Package. The wizard Add
a DHCP server opens.
3. If custom classes are enabled at server level, in the list DHCP server class select a class
or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
4. Fill in the following fields to set up the basic server configuration:

Table 26.9. DHCP server basic parameters

Field Description
DHCP server name The name of the server, it must have a valid FQDN. This field is required.
Management IP address The IPv4 address of the server you want to manage. This field is required. If you
already configured a resolver for the appliance, you can specify a name and click
on SEARCH , the matching IP address is retrieved from the DNS and displayed.
For more details, refer to the section Setting the DNS Resolver.

384
 Managing DHCP Servers

Field Description
Isolated Tick the box Isolated if you want to isolate the server within SOLIDserver. This
prevents the server, and its content, from executing any configured replication
rule or advanced property. The server still receives data if your network config-
uration allows it.
This field is optional and mainly useful during migrations. When the server con-
figuration is ready and you untick the box, you must manually execute the rules
and/or advanced properties, at all relevant levels of the module hierarchy, via
the menu Tools > Initialize rules.
Description A description, it is returned in the corresponding column on the page All servers.
This field is optional.

5. If you have changed the default SSH password of the appliance embedding the DHCP
server, you must update the enrollment parameters.
a. Tick the box Configure enrollment parameters. The fields Login and Password ap-
pear. By default they both contain admin.
b. Edit the fields to make sure that the SSL credentials match your SSH credentials.
6. If you want to edit the server SNMP parameters, tick the box Configure SNMP monitoring
parameters.
A set of fields appear, configure them to monitor and retrieve the server statistics.

Table 26.10. SNMP monitoring parameters available when you add a server
Field Description
SNMP port The port used to retrieve the server statistics. By default, the port 161 is used. If you
changed the UDP port of your SNMP server, you must use the same port. This field is
required. For more details, refer to the section Configuring the SNMP Server.
Use TCP The network communication protocol, either TCP (ticked) or UDP (unticked). By default,
the box is unticked. You should tick the box to use TCP instead of UDP if the network
link is unreliable. This field is optional.
SNMP profile The SNMP profile used to retrieve the statistics. By default, standard v2c is selected.
This field is optional. The list contains the default profiles (standard v1, standard v2c and
standard v3) and the ones you may have added. Each profile has its own level of security
and enables the definition of a global security policy. For more details, refer to the section
Managing SNMP Profiles.
SNMP retries The number of connection attempts when the server is in timeout, a value between 0 and
5. By default, it is set to 2. This field is required.
SNMP timeout The number of seconds between each connection attempt, either 1, 2, 3, 4, 5, 10 or 30.
By default, it is set to 5. This field is required.

7. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
8. Click on OK to complete the operation. The report opens and closes. The server is listed.

Once the EfficientIP Package server is added, you can manage your ISC server in Linux from
the GUI.

Upgrading EfficientIP DHCP Packages

No matter the package version, to upgrade packages:
1. You must uninstall your current packages.

385
 Managing DHCP Servers

2. You must install the new package following the relevant section:
• Installing an EfficientIP DHCP Package on Debian 8 or Higher.
• Installing an EfficientIP DHCP package on RedHat 6 and Higher.

Synchronizing DHCP Servers

By default, all DHCP physical servers and smart architectures are synchronized periodically.

If you edit a server directly, and not from the GUI, you must manually synchronize it to ensure
all data is up-to-date.

Keep in mind that the column Sync allows to monitor the synchronization. For more details, refer
to the section Understanding the Server Statuses.

To synchronize DHCP servers

1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. Tick the server(s) you want to synchronize.
3. In the menu, select Edit > Synchronize. The wizard Synchronization opens.
4. Click on OK to complete the operation. The report opens and closes. The page reloads.

Editing DHCP Servers

To edit any kind of DHCP server configuration, you need to open its properties page and edit the
relevant panel(s). Before proceeding, note that:
• The panels that do not contain the button EDIT cannot be edited.
• The basic server parameters are detailed in the addition procedure of each kind of physical
server.
• The class configuration of a server can only be changed from the panel Main properties.
• For servers managed via a smart architecture, some parameters can only be edited when you
edit the smart. For instance, on EfficientIP servers managed via a smart, the box Isolated and
the advanced properties parameters are only available when you edit the smart.
• The SNMP protocol is no longer supported as managing protocol for a server, so editing it
automatically changes the management protocol to use SSL instead of SNMP. This op-
eration is non-reversible.
• DHCP servers in version 7.0 are managed through a dedicated service account using a randomly
generated password. Note that:
• A server can be managed by only one appliance. To switch the appliance managing the
server, you need to edit your server and type in your credentials again.
• For servers added in previous versions, after an upgrade to version 7.0, to switch to this new
management system, you need to edit the servers.

If you want to add, edit or delete DHCP options, refer to the next section Configuring DHCP Options
at Server Level.

To edit a DHCP server from its properties page

1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. At the end of the line of the server of your choice, click on . The properties page opens.
3. Open all the panels using .

386
 Managing DHCP Servers

4. In the panel of your choice, click on EDIT . The corresponding wizard opens.
5. Make all the changes you need. For an EfficientIP server, from the panel Main Properties
you can:
a. If you changed the default SSH password of the appliance embedding the DHCP server
or if you want to switch to the new management system, tick the box Configure enroll-
ment parameters. The field "Admin" account password appears.
b. In the field "Admin" account password, replace the value displayed with the relevant
SSH password.
6. Click on NEXT , if need be, until you get to the last page of the wizard.
7. Click on OK to complete the operation. The report opens and closes.

Repairing Leases
An option allows to check for lease inconsistencies between physical servers managed by a
common DHCP smart architecture.

The option Repair leases generates a file to compare the leases of the selected server. If any
error or inconsistency is found, it generates a file leasedb-patch-<smart-name>.tar.gz that you
must concatenate to the lease file of the relevant server.

Before repairing leases, keep in mind that:

• You can only repair DHCPv4 leases.
• You can only repair leases of physical servers managed by a common smart architecture.
They must share a failover channel.
• You must select at least two servers:
• For a One-to-One architecture, you must select both physical servers.
• For a One-to-Many architecture, you must select the master server and at least one backup
server.
• For a Split-Scope architecture, you must select both physical servers.
• You cannot repair the leases of a physical server managed from a Single-Server smart archi-
tecture or managed outside a smart architecture.

To repair the leases of a failover

1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. Select at least two physical servers belonging to the same smart architecture. For more de-
tails, refer to the introduction of the section.
3. In the menu, select Tools > Expert > Repair leases. The wizard Repair lease files
opens.
4. Click on OK to complete the operation. The report opens.
If no inconsistencies are returned, you can close the wizard.
If inconsistencies are returned, you can DOWNLOAD and save the file directly from the wizard.
The file leasedb-patch-<smart-name>.tar.gz is available in the module Administration, on
the page Local files listing. You must concatenate this file to the lease file of the servers.

Configuring DHCP Options at Server Level

You can configure DHCP options at server level, one server at a time. Keep in mind that:

387
 Managing DHCP Servers

• The DHCP options of a server are inherited by the scopes, groups, ranges, leases and/or
statics it manages.
• On Microsoft DHCP servers, encapsulated DHCP options are not supported.
• You can aggregate range or static options on the scopes of a server.

For more details regarding the DHCP options configuration, refer to the chapter Managing DHCP
Options and/or to the appendix DHCP Options.

Editing the DHCP Options of a Server

From the properties page of your EfficientIP servers, you can configure DHCP options.

To edit the DHCP options of a server

1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. At the end of the line of the server of your choice, click on . The properties pages opens.
3. In the upper right corner, click on .
4. In the panel DHCP Options, click on EDIT . The wizard Configure DHCP options opens.
5. For DHCP options, in the drop-down list Option category, you can select a category. The
wizard refreshes and only displays the options of the category. By default, Most Used Option
is selected.
6. For DHCPv6 options, in the drop-down list Option category, you can select a category. The
wizard refreshes and only displays the options of the category. By default, DHCPv6 is selec-
ted.
7. Add, edit or delete the option(s) of your choice, via their input field or drop-down list.
You must empty out input fields or set drop-down lists to Unset to delete options.
For more details, refer to the section Configuring DHCP Options in the chapter Managing
DHCP Options.
8. Click on OK to complete the operation. The report opens and closes. The panel displays the
current configuration.

Aggregating DHCP Options from Ranges or Statics

If you imported an external DHCP configuration and/or a specific DHCP option is configured
across all the ranges or statics of a scope, you can aggregate it, is apply it, on the scope managing
the ranges or statics.

This aggregation automates a homogeneous configuration of DHCP options on each of the

scopes of a specific server. Keep in mind that it:
1. Analyzes the DHCP options configured on the ranges or statics with IP address of a scope.
2. If one DHCP option is configured and has the same value on all the ranges or statics with IP
address of a scope:
a. The DHCP option is applied to the parent scope.
b. The DHCP option is deleted at range or static level, as it is automatically propagated from
the scope down.
3. If one DHCP option is configured on all the ranges or statics with IP address of a scope, but
their value is not the same on all the objects, the option is not aggregated at scope level.

To aggregate range options

1. In the sidebar, go to DHCP > Servers. The page All servers opens.

388
 Managing DHCP Servers

2. Tick the server(s) of your choice.

3. In the menu, select Edit > Aggregate range options. The wizard opens.
4. Click on OK to complete the operation. The report opens and closes.

To aggregate static options

1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. Tick the server(s) of your choice.
3. In the menu, select Edit > Aggregate static options. The wizard opens.
4. Click on OK to complete the operation. The report opens and closes.

Exporting DHCP Servers

From the page All servers, you can export the data listed in a CSV, HTML, XML, XLS or PDF
file.

Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.

Deleting DHCP Servers

You can delete servers to stop managing them from SOLIDserver.

Keep in mind that you cannot delete a physical server if it is managed by a smart architecture.

To delete a DHCP server

1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. Tick the server(s) of your choice.
3. In the menu, click on Delete. The wizard Delete opens.
4. Click on OK to complete the operation. The report opens and closes. The server might be
marked Delayed delete until it is no longer listed.

Defining DHCP Servers as Group Resources

In SOLIDserver, only users of the group admin can manage and edit the items of every module.
Adding servers as resources of a specific group allows the users of that group to manage the
servers in question as long as they have the corresponding rights granted.

Granting access to servers as a resource also grants access to every item they contain. For more
details, refer to the section Adding Resources to a Group in the chapter Managing Groups.

389
Chapter 27. Managing DHCP Shared
Networks
Shared networks allow to make several scopes serve an entire IPv4 or IPv6 network segment
as a single entity. They are part of dynamic addressing organizations.

From the page All shared networks, you can add, edit or delete them.

You can manage DHCP and DHCPv6 shared networks on EfficientIP servers and smart architec-
tures. On Microsoft servers, you can only manage DHCP shared networks.

Browsing Shared Networks

The shared networks are an optional level of the dynamic addressing organization. They can
contain scopes and, only in DHCPv6, prefix delegations.

SHARED
SCOPE RANGE LEASE
NETWORK

SERVER

GROUP STATIC

Figure 27.1. The shared network in the DHCP hierarchy

Browsing the Shared Networks Database

To display the list of shared networks
1. In the sidebar, go to DHCP > Shared networks. The page All shared networks opens.
2. To display or hide the DHCP smart members, on the right-end side of the menu click on .
3. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
4. To display the shared networks of a specific server, in the column Server, click on the
server of your choice. The page refreshes.

To display a shared network properties page

1. In the sidebar, go to DHCP > Shared networks. The page All shared networks opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. At the end of the line of the scope of your choice, click on . The properties pages opens.

Customizing the Display on the Page All Shared Networks

Any user can change the column layout of the page via the button List template, on the right-
end side of the menu. Only users of the group admin can add or edit list templates. For more
details, refer to the section Managing List Templates.

390
 Managing DHCP Shared Networks

All the columns, except Multi-status, are displayed by default, they can be ordered and filtered.
For more details regarding the column Multi-status, refer to the section Understanding the Column
Multi-Status.

Understanding the Shared Network Statuses

The column Status provides information regarding the shared networks you manage.

Table 27.1. Shared network statuses

Status Description
OK The shared network is operational. Both the shared network and the scope(s) it
contains were added to the physical server, whether it belongs to a smart architecture
or not.
Delayed create The creation or update is delayed until the shared network and the scope it contains
are created on the physical server(s) of the smart architecture. The creation is
automatically done after a maximum of 1 minute.
Delayed delete The deletion is delayed until the shared network is deleted from the physical server(s)
of the smart architecture. The deletion is automatically done after a maximum of 1
minute.

Adding DHCP Shared Networks

You can add as many shared networks as you need on the page All shared networks if you want
to make several scopes serve an entire network segment as a single entity. Note that:
• Adding scopes can automatically add shared networks. For more details, refer to the section
Adding DHCP Scopes.
• The page may contain shared networks automatically retrieved from Microsoft servers. Adding
a Microsoft server retrieves its superscopes as shared networks. Note that any server configured
with superscopes before upgrading to this version can also add shared networks. For more
details, refer to the section Managing Microsoft Windows Superscopes.
• Within a server, several shared networks cannot share the same name.
• If you add a shared network to a smart architecture, it is only pushed to the physical server(s)
once it contains at least one scope.

To add a DHCP shared network

1. In the sidebar, go to DHCP > Shared networks. The page All shared networks opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. In the menu, click on Add. The wizard Add a DHCP shared network or Add a DHCPv6
shared network opens.
4. In the list DHCP server, select the DHCP server in which you want to add the shared network.
5. Click on NEXT . The last page opens.
6. In the field Name, name your shared network. The name must not exceed 255 characters.
7. Click on OK to complete the operation. The report opens and closes. The shared network
is listed. It is marked Delayed create before being marked OK.

Editing DHCP Shared Networks

You can edit shared networks from the contextual menu or their properties page. Note that:

391
 Managing DHCP Shared Networks

• You can only rename shared networks.

• Within a server, several shared networks cannot share the same name.
• If you edit a shared network belonging to a smart architecture, the corresponding shared network
in the smart architecture is also edited.

To edit a shared network from its properties page

1. In the sidebar, go to DHCP > Shared networks. The page All shared networks opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. At the end of the line of the shared network of your choice, click on . The properties page
opens.
4. In the panel Main properties, click on EDIT . The wizard Edit a DHCP shared network or
Edit a DHCPv6 shared network opens.
5. The field Name displays the current shared network name, you can edit it. The name must
not exceed 255 characters.
6. Click on OK to complete the operation. The report opens and closes. The changes are listed
in the panel.
Back on the page All shared networks, the shared network is marked Delayed create
before being marked OK.

Exporting Shared Networks

From the page All shared networks, you can export the data listed in a CSV, HTML, XML, XLS
or PDF file.

Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.

Deleting DHCP Shared Networks

You can delete the shared networks you manage. Before deleting a shared network, keep in
mind that:
• You cannot delete a shared network if it contains at least one scope.
• You cannot delete a DHCPv6 shared network if it is associated with at least one prefix deleg-
ation.
• Within Microsoft servers managed outside a smart architecture, a shared network is automat-
ically deleted when the last scope it contains is deleted.
• Within smart architectures, a shared network is automatically deleted when the last scope it
contains is deleted.

To delete a DHCP scope

1. In the sidebar, go to DHCP > Shared networks. The page All shared networks opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. Tick the shared network(s) of your choice.
4. In the menu, click on Delete. The wizard Delete opens.
5. Click on OK to complete the operation. The report opens and closes. The shared network
is no longer listed.

392
Chapter 28. Managing DHCP Scopes
Scopes are used to determine the topology of the network, apply DHCP options for a routable
domain, describe network clients, and indicate the addresses to be allocated to certain clients.
They can be part of dynamic addressing and/or fixed reservation organizations.

In order to use the DHCP service, each terminal network to be served must have a DHCP scope
that matches its IP address and its netmask (size). When a DHCP server serves clients with
local physical networks, the scope is easily assimilated to its broadcast domain. A scope belongs
to a DHCP server and can contain several DHCP ranges.

Browsing DHCP Scopes

The scopes are the second level of the DHCP hierarchy, they are required in a dynamic address-
ing. They are added directly within a DHCP server and can belong to shared networks.

SHARED
NETWORK SCOPE RANGE LEASE

SERVER

GROUP STATIC

Figure 28.1. The scope in the DHCP hierarchy

Browsing the Scopes Database

To display the list of scopes
1. In the sidebar, go to DHCP > Scopes. The page All scopes opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. You can filter the list to display a specific scope. Specify the data you are looking for in the
search engine of the columns Name and/or Address and click on REFRESH to only display
the scope matching your search.
4. To display the scopes of a server, in the column Server, click on the server of your choice.
The page refreshes.
5. To display the scopes of a shared network, in the column Shared network, click on the
name of your choice. The page refreshes.

To display a scope properties page

1. In the sidebar, go to DHCP > Scopes. The page All scopes opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. At the end of the line of the scope of your choice, click on . The properties pages opens.

393
 Managing DHCP Scopes

Customizing the Display on the Page All Scopes

Any user can change the column layout of the page via the button List template, on the right-
end side of the menu. Only users of the group admin can add or edit list templates. For more
details, refer to the section Managing List Templates.

Keep in mind that in IPv6 you can display colored labels above parts of the IP addresses listed.
It allows to differentiate at a glance your containers. For more details, refer to the chapter Managing
IPv6 Labels.

Understanding the Scope Statuses

The column Status provides information regarding the scopes you manage.

Table 28.1. Scope statuses

Status Description
OK The scope is added and active on the physical server(s) and the failover channel.

Delayed create The creation or update is delayed until the scope is created on the physical server(s) of
the smart architecture. The creation is automatically done after a maximum of 1 minute.
Delayed addition Only for Microsoft DHCPv4 servers. The addition is delayed until the scope is associated
(to failover) with the failover channel. Once associated, the scope is disabled by default.

Delayed enable Only for Microsoft DHCPv4 servers. The scope remains disabled until the servers of the
failover channel both receive the information. The scope is then enabled and marked
OK.
Delayed delete The deletion is delayed until the scope is deleted from the physical server(s) of the smart
architecture. The deletion is automatically done after a maximum of 1 minute.

Adding DHCP Scopes

Adding scopes on a DHCP server defines a new extension to the network topology. Thanks to
the scopes, a server is ready to receive a range of dynamic addresses. You can add as many
scopes as you need on the page All scopes. Note that:
• You can also import scopes, for more details refer to the section Importing Scopes in the
chapter Importing Data from a CSV File.
• On Microsoft servers:
• The scopes you add are only active when they contain ranges. Deactivated scopes in Mi-
crosoft DHCP Manager are ignored in the GUI.
• Adding a scope can automatically add a shared network if the server is managed via a smart
architecture.

To add a DHCP scope

1. In the sidebar, go to DHCP > Scopes. The page All scopes opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. In the menu, click on Add. The wizard Add a DHCP scope or Add a DHCPv6 scope
opens.
4. In the list DHCP server, select the DHCP server in which you want to add the scope.
5. Click on NEXT . The next page opens.

394
 Managing DHCP Scopes

6. If custom classes are enabled at scope level, in the list DHCP scope class select a class
or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
7. Click on NEXT . The next page opens.
8. Fill in the following fields to configure the scope parameters:

Table 28.2. DHCP scope configuration parameters

Field Description
Name The name of the scope. This field is required.
Network address The scope address. This field is required.
Netmask The shared physical network. This field is only available for V4, it is required.
Prefix The scope prefix. By default, the prefix is selected depending on the netmask
you chose. The prefix selected edits the value of the field Netmask. This field is
required.
Shared network The shared network of your choice. Type in the first digits of the address or the
first letters of the name of an existing shared network, the auto-completion
provides a list matching your search.
On EfficientIP servers and smart architectures managing EfficientIP or Microsoft
server(s), if you leave the field empty, a shared network is automatically added
and named after the scope start_address/prefix.
Failover Only for a One-to-Many smart architectures, select a failover channel. The list
only returns the failover channels set during the smart architecture configuration
in the field DHCP peering assignment. For more details, refer to the section
DHCPv4 One-to-Many Smart Architecture. This field is optional and by default
set to None. If you do not select any failover, the scope details, and its content,
are never pushed to any of the physical servers managed by the architecture.
DHCP scope space name The IPAM space to associate with the scope. This field is optional.
Advanced properties Default is selected, so only the fields/options included in the wizard default display
are visible. This field is optional.
You can display All available fields, but you may not be able configure them. For
more details, refer to the relevant module section in the chapter Managing Ad-
vanced Properties.

9. Click on OK to complete the operation. The report opens and closes. The scope is listed.

Editing DHCP Scopes

You can edit scopes from the contextual menu or their properties page.

Keep in mind that you cannot edit the field Shared network of a scope if it is the only one belonging
to a shared network associated with a prefix delegation.

To edit a scope from its properties page

1. In the sidebar, go to DHCP > Scopes. The page All scopes opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. At the end of the line of the scope of your choice, click on . The properties page opens.
4. In the panel Main properties, click on EDIT . The wizard Edit a DHCP scope or Edit a DH-
CPv6 scope opens.

395
 Managing DHCP Scopes

5. If custom classes are enabled at scope level, in the list DHCP scope class select a class
or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
6. Edit the Name, Shared network and DHCP scope space name according to your needs.
7. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
8. Click on OK to complete the operation. The report opens and closes. The changes are listed
in the panel.

Configuring DHCP Options at Scope Level

You can configure DHCP options at scope level, individually or in bulk. Keep in mind that:
• The DHCP options of a scope may be inherited from its server.
• The options set at scope level override the options set on at server level.
• All the DHCP options you configure at scope level are inherited by all the ranges, leases and/or
statics it manages.
• You can only edit DHCP options of several scopes at once on DHCPv4 servers.

Note that the DHCP option boot-unknown-clients can be set at scope level.

For more details regarding the DHCP options configuration, refer to the chapter Managing DHCP
Options and/or to the appendix DHCP Options.

Editing the DHCP Options of a Scope

From the properties page of a scope, you can configure DHCP options.

To edit the DHCP options of a scope

1. In the sidebar, go to DHCP > Scopes. The page All scopes opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. At the end of the line of the scope of your choice, click on . The properties pages opens.
4. In the upper right corner, click on .
5. In the panel DHCP options, click on EDIT . The wizard Configure DHCP options opens.
6. For DHCP options, in the drop-down list Option category, you can select a category. The
wizard refreshes and only displays the options of the category. By default, Most Used Option
is selected.
7. For DHCPv6 options, in the drop-down list Option category, you can select a category. The
wizard refreshes and only displays the options of the category. By default, DHCPv6 is selec-
ted.
8. Add, edit or delete the option(s) of your choice, via their input field or drop-down list.
You must empty out input fields or set drop-down lists to Unset to delete options.
For more details, refer to the section Configuring DHCP Options in the chapter Managing
DHCP Options.

396
 Managing DHCP Scopes

9. Click on OK to complete the operation. The report opens and closes. The panel displays the
current configuration.

Performing Option Changes on Several Scopes At Once

From the page All scopes, you can set, replace or delete DHCP options on all the DHCPv4 scopes
you select at once.

To add a DHCP option to one or several scopes

1. In the sidebar, go to DHCP > Scopes. The page All scopes opens.
2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. Tick the scope(s) of your choice.
4. In the menu, select Edit > Option > Add. The wizard Add DHCP scope options opens.
5. In the drop-down list Option name, select an option.
6. In the field Value, specify the option value.
7. Click on OK to complete the operation. The report opens and closes, the page refreshes.
On the scope properties page, the panel DHCP options lists the new DHCP option and its
value.

To edit the value of a DHCP option on one or several scopes

1. In the sidebar, go to DHCP > Scopes. The page All scopes opens.
2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. Tick the scope(s) of your choice.
4. In the menu, select Edit > Option > Replace.The wizard Replace DHCP scope options
opens.
5. In the drop-down list Option name, select the option which value you want to replace.
6. In the field Replace, specify the value you want to edit.
7. In the field By, specify the new option value.
8. Click on OK to complete the operation. The report opens and closes, the page refreshes.
On the scope properties page, the panel DHCP options displays the new value of the DHCP
option.

To remove a DHCP option from one or several scopes

1. In the sidebar, go to DHCP > Scopes. The page All scopes opens.
2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. Tick the scope(s) of your choice.
4. In the menu, select Edit > Option > Delete. The wizard Delete DHCP scope options
opens.
5. In the drop-down list Option name, select an option.
6. In the field Option value filter, type in the option value.
7. Click on OK to complete the operation.The report opens and closes. On the scope properties
page, the panel DHCP options no longer displays the DHCP option.

397
 Managing DHCP Scopes

Defining a Specific IPAM Space for a Scope

You can associate a scope with an IPAM space, either to define a space if you did not when you
added the scope or to set a different one.

Defining a specific space at scope level allows to apply policy rules from the IPAM module to
several addresses and avoid any overlapping of ranges and spreads of reserved addresses.

You can associate scopes with a space one scope at a time or several scopes at once.

To edit the space associated with a scope

1. In the sidebar, go to DHCP > Scopes. The page All scopes opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. At the end of the line of the scope of your choice, click on . The properties pages opens.
4. In the panel Main properties, click on EDIT . The wizard Edit a DHCP scope opens.
5. In the drop-down list DHCP scope space name, select the space of your choice or None
to remove the association.
6. Click on OK to complete the operation. The report opens and closes. The panel displays the
new space name.

To set the space of one or several scopes

1. In the sidebar, go to DHCP > Scopes. The page All scopes opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. Tick the scope(s) you want to edit. The scope(s) can already be associated with a space.
4. In the menu, select Edit > Set > Space. The wizard Edit the scope space opens.
5. In the drop-down list Space, select the space you want to associate with your scope(s) or
None to remove the association.
6. Click on OK to complete the operation. The report opens and closes. The new space is listed
in the column Scope space.

Once a scope is associated with a space, you can execute the DHCP to IPAM replication and
associate scopes with existing networks or add the corresponding network. As you can add
several terminal networks managing the same IP addresses in separate spaces, you can associate
these networks with scopes belonging to distinct DHCP servers.

Defining a Specific Failover Channel for Scopes

You can associate DHCPv4 scopes with a specific failover if they belong to a One-to-Many smart
architecture. For more details regarding failover channels, refer to the chapter Managing DHCP
Failover Channels.

You can associate scopes with a failover channel one scope at a time or several scopes at once.

To edit a failover channel associated with a scope

1. In the sidebar, go to DHCP > Scopes. The page All scopes opens.
2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.

398
 Managing DHCP Scopes

3. At the end of the line of the scope of your choice, click on . The properties pages opens.
4. In the panel Main properties, click on EDIT . The wizard Edit a DHCP scope opens.
5. In the drop-down list Failover, select the failover of your choice or None to remove the as-
sociation.
6. Click on OK to complete the operation. The report opens and closes. The panel displays the
new space name.

To set the failover channel of one or several scopes

1. In the sidebar, go to DHCP > Scopes. The page All scopes opens.
2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. Tick the scope(s) you want to edit. The scope(s) can already be associated with a space.
4. In the menu, select Edit > Set > Failover channel.The wizard Configure DHCP scopes
failover opens.
5. In the drop-down list Failover, select the failover channel you want to associate with the
scope(s) or None to remove the association.
6. Click on OK to complete the operation. The report opens and closes. The new space is listed
in the column Scope space.

Replicating Scope Data in the IPAM

The option IPAM replication allows to decide in which space you want to replicate scope data. If
you want to associate a scope with a space or change the space it is associated with, refer to
the section Defining a Specific IPAM Space for a Scope.

Before replicating your DHCP data into the IPAM, keep in mind that:
• The option IPAM replication behaves as follows:
• If you specify a space that has no matching network, a network is added, it is named like
the scope.
• If you do not specify any space, with the value None, SOLIDserver automatically adds a
network matching the scope in the first space that can receive it.
• The option IPAM replication can only specify a target space for scopes that are not configured
with any space yet.
Either no space was specified when you added it or you set the space of a scope and selected
None, as detailed in the procedure To set the space of one or several scopes.
• The option IPAM replication does not change the associated space, it sets a replication asso-
ciation. If you want to change the target of a scope already associated with a space, you must
edit as detailed in the section Defining a Specific IPAM Space for a Scope.

To replicate scope data in the IPAM

1. Take into account the behavior details of the option.
2. In the sidebar, go to DHCP > Scopes. The page All scopes opens.
3. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
4. Tick the scope(s) of your choice.
5. In the menu, select Edit > IPAM replication. The wizard IPAM replication opens.
6. In the drop-down list Target space, select a space or None.

399
 Managing DHCP Scopes

7. Click on OK to complete the operation. The report opens and closes. The new space is listed
in the column Scope space.

Note that you can also replicate DHCP range and static data to the IPAM. For more details, refer
to the sections Replicating Range Data in the IPAM and Replicating Static Data in the IPAM.

Configuring Multiple Scopes for a Network Segment

You can make several scopes serve an entire network segment as a single entity with shared
networks.

For instance, if you configured multinetting on your network and one DHCP server answers client
requests on a single physical network that has multiple IP networks in use. With a shared network
containing several scopes, the server identifies that a client request was sent from one of the
scopes and that it has many available IP addresses to choose from and assign to the client.

If dynamic DHCP ranges appear within scopes using the same shared network, all ranges of
addresses are offered independently. Once the first range is full, the ranges that are declared
within the same shared network are used one after the other until all addresses are used.

You can set a shared network on one or several IPv4 scopes. In IPv6, you can only set it from
the scopes properties page.

To set the shared network of a DHCP scope

1. In the sidebar, go to DHCP > Scopes. The page All scopes opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. At the end of the line of the scope of your choice, click on . The properties page opens.
4. In the panel Main properties, click on EDIT . The wizard Edit a DHCP scope opens.
5. If you added classes at scope level, in the list DHCP scope class select a class if need be.
6. Click on NEXT . The last page opens.
7. In the field Shared network, specify the shared network of your choice. You can type in the
first digits of the address or the first letters of the name of an existing shared network, the
auto-completion provides a list matching your search.
If you did not set a shared network during the scope addition, the start IP address and the
prefix of the scope you are editing are displayed.
8. Click on OK to complete the operation. The report opens and closes. The changes are listed
in the panel.

To set the shared network of one or several DHCPv4 scopes

1. In the sidebar, go to DHCP > Scopes. The page All scopes opens.
2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. In the menu, select Edit > Set > Shared network. The wizard Configure a shared
network between DHCP scopes opens.
4. You can tick the box Add a shared network using the Address and Prefix to name the
shared network with the IP address and prefix of the scope.
If you tick the box, the field Shared network disappears.

400
 Managing DHCP Scopes

5. In the field Shared network, specify the shared network of your choice. You can type in the
first digits of the address or the first letters of the name of an existing shared network, the
auto-completion provides a list matching your search.
6. Click on OK to complete the operation. The report opens and closes. The changes are listed
in the panel.

Copying or Moving DHCPv4 Scopes

To assist you in the management, scopes can be copied and moved from one server to the other.
In both cases, make sure that the IP addresses they manage is not already managed by another
scope in the target space.

Migrating a scope also migrates the DHCP ranges and statics with IP address it contains. As for
the statics without IP migration, refer to the section Copying DHCPv4 Statics Without IP.

Keep in mind that if your physical server is managed via a smart, only the scope added on the
smart can be copied or moved.

To copy a scope to another server

1. In the sidebar, go to DHCP > Scopes. The page All scopes opens.
2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. Tick the scope(s) you want to duplicate.
4. In the menu, select Edit > Migrate. The wizard Copying/Moving scopes opens.
5. In the drop-down list Method, select Copy.
6. In the drop-down list Target server, select the server or smart architecture of your choice.
7. Click on OK to complete the operation. The report opens and closes. Both scopes are listed
and they share the same name, start address and end address. The duplicate scope is in
Delayed create in the target server.

To move a scope to another server

1. In the sidebar, go to DHCP > Scopes. The page All scopes opens.
2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. Tick the scope(s) you want to duplicate.
4. In the menu, select Edit > Migrate. The wizard Copying/Moving scopes opens.
5. In the drop-down list Method, select Move.
6. In the drop-down list Target server, select the server or smart architecture of your choice.
7. Click on OK to complete the operation. The report opens and closes. The scope is no longer
listed as part of the first server. It now belongs to the selected target server.

Configuring DHCP Relay Agents

Rather than directly connecting the DHCP server to every network segment it serves, it is possible
to configure a DHCP relay agent on each network segment.

Relay agents are configured with a list of one or more DHCP servers, two servers must be con-
figured for the DHCP failover. When a relay agent receives a message from a DHCP client on a
particular network segment, it records the IP address of the interface on which it received the

401
 Managing DHCP Scopes

request in the field GiAddr of the message, and then it forwards the message to the DHCP
server. From there, the server directly responds to the client.

The DHCP relay is a mechanism that allows the transfer of DHCP/BOOTP messages between
clients and servers of different networks. The routers used to interconnect these networks possess
for the most part the functionality of TCP/IP relay agents. To conform to RFC 1542 and deal with
the relay agent, each router must be able to recogne BOOTP and DHCP messages and relay
them in an appropriate manner. A router equipped with the capacities of a BOOTP relay agent
generally relays DHCP packets, as well as all BOOTP packets transmitted on the network.

SOLIDserver supports DHCP relay transparently, if a scope has the same network address as
one of the interfaces of the DHCP server, then it is a local scope. This means that it belongs to
the same broadcast domain as the DHCP server. Otherwise, it is a relay scope.

BOOTP / DHCP relay on Cisco devices (IP helper)

If we consider two DHCP servers, with one on the network 191.24.1.0 and the other one on
110.44.0.0. To allow the IP broadcast from all hosts to be forwarded in unicast toward both
servers, set the configuration below.
interface ethernet1
ip helper-address 191.24.1.45
ip helper-address 110.44.0.125

BOOTP / DHCP relay on Juniper devices (IP helper)

If we consider that a DHCP server is in VLAN 20 with the IP address 20.20.20.2, the DHCP client's
computer is in VLAN 10 and a Juniper switch is configured as DHCP relay and performs inter
VLAN routing between the VLANs 10 and 20, set the configuration below.
set vlans vlan10 vlan-id 10 set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan
members vlan10 set vlans vlan10 l3-interface vlan.10 set interfaces vlan unit 10 family
inet address 10.10.10.1/24 set vlans vlan20 vlan-id 20 set interfaces ge-0/0/1 unit 0
family ethernet-switching vlan members vlan20 set interfaces vlan unit 20 family inet
address 20.20.20.1/24 set vlans vlan20 l3-interface vlan.20 set forwarding-options helpers
bootp server 20.20.20.2 set forwarding-options helpers bootp interface vlan.10

BOOTP / DHCP relay on HP devices (IP helper)

If we consider a DHCP server with the IP address 10.10.20.3 IP and a DHCP client's computer
is in VLAN 40, set the configuration below.
vlan 40 ip helper-address 10.10.20.3

Adding DHCP Scopes from the IPAM

The advanced properties allow to add scopes when you add terminal networks in the IPAM.

The new scope is added in the selected DHCP failover channel and automatically set with the
network Gateway address as value of the option routers. In addition, all the IP addresses you
add within these networks can automatically add statics.

For more details, refer to the chapter Managing Advanced Properties in the section Network
Advanced Properties.

402
 Managing DHCP Scopes

Updating DHCP Scopes from the IPAM

The advanced properties allow to automatically configure or update the option routers on scopes
in the selected DHCP failover channel. The option takes as value the Gateway address of the
terminal network you add in the IPAM.

If the terminal network adds a scope, the option routers is directly set. If the terminal network
matches an existing scope, the option routers is set or updated.

For more details, refer to the chapter Managing Advanced Properties in the section Network
Advanced Properties.

Exporting DHCP Scopes

From the page All scopes, you can export the data listed in a CSV, HTML, XML, XLS or PDF
file.

Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.

Deleting DHCP Scopes

You can delete scopes, this operation restricts the network topology. Note that:
• If you delete a scope, the ranges and leases it contains are also deleted.
• If you delete the last scope belonging to a shared network, the shared network is also deleted.
• You cannot delete a DHCPv6 scope if it is the only one belonging to a shared network associated
with a prefix delegation.

To delete a DHCP scope

1. In the sidebar, go to DHCP > Scopes. The page All scopes opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. Tick the scope(s) of your choice.
4. In the menu, click on Delete. The wizard Delete opens.
5. Click on OK to complete the operation. The report opens and closes. The scope is no longer
listed.

Defining DHCP Scopes as Group Resources

In SOLIDserver, only users of the group admin can manage and edit the items of every module.
Adding scopes as resources of a specific group allows the users of that group to manage the
scopes in question as long as they have the corresponding rights granted.

Granting access to scopes as resources also grants access to every item they contains. For more
details, refer to the section Adding Resources to a Group in the chapter Managing Groups.

403
Chapter 29. Managing DHCP Ranges
DHCP ranges are a contiguous suite of valid IP addresses within a scope and allow to allocate
leases to clients. They are part of dynamic addressing organizations.

EfficientIP DHCP servers manage the statics with IP address like leases. Therefore the statics
added also add a lease whenever the MAC address declared is active on the network, these
leases can belong to your ranges and are listed on the page All leases. If you configured the
IPAM and DNS replication, they also add DNS entries. For more details, refer to the section
Adding DHCPv4 Statics.

Browsing DHCP Ranges

Ranges are the third level of a DHCP dynamic addressing organization. They belong to a scope
and contain the leases.

SHARED
SCOPE RANGE LEASE
NETWORK

SERVER

GROUP STATIC

Figure 29.1. The range in the DHCP hierarchy

Browsing the Ranges Database

To display the list of DHCP ranges
1. In the sidebar, go to DHCP > Ranges. The page All ranges opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. To display the list of ranges of a DHCP scope, in the Scope column, click on the name of
the DHCP scope of your choice. The page refreshes.

To display a DHCP range properties page

1. In the sidebar, go to DHCP > Ranges. The page All ranges opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. At the end of the line of the range of your choice, click on . The properties page opens.

Customizing the Display on the Page All Ranges

Any user can change the column layout of the page via the button List template, on the right-
end side of the menu. Only users of the group admin can add or edit list templates. For more
details, refer to the section Managing List Templates.

Keep in mind that in IPv6 you can display colored labels above parts of the IP addresses listed.
It allows to differentiate at a glance your containers. For more details, refer to the chapter Managing
IPv6 Labels.

404
 Managing DHCP Ranges

Understanding the Range Statuses

The column Status provides information regarding ranges you manage.

Table 29.1. DHCP range statuses

Status Description
OK The range is operational.

Delayed create The creation or update is delayed until the range is created on the physical server(s) of
the smart architecture. The creation is automatically done after a maximum of 1 minute.
Delayed delete The deletion is delayed until the range is deleted from the physical server(s) of the smart
architecture. The deletion is automatically done after a maximum of 1 minute.

Adding DHCP Ranges

The addition of new ranges provides free addresses to DHCP clients. You can add IPv4 or IPv6
ranges from the page All ranges, each range is defined by its first and last address.

Note that you can also import ranges, for more details refer to the section Importing Ranges in
the chapter Importing Data from a CSV File.

Keep in mind that if IPAM to DHCP advanced properties are configured, new ranges may be
added for every pool added in the IPAM. For more details, refer to the relevant section of the
chapter Managing Advanced Properties.

Adding DHCPv4 Ranges

You can add as many DHCPv4 ranges as you need within a scope, as long as they do not
overlap each other.

Note that by default:

• The DHCP range addition wizard provides a page dedicated to configuring Access Control
Lists (ACL) for EfficientIP DHCP servers. Keep in mind that the order of the elements of the
range's ACL list is important as each restriction or permission is reviewed following the
order you set in the list.
• You cannot add a range containing more than 1 million addresses. To edit this limit, refer to
the procedure To edit the registry key that defines the ranges maximum size.

To add a DHCPv4 range

1. In the sidebar, go to DHCP > Ranges. The page All ranges opens.
2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. In the menu, click on Add. The wizard Add a DHCP range opens.
4. In the list DHCP Server, select a server.
5. Click on NEXT . The scope selection page opens.
6. In the list DHCP Scope, select a scope.
7. Click on NEXT . The next page opens.
8. If custom classes are enabled at range level, in the list DHCP range class select a class or
None.
Click on NEXT . The next page opens.

405
 Managing DHCP Ranges

If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
9. Configure the DHCP range parameters following the fields below:

Table 29.2. DHCPv4 range parameters

Field Description
Start address The first address of the range.
End address The last address of the range. If you edit this address, the field Size is automat-
ically updated.
a
Size The number of addresses in the range. If you edit this field, the field End address
is automatically updated.
Advanced properties Default is selected, so only the fields/options included in the wizard default display
are visible. This field is optional.
You can display All available fields, but you may not be able configure them. For
more details, refer to the relevant module section in the chapter Managing Ad-
vanced Properties.
a
Note that you cannot add a DHCP range containing more than a million IP addresses.

10. If you are adding a range on an EfficientIP DHCP server, click on NEXT . The ACLs configur-
ation page opens, depending on the classes configured by your administrator.
You can set the ACL configuration of your choice, using the following fields.
a. In the field Specific ACL, configure ACLs using the table below.

Table 29.3. Specific ACL configuration fields

Field Description
Specific ACL The ACL of your choice. Type in the first letters of the name of an existing ACL,
the auto-completion provides a list matching your search. Select the ACL of your
choice.
Allow This box allows to grant (tick) or deny (do not tick) access to the selected ACL.
The permission you choose edits the content of the field ACL.
ACL This field displays the configuration for the specified ACL: deny members of
"<ACL>" or allow members of "<ACL>". Once the configuration suits your needs
click on . The configuration is moved to the list DHCP range ACL.

b. In the field General ACL, configure ACLs using the table below.

Table 29.4. General ACL configuration fields

Field Description
General ACL The ACL of your choice. Select unknown clients, known clients, all clients or dy-
namic bootp clients.
Allow This box allows to grant (tick) or deny (do not tick) access to the selected ACL.
The permission you choose edits the content of the field ACL.
ACL This field displays the configuration for the specified ACL: deny "<ACL>" or allow
"<ACL>". Once the configuration suits your needs click on . The configuration
is moved to the list DHCP range ACL.

c. In the list DHCP range ACL, all the configured ACLs are listed. To reorder the entries,
select them one by one and click on the arrows to move them up or down .
To delete an ACL, select it and click on .
11. Click on OK to complete the operation. The report opens and closes. The ACLs are listed in
the ACL panel of the range properties page.

406
 Managing DHCP Ranges

If you want to add ranges containing more than a million addresses, you must edit the dedicated
registry database key.

To edit the registry key that defines the ranges maximum size
Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Registry database. The page Registry database opens.
3. Filter the column Name with module.dhcp.range_max_size.
4. Hit Enter. Only this key is listed.
5. In the column Value, click on the value listed. The wizard Registry database Edit a value
opens.
6. In the field Value, specify the value of your choice. The default value is 1000000 IPv4 ad-
dresses. For performance purposes, we strongly advise against setting a value greater than
7000000.
7. Click on OK to complete the operation. The report opens and closes. The page refreshes
and the new value is displayed.

Adding DHCPv6 Ranges

You can add as many DHCPv6 ranges as you need. Note that the ACL configuration in not
available on IPv6 ranges.

To add a DHCPv6 range

1. In the sidebar, go to DHCP > Ranges. The page All ranges opens.
2. On the right-end side of the menu, make sure the button V6 is black, otherwise click on it.
The page refreshes and the button turns black.
3. In the menu, click on Add. The wizard Add a DHCPv6 range opens.
4. In the list DHCP Server, select a server.
5. Click on NEXT . The next page opens.
6. In the list DHCP Scope, select a scope.
7. Click on NEXT . The next page opens.
8. If custom classes are enabled at range level, in the list DHCP range class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
9. Configure the DHCPv6 range following the table below:

Table 29.5. DHCPv6 range parameters

Field Description
Start address The range start address, it edits the content of the field Size. By default, the field
automatically displays the selected scope start address. This field is required.
End address The range end address, it edits the content of the field Size. By default, the field
automatically displays the selected scope end address. This field is required.
Size The number of addresses you want in the range.The number you specify modifies
the range end address.
Advanced properties Default is selected, so only the fields/options included in the wizard default display
are visible. This field is optional.

407
 Managing DHCP Ranges

Field Description
You can display All available fields, but you may not be able configure them. For
more details, refer to the relevant module section in the chapter Managing Ad-
vanced Properties.

10. Click on OK to complete the operation. The report opens and closes. The range is listed.

Editing DHCP Ranges

You can only edit one property of DHCPv4 ranges, their ACL configuration, and resize them.

Editing the Properties of a Range

You can edit the ACLs of DHCPv4 ranges from their properties page. Depending on your rights,
you may also be able to edit their advanced properties.

You cannot edit DHCPv6 ranges. The properties page displays all the available information.

To edit a DHCPv4 range from its properties page

1. In the sidebar, go to DHCP > Ranges. The page All ranges opens.
2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. At the end of the line of the range of your choice, click on . The properties page opens.
4. In the panel Main properties, click on EDIT . The wizard Edit a DHCP range opens.
5. If custom classes are enabled at range level, in the list DHCP Range class select a class
or None.
Click on NEXT . The last page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
6. You cannot edit the range Start address, End address and Size.
7. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
8. Click on NEXT . The page ACL configuration opens.
9. You can configure or edit ACL following the table below.
For more details regarding the ACLs, refer to the section Managing DHCP ACLs.

Table 29.6. ACL configuration options

Field Description
Specific ACL The name of the ACL of your choice, you must select a Restriction for it. Type
in the first letters of the name, the auto-completion allows to find existing ACLs.
General ACL The exceptions of your choice.You can allow or deny access to unknown clients,
known clients, all clients or dynamic bootp clients.
Restriction The restriction applied to the Specific ACL and General ACL, you can allow or
deny access to the ACL at this level.
ACL This field displays each ACL section configuration. It is gray by default because
its content depends on what you configured above. Once your configuration is

408
 Managing DHCP Ranges

Field Description
visible and suits your needs, click on . The configuration is then listed the
DHCP range ACL list.
DHCP range ACL This list sums up all the ACLs configured through the wizard.

10. Click on OK to complete the operation. The report opens and closes. The changes are visible
in the relevant panel.

Resizing Ranges
With DHCPv4, you can resize ranges. Basically, you can edit the ranges start and/or end address
so that they include more or less addresses. This shift in addresses is only possible if the ad-
dresses included or excluded are not already used or part of another range.

So if your range is 192.168.0.10-192.168.0.125 you can decide to resize to 192.168.0.100-

192.168.0.105 indicating a start address shift of "90" and an end address shift of "-20".

To resize a DHCPv4 range

1. In the sidebar, go to DHCP > Ranges. The page All ranges opens.
2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. Tick the range(s) of your choice.
4. In the menu, select Edit > Resize DHCP ranges. The wizard Resize ranges opens.
5. In the field Start address shift, specify the positive or negative shift for the range start ad-
dress that suits your needs. If you type in 0 (zero), the address stays the same.
6. In the field End address shift, specify the positive or negative shift for the range end address
that suits your needs. If you type in 0 (zero), the address stays the same.
7. Click on OK to complete the operation. The report opens and closes. The new range(s) size
is visible.

Replicating Range Data in the IPAM

At range level, the option IPAM replication allows to replicate range data in IPAM pools. Before
replicating your DHCP data in the IPAM, keep in mind that:
• The range data is replicated in pools of the IPAM.
• The option IPAM replication behaves as follows:
• If the range belongs to a scope for which the IPAM replication has been set, its data is rep-
licated as a pool that belongs to the same terminal network.
• If the range belongs to a scope for which no replication has been set, its data is replicated
as a pool in the first terminal network that can receive it.
• You can replicate the range data in the IPAM if:
• No pool exists yet: a read-only pool is added and named DHCP.
• An existing matching the range size already exists. If the pool was not in read-only it is
marked read-only, the pool is renamed DHCP.
• You cannot replicate a range data in the IPAM if an existing pool already manages some of
the IP addresses of the range you selected.

409
 Managing DHCP Ranges

• The option IPAM replication is independent at range level, replicating scopes does not auto-
matically replicates to the ranges they contain. You must select ranges and execute the option
to update the IPAM pools with range data.
For more details regarding scope replication, refer to the section Defining a Specific IPAM
Space for a DHCPv4 Scope.

To replicate range data in the IPAM

1. In the sidebar, go to DHCP > Ranges. The page All ranges opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. Tick the range(s) of your choice.
4. In the menu, select Edit > IPAM replication. The wizard IPAM replication opens.
5. Click on OK to complete the operation. The report opens and closes.
The matching pool is visible on the IPAM page All pools.

Configuring DHCP Options at Range Level

You can configure DHCP options at range level, individually or in bulk. Keep in mind that:
• You can only edit DHCP options at range level on DHCPv4 servers.
• The DHCP options of a range may be inherited from its server or scope.
• The options set at range level override the options set on its container.
• All the DHCP options you configure at range level are inherited by all leases it delivers.
• The DHCP options configuration at range level is not supported on Microsoft DHCP servers.

For more details regarding the DHCP options configuration, refer to the chapter Managing DHCP
Options and/or to the appendix DHCP Options.

Editing the DHCP Options of a Range

From the properties page of a range, you can configure DHCP options.

To edit the DHCP options of a DHCPv4 range

1. In the sidebar, go to DHCP > Ranges. The page All ranges opens.
2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. At the end of the line of the range of your choice, click on . The properties page opens.
4. In the upper right corner, click on .
5. In the panel DHCP Options, click on EDIT . The wizard Configure DHCP options opens.
6. In the drop-down list Option category, you can select a category. The page refreshes and
only displays the options of the category. By default, Most Used Option is selected.
7. Add, edit or delete the option(s) of your choice, via their input field or drop-down list.
You must empty out input fields or set drop-down lists to Unset to delete options.
For more details, refer to the section Configuring DHCP Options in the chapter Managing
DHCP Options.
8. Click on OK to complete the operation. The report opens and closes. The panel displays the
current configuration.

410
 Managing DHCP Ranges

Performing Option Changes on Several Ranges At Once

From the page All ranges, you can set, replace or delete DHCP options on all the ranges you
select at once.

To add a DHCP option to one or several DHCPv4 ranges

1. In the sidebar, go to DHCP > Ranges. The page All ranges opens.
2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. Tick the range(s) of your choice.
4. In the menu, select Edit > Option > Add. The wizard Add DHCP range options opens.
5. In the drop-down list Option name, select an option.
6. In the field Value, specify the relevant value.
7. Click on OK to complete the operation. The report opens and closes, the page refreshes.
On the range properties page, the panel DHCP options lists the new DHCP option and its
value.

To edit the value of a DHCP option on one or several DHCPv4 ranges

1. In the sidebar, go to DHCP > Ranges. The page All ranges opens.
2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. Tick the range(s) of your choice.
4. In the menu, select Edit > Option > Replace. The wizard Replace DHCP range options
opens.
5. In the drop-down list Option name, select the option which value you want to replace.
6. In the field Replace, specify the value you want to change.
7. In the field By, specify the new option value.
8. Click on OK to complete the operation. The report opens and closes, the page refreshes.
On the range properties page, the panel DHCP options displays the new value of the DHCP
option.

To remove a DHCP option from one or several DHCPv4 ranges

1. In the sidebar, go to DHCP > Ranges. The page All ranges opens.
2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. Tick the range(s) of your choice.
4. In the menu, select Edit > Option > Delete. The wizard Delete DHCP range options
opens.
5. In the drop-down list Option name, select an option.
6. In the field Option value filter, type in the option value.
7. Click on OK to complete the operation. The report opens and closes. On the range properties
page, the panel DHCP options no longer displays the DHCP option.

411
 Managing DHCP Ranges

Adding DHCP Ranges from the IPAM

The advanced properties allow to automatically add DHCP ranges when you add pools in the
IPAM. The range is added in the DHCP failover channel you configured at network level.

For more details, refer to the chapter Managing Advanced Properties in the section Pool Advanced
Properties.

Exporting DHCP Ranges

From the page All ranges, you can export the data listed in a CSV, HTML, XML, XLS or PDF file.

Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.

Deleting DHCP Ranges

When a network is no longer used, or whenever you wish, you can delete ranges. The deletion
procedure is identical for IPv4 and IPv6 ranges.

To delete a DHCP range

1. In the sidebar, go to DHCP > Ranges. The page All ranges opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. Tick the range(s) of your choice.
4. In the menu, click on Delete. The wizard Delete opens.
5. Click on OK to complete the operation. The report opens and closes. The range is no longer
listed.

412
Chapter 30. Managing DHCP Leases
Leases correspond to an IP address. They belong to a range, and are therefore part of dynamic
addressing organizations.

Just like its name indicates it, a lease is limited in time. When a client requests an IP address to
a DHCP server, the server delivers an IP address that belongs to the scope that listens to the
network area where the client asked for an address. Which is why it is important to properly set
up the DHCP server.

As each lease allocates an IP address, you can display the corresponding IP address in the
IPAM.

Keep in mind that:

• Managing leases requires a DHCP server containing one scope and one range.
• If the appliance time is incorrect, you cannot retrieve any leases. For more details, refer
to the section Configuring NTP Servers.
• DHCPv4 leases maximum lease time is 24 hours (86400 seconds). By default, the lease time
is of 12 hours (43200 seconds). You can obviously change these parameters either one a
particular lease individually or at the range, scope or server level.
• DHCPv6 leases can only be configured at server or scope level.

EfficientIP DHCP servers manage the statics with IP address like leases. Therefore in IPv4:
• On the DHCP page All leases, all the clients are listed whether they requested access to the
server on parts of the network - defined through your scopes and ranges - or whether they
were identified through their MAC address. For more details, refer to the section Adding DHCPv4
Statics.
• On the IPAM page All addresses, if the IP address leased is also managed in the IPAM, the
columns Type and Status of the IP address reflect its use in the DHCP. For more details, refer
to the section Understanding the IP Address Type and Status.

Browsing DHCP Leases

Leases are the last level of the dynamic addressing hierarchy.

SHARED SCOPE RANGE LEASE

NETWORK

SERVER

GROUP STATIC

Figure 30.1. The lease in the DHCP hierarchy

Browsing the Leases Database

All active leases are listed on the page All leases.

To display the list of active leases

1. In the sidebar, go to DHCP > Leases. The page All leases opens.

413
 Managing DHCP Leases

2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. To display the list of leases of a specific server, in the column Server, click on the name of
the server of your choice. The page refreshes.
4. To display the list of leases of a specific scope, in the column Scope, click on the name of
the scope of your choice. The page refreshes.
5. To display the list of leases of a specific range, in the column Range, click on the name of
the range of your choice. The page refreshes.

To display an active lease properties page

1. In the sidebar, go to DHCP > Leases. The page All leases opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. At the end of the line of the lease of your choice, click on . The properties page opens.

Once leases have expired, are released or are deleted, they are moved to the page Lease
history or Lease history (v6).

Theses pages allow to track the leases delivered by all the DHCP servers you manage, they also
display active leases.

To display and track expired, released and deleted leases

1. In the sidebar, go to DHCP > Leases. The page All leases opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. On the right-end side of the menu, click on DHCP lease history. The page Lease history
opens.
4. To track a specific lease you can filter the list. All columns are detailed in the section Cus-
tomizing the Display on the Pages Lease History and Lease History (v6).

To display an expired, released and deleted lease properties page

1. In the sidebar, go to DHCP > Leases. The page All leases opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. On the right-end side of the menu, click on DHCP lease history. The page Lease history
opens.
4. In the column End, filter the list to exclude currently active leases.
5. At the end of the line of the lease of your choice, click on . The properties page opens.

Note that the pages Lease history and Lease history (v6) are regularly purged, you can edit the
purge frequency. For more details, refer to the section Purging the DHCP Leases History.

Customizing the Display on the Page All Leases

Any user can change the column layout of the page via the button List template, on the right-
end side of the menu. Only users of the group admin can add or edit list templates. For more
details, refer to the section Managing List Templates.

414
 Managing DHCP Leases

The columns on the page allow to display information on all active IPv4 or IPv6 leases, including
specific information:

Table 30.1. Available columns on the page All leases

Column Description
Full MAC address The full MAC address of the lease, a concatenation of its Type and short MAC address.
MAC vendor The name of the network interface vendor of the MAC address
Client identifier Only available on the page V4. The value of the option client-identifier sent by the client
that requested the DHCPv4 lease.
Client DUID Only available on the page V6. The DHCP Unique Identifier (DUID) sent by the client that
requested the DHCPv6 lease. For more details regarding the existing DUID structures,
refer to the section Managing DHCP Statics.
Name The name of the lease as specified on the server, unless you chose to retrieve the option
domain-name sent by the DHCP clients instead. For more details, refer to the section
Using ACLs to Automatically Retrieve the DHCPv4 Lease Option domain-name.
Client name The name of lease sent by the client that requested the lease.
GIADDR The gateway IP address of the relay agent of the lease.
Remote ID Only available on the page V4. The remote identifier provided by the relay agent that re-
ceived the DHCPv4 lease request and sent it to the server.
Circuit ID Only available on the page V4.The circuit identifier provided by the relay agent that received
the DHCPv4 lease request and sent it to the server.
Vendor ID Only available on the page V4. The vendor identifier sent by the client that requested the
DHCPv4 lease.
OS name Only available on the page V4.The OS name and version of the client to which the DHCPv4
lease was allocated. The information is based on SOLIDserver fingerprint database.
Parameter list Only available on the page V4. The list of parameters requested with the DHCPv4 lease
returned by the server, integers separated by a comma.

Keep in mind that in IPv6 you can display colored labels above parts of the IP addresses listed.
It allows to differentiate at a glance your containers. For more details, refer to the chapter Managing
IPv6 Labels.

Customizing the Display on the Pages Lease History and Lease

History (v6)
Any user can change the column layout of the page via the button List template, on the right-
end side of the menu. Only users of the group admin can add or edit list templates. For more
details, refer to the section Managing List Templates.

The columns on the page allow to display detailed information on each IPv4 and IPv6 lease
whether it expired, was released or was deleted:

Table 30.2. The columns available on the pages Lease History and Lease History (v6)
Field Description
IP address The IP address allocated.
MAC address The MAC address of the client that used the lease.
Client DUID Only available on the page V6. The DHCP Unique Identifier (DUID) sent by the client that
requested the DHCPv6 lease. For more details regarding the existing DUID structures,
refer to the section Managing DHCP Statics.
Start The lease allocation start time and date.
End The lease expiration time and date.

415
 Managing DHCP Leases

Field Description
Server The name of the server that delivered the lease.
Client identifier Only available on the page V4. The value of the option client-identifier sent by the client
that requested the DHCPv4 lease.
GIADDR The gateway IP address of the relay agent of the lease.
Remote ID Only available on the page V4. The remote identifier provided by the relay agent that re-
ceived the DHCPv4 lease request and sent it to the server.
Circuit ID Only available on the page V4.The circuit identifier provided by the relay agent that received
the DHCPv4 lease request and sent it to the server.
Period Only available on the page V4. The total lifespan of the DHCPv4 lease.
Name The name of the lease as specified on the server, unless you chose to retrieve the option
domain-name sent by the DHCP clients instead. For more details, refer to the section
Using ACLs to Automatically Retrieve the DHCPv4 Lease Option domain-name.
OS name Only available on the page V4.The OS name and version of the client to which the DHCPv4
lease was allocated. The information is based on SOLIDserver fingerprint database.

Understanding the Lease Statuses

On the page All leases, the column Status provides information regarding the leases you manage.

Table 30.3. Lease statuses

Status Description
OK The lease is operational.

Delayed create The creation or update is delayed until the lease is created on the physical server(s) of
the smart architecture. The creation is automatically done after maximum of 1 minute.
Delayed delete The deletion is delayed until the lease is deleted from the physical server(s) of the smart
architecture. The deletion is automatically done after a maximum of 1 minute.

Defining the DHCP Leases Duration

When a DHCP client requests an IPv4 or an IPv6 address, it may suggest a lease duration in
the DHCPDISCOVER message. If the client requests a particular lease duration, the server
makes sure the requested lease time is within a range specified by the min-lease-time and max-
lease-time parameters. If the requested lease time is not within the specified range, it is set to
the value of min-lease-time if it is too short or to the value of max-lease-time if it is too long. If
the client does not request a specific lease duration, the lease duration specified in the default-
lease-time is used, and the same limits are applied.

EfficientIP DHCP server allows administrators to specify a default lease duration, a minimum
lease duration, and a maximum lease duration as defined below:
• default-lease-time specifies the duration of the lease that the DHCP server assigns if the client
requesting the lease does not ask for a specific expiration time.
• minimum-lease-time duration is used to force the DHCP client to take a longer lease than
the lease duration that it requests.
• maximum lease-time duration is used to define the longest lease that the DHCP server can
allocate. If a DHCP client asks for a longer lease than the maximum lease duration, then the
server limits the lease to the maximum lease duration.
Note that the maximum lease times does not apply to dynamic BOOTP leases. These
leases are not specified by the client and can exceed the maximum lease time configured.

416
 Managing DHCP Leases

You can set up the lease duration at server, scope, range, group and static level in IPv4 and
at server and scope level in IPv6.You can also configure a DHCP class to set the lease duration.

DHCP lease duration is a topic of discussion among network administrators. Some use a lease
time of 6 months, some use lease time of 5 minutes. The right lease duration depends on each
network's context. Default lease duration on EfficientIP DHCP server is 12 hours.You can change
this default according to your requirements and set leases time at different levels, based on dif-
ferent factors. You can set a default lease time at the server, scope, range, group, DHCP class,
or static level of the EfficientIP DHCP organization.

To configure the DHCPv4 leases duration

1. In the sidebar, go to DHCP > Servers, Groups, Scopes, Ranges or Statics depending
on your needs. The page opens.
2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. At the end of the line of the object of your choice, click on . The properties page opens.
4. In the panel DHCP options, click on EDIT . The wizard Configure DHCP options opens.
5. In the field Default lease time, you can set a default lease time in seconds. The lease time
is respected unless the client specifies another one when requesting a lease.
6. In the field Max lease time, you can set the maximum lease time in seconds.
7. In the field Min lease time, you can set the minimum lease time in seconds.
8. Click on OK to complete the operation. The report opens and closes. The edited information
is now listed in the panel.

To configure the DHCPv6 leases duration

1. In the sidebar, go to DHCP > Servers, Scopes or Statics depending on your needs. The
page opens.
2. On the right-end side of the menu, make sure the button V6 is black, otherwise click on it.
The page refreshes and the button turns black.
3. At the end of the line of the object of your choice, click on . The properties page opens.
4. In the panel DHCP options, click on EDIT . The wizard Configure DHCP options opens.
5. In the field Default lease time, you can set a default lease time in seconds. The lease time
is respected unless the client specifies another one when requesting a lease.
6. In the field Max lease time, you can set the maximum lease time in seconds.
7. In the field Min lease time, you can set the minimum lease time in seconds.
8. Click on OK to complete the operation. The report opens and closes. The edited information
is now listed in the panel.

Converting DHCPv4 Leases into Statics

SOLIDserver allows you to convert leases to static reservations in order to register a MAC address
in one or several DHCP servers. No matter how you distributed the leases among servers, the
moment you convert a lease into a static, all the servers on the failover are notified and can grant
the MAC address the DHCP options you configured.

It is not possible to convert an IPv6 lease into a static but you can add IPv6 statics.

When you convert a lease to static, a static reservation is added with the same name as the
lease. This reservation can have an IP address or not:

417
 Managing DHCP Leases

• Converting into a static without IP address: the MAC address of the lease now connects
to the first available IP address on the network - no matter the server, scope or range managing
it. The purpose of the conversion is to configure DHCP options for the static reservation that
applies to the MAC address whenever it connects to the network.
• Converting into a static with IP address: the MAC address of the lease always connects to
the same IP address. The purpose of this conversion is to configure the same specific DHCP
options for a specific MAC address, or client, whenever they connect to the part of the network
that manages their IP address.

To convert an IPv4 lease into a static

1. In the sidebar, go to DHCP > Leases. The page All leases opens.
2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. Filter the list to find the lease(s) you want to convert.
4. Tick the lease(s) to be converted.
5. To convert a lease into a static without IP address, in the menu select Edit > Convert
to static > Without IP address. The wizard Convert lease to static without IP address
opens.
6. To convert a lease into a static with IP address, in the menu, select Edit > Convert to
static > With IP address. The wizard Convert DHCP lease to DHCP static opens.
7. Click on OK to complete the operation. The report opens and closes.
The converted IP addresses are no longer listed on the page All leases. They are now on
the page All statics, accessible via the breadcrumb.

Blacklisting DHCPv4 Leases

Once delivered, you can blacklist a DHCPv4 lease. This converts the lease into a static without
IP. From that point on, the client MAC address cannot access to the DHCP servers or the failover
channel and therefore can no longer be delivered a lease.

Once a lease is blacklisted, the corresponding static without IP is immediately added. The client
MAC address is saved in the DHCP server configuration as blacklist-<MAC_address> to ensure
that any lease request is denied. This static is automatically configured with a set of ACL restric-
tions that prevent the connection to the server and its failover. In the meantime, the lease remains
valid until it expires, the next client request for renewal is denied. Once the lease duration is up,
the client MAC address is disconnected and unable to connect again.
1
EfficientIP DHCP servers manage the statics with IP address like leases . The static reservations
add leases, identified via their MAC address, that you can also blacklist: a static without IP address
automatically replaces the static with IP address you blacklisted.

To blacklist a DHCPv4 lease

1. In the sidebar, go to DHCP > Leases. The page All leases opens.
2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. Tick the lease(s) you want to blacklist.

1
For more details, refer to the section Adding DHCPv4 Statics.

418
 Managing DHCP Leases

4. In the menu, select Edit > Blacklist lease. The report opens and closes. The lease is
still visible on the page All leases and disappears once it has expired. On the page All
statics, every blacklisted MAC address as the following Name: blacklist.

Repairing DHCPv4 Leases at Server Level

If you manage servers from a smart architecture, you can repair DHCPv4 leases at server level.

An option on the page All servers allows to look for lease inconsistencies on the physical servers
of a smart architecture. For more details, refer to the section Repairing Leases in the chapter
Managing DHCP Servers.

Displaying the Relay Agent Information (Option 82)

DHCPv4 option 82 is the DHCP Relay Agent Information option. The DHCP relay agent and
option 82 are defined in RFC 3046. Option 82 was designed to allow a DHCP relay agent to insert
circuit specific information into the request forwarded to a DHCP server.

This information is only available on EfficientIP DHCP servers, it is not available for the
other vendors.

The option relies on the sub-options Circuit ID, Remote ID and GIADDR:
• The Circuit ID generally contains information describing the port location that the DHCP request
is coming in from. It may contain additional information that helps describe which IP address
should be assigned, like a VLAN ID, wireless modem or ATM virtual circuit.
This value must be unique for a particular switch or router that is providing the Relay Agent
function. The value must also stay the same if modules are installed or removed in the Switch
or Router that implements the Relay Agent. Therefore, having subfields representing the
Module, Slot and Port is highly recommended.
• The Remote ID is intended to carry information describing the device at the remote end of the
link. However, in Ethernet systems, this is typically the MAC address of the Relay Agent. This
is not particularly useful since the MAC address would change if the Relay Agent was ever
replaced. Building a DHCP server database using the MAC address of the Relay Agent would
require that the table be rebuilt every time one of the Relay Agents was replaced. Some vendors
have modified this field to use the IP address of the Relay Agent or some other string describing
the Relay Agent.
This field must be unique to the entire network.
• The GIADDR (or Gateway IP Address) is part of the normal DHCP message. It contains the
IP address of the Relay Agent.
Since IP addresses must be unique, this field is unique for the entire network.

By combining the GIADDR and the Circuit ID, a network wide unique string can be added. This
string can be used for table lookup in the DHCP server. We call this string a pseudo MAC address,
as most DHCP servers establish a MAC to IP address mapping in their databases.

In its default configuration, the DHCP Relay Agent Information option passes along port and
agent information to SOLIDserver DHCP server. It is useful in statistical analysis for instance, as
it indicates where an assigned IP address physically connects to the network. It may also be
used to make DHCP decisions based on where the request is coming from or even which user
is making the request. For more details regarding its implementation, refer to the chapter Managing
DHCP Options.

419
 Managing DHCP Leases

Note that the pages All leases and Lease history allow to display, sort and filter the Circuit ID,
Remote ID and GIADDR information in dedicated columns. For more details on how to add or
display customized list templates, refer to the section Managing List Templates.

The Relay Agent Information in DHCPv6

DHCPv6 does not support the client ID, circuit ID and remote ID. Therefore, it is impossible to
retrieve these pieces of information separately, much less display them in a list template on the
page All leases. This information might be delivered by the agent in DHCPv6 but the appliance
does not retrieve it at server level.

The equivalent of the option 82 relay agent would be the DHCPv6 option 9 (relay message option)
and the option 47 (relay data option).

Adding IP Addresses from the Page All leases

The advanced properties allow to configure every new lease to automatically add an IP address.

The new IP address shares the same address, MAC address and name as the new lease.

This property must be set at server level. For more details, refer to the chapter Managing Advanced
Properties in the section Configuring DHCP Advanced Properties.

Adding DNS Records from the Page All leases

The advanced properties allow to configure every new lease to automatically add an A record in
the DNS.

Note that all DHCP to DNS properties rely on the IPAM and can only be configured if you set
DHCP to IPAM and IPAM to DNS advanced properties.

To configure DHCP to IPAM advanced properties, refer to the chapter Managing Advanced
Properties in the section Configuring DHCP Advanced Properties.

Exporting DHCP Leases

From the page All leases, you can export the data listed in a CSV, HTML, XML, XLS or PDF file.

Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.

Purging the DHCP Leases History

By default, the leases on the pages Lease history and Lease history (v6) are purged after 60
days. All the leases that expired, were released or were deleted more than 60 days ago are
erased.

Two rules are dedicated to this purge, one in DHCPv4 and the other in DHCPv6, you can change
their frequency.

Editing the DHCP Leases Purge Frequency

The purge frequency of the leases of the page Lease history are defined by the rule 012.

420
 Managing DHCP Leases

By default, it erases all leases older than 60 days, you can change this frequency.

To edit the rule 012 that sets the automatic purge frequency of DHCPv4 leases
Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Rules. The page Rules opens.
3. In the column Rule # search field, type in 012. The rule Purge DHCP leases history is listed.
4. In the column Instance, click on auto_purge_histo_dhcplease. The rule properties page
opens.
5. In the panel Main properties, click on EDIT . The wizard Edit a rule opens.
6. Click on NEXT . The page Rule filters appears.
7. Configure the purge according to your needs.

Table 30.4. Rule filters parameters

Field Description
Day(s) of the week A day, a frequency or a period of days. By default, every day is selected. This field is
optional.
Date of the month A specific day of the month or every day. By default, every day is selected. This field
is optional.
Month A specific month or every month. By default, every month is selected. This field is
optional.
Hour A specific hour, a set of hours, every hour, or every hour over a specific period. The
hour respects the UTC standard. By default, 23 is selected. This field is optional.
Minute A moment of the hour (00, 15, 30 or 45) or a frequency. The minute respects the UTC
standard. By default, 15 is selected. This field is optional.

8. Click on NEXT . The Rule parameters appears.

9. In the field Number of days, specify the number of days beyond which an expired lease
should be removed from the logs. By default, the value is 60.
10. Click on OK to complete the operation. The report open and closes.

Editing the DHCPv6 Leases Purge Frequency

The purge frequency of the leases of the page Lease history (v6) are defined by the rule 384.

By default, it erases all leases older than 60 days, you can change this frequency.

To edit the rule 384 that sets the automatic purge frequency of DHCPv6 leases
Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Rules. The page Rules opens.
3. In the column Rule # search field, type in 384. The rule Purge DHCPv6 leases history is
listed.
4. In the column Instance, click on auto_purge_histo_dhcplease6. The rule properties page
opens.
5. In the panel Main properties, click on EDIT . The wizard Edit a rule opens.
6. Click on NEXT . The page Rule filters appears.
7. Configure the purge according to your needs.

421
 Managing DHCP Leases

Table 30.5. Rule filters parameters

Field Description
Day(s) of the week A day, a frequency or a period of days. By default, every day is selected. This field is
optional.
Date of the month A specific day of the month or every day. By default, every day is selected. This field
is optional.
Month A specific month or every month. By default, every month is selected. This field is
optional.
Hour A specific hour, a set of hours, every hour, or every hour over a specific period. The
hour respects the UTC standard. By default, 23 is selected. This field is optional.
Minute A moment of the hour (00, 15, 30 or 45) or a frequency. The minute respects the UTC
standard. By default, 15 is selected. This field is optional.

8. Click on NEXT . The page Rule parameters appears.

9. In the field Number of days, specify the number of days beyond which an expired lease
should be removed from the logs. By default, the value is 60 days.
10. Click on OK to complete the operation. The report open and closes.

Deleting DHCPv4 Leases

You can delete DHCPv4 leases from the page All leases. In case of ranges overloading, deleting
lease helps to free the database is critical cases. This operation asks the DHCP server to simulate
a DHCP release.

Keep in mind that:

• You cannot delete DHCPv6 leases from the page All leases.
• At range level, releasing leases should not be done on a daily basis to resolve a lack of
free space. In this case, it is best to extend the range capacity as soon as possible, for more
details refer to the section Resizing Ranges.
• A lease deletion can create IP addresses overlapping. Before proceeding with the lease
deletion, make sure that the impacted DHCP client is not liable to connect to the network where
the addresses were deleted.

To delete a DHCPv4 lease

1. In the sidebar, go to DHCP > Leases. The page All leases opens.
2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. Filter the list to find the lease(s) of your choice.
4. Tick the lease(s) of your choice.
5. In the menu, click on Delete. The wizard Delete opens.
6. Click on OK to complete the operation. The report opens and closes. The selected leases
are no longer listed.

422
Chapter 31. Managing DHCP ACLs and
ACL Entries
In standard DHCP configurations, a client requests an IP address and the server offers in response
an IP address belonging to a range associated with the network segment of that client.

Within DHCP organizations, you can use Access Control Lists (ACLs) to tailor your dynamic
addressing configuration, set at server level. ACLs allow to identify clients and decide which
addresses to allocate them based on more than their location.

DHCP clients become members of an ACL when their request matches the ACL content, may
that be a rule or an ACL entry.

The ACL is a succession of checks that ultimately make sure that all the parameters you want
or refuse from your DHCP clients toward the DHCP server or smart architecture of your choice
are respected.

Note that one ACL can be used several times to set the access permissions to an object. For
instance, you can control the access to leases or restrict IP address allocation to unknown DHCP
clients. Using ACLs, one network can dynamically allocate known clients with IP addresses from
a particular segment and allocate addresses from another segment to unknown clients.

Keep in mind that:

• ACLs are only supported on EfficientIP DHCP and EfficientIP DHCP package servers.
• Microsoft Windows servers do not support ACLs.
• Some operations are only available in DHCPv4.
• You can configure ACLs at range level when you add or edit them. For more details, refer to
the chapter Managing DHCP Ranges.

To restrict access to your dynamic addressing organization using ACLs, refer to the section
Managing DHCP ACLs.

To customize ACLs using ACL entries, refer to the section Managing DHCP ACL Entries.

423
 Managing DHCP ACLs and ACL
Entries

Managing DHCP ACLs

At server level, from the page All ACLs, you can add, edit, copy or delete ACLs.

Browsing DHCP ACLs

ACLs are at the lowest level of the DHCP dynamic addressing hierarchy, they can belong to a
server or a range.

SHARED
NETWORK SCOPE RANGE LEASE

SERVER ACL

ACL GROUP STATIC

Figure 31.1. The ACL in the DHCP hierarchy

The page All ACLs is accessible from any page in the DHCP, in the breadcrumb, it is part of the
additional pages right of All servers.

Browsing the ACL Database

To display the list of DHCP ACLs
1. In the sidebar, click on DHCP > Servers. The page All servers opens.
2. In the breadcrumb on the right of All servers, click on to display additional pages.
3. Click on All ACLs. The page opens.

All the columns are displayed by default, you can filter and sort them but you cannot change their
order.

To display a DHCP ACL properties page

1. In the sidebar, click on DHCP > Servers. The page All servers opens.
2. In the breadcrumb on the right of All servers, click on to display additional pages.
3. Click on All ACLs. The page opens.
4. At the end of the line of the ACL of your choice, click on . The properties page opens.

On the properties page, the panels Main properties and DHCP options are available.

Understanding the ACL Statuses

On the page All ACLs, the column Status provides information regarding the ACLs you manage.

Table 31.1. DHCP ACL statuses

Status Description
OK The ACL is operational, whether it belongs to a smart architecture or not.

Delayed create The creation or update is delayed until the ACL is created on the physical server(s) of the
smart architecture. The creation is automatically done after a maximum of 1 minute.
Delayed delete The deletion is delayed until the ACL is deleted from the physical server(s) of the smart
architecture. The deletion is automatically done after a maximum of 1 minute.

424
 Managing DHCP ACLs and ACL
Entries

Adding DHCP ACLs

From the page All ACLs you can add ACLs that grant or deny access. Each ACL is associated
with a specific DHCP server or smart architecture. To associate an ACL with another server, you
can copy it.

You can use predefined ACLs available upon addition if you want to apply specific behaviors, or
simply reuse the syntax and configure a custom-made ACL. Among them, only the MAC address
checks a list of data rather than parameters.

To add an ACL
1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. In the breadcrumb on the right of All servers, click on to display additional pages.
3. Click on All ACLs. The page refreshes.
4. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
5. In the menu, click on Add. The wizard opens.
6. In the list DHCP server, select one of your DHCP servers.
7. Click on NEXT . The next page opens.
8. In field ACL name, name the ACL.
9. In the drop-down list Predefined ACL, you can select one of the available ACLs. The ACL
syntax is displayed in the field Match expression and can be edited. By default, None is
selected.
10. In the field Match expression, type in or edit the syntax if need be.
11. Click on OK to complete the operation. The report opens and closes. The ACL is listed.

Once you added the ACL, you can configure it with ACL entries. For more details, refer to the
section Managing DHCP ACL Entries.

Granting Access to Known Clients

You can configure an ACL that only provides dynamic addressing to known clients, to do so you
need to:
1. Declare static reservations for these clients via client-identifier or MAC address, without spe-
cifying any IP address for them.
2. Configure the DHCP server not to provide IP addresses to unknown clients, in order to limit
access to DHCP clients for which static reservations exist.
3. Apply this mechanism via the ACL Allow Known Client on the relevant DHCP ranges.

To grant DHCP access only to known clients

1. Make sure your static reservation and DHCP server are properly set.
2. In the sidebar, go to DHCP > Ranges. The page All ranges opens.
3. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
4. At the end of the line of the range of your choice, click on . The properties page opens.
5. In the panel ACL, click on EDIT . The wizard Edit a DHCP range or Edit a DHCPv6 range
opens.
6. Click on NEXT to skip the range main information. The next page opens.

425
 Managing DHCP ACLs and ACL
Entries

7. In the section Specific ACL, do not edit anything.

8. In the section General ACL, in the drop-down list select known clients.
a. In the drop-down list Restriction, select allow. The field ACL displays allow known cli-
ents.
b. Click on . The list DHCP range ACL displays allow known clients.
9. Click on OK to complete the operation. The report opens and closes. The changes are visible
in the panel ACL.

Editing DHCP ACLs

From the page All ACLs you can edit existing ACLs. For instance, if you used the MAC address
ACL or an ACL comparing a list of information, you can define an ACL entry to set up the corres-
ponding parameters, and make sure that the access list is granted or denied only to the MAC
address of your choice.

Keep in mind that you cannot rename an ACL.

To edit an ACL from its properties page

1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. In the breadcrumb on the right of All servers, click on to display additional pages.
3. Click on All ACLs. The page refreshes.
4. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
5. At the end of the line of the ACL of your choice, click on . The properties page opens.
6. In the panel Main properties, click on EDIT . The wizard opens.
7. Edit the fields Predefined ACL and Match expression according to your needs.
8. Click on OK to complete the operation. The report opens and closes.

Copying DHCPv4 ACLs

From the page All ACLs you can copy ACLs, and their ACL entries, from one server to the other.
Keep in mind that:
• Once copied, you still have to assign each new ACL in the target server to use it.
• If the ACL is used in a range, it is not copied in any range of the target server. Once copied in
another server, you still have to manually assign it to a range.
• You can only copy ACLs in DHCPv4.
• If your physical server is managed via a smart, only the ACL added on the smart can be duplic-
ated.

To copy an ACL
1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. In the breadcrumb on the right of All servers, click on to display additional pages.
3. Click on All ACLs. The page refreshes.
4. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
5. Tick the ACL(s) of your choice.
6. In the menu, select Edit > Migrate. The wizard Copying ACLs (v4) opens.

426
 Managing DHCP ACLs and ACL
Entries

7. In the drop-down list Target server, select the server or smart architecture of your choice.
8. Click on OK to complete the operation. The report opens and closes. The copied ACLs are
listed, you may need to unset filters to display them.

If you copy an ACL to a smart architecture that manages physical servers, it is copied to the
smart and then pushed to the physical servers. The ACL remains in Delayed create until it is
successfully pushed.

Using ACLs to Automatically Retrieve the DHCPv4 Lease Option

domain-name
You can automatically retrieve the DHCPv4 option domain-name, communicated by DHCP clients
receiving a lease from the DHCP servers you manage. This configuration allows to ensure that,
for specific domain names, the lease information always has precedence over any configuration
that may have been set and inherited from the range, scope or server.

Once your configuration is set, on the page All leases, the value of the option domain-name is
displayed in the column Name (DHCP lease name).

To configure this retrieval behavior you must:

1. Enable the dedicated registry database entry.
2. Add and configure an ACL with the name of the domain of your choice as value of the DHCP
option domain-name.

When your configuration is complete, any request matching the ACL you added sets the domain-
name you configured to the lease and automatically overwrites any inherited value.

Note that if your DHCP objects are set with advanced properties to update the IPAM and DNS
databases, the domain name you configure is sent to the IPAM and potentially the DNS as well.
For more details, refer to the chapter Managing Advanced Properties.

To configure an automatic retrieval of the option domain-name from Leases

1. Enable the registry database entry
Only users of the group admin can perform this operation.
a. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
b. In the section Expert, click on Registry database. The page Registry database opens.
c. Filter the column Name with module.dhcp.get_domain_name_from_lease.
d. Hit Enter. Only this key is listed.
e. In the column Value, click on the value listed. The wizard Registry database Edit a
value opens.
f. In the field Value, type in 1 or 0. The key value is set to 0 by default, it is disabled.
g. Click on OK to complete the operation.The report opens and closes.The page refreshes
and the new value is displayed.
2. Add an ACL
a. In the sidebar, go to DHCP > Servers. The page All servers opens.
b. In the breadcrumb on the right of All servers, click on to display additional pages.
c. Click on All ACLs. The page refreshes.

427
 Managing DHCP ACLs and ACL
Entries

d. On the right-end side of the menu, make sure the button V4 is black, otherwise click on
it. The page refreshes and the button turns black.
e. In the menu, click on Add. The wizard opens.
f. In the list DHCP server, select one of your DHCP servers.
g. Click on NEXT . The next opens.
h. In field ACL name, specify the name of the ACL.
i. In the drop-down list Predefined ACL, select None.
j. In the field Match expression, specify the match of your choice.
k. Click on OK to complete the operation. The report opens and closes. The ACL is listed.
3. Configure the ACL with the option domain-name
a. At the end of the line of the ACL you just added, click on . The properties page opens.
b. In the panel DHCP options, click on EDIT . The wizard Configure DHCP options opens.
c. In the field Domain name (15), specify the name of the domain of your choice.
d. Click on OK to complete the operation. The report opens and closes. The DHCP option
is listed.

Exporting DHCP ACLs

From the page All ACLs, you can export the data listed in a CSV, HTML, XML, XLS or PDF file.

Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.

Deleting DHCP ACLs

From the page All ACLs you can delete ACLs. Keep in mind that:
• Deleting an ACL also deletes the ACL entries it contains.
• You cannot delete an ACL from a physical server managed via a smart architecture. You have
to delete it from the smart architecture.
• When you delete an ACL from a smart architecture managing physical servers, it is first removed
from the architecture and then from the physical servers.

To delete an ACL
1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. In the breadcrumb on the right of All servers, click on to display additional pages.
3. Click on All ACLs. The page refreshes.
4. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
5. Tick the ACL(s) of your choice.
6. In the menu, click on Delete. The wizard Delete opens.
7. Click on OK to complete the operation. The report opens and closes. The ACL is no longer
listed.
If you selected an ACL that belongs to a smart architecture managing physical servers, it
remains in Delayed delete until it is successfully removed from the architecture and the
server(s).

428
 Managing DHCP ACLs and ACL
Entries

Managing DHCP ACL Entries

ACL entries belong to ACLs. They define the ACL rules.

You can only add or delete ACL entries, you cannot edit them.

Browsing DHCP ACL Entries

The page ACL Entries is only accessible from the page All ACLs.

Browsing the ACL Entries Database

To display the list of DHCP ACL entries
1. In the sidebar, click on DHCP > Servers. The page All servers opens.
2. In the breadcrumb on the right of All servers, click on to display additional pages.
3. Click on All ACLs. The page opens.
4. In the breadcrumb, click on ACL Entries. The page opens.

All the columns are displayed by default, you can filter and sort them but you cannot change their
order.

To display a DHCP ACL entry properties page

1. In the sidebar, click on DHCP > Servers. The page All servers opens.
2. In the breadcrumb on the right of All servers, click on to display additional pages.
3. Click on All ACLs. The page opens.
4. In the breadcrumb, click on ACL Entries. The page opens.
5. At the end of the line of the ACL entry of your choice, click on . The properties page opens.

On the properties page, the panels Main properties and DHCP options are available.

Understanding the ACL Entries Statuses

On the page ACL Entries, the column Status provides information regarding the ACL entries you
manage.

Table 31.2. DHCP ACL entries statuses

Status Description
OK The ACL entry is operational, whether it belongs to a smart architecture or not.

Delayed create The creation or update is delayed until the ACL entry is created on the physical server(s)
of the smart architecture. The creation is automatically done after a maximum of 1 minute.
Delayed delete The deletion is delayed until the ACL entry is deleted from the physical server(s) of the
smart architecture. The deletion is automatically done after a maximum of 1 minute.

429
 Managing DHCP ACLs and ACL
Entries

Adding DHCP ACL Entries

Once you added an ACL, you can add ACL entries to define the rule that governs the ACL.

To add an ACL entry

1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. In the breadcrumb on the right of All servers, click on to display additional pages.
3. Click on All ACLs. The page refreshes.
4. In the breadcrumb, click on ACL Entries. The page ACL Entries opens.
5. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
6. In the menu, click on Add. The wizard opens.
7. In the list DHCP server, select one of your DHCP servers.
8. Click on NEXT . The next page opens.
9. In the list DHCP ACL, select the ACL of your choice.
10. Click on NEXT . The last page opens.
11. In the drop-down list Entry type, select either Hexadecimal or Text.
12. In the field ACL Entry, specify the value of your choice.
If you selected Hexadecimal, specify your condition following the MAC format of two hexa-
decimal characters separated by a semi-colon.
If you selected Text, specify the matching MAC address.
13. Click on OK to complete the operation. The report opens and closes. The entry is listed, it
is named after the server it belongs to, its Value is the one you specified in the field ACL
entry.

Exporting DHCP ACL Entries

From the page ACL Entries, you can export the data listed in a CSV, HTML, XML, XLS or PDF
file.

Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.

Deleting DHCP ACL Entries

From the page ACL Entries you can delete ACL entries. Keep in mind that:
• Deleting an ACL also deletes the ACL entries it contains.
• You cannot delete an ACL entry from a physical server managed via a smart architecture. You
have to delete it from the smart architecture.
• When you delete an ACL entry from a smart architecture managing physical servers, it is first
removed from the architecture and then from the physical servers.

To delete an ACL entry

1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. In the breadcrumb on the right of All servers, click on to display additional pages.
3. Click on All ACLs. The page refreshes.
4. In the breadcrumb, click on ACL Entries. The page ACL Entries opens.

430
 Managing DHCP ACLs and ACL
Entries

5. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
6. Tick the ACL entry of your choice, you can tick several.
7. In the menu, click on Delete. The wizard Delete opens.
8. Click on OK to complete the operation. The report opens and closes. The ACL entry is no
longer listed.
If you selected an ACL entry that belongs to a smart architecture managing physical servers,
it remains in Delayed delete until it is successfully removed from the architecture and the
server(s).

431
Chapter 32. Managing DHCP Groups
DHCP groups allow to configure specific parameters and DHCP options for the DHCPv4 or DH-
CPv6 statics they contain.They constitute an optional level within fixed reservation organizations.

They can manage statics with or without IP, therefore they allow configuring parameters not
strictly related to a per-network basis. For instance, they can be used to provide a consistent set
of parameters to clients that connect on more than one IP network.

Before adding DHCP groups keep in mind that:

• You can only add DHCP groups on EfficientIP DHCP servers.
• You can add as many DHCP groups as you want but you cannot edit groups. However, you
can delete them and replace them with new ones.

Browsing DHCP Groups

The DHCP groups are an optional level of the DHCP fixed reservation organization. They can
be used to manage the statics DHCP options.

SHARED
SCOPE RANGE LEASE
NETWORK

SERVER

GROUP STATIC

Figure 32.1. The group in the DHCP hierarchy

Browsing the Groups Database

To display the list of DHCP groups
1. In the sidebar, go to DHCP > Groups. The page All groups opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. To display the list of groups of a specific DHCP server or smart architecture, in the column
Server, click on the name of your choice. The page refreshes.

To display a DHCP group properties page

1. In the sidebar, go to DHCP > Groups. The page All groups opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. At the end of the line of the group of your choice, click on . The properties page opens.

Customizing the Display on the Page All Groups

Any user can change the column layout of the page via the button List template, on the right-
end side of the menu. Only users of the group admin can add or edit list templates. For more
details, refer to the section Managing List Templates.

432
 Managing DHCP Groups

Understanding the Group Statuses

The column Status provides information regarding the groups you manage.

Table 32.1. DHCP group statuses

Status Description
OK The group is operational.

Delayed create The creation is delayed until the group is created on the physical server(s) of the smart
architecture. The creation is automatically done after a maximum of 1 minute.
Delayed delete The deletion is delayed until the group is deleted from the physical server(s) of the smart
architecture. The deletion is automatically done after a maximum of 1 minute.

Adding DHCP Groups

You can add DHCPv4 and DHCPv6 groups to manage statics on EfficientIP DHCP servers or
smart architectures managing EfficientIP DHCP servers.

You can edit existing statics to manage them via the group of your choice, for more details refer
to the section Editing DHCP Statics.

Before adding a group, keep in mind that you cannot edit it. You need to delete it and replace it
with another one.

To add a DHCP group

1. In the sidebar, go to DHCP > Groups. The page All groups opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. In the menu, click on Add. The wizard Add a DHCP group or Add a DHCPv6 group
opens.
4. In the list DHCP server, select the EfficientIP DHCP server or smart architecture of your
choice.
5. Click on NEXT . The next page opens.
6. If custom classes are enabled at group level, in the list DHCP group class select a class
or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
7. In the field DHCP group name, specify the name of the group.
8. Click on OK to complete the operation. The report opens and closes. The group is listed.

Configuring DHCP Options at Group Level

At group level, you can configure DHCP options. They are inherited by statics it manages.

For more details regarding DHCP options, refer to the chapter Managing DHCP Options and/or
to the appendix DHCP Options.

To edit the DHCP options of a group

1. In the sidebar, go to DHCP > Groups. The page All groups opens.

433
 Managing DHCP Groups

2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. At the end of the line of the group of your choice, click on . The properties page opens.
4. In the panel DHCP options, click on EDIT . The wizard Configure DHCP options opens.
5. For DHCP options, in the drop-down list Option category, you can select a category. The
wizard refreshes and only displays the options of the category. By default, Most Used Option
is selected.
6. For DHCPv6 options, in the drop-down list Option category, you can select a category. The
wizard refreshes and only displays the options of the category. By default, DHCPv6 is selec-
ted.
7. Add, edit or delete the option(s) of your choice, via their input field or drop-down list.
You must empty out input fields or set drop-down lists to Unset to delete options.
For more details, refer to the section Configuring DHCP Options in the chapter Managing
DHCP Options.
8. Click on OK to complete the operation. The report opens and closes. The panel displays the
current configuration.

Exporting DHCP Groups

From the page All groups, you can export the data listed in a CSV, HTML, XML, XLS or PDF file.

Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.

Deleting DHCP Groups

At any point you can delete DHCP groups if you no longer use them or if their configuration no
longer suits your needs.

Keep in mind that you cannot delete a group if it contains statics. You must first remove the
statics from the group and then follow the procedure below.

To delete a DHCP group

1. In the sidebar, go to DHCP > Groups. The page All groups opens.
2. On the right-end side of the menu, click on V4 to display the DHCPv4 groups or on V6 to
display the DHCPv6 groups.
3. Tick the group(s) of your choice.
4. In the menu, click on Delete. The wizard Delete opens.
5. Click on OK to complete the operation. The report opens and closes. The selected group is
no longer listed.

434
Chapter 33. Managing DHCP Statics
DHCP statics are essentially lease reservations that ensure a specified client always uses the
same IP address on a network. They are part of fixed reservation organizations.

For clients who require a constant IP address, you can manually configure an IP address or assign
a DHCP static reservation, reserving a static allows to take advantage of the DHCP options.

Static reservations can match DHCP, PXE or BOOTP clients based on their MAC address or
DHCP-client-identifier . These reservations can belong to a DHCP server directly, a group, a
scope or a range. All the DHCP options set on these containers apply to the reservations, so if
you edit the DHCP options, the devices configured with the options are automatically updated
when they request the lease renewal.

Every DHCP static reservation must have a unique name which is usually used to identify it but,
in particular contexts, can be used to enforce the client's hostname.

When it comes to statics, there is a main difference between DHCP managing IPv4 and IPv6
addresses. DHCPv6 introduces a new piece of information, the DHCP Unique Identifier (DUID).
It should not exceed 128 bits in total and allows to identify a client rather than an equipment. It
contains the MAC address, therefore this address is not a unique independent set of numbers
anymore, it corresponds to the last 48 to 64 bits of the DUID depending on its type.

There are three different types of DUID:

• DUID based on Link Layer (LL).
• DUID based on Link-Layer Address Plus Time (LLT).
• DUID Assigned by Vendor Based on Enterprise Number (EN).

The DUID default structure goes like this:

DUID-LLT
DUID type Hardware Time Stamp MAC Address

DUID-EN
DUID type Enterprise Vendor Vendor Identifier

DUID-LL
DUID type Hardware MAC Address

0 8 16 24 32 40 48 56 64 72 80 88 96 104 112 120 128

bits

Figure 33.1. Three different structures of DUID

DHCP servers in IPv4 use the MAC address specified during the static reservation to identify the
clients' IP address and allocate them a lease as well as soon as they are visible on the network.
Once the lease is allocated, if the IPAM and DNS replication are configured, the data is sent to
the IPAM and the DNS.

435
 Managing DHCP Statics

Browsing DHCP Statics

Statics are the end point of a DHCP fixed reservation strategy. They can belong to a DHCP group
or directly to a DHCP server.

SHARED
SCOPE RANGE LEASE
NETWORK

SERVER

GROUP STATIC

Figure 33.2. The static in the DHCP hierarchy

Browsing the Statics Database

To display the list of statics
1. In the sidebar, go to DHCP > Statics. The page All statics opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. To display the list of statics of a specific DHCP server or smart architecture, in the column
Server, click on the name of your choice. The page refreshes.

To display a static properties page

1. In the sidebar, go to DHCP > Statics. The page All statics opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. At the end of the line of the static of your choice, click on . The properties page opens.

On the statics properties page you can display and set DHCP options from the dedicated panel.
None of the default options are listed in the panel, except for the type of DHCP server. For more
details, refer to the chapter Managing DHCP Options.

Customizing the Display on the Page All Statics

Any user can change the column layout of the page via the button List template, on the right-
end side of the menu. Only users of the group admin can add or edit list templates. For more
details, refer to the section Managing List Templates.

As EfficientIP DHCP servers manage IPv4 static reservations like leases, two new columns were
added to the page All statics: Last seen that indicates the last time the client was connected and
Expiration that indicates when the lease expires.

Keep in mind that in IPv6 you can display colored labels above parts of the IP addresses listed.
It allows to differentiate at a glance your containers. For more details, refer to the chapter Managing
IPv6 Labels.

436
 Managing DHCP Statics

Understanding the Static Statuses

The column Status provides information regarding the statics you manage.

Table 33.1. Static statuses

Status Description
OK The static is operational.

Delayed create The creation or update is delayed until the static is created on the physical server(s) of
the smart architecture. The creation is automatically done after a maximum of 1 minute.
Delayed delete The deletion is delayed until the static is deleted from the physical server(s) of the smart
architecture. The deletion is automatically done after a maximum of 1 minute.

Adding DHCP Statics

Static reservation follows the same process in DHCPv4 and DHCPv6, clients are identified through
their MAC and granted permanent access to a server and a set of DHCP options inherited from
their container. You can associate the client's MAC address with a specific IP address on your
network or associate it with a static without IP address, this grants them access to one server or
to the servers connected to a failover channel.

During any static reservation you must specify a MAC address, or DUID in DHCPv6, and MAC
address type, this type is visible in the column Full MAC address. For more details, refer to the
appendix MAC Address Types References.

Keep in mind that:

• Statics can be imported, for more details refer to the section Importing Statics in the chapter
Importing Data from a CSV File.
• If the IPAM to DHCP advanced properties are configured, new statics may be added for every
new IP address added in the IPAM. For more details, refer to the IPAM section of the chapter
Managing Advanced Properties.

Adding DHCPv4 Statics

Before adding DHCP statics keep in mind that:
• A static reservation requires a MAC address to identify the user or equipment, that MAC
address can be associated with an IP address or not.
• One MAC address can be associated with several static reservations as long as you set them
each with a different IP address.
• EfficientIP DHCP servers manage the statics with IP address like leases:
• Only EfficientIP DHCP servers, EfficientIP DHCP Package servers and smart architectures
containing only EfficientIP servers manage statics with IP address like leases.
• Adding a static with IP address also adds the corresponding lease whenever the client is
active on the network.
• Once the lease is active, if you set DHCP to DNS and DHCP to IPAM advanced properties,
the corresponding entries are added in the DNS. When the lease expires, the DNS entries
are removed. For more details, refer to the chapter Managing Advanced Properties.
• If you set DHCP to IPAM advanced properties, the IP address of the static is added in the
IPAM with a specific Type and Status. For more details, refer to the section Understanding
the IP Address Type and Status.

437
 Managing DHCP Statics

Only EfficientIP DHCP servers, EfficientIP DHCP Package servers and smart architectures
containing only EfficientIP servers manage statics with IP address like leases.

To add a DHCPv4 static

1. In the sidebar, go to DHCP > Statics. The page All statics opens.
2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. In the menu, click on Add. The wizard Add a DHCP static opens.
4. In the list DHCP server, select the DHCP server or smart architecture of your choice.
5. Click on NEXT . The next page opens.
6. In the list DHCP scope, select a scope or None if you do not want to assign an IP address
to your static. A static without IP inherits the DHCP options of a server or group.
7. Click on NEXT . The next page opens.
8. If custom classes are enabled at static level, in the list DHCP static class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
9. Configure the static using the table below:

Table 33.2. DHCPv4 static configuration parameters

Field Description
Name The name of the static. This name is also used as value of the DHCP option host-
name. This field is optional.
IP address The IPv4 address of the static. This field is only displayed if you selected a scope.
MAC address The MAC address of the static. This field is required.
MAC address type The type, or protocol, of the specified MAC address. By default, Ethernet is selected.
This field is required. If you select Unknown, the field Type reference appears. Note
that each type corresponds to a reference displayed in the column Full MAC address,
for more details refer to the appendix MAC Address Types References.
Type reference The reference number of the MAC address of type Unknown. This field is required.
Host identifier The option and value to look for to identify clients and assign them the static, specified
as follows: option <option-name> "expected value".
Group name The name of an existing DHCP group. Selecting a group applies its DHCP options to
the static. The list only contains None if no group has been not added yet.

10. Click on OK to complete the operation. The report opens and closes. The static is listed.

If you added a static in a range on an EfficientIP DHCP server, or a smart architecture managing
EfficientIP DHCP server(s), set with DHCP to DNS and DHCP to IPAM advanced properties,
once the client is connected to the network the static is listed on the page All leases. That lease
information updates the DNS with a new record. For more details, refer to the chapter Managing
Advanced Properties.

438
 Managing DHCP Statics

Adding DHCPv6 Statics

Before adding DHCPv6 statics keep in mind that:
• A static reservation requires a client DUID to identify the user or equipment, that MAC ad-
dress can be associated with an IP address or not.
• You can specify the DUID in full or only specify the DHCPv4 equivalent of the MAC address,
that is to say the last 48 to 64 bits, looking like xx : xx : xx : xx : xx : xx or xx : xx : xx : xx : xx :
xx : xx. For more details, refer to the introduction of the section Managing DHCP Statics.

To add a DHCPv6 static

1. In the sidebar, go to DHCP > Statics. The page All statics opens.
2. On the right-end side of the menu, make sure the button V6 is black, otherwise click on it.
The page refreshes and the button turns black.
3. In the menu, click on Add. The wizard Add a DHCPv6 static opens.
4. In the drop-down list DHCP server, select the DHCP server or smart architecture of your
choice.
5. Click on NEXT . The next page opens.
6. In the list DHCP scope, select a scope or None if you do not want to assign an IP address
to your static. A static without IP inherits the DHCP options of a server or group.
7. Click on NEXT . The next page the wizard opens.
8. If custom classes are enabled at static level, in the list DHCP static class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
9. Configure the static using the table below:

Table 33.3. DHCPv6 static configuration parameters

Field Description
Name The name of the static. This field is optional.
IP address The IPv6 address of the static. This field is only displayed if you selected a scope.
Client DUID The DUID (DHCP Unique Identifier) of the static. If you do not specify a Client DUID,
you must specify a MAC address.
MAC address The MAC address of the static, the last 48 to 64 bits (6 sets of hexadecimal digits) of
the equipment DUID. If you do not specify a MAC address, you must specify a Client
DUID.
MAC address type The type, or protocol, of the specified MAC address. By default, Ethernet is selected.
This field is required. Note that each type corresponds to a reference displayed in the
column Full MAC address, for more details refer to the appendix MAC Address Types
References.
Group name The name of an existing DHCPv6 group. Selecting a group applies its DHCP options
to the static. The list only contains None if no group has been not added yet.

10. Click on OK to complete the operation. The report opens and closes. The static is listed.

If you added a static in a range on an EfficientIP DHCP server, or a smart architecture managing
EfficientIP DHCP server(s), set with DHCP to DNS and DHCP to IPAM advanced properties,
once the client is connected to the network the static is listed on the page All leases. That lease
information updates the DNS with a new record. For more details, refer to the chapter Managing
Advanced Properties.

439
 Managing DHCP Statics

Editing DHCP Statics

You can edit DHCPv4 and DHCPv6 statics from the contextual menu or their properties page.

To edit a DHCPv4 static from its properties page

1. In the sidebar, go to DHCP > Statics. The page All statics opens.
2. At the end of the line of the static you chose, click on . The properties page opens.
3. In the panel Main properties, click on EDIT . The wizard Edit a DHCP static opens.
4. If custom classes are enabled at static level, in the list DHCP static class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. Edit the Name, MAC address, MAC address type and/or Group name according to your
needs.
6. Click on OK to complete the operation. The report open and closes. The changes are visible
in the panel.

To edit a DHCPv6 static from its properties page

1. In the sidebar, go to DHCP > Statics. The page All statics opens.
2. At the end of the line of the static you chose, click on . The properties page opens.
3. In the panel Main properties, click on EDIT . The wizard Edit a DHCPv6 static opens.
4. If custom classes are enabled at static level, in the list DHCP static class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. Edit the Name, IP address, Client DUID, MAC address, MAC address type and/or Group
name according to your needs.
6. Click on OK to complete the operation. The report open and closes. The changes are visible
in the panel.

Replicating Static Data in the IPAM

At static level, the option IPAM replication allows to replicate static data in IPAM addresses. Before
replicating your DHCP data in the IPAM, keep in mind that:
• You can only replicate statics with IP in the IPAM.
• The option IPAM replication behaves as follows:
• The replicated DHCP information overwrites the IPAM information.
• If the static belongs to a scope for which the IPAM replication has been set, its data is replic-
ated as an IP address that belongs to the same terminal network.
Depending on your IPAM configuration, this IP address can belong to a pool, even if the
pool is read-only.
• If the static belongs to a scope for which no replication has been set, its data is replicated
as an IP address in the first terminal network or pool that can receive it. The pool can be
read-only.
• If you replicate a static with IP that matches an existing IP address:

440
 Managing DHCP Statics

• The IP address is renamed, it takes the name of the static.

• The MAC address of the IP address is edited, it takes the MAC address of the static.
• If you replicate a static with IP that has no corresponding IP address, an IP address is added.
It has the same name and MAC address as the static with IP.
• All the statics replicated edit the IP addresses Type to DHCP static and Status to Reserved.
• The option IPAM replication is independent at static level, replicating scopes or ranges does
not automatically replicates to the statics they contain. You must select statics and execute
the option to update the IPAM IP addresses with range data.
For more details regarding scope and range replication, refer to the sections Defining a Specific
IPAM Space for a DHCPv4 Scope and Replicating Range Data in the IPAM.

To replicate static data in the IPAM

1. In the sidebar, go to DHCP > Statics. The page All statics opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. Tick the static(s) of your choice.
4. In the menu, select Edit > IPAM replication. The wizard IPAM replication opens.
5. Click on OK to complete the operation. The report opens and closes.
Each matching IP address is visible on the IPAM page All addresses. Their parent network
and/or pool depend on the selected statics.

Configuring DHCP Options at Static Level

You can configure DHCP options at static level, individually or in bulk. Keep in mind that:
• The DHCP options of a static may be inherited from its server, group, scope or range.
In DHCPv6, the statics can only inherit options from a server, group or scope.
• The options set at static level override the options set on its container.
• By default, statics added on an EfficientIP DHCP server are configured with the option host-
name, its value is the static name.
• If your statics belong to a DHCP group, editing the DHCP options of the group also edits the
options of the statics. For more details, refer to the chapter Managing DHCP Groups.

For more details regarding the DHCP options configuration, refer to the chapter Managing DHCP
Options and/or to the appendix DHCP Options.

Editing the DHCP Options of a Static

From the properties page of a static, you can configure DHCP options.

To edit the DHCP options of a static

1. In the sidebar, go to DHCP > Statics. The page All statics opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. At the end of the line of the static of your choice, click on . The properties page opens.
4. In the upper right corner, click on .
5. In the panel DHCP options, click on EDIT . The wizard Configure DHCP options opens.

441
 Managing DHCP Statics

6. For DHCP options, in the drop-down list Option category, you can select a category. The
wizard refreshes and only displays the options of the category. By default, Most Used Option
is selected.
7. For DHCPv6 options, in the drop-down list Option category, you can select a category. The
wizard refreshes and only displays the options of the category. By default, DHCPv6 is selec-
ted.
8. Add, edit or delete the option(s) of your choice, via their input field or drop-down list.
You must empty out input fields or set drop-down lists to Unset to delete options.
For more details, refer to the section Configuring DHCP Options in the chapter Managing
DHCP Options.
9. Click on OK to complete the operation. The report opens and closes. The panel displays the
current configuration.

Performing Option Changes on Several Statics At Once

From the page All statics, you can set, replace or delete DHCP options on all the statics you select
at once.

To add a DHCP option to one or several DHCPv4 statics

1. In the sidebar, go to DHCP > Statics. The page All statics opens.
2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. Tick the static(s) of your choice.
4. In the menu, select Edit > Option > Add. The wizard Add DHCP options to statics
opens.
5. In the drop-down list Option name, select an option.
6. In the field Value, specify its value.
7. Click on OK to complete the operation. The report opens and closes, the page refreshes.
On the static properties page, the panel DHCP options lists the new DHCP option and its
value.

To edit the value of a DHCP option on one or several DHCPv4 statics

1. In the sidebar, go to DHCP > Statics. The page All statics opens.
2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. Tick the static(s) of your choice.
4. In the menu, select Edit > Option > Replace. The wizard Replace DHCP options of
statics opens.
5. In the drop-down list Option name, select the option which value you want to replace.
6. In the field Replace, specify the value you want to change.
7. In the field By, specify the new option value.
8. Click on OK to complete the operation. The report opens and closes, the page refreshes.
On the static properties page, the panel DHCP options displays the new value of the DHCP
option.

To remove a DHCP option from one or several DHCPv4 statics

1. In the sidebar, go to DHCP > Statics. The page All statics opens.

442
 Managing DHCP Statics

2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. Tick the static(s) of your choice.
4. In the menu, select Edit > Option > Delete. The wizard Delete DHCP options from
statics opens.
5. In the drop-down list Option name, select the option you want to delete.
6. In the field Option value filter, specify the option value.
7. Click on OK to complete the operation. The report opens and closes. On the static properties
page, the panel DHCP options no longer displays the DHCP option.

Copying DHCPv4 Statics Without IP

You can copy statics without IP from one server to the other, even if their MAC addresses are
already declared in the target server. Keep in mind that if your physical server is managed via a
smart, only the static added on the smart can be duplicated.

Statics with IP address are copied or moved when you migrate the scope they belong to.

To copy a static without IP in another server

1. In the sidebar, go to DHCP > Statics. The page All statics opens.
2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. Tick the static(s) without IP you want to duplicate.
4. In the menu, select Edit > Migrate. The wizard Copying statics opens.
5. In the drop-down list Target server, select the server or smart architecture of your choice.
6. Click on OK to complete the operation. The report opens and closes. The static is displayed
twice, in two different servers.

Adding DHCP Statics from the IPAM

The advanced properties allow to automatically add a static when you add an IP address in the
IPAM.

The static is added in the DHCP failover channel you configured at network level, it shares the
same IP address, MAC address and name as the new IP address.

For more details, refer to the chapter Managing Advanced Properties in the sections Network
Advanced Properties and Configuring DHCP Advanced Properties.

Exporting DHCP Statics

From the page All statics, you can export the data listed in a CSV, HTML, XML, XLS or PDF file.

Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.

443
 Managing DHCP Statics

Deleting DHCP Statics

At any point, you can delete statics reservations. Keep in mind that:
• If IPAM to DHCP advanced properties are configured, deleting IP addresses in the IPAM also
deletes the corresponding DHCP statics. For more details, refer to the chapter in the section
IPAM Advanced properties of the chapter Managing Advanced Properties.
• If IPAM to DHCP and IPAM to DNS advanced properties are configured, adding a static with
IP adds a lease on the page All leases when the client is active, once the IPAM database is
updated it updates the DNS to add the corresponding entries. When you delete a static with
IP, the corresponding DNS entries are deleted as well once the lease expires.

To delete a DHCP static

1. In the sidebar, go to DHCP > Statics. The page All statics opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. Tick the static(s) of your choice.
4. In the menu, click on Delete. The wizard Delete opens.
5. Click on OK to complete the operation. The report opens and closes. The static is no longer
listed.

444
Chapter 34. Managing DHCP Options
DHCP options allow to provide extra information, e.g. specific configurations and/or access details,
on the clients or to the clients connecting to your servers. They can contains ACLs and/or option
definitions and can be set at several levels of the DHCP hierarchy. They can be configured in
dynamic addressing and fixed reservation organizations.

Most standard DHCP options are currently detailed in the RFC 2132 recommendation, "DHCP
Options and BOOTP Vendor Extensions". Even if most DHCP servers offer several options, the
vast majority of DHCP clients are generally conceived to request and take charge of just a sub-
part of the ensemble of standard RFC options.

SOLIDserver offers to manage 4 types of DHCP options:

• Internal options of the DHCP server: these options allow to configure the global behavior of
the DHCP server when it processes DHCP requests. These options do not have DHCP option
code number and they are only available on the EfficientIP's DHCP engine provided with
SOLIDserver appliances or ISC DHCP software. These options are not sent to the DHCP client.
For more details regarding internal server options, refer to the section Server Parameters in
the appendix DHCP Options.
• Client side options: these options are sent from the DHCP client to the DHCP server to
achieve predefined series of actions, for instance vendor-class or hostname options. If these
options can be processed by the server, their content cannot be configured from the server
side.
• Predefined server side options: these options are predefined and they cannot be modified.
Most of these options are common and include options like: routers, domain-name, name-
server. These options sent from the server to the client describe network configuration settings
and various services available on the network.
• Custom server side options: these options can be added and/or modified according to the
DHCP clients requirements. These options sent from the server to the client describe network
configuration settings and various services available on the network.

You can configure and delete DHCP options on servers, groups, scopes, ranges and statics.

You can customize the option definitions of your servers.

Keep in mind that:

• Microsoft DHCP servers do not allow options configuration on DHCP ranges.
• DHCP options cannot be configured at lease level, they are inherited.
• In DHCPv6, you cannot configure options at range level.

445
 Managing DHCP Options

Browsing DHCP Options

You can configure DHCP options at server, group, scope, range and static level.

SHARED
SCOPE RANGE LEASE
NETWORK

SERVER OPTION OPTION

OPTION GROUP STATIC

OPTION OPTION

Figure 34.1. The option in the DHCP hierarchy

In addition, at server level, you can customize option definitions.

Browsing the Options Database

DHCP options are only accessible from the properties page of each object.

To display the DHCP options of an object from its properties page

1. In the sidebar, go to DHCP > Servers, Groups, Scopes, Ranges or Statics depending
on your needs. The page opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
Note that you cannot configure DHCP options on DHCPv6 ranges.
3. At the end of the line of the object of your choice, click on . The properties page opens.
4. In the panel DHCP options, all the options are listed.

Browsing the Option Definitions Database

Option definitions are available on a dedicated page, they are set at server level.

To display the list of option definitions

1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. In the breadcrumb on the right of All servers, click on to display additional pages.
4. Click on All option definitions. The page refreshes.

The page contains default option definitions, you cannot edit them but you can add new ones.

Customizing the Display on the Page All Option Definitions

Any user can change the column layout of the page via the button List template, on the right-
end side of the menu. Only users of the group admin can add or edit list templates. For more
details, refer to the section Managing List Templates.

446
 Managing DHCP Options

Understanding the Option Definitions Statuses

The column Status provides information regarding the option definitions you manage.

Table 34.1. Option definitions statuses

Status Description
OK The option definition is operational.

Delayed create The creation or update is delayed until the option definition is created on the physical
server(s) of the smart architecture. The creation is automatically done after a maximum
of 1 minute.
Delayed delete The deletion is delayed until the option definition is deleted from the physical server(s) of
the smart architecture. The deletion is automatically done after a maximum of 1 minute.

Configuring DHCP Options

DHCP options can be configured from the properties pages of several objects.
• In DHCPv4, they can be configured on servers, groups, scopes, ranges, statics and ACLs.
• In DHCPv6, they can be configured on servers, groups, scopes, statics and ACLs.

All options are propagated following the DHCP hierarchy. To avoid configuring the same
options on each object, you should start by configuring your servers with a default set of options.
To match specific clients, you can then set customize the options configuration at lower levels.

DHCP options apply to DHCP clients according to a defined precedence. The options hier-
archy is the following:
• An option set at ACL level overrides all other options.
• An option set at static level overrides options at the following levels: group, range, scope and
server.
• An option set at group level overrides options at scope and server level.
• An option set at range level overrides options at scope and server level.
• An option set at scope level overrides options at server level.
• An option set at server level is overridden by all other options.

Keep in mind that:

• Options can be indifferently applied to the DHCP objects, but the devices/clients connected to
the network can have an impact on the configuration efficiency. Some options may not be applied
depending on the technical constraints of the devices of your network.
• All the supported DHCP vendors do not share the same internal architecture and cannot be
managed in the same way. For instance, contrary to EfficientIP DHCP server, Microsoft DHCP
server does not support the configuration of options at range level. Besides, only the options
identified by a number are supported by the Microsoft DHCP service.
• You can aggregate range and static options on scopes. For more details, refer to the Aggreg-
ating DHCP Options from Ranges or Statics.
• You can tailor DHCP options to specific clients. For more details, refer to the section Custom-
izing DHCP Options.

To configure DHCP options in DHCPv4

1. In the sidebar, go to DHCP > Servers, Groups, Scopes, Ranges or Statics depending
on your needs. The page opens.

447
 Managing DHCP Options

2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. At the end of the line of the object of your choice, click on . The properties page opens.
4. In the panel DHCP options, click on EDIT . The wizard Configure DHCP options opens.
5. In the drop-down list Option category, you can select Most Used Options, Basic, Server
Parameters, Lease Information, WINS/NetBIOS, Host IP, Interface, Servers, BOOTP Com-
patible, DHCP Packet Fields, Microsoft DHCP Client, NetWare Client, NIS/NISplus, Miscel-
laneous or any Vendor dedicated category.
The page refreshes and only displays the options of the category. By default, Most Used
Option is selected.
6. Add, edit or delete the option(s) of your choice, via their input field or drop-down list.
You must empty out input fields or set drop-down lists to Unset to delete options.
For more details, refer to the appendix DHCP Options.
7. Repeat these steps for as many options as needed.
8. Click on OK to complete the operation. The report opens and closes. The panel displays the
current configuration.

To configure DHCP options in DHCPv6

1. In the sidebar, go to DHCP > Servers, Scopes or Statics depending on your needs. The
page opens.
2. On the right-end side of the menu, make sure the button V6 is black, otherwise click on it.
The page refreshes and the button turns black.
3. At the end of the line of the object of your choice, click on . The properties page opens.
4. In the panel DHCP options, click on EDIT . The wizard Configure DHCP options opens.
5. In the drop-down list Option category, you can select DHCPv6 or Miscellaneous.
The page refreshes and only displays the options of the category. By default, DHCPv6 is
selected.
6. Add, edit or delete the option(s) of your choice, via their input field or drop-down list.
You must empty out input fields or set drop-down lists to Unset to delete options.
For more details, refer to the appendix DHCP Options.
7. Repeat these steps for as many options as needed.
8. Click on OK to complete the operation. The report opens and closes. The panel displays the
current configuration.

Customizing DHCP Options

You can define DHCP custom options for specific DHCP clients like special terminal devices or
IP phones. Each value of DHCP option is built by the DHCP server according to a predefined
data type, structure of data types or array of types. The graphical user interface allows the admin-
istrator of a DHCP server to define the custom data type according to the requirements of the
DHCP clients.

To add an option definition to a DHCPv4 server

1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. In the breadcrumb on the right of All servers, click on to display additional pages.
3. Click on All option definitions. The page refreshes.

448
 Managing DHCP Options

4. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
5. In the menu, click on Add. The wizard opens.
6. In the list DHCP server, select the server on which you want to specify the custom option.
7. Click on NEXT . The next page opens.
8. In the field Option name, name the custom option. The option is named option <your-option-
name> in the column Name.
9. In the field Option space, you can fill in the option space parameter that is used to build
encapsulated options.
If the space name you chose does not exist, it is added. If you do not you specify anything,
the default space dhcp is used.
10. In the field Option code, enter an option code. This code is a number between 1 and 255.
Keep in mind that if you are adding a code within the dhcp space, you must define a code
greater than 128. The option codes included between 1 and 128 are usually reserved: using
a code included in that range of numbers would overwrite existing options.
11. In the drop-down list Parameter counter, select the number of parameters you want to set
for that option. You can select up to 6 parameters with the corresponding number of fields
appearing.
12. In the drop-down list Parameter <number>, you have to choose one of the parameters below:

Table 34.2. DHCP options parameter types

Parameter type Description
IP address An IPv4 address.
Boolean A flag accepting a value of either true or false (or yes or no).
Text An ASCII text string (the same as the text data type) or a list of hexadecimal characters
separated by colons Formatting to distinguish an ASCII text string from a hexadecimal
string is important.
8 bits value A numeric range of the following possible values 8-bit unsigned integer: from 0 to 255
or signed: from -128 to 127.
16 bits value A numeric range of the following possible values 16-bit signed integer: from -32,768
to 32,767
32 bits value An ASCII text string (the same as the text data type) or a list of hexadecimal characters
separated by colons Formatting to distinguish an ASCII text string from a hexadecimal
string is important. For more details, refer to the section below.
Encapsulate ... The option parameter Encapsulate <option space> is only available for smart architec-
tures managing DHCPv4 servers. It allows to encapsulate options and information,
for instance Encapsulate MSFT, Encapsulate MSUCClient, etc. The <option space>
available in the list may vary.

Keep in mind that the encapsulated options' type is binary but equivalent to the text format.
Its value is set in hexadecimal and looks as follows: \x01\xA2\x45\x12.
If you selected more than one Parameter counter, you need to repeat this step for each
one them.
13. In the drop-down list Type is array, select one of the values below.

Table 34.3. DHCP options array configuration

Parameter type Description
No None of the configured options is an array.
Type is array The last parameter is an array.
Type is global array Several parameters are arrays.

449
 Managing DHCP Options

14. The field Type sums up the selected parameters. Each letter that appears in this field cor-
responds to a parameter. For instance, if you specify an array of IP addresses the type
should be IA, if you specify an array of repeated addresses plus a boolean the type should
be IfA.
15. Click on OK to complete the operation. The report opens and closes. The option is listed.

With DHCPv6, you also have the possibility to add custom options. However, there are fewer
parameters available.

To add an option definition to a DHCPv6 server

1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. In the breadcrumb on the right of All servers, click on to display additional pages.
3. Click on All option definitions. The page refreshes.
4. On the right-end side of the menu, make sure the button V6 is black, otherwise click on it.
The page refreshes and the button turns black.
5. In the menu, click on Add. The wizard opens.
6. In the list DHCP server, select the server on which you want to specify the custom option.
7. Click on NEXT . The next page opens.
8. In the field Option name, name the custom option. The option is named "option youroption-
name" in the Name column.
9. In the field Option space, you can fill in the option space parameter that is used to build
encapsulated options.
If the space name you chose does not exist, it is added. If you do not you specify anything,
the default space dhcp6 is used.
10. In the field Option code, enter an option code. This is a number from 1 to 255.
If you are adding a code within the dhcp space, you must define a code greater than 128.
The option codes included between 1 and 128 are usually reserved: using a code included
in that range of numbers would overwrite existing options.
11. In the drop-down list Parameter counter, select the number of parameters you want to set
for that option. You can select up to 6 parameters with the corresponding number of fields
appearing. In each drop-down list, you have to choose one of the parameters below:

Table 34.4. DHCPv6 options parameter types

Parameter type Description
IP address An IPv4 address.
Boolean A flag accepting a value of either true or false (or yes or no).
Text An ASCII text string (the same as the text data type) or a list of hexadecimal characters
separated by colons Formatting to distinguish an ASCII text string from a hexadecimal
string is important.
8 bits value A numeric range of the following possible values 8-bit unsigned integer: from 0 to 255
or signed: from -128 to 127.
16 bits value A numeric range of the following possible values 16-bit signed integer: from -32,768
to 32,767
32 bits value An ASCII text string (the same as the text data type) or a list of hexadecimal characters
separated by colons Formatting to distinguish an ASCII text string from a hexadecimal
string is important. For more details, refer to the section below.
Encapsulate server With DHCPv6, only the Encapsulate server option is available to the servers managed
via a smart architecture.

450
 Managing DHCP Options

12. For each parameter, one or several boxes are available. Tick the boxes of your choice:

Table 34.5. DHCP options array configuration

Parameter type Description
No None of the configured options is an array.
Type is array This parameter is an array.
Type is global array Several parameters are arrays.

13. The Type field sums up the selected parameters. Each letter that appears in this field cor-
responds to a parameter. For instance, if you specify an array of IP addresses the type
should be IA, if you specify an array of repeated addresses plus a boolean the type should
be IfA.
14. Click on OK to complete the operation. The report opens and closes. The option is listed.

Setting Advanced Option Configurations

You can set advanced option configurations at server level by:
• Configuring the PXE,
• Preventing IP Address Duplication,
• Configuring the DHCP Vendor Class Identifier,
• Configuring the Option 82: Relay Agent Information,
• Configuring the Option 43: Vendor Specific Information.

Configuring the PXE

Within DHCP dynamic addressing organizations, the PXE (Preboot eXecution Environment) is
used to boot hosts using a network interface independently of available data storage devices or
installed operating systems. The PXE protocol is a combination of DHCPv4 and TFTP protocol.
Note that there is no Preboot eXecutable Environment boot standard for IPv6 yet.

DHCP is used to locate the appropriate boot server or servers, with TFTP used to download the
initial bootstrap file. After it downloads the file, the host reboots and sends another IP address
request. When such a PXE client starts up, it first requests an IP address in order to download
the file it needs to boot.

The client, wishing to remotely boot an operating system image, broadcasts a DHCPDISCOVER
packet as per the DHCP protocol. This packet is transmitted to acquire an IP address. The client
also sends PXE protocol specific DHCP option 60 (Vendor Class Identifier) along with this
packet. The DHCP server responds to the above DHCPDISCOVER packet by sending a DH-
CPOFFER packet that contains the IP Address allocated to the client. In a PXE remote boot, the
DHCP server also sends:
• A special tag (option 60, with the value set to the string "PXEClient") to identify that it is capable
of configuring a PXE client.
• The next server to specify the server host address from which the initial boot file is to be
loaded.
• The filename to specify the name of the initial boot file to be loaded by a DHCP client.

The client downloads the executable file using either standard TFTP (port69) or MTFTP (port
assigned in Boot Server Ack packet). The file downloaded and the placement of the downloaded

451
 Managing DHCP Options

code in memory is dependent on the client's CPU architecture. After it downloads the boot file,
the client reboots and sends a new DHCPDISCOVER.

You can set a different lease time for PXE boot requests to manage your dynamic ranges better.
The DHCP server can allocate an IP address with a shorter lease time to hosts that send PXE
boot requests in order to release IP addresses faster.

Necessary Parameters for PXE

Usually, to implement the PXE protocol, DHCP options and/or BOOTP parameters must be
configured:
• Next-server (BOOTP parameter) specifies the host address of the server from which the initial
boot file (specified in the filename statement) is to be loaded. The value of this option should
be a numeric IP address. If no next-server parameter applies to a given client, the DHCP
server IP address is used.
• TFTP-server-name (DHCP option #66) is used to identify a TFTP server when the Next-
server (BOOTP parameter) field in the DHCP header has been used for DHCP options.
• Filename (BOOTP parameter) specifies the name of the initial boot file to be loaded. The value
of this option should be the name of a file that is recognizable to whatever file transfer protocol
the client is expected to use to load the file. Some clients might prefer to receive this information
in the bootfile-name option.
• Bootfile (DHCP option #67) specifies the name of the boot file to be used when the file field
is used to carry options.

These options can be configured at multiple levels: server, scope, static reservation, DHCP group
or dynamic range.

The PXE parameters configuration only applies to DHCPv4. For now, it is impossible to set
them with IPv6 addressing.

To configure the next-server and the filename options in DHCPv4

1. In the sidebar, go to DHCP > Servers, Groups, Scopes, Ranges or Statics depending
on your needs. The page opens.
2. At the end of the line of the object of your choice, click on . The properties page opens.
3. In the panel DHCP options, click on EDIT . The wizard Configure DHCP options opens.
4. In the drop-down list Option category, select BOOTP Compatible. The page refreshes.
5. In the field next-server, specify the IP address of the server from which the initial boot file
should be loaded.
6. In the field filename, specify the name of the initial boot file to be loaded.
7. Click on OK to complete the operation. The report opens and closes. The panel displays the
current configuration.

Duplicated Lease with PXE

The PXE client uses two stages in its IP address request. The first is done by the hardware
firmware, and the second one by the operating system. On some configuration the hardware can
request IP address by using DHCP parameters that differ from the operating system, and then
have two different DHCP leases for the same device. For instance, the first DHCP lease is de-
livered by the PXE stage by using the MAC address as lease identifier, and the operating system
receives another DHCP lease based on a client identifier (sent by the client) instead of the MAC

452
 Managing DHCP Options

address. In this case the DHCP server believes it negotiates IP addresses for two different clients,
one based on its MAC address and the other one on its client identifier.

To avoid this issue, SOLIDserver manages leases by setting a different lease time for PXE boot
request. SOLIDserver allows you to allocate an IP address with a shorter lease time to hosts that
send PXE boot requests, so IP addresses are not leased longer than necessary. By default the
lease duration for PXE client is set to 5 minutes (300 seconds). It can be changed by following
the next procedure.

To change the lease time for PXE client

1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. In the breadcrumb on the right of All servers, click on to display additional pages.
3. Click on All ACLs. The page refreshes.
4. In the search engine of the column Name, type in PXE. The PXE clients ACLs are listed.
5. At the end of the line of the ACL of your choice, click on . The properties page opens.
6. In the panel DHCP options, click on EDIT . The wizard Configure DHCP options opens.
7. In the drop-down list Option category, Most used option is selected.
8. In the field Default lease time, specify a value in seconds. It is usually set to 300 (5 minutes).
9. In the field Max lease time, specify a value in seconds. It is usually set to 300 (5 minutes).
10. Click on OK to complete the operation. The report opens and closes. The panel displays the
current configuration.

Preventing IP Address Duplication

Within DHCP dynamic addressing organizations, you can avoid IP address overlapping thanks
to the option ping check. It tells the server to send a ping request to check an IP address before
offering it to a DHCP client, using either IPv4 or IPv6.

When the DHCP server is considering dynamically allocating an IP address to a client, it first
sends an ICMP echo request (a ping) to the address being assigned. It waits for a second, and
if no ICMP echo response has been heard, it assigns the address. If a response is heard, the
lease is abandoned, and the server selects another free IP address and sends it a ping. The
DHCP server continues this process until it finds an IP address that does not respond to the ping.
The DHCP server then sends a DHCPOFFER message with the unused IP address to the DHCP
client.

You can configure the ping check with DHCPv4 and DHCPv6 options.

To enable the ping check with DHCPv4 options

1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. At the end of the line of the DHCPv4 server or smart architecture of your choice, click on .
The properties pages opens.
3. In the panel DHCP options, click on EDIT . The wizard Configure DHCP options opens.
4. In the drop-down list Option category, select Server Parameters. The page refreshes.
5. In the drop-down list ping-check, select Yes.
6. In the field ping-timeout, you can specify a value in seconds.
If the DHCP server determines that it should send an ICMP echo request (a ping) because
the ping-check statement is true, ping-timeout allows to configure how many seconds the
DHCP server should wait for an ICMP Echo response to be heard. If no ICMP Echo response

453
 Managing DHCP Options

has been received before the timeout expires, it assigns the address. If a response is heard,
the lease is abandoned, and the server does not respond to the client. If no value is set, the
ping-timeout is of 1 second by default.
7. Click on OK to complete the operation. The report opens and closes. The panel displays the
current configuration.

To enable the ping check with DHCPv6 options

1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. At the end of the line of the DHCPv6 server or smart architecture of your choice, click on .
The properties pages opens.
3. In the panel DHCP options, click on EDIT . The wizard Configure DHCP options opens.
4. In the drop-down list Option category, DHCPv6 is selected.
5. In the drop-down list ping-check, select Yes.
6. In the field ping-timeout, you can specify a value in seconds.
If the DHCP server determines that it should send an ICMP echo request (a ping) because
the ping-check statement is true, ping-timeout allows to configure how many seconds the
DHCP server should wait for an ICMP Echo response to be heard. If no ICMP Echo response
has been received before the timeout expires, it assigns the address. If a response is heard,
the lease is abandoned, and the server does not respond to the client. If no value is set, the
ping-timeout is of 1 second by default.
7. Click on OK to complete the operation. The report opens and closes. The panel displays the
current configuration.

DHCP Vendor Class Identifier

The vendor class identifier option is used by DHCP clients to specify their vendor type and con-
figuration if need be. The information is a string of n octets, interpreted by servers. Vendors may
choose to define specific vendor class identifiers to convey particular configuration or other
identification information about a client. For example, the identifier may encode the client's
hardware configuration. Servers not equipped to interpret the class-specific information sent by
a client must ignore it (although it may be reported). On the contrary, the servers that respond
should only use option 43 to return the vendor-specific information to the client.

With DHCPv6, the RFC 3315 defines the Vendor-specific Information Option. SOLIDserver
provides it through the option dhcp6.vendor-opts (option 17) in the list All option definitions.

Option 82: Relay Agent Information

To put it simply, DHCPv4 Option 82 is the option for DHCP Relay Agent Information. The DHCP
relay agent and Option 82 are defined in RFC 3046. Option 82 was designed to allow a DHCP
relay agent to insert circuit specific information into a request that is being forwarded to a DHCP
server. Specifically the option works by setting three sub-options: circuit ID, remote ID and GIAD-
DR.
• The field circuit ID generally contains information describing the port location that the DHCP
request is coming in from. It may contain additional information that helps describe which IP
address should be assigned out, such as the VLAN ID, a wireless modem or an ATM virtual
circuit. This value must be unique for a particular switch or router that is providing the Relay
Agent function. The value must also stay the same if modules are installed or removed in the
Switch or Router that implements the Relay Agent. Therefore, having subfields representing
the Module, Slot and Port is highly recommended.

454
 Managing DHCP Options

• The field remote ID is intended to carry information describing the device at the remote end of
the link. However, in Ethernet systems, this is typically the MAC address of the Relay Agent.
This is not particularly useful since the MAC address would change if the Relay Agent was
ever replaced. Building a DHCP server database using the MAC address of the Relay Agent
would require that the table be rebuilt every time one of the relay agents was replaced. Some
vendors have modified this field to use the IP address of the Relay Agent or some other string
describing the relay agent. This field must be unique to the entire network.
• The GIADDR (or Gateway Address) field is part of the normal DHCP message. It contains the
IP address of the Relay Agent. Since IP addresses must be unique, this field is unique for the
entire network.

By combining the GIADDR and the circuit ID, a network wide unique string can be created. This
string can be used for table lookup in the DHCP server. We called this string a pseudo MAC ad-
dress, since most DHCP servers do a MAC to IP mapping in their databases.

In its default configuration, the DHCP Relay Agent Information option passes along port and
agent information to SOLIDserver DHCP server. It is useful in statistical analysis, as well as, in-
dicating where an assigned IP address physically connects to the network. It may also be used
to make DHCP decisions based on where the request is coming from or even which user is
making the request.

The following actions should be performed by the SOLIDserver DHCP when receiving a DHCP-
DISCOVER or DHCPREQUEST message with Option 82 set:
1. Relay Agent Information option is inserted by the DHCP relay agent when forwarding client-
originated DHCP packets to a DHCP server.
2. Relay Agent Information option is inserted by the DHCP relay agent when forwarding client-
originated DHCP packets to a DHCP server.
3. Servers recognizing the Relay Agent Information option may use the information to select the
IP address or other parameter assignment policies through the SOLIDserver ACL.
4. Switch or Router (as the DHCP relay agent) intercepting the DHCP requests, appends the
circuit ID with remote ID into the option 82 fields and forwards the request message to
SOLIDserver DHCP server.

The following procedure explains how to add an ACL rule allowing to restrict the IPv4 address
range to select or to send specific DHCP options according to the option 82 sent to the SOLID-
server DHCP server.

To add an ACL based on the option 82: Circuit ID within the leases user interface
1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. In the column Name, click on the server or smart architecture of your choice to display the
scopes it contains.
4. In the breadcrumb on the right of All servers, click on to display additional pages.
5. Click on All ACLs. The page refreshes.
6. In the menu, click on Add. The wizard DHCP ACL parameters opens.
7. In the field ACL name, name your ACL.
8. In the drop-down list Predefined ACL, select None.
9. In the field ACL rule, type in the command below.
match if (substring(option agent.remote-id,0,6) = "dslam1");

455
 Managing DHCP Options

It sets up an ACL that filters the DHCP option 82 as long as the first letters of the client's
remote-id match dslam1. You can set the keyword of your choice instead.
10. Click on OK to complete the operation. The report opens and closes. The ACL is listed.

Once the ACL is added, you can apply it to a DHCPv4 range to allow or restrict the access to all
clients that match this ACL rule. ACL can also be used to send specific DHCP options to the clients
that match this ACL rule. Edit the properties of the ACL to setup its DHCP option policies.

The Relay Agent Information in DHCPv6

DHCPv6 does not support the client ID, circuit ID and remote ID. Therefore, it is impossible to
retrieve these pieces of information separately, much less display them in a list template on the
page All leases. This information might be delivered by the agent in DHCPv6 but the appliance
does not retrieve it at server level.

The equivalent of the option 82 relay agent would be the DHCPv6 option 9 (relay message option)
and the option 47 (relay data option).

Option 43: Vendor Specific Information

Option 43 was designed to exchange vendor-specific information between DHCPv4 servers and
clients. It was defined in the RFC 2132 as part of the DHCP Options and BOOTP Vendor Exten-
sions.

By default, when you add a DHCP smart architecture or an EfficientIP DHCP server, the option
43 is added. This default option cannot be edited.

Within SOLIDserver, the vendor-specific information is stored in an ACL. Any client matching the
vendor information is attributed a set of options that you can configure through option definitions.
To properly setup option 43 on a DHCPv4 server in the GUI you need to:
1. Retrieve the vendor-class identifier from the DHCP handshake.
2. Add a new ACL that contains the vendor-class identifier.
3. Add as many DHCP option definitions as needed using the ACL as option space.
4. Configure the server ACL DHCP options to:
a. Set the Vendor option space that triggers the option 43 behavior on all the clients matching
the vendor-class identifier.
b. Set the value of your choice on all the option definitions you added.

Once the configuration is complete, the clients matching the vendor-class identifier are automat-
ically attributed the option definitions specified.

To retrieve the vendor-class identifier

1. With a packet analyzer, perform a network capture of the DHCP handshake.
2. Open the network capture.
3. In the Bootstrap Protocol section, look for the Vendor class identifier. It is listed between
double quotes among the options, as illustrated below.
Bootstrap Protocol
Message type: Boot Request (1)
Hardware type: Ethernet
Hardware address length: 6
Hops: 1
Transaction ID: 0x12adb727

456
 Managing DHCP Options

Seconds elapsed: 0
Bootp flags: 0x8000 (Broadcast)
Client IP address: 0.0.0.0 (0.0.0.0)
Your (client) IP address: 0.0.0.0 (0.0.0.0)
Next server To address: 0.0.0.0 (0.0.0.0)
Relay agent IP address: 172.16.206.2 (172.16.206.2)
Client MAC address: Polycom_e5:fa:69 (00:04:f2:e5:fa:69)
Client hardware address padding: 00000000000000000000
Server host name not given
Boot file name not given
Magic cookie: DHCP
Option: (t=53,l=1) DHCP Message Type = DHCP Discover
Option: (t=57,l=2) Maximum DHCP Message Size = 1456
Option: (t=55,l=20) Parameter Request List
Option: (t=12,l=16) Host Name - "SEP0004f2e5fa69"Option: (t=60,l=14) Vendor class
identifier = "Nortel-223x-A"
Option: (t=61,l=7) Client identifier
End Option

To add a new ACL that includes the vendor-class identifier

1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. In the breadcrumb on the right of All servers, click on to display additional pages.
3. Click on All ACLs. The page refreshes.
4. In the menu, click on Add. The wizard opens.
5. In the list DHCP server, select the DHCPv4 server or smart architecture of your choice.
6. Click on NEXT . The page DHCP ACL parameters opens.
7. In the field ACL name, name your ACL.
8. In the drop-down list Predefined ACL, select None.
9. In the field ACL rule, type in the command below.
match if option vendor-class-identifier = "<%found-value>";

To add a DHCP option definition that uses the ACL value as option space
1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. In the breadcrumb on the right of All servers, click on to display additional pages.
3. Click on All option definitions. The page refreshes.
4. In the menu, click on Add. The wizard DHCP Option Definition opens.
5. In the list DHCP server, select the DHCPv4 server for which you configured the ACL.
6. Click on NEXT . The page DHCP option definition opens.
7. Configure the option. The accepted code, parameter counter, and type should be mentioned
in your device documentation.
a. In the field Option name, name your option.
b. In the field Option space, specify the ACL name.
c. In the field Option code, specify a code following your device documentation.
d. In the drop-down list Parameter counter, select a value following your device document-
ation.
e. In the drop-down list Parameter 1, select a value following your device documentation.
f. In the drop-down list Type is array, select one of the values below.

457
 Managing DHCP Options

Table 34.6. DHCP options array configuration

Parameter type Description
No None of the configured options is an array.
Type is array The last parameter is an array.
Type is global array Several parameters are arrays.

8. Click on OK to complete the operation. The report opens and closes. The option is listed as
follows: <option-space-name>.<option-name>.

Repeat this procedure for as many option definitions as needed, each definition adds a field in
the DHCP options configuration wizard which value you can set in the procedure below.

To configure the server with your DHCP option

1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. In the breadcrumb on the right of All servers, click on to display additional pages.
3. Click on All ACLs. The page refreshes.
4. At the end of the line of the ACL of your choice, click on . The properties page opens.
5. Click on to expand all the panels.
6. In the panel DHCP options, click on EDIT . The wizard Configure DHCP options opens.
7. In the drop-down list Option category, select Basic. The page refreshes.
8. Configure the vendor-specific identifier match:
a. In the drop-down list Option category, select Basic. The wizard refreshes.
b. In the drop-down list Vendor option space, select your option, it is listed as follows
Vendor <your-option-name>.
9. Configure the value of your option definitions:
a. In the drop-down list Option category, select Vendor <your-option-name>. The wizard
refreshes.
b. Fill in all the option definition fields you added. They are all displayed as follows: <your-
option-definition-name> (<your-option-code>). The value expected in each field depends
on what settings your configured when adding the option definition.
10. Click on OK to complete the operation. The report opens and closes.
In the panel Main properties, the field Rule contains the value of your ACL: the vendor-
specific identifier match conditions.
In the panel DHCP options, you can see:
• The field Vendor option space that displays your option name.
• A field for each of your option definitions named as follows: <your-option-name>.<your-
option-definition-name> followed by the value you just set in the DHCP option configur-
ation wizard.

Exporting DHCP Options

From the page All option definitions, you can export the data listed in a CSV, HTML, XML, XLS
or PDF file.

Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.

458
 Managing DHCP Options

Deleting DHCP Options

From the objects properties pages, you can delete the options you manage.

To delete a DHCP option

1. In the sidebar, go to DHCP > Servers, Groups, Scopes, Ranges or Statics depending
on your needs. The page opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. At the end of the line of the object of your choice, click on . The properties page opens.
4. In the panel DHCP options, click on EDIT . The wizard Configure DHCP options opens.
5. In the drop-down list Option category, you can select a category. The wizard refreshes and
only displays the options of the category. By default, Most Used Option is selected.
6. Delete the option(s) of your choice.
You must empty out input fields or set drop-down lists to Unset to delete them.
For more details, refer to the appendix DHCP Options.
7. Repeat these steps for as many options as needed.
8. Click on OK to complete the operation. The report opens and closes. The panel displays the
current configuration.

459
Chapter 35. Configuring DHCPv6 Prefix
Delegation
DHCPv6 prefix delegation allows to delimit a number of IPv6 addresses, a delegation range, that
you distribute using a specific prefix and deliver independently in dynamic addressing organiz-
ations. The Customer Premises Equipment (CPE) can then use it to allocate addresses to their
clients.

2001:db8:0:1::1 2001:db8:0:1:: /64 2001:db8:0:1::42

abc::456a 2001:db8:0:1::a
2001:db8:0:1:: /64

The router requests The router requests

dhcp.mycorp.com an IP address a prefix to delegate
DHCPv6
SERVER

DELEGATED
PREFIX abc::456b
2001:db8:0:2:: /64 2001:db8:0:2::8e
Start: 2001:db8:0:1::
End: 2001:db8:0:ffff:ffff:ffff:ffff:ffff
Prefixes: /64

2001:db8:0:2::1 2001:db8:0:2:: /64 2001:db8:0:2::5

Figure 35.1. Overview of an implementation of DHCPv6 Prefix Delegation

This replaces the need for Network Address Translation (NAT) in an IPv6 network and is widely
required when implementing IPv6 network. DHCPv6 prefix delegation is currently detailed in the
RFC 3633 available on IETF website at https://tools.ietf.org/html/rfc3633.

You can manage prefix delegations and delegated prefixes on two dedicated pages.

Prerequisites
• Defining the delegation range. You must set the start address and end addresses to define
the number of IP addresses available for prefix delegation.
• Specifying a shared network that corresponds to one or more scopes. Any scope included in
a shared network can use any of the prefix delegations configured.
• Specifying a prefix that sets the size of the IP address segments delegated between the start
and end IP addresses.
• Belonging to a group of users configured with the proper rights and resources. Having a DHCPv6
server as group resource grants users access to the pages All prefix delegations (v6) and All
delegated prefixes (v6).

Specificities
• DHCPv6 prefix delegations are compatible with DHCP relay mechanisms.
• DHCPv6 prefix delegations must be associated with a shared network that contains at least
one scope.

460
 Configuring DHCPv6 Prefix
Delegation

Limitations
• DHCPv6 prefix delegations are incompatible with DHCPv6 failover mechanisms since they
are not yet implemented in DHCPd 4.3 nor 4.4. For more details, refer to the RFC 8156 on
IETF website at https://tools.ietf.org/html/rfc8156.
• DHCPv6 prefix delegations:
• Cannot have a start address and end address that match existing DHCP ranges on the page
All ranges of the parent DHCPv6 server.
• Cannot be imported or edited, they can be added, exported and deleted.
• Cannot be configured on Split-scope smart architectures.
• DHCPv6 delegated prefixes can only be displayed and exported.
• The leases allocated within your delegated prefixes cannot be managed from the appliance.

Managing DHCPv6 Prefix Delegations

From the page All prefix delegations (v6), you can add, delete and export prefix delegations.

The columns on the page provide details on each delegation. You can sort and filter them but
you cannot change their layout.

Browsing the DHCPv6 Prefix Delegations

To display the list of DHCPv6 prefix delegations
1. In the sidebar, go to DHCP > Shared networks. The page All shared networks opens.
2. On the right-end side of the menu, make sure the button V6 is black, otherwise click on it.
The page refreshes and the button turns black.
3. In the breadcrumb on the right of All shared networks, click on to display additional
pages.
4. Click on All prefix delegations (v6). The page opens.

To display a DHCPv6 prefix delegation properties page

1. In the sidebar, go to DHCP > Shared networks. The page All shared networks opens.
2. On the right-end side of the menu, make sure the button V6 is black, otherwise click on it.
The page refreshes and the button turns black.
3. In the breadcrumb on the right of All shared networks, click on to display additional
pages.
4. Click on All prefix delegations (v6). The page opens.
5. At the end of the line of the prefix delegation of your choice, click on . The properties page
opens.

Adding DHCPv6 Prefix Delegations

DHCPv6 prefix delegations belong to a server. Adding prefix delegations means defining a spe-
cific range of IP addresses and prefix on the server that can be delegated. All prefix delegations
are associated with a shared network that contains one or more scopes, that way an equipment
can be delivered a prefix delegation by any scope belonging to the selected shared network.

461
 Configuring DHCPv6 Prefix
Delegation

Keep in mind that:

• The DHCP prefix delegation is pushed to the physical server(s) only after it belongs to a shared
network that contains at least one scope.
• You cannot edit DHCPv6 prefix delegations.

To add DHCPv6 prefix delegation

1. In the sidebar, go to DHCP > Shared networks. The page All shared networks opens.
2. On the right-end side of the menu, make sure the button V6 is black, otherwise click on it.
The page refreshes and the button turns black.
3. In the breadcrumb on the right of All shared networks, click on to display additional
pages.
4. Click on All prefix delegations (v6). The page opens.
5. In the menu, click on Add. The wizard Add a prefix delegation opens.
6. In the drop-down list DHCP server, select the DHCP server or smart architecture of your
choice.
7. Click on NEXT . The next page opens.
8. In the field Start address, specify the first IPv6 address of the prefix delegation range.
9. In the field End address, specify the last IPv6 address of the prefix delegation range.
10. In the field Prefix, specify the prefix to delegate. It defines the size of network segments to
delegate.
The number of segments depends on the number of IP addresses in the delegation range.
The total number of IP addresses contained in all the segments is inferior or equal to the
number of IP addresses contained in the range you specified in the fields above.
11. In the field Shared network, specify the name of a shared network. The field auto-completes.
Note that for every scope without selecting an existing shared network, one is automatically
added anyway. So you may already have shared network available, they are named after
the scope start_address/prefix.
This field is not displayed if you selected a shared network in the breadcrumb.
12. Click on OK to complete the operation. The report opens and closes. The prefix delegation
is listed.
On the properties page of the scope, the prefix delegation is listed in the panel Related
prefix delegations.

Exporting DHCPv6 Prefix Delegations

From the page All prefix delegations (v6), you can export the data listed in a CSV, HTML, XML,
XLS or PDF file.

Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.

Deleting DHCPv6 Prefix Delegations

You can delete DHCPv6 prefix delegations.

Keep in mind that deleting prefix delegations automatically deletes all their delegated prefixes.

To delete DHCPv6 prefix delegation

1. In the sidebar, go to DHCP > Shared networks. The page All shared networks opens.

462
 Configuring DHCPv6 Prefix
Delegation

2. On the right-end side of the menu,make sure the button V6 is black, otherwise click on it.
The page refreshes and the button turns black.
3. In the breadcrumb on the right of All shared networks, click on to display additional
pages.
4. Click on All prefix delegations (v6). The page opens.
5. Tick the prefix delegation(s) of your choice.
6. In the menu, click on Delete. The wizard Delete opens.
7. Click on OK to complete the operation. The report opens and closes. The prefix delegation
is no longer listed.

Managing DHCPv6 Delegated Prefixes

Once you added prefix delegations, you can display all the delegated prefixes.

From the page All delegated prefixes (v6), you can see how delegated prefixes are distributed.
Each delegated prefix has a unique MAC address, client DUID and lifespan.

Keep in mind that you can only display and export the delegated prefixes.

Browsing the DHCPv6 Delegated Prefixes

The page All delegated prefixes (v6) is empty if no prefix delegation is configured.

Several delegated prefixes can match one client. For each connection, clients obtain a new del-
egated prefix.

All expired delegated prefixes are available on the page Delegated prefix history.

Browsing the DHCPv6 Delegated Prefixes Database

To display the list of DHCPv6 delegated prefixes
1. In the sidebar, go to DHCP > Shared networks. The page All shared networks opens.
2. On the right-end side of the menu, make sure the button V6 is black, otherwise click on it.
The page refreshes and the button turns black.
3. In the breadcrumb on the right of All shared networks, click on to display additional
pages.
4. Click on All delegated prefixes (v6). The page opens.
5. To display the list of delegated prefixes of a specific prefix delegation, in the column Range,
click on the name of your choice. The page refreshes.

To display the delegated prefix history

1. In the sidebar, go to DHCP > Shared networks. The page All shared networks opens.
2. On the right-end side of the menu, make sure the button V6 is black, otherwise click on it.
The page refreshes and the button turns black.
3. In the breadcrumb on the right of All shared networks, click on to display additional
pages.
4. Click on All delegated prefixes (v6). The page opens.
5. On the right-end side of the menu, click on Delegated prefix history. The page opens.

463
 Configuring DHCPv6 Prefix
Delegation

Customizing the Display on the Page All delegated prefixes (v6)

Any user can change the column layout of the page via the button List template, on the right-
end side of the menu. Only users of the group admin can add or edit list templates. For more
details, refer to the section Managing List Templates.

All the columns of the page All delegated prefixes (v6) can be sorted and filtered. The last two
columns of the table below are hidden by default.

Some columns are also available on the page Delegated prefix history, note that on this page
you cannot change their layout.

Table 35.1. The columns on the page All delegated prefixes (v6) and Delegated prefixes history
Column Description
Address The start address of the delegated prefix.
Prefix The prefix of the delegated range of IP addresses.
Client DUID The DHCP Unique Identifier (DUID) sent by the client that requested the delegated prefix.
For more details regarding DUID structures, refer to the section Managing DHCP Statics.
Full MAC address The full MAC address of the delegated prefix, a concatenation of its Type and short MAC
address.
MAC vendor Only on the page All delegated prefixes (V6). The MAC address of the network interface
vendor.
First seen The date when the prefix is first delivered to the client. Note that the client can connect
several times, and each time obtain a different prefix.
Start Only on the page All delegated prefixes (V6). The delegated prefix start time and date.
End The delegated prefix end time and date.
Server The name of the server that contains the shared network associated with the delegated
prefix.
Shared network The name of the shared network associated with the parent prefix delegation.
Range Only on the page All delegated prefixes (V6). The parent prefix delegation of the delegated
prefix.
Percent Only on the page All delegated prefixes (V6). The delegated prefix elapse time graph,
when it reaches 100 % the delegated prefix has expired.
Expires in Only on the page All delegated prefixes (V6). The time left before the expiration of the
delegated prefix.
Period Only on the page All delegated prefixes (V6). The total lifespan of the delegated prefix.
Related scopes Only on the page All delegated prefixes (V6). The name of the scopes that belong to the
shared network associated with the parent prefix delegation.

Exporting DHCPv6 Delegated Prefixes

From the page All delegated prefixes (v6), you can export the data listed in a CSV, HTML, XML,
XLS or PDF file.

Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.

464
Chapter 36. Monitoring and Reporting
DHCP Data
SOLIDserver provides tools dedicated to monitoring DHCP servers and generating reports. Note
that these tools only apply to DHCP objects managing IPv4 addressing:
• The alerts that you can set on the DHCP pages allow to customize your monitoring. For more
details, refer to the chapter Managing Alerts.
• A set of statistics are available in dedicated panels of the properties page of DHCP servers,
as detailed in the section Monitoring DHCP Servers from their Properties Page.
• A set of data sampling analytics are available on the page Analytics, as detailed in the section
Monitoring DHCP Servers from the Page Analytics.
• A set of rules allow to monitor your servers, as detailed in the section Monitoring DHCP
Servers Using Rules.
• A number of reports on IPv4 servers and scopes are available, as detailed in the section
Generating DHCP Reports.

Monitoring DHCP Servers from their Properties Page

On the properties page of a physical or smart DHCP server, some panels are dedicated to
monitoring queries and changes. The monitoring panels are the following:
DHCP server leases <server-name>
Displays a lease dedicated chart for physical servers, if relevant.
DHCP server statistics <server-name>
Displays query dedicated charts for the physical servers.
State log
Displays the server logs.
Audit
Displays all the latest changes performed on the server by the user logged in.

Note that the server analytics panel and lease statistics panel display data retrieved using SNMP,
therefore, the graphs are empty if the SNMP is not configured properly. To edit the SNMP para-
meters of an EfficientIP DHCP server, refer to the section Editing the SNMP Monitoring Parameters
of EfficientIP DHCP Servers.

Keep in mind that you can zoom in and out of the charts or decide the period and data to display.
For more details, refer to the section Charts.

To display the lease statistics of a DHCP server

1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. At the end of the line of the server or smart architecture of your choice, click on . The
properties page open.
3. Open the panel DHCP server leases <physical-server-name> using .
Once the panel is open, you can use the buttons under the chart to: move back or forward
the start time displayed; zoom in and out ; refresh the data .The drop-down list allows
to restrict or expand the period of time displayed: Last 3 hours (selected by default), Current
hour, Day, Week, Month, Year.

465
 Monitoring and Reporting DHCP
Data

To display the satistics of a DHCP server

1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. At the end of the line of the server or smart architecture of your choice, click on . The
properties page open.
3. Open the panel DHCP server statistics <physical-server-name> using .
Once the panel is open, you can use the buttons under the chart to: move back or forward
the start time displayed; zoom in and out ; refresh the data .The drop-down list allows
to restrict or expand the period of time displayed: Last 3 hours (selected by default), Current
hour, Day, Week, Month, Year.

By default, on a smart architecture properties page, statistics panels are displayed for maximum
ten physical servers. For more details, refer to the section Setting the number of DHCP server
statistics panels to display.

To display the state log of a DHCP server

1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. At the end of the line of the server or smart architecture of your choice, click on . The
properties page open.
3. Open the panel State log using . The panel content retrieves the server state in the logs:
OK , KO, Invalid settings... and the time and date for each.

To display the audit of a DHCP server

1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. At the end of the line of the server or smart architecture of your choice, click on . The
properties page open.
3. Open the panel Audit using . The panel displays the latest changes in the database.
Each occurrence specifies the Date and time it occurred, the Service used, the User perform-
ing the operation and the server basic information: DHCP name, DHCP type and Architecture
if relevant.
By default, it lists the changes carried out by the user logged in, but if they belong to a group
with access to the changes from all users, the panel displays all the operations ever per-
formed. For more details, refer to the section Allowing Users to Display All the Operations
Performed.

Setting the Number of DHCP Server Statistics Panels to Display

You can set the number of panels dedicated to DHCP server statistics that are displayed on the
properties page of a smart architecture. By default, the value is set to 10.

Keep in mind that:

• If you display a large number of charts, it will take more time for the page to load when you
open the panels.
• The number of panels you set applies to the properties page of DHCP and DNS smart archi-
tectures.

To set the number of server statistics panels to display on the properties page of
a smart
Only users of the group admin can perform this operation.

466
 Monitoring and Reporting DHCP
Data

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Registry database. The page Registry database opens.
3. Filter the column Name with www.display.properties_page.stats.max_servers.
4. Hit Enter. Only this key is listed.
5. In the column Value, click on the value. The wizard Registry database edit a value opens.
6. In the field Value, specify the number of seconds of your choice. By default, it is set to 10.
7. Click on OK to complete the operation. The report opens and closes. The page refreshes
and the new key value is displayed.

Monitoring DHCP Servers from the Page Analytics

The page Analytics provides data sampling lists dedicated to DHCP messages for EfficientIP
DHCP physical servers. Keep in mind that:
• There are some limitations.
• The analytics functionality is enabled by default and samples the DHCP messages over spe-
cific periods of time. By default, it offers 5-minute samples. To set a shorter or larger periodicity,
refer to the section Configuring the Analytics Retrieval.
• You can set up an alert on the entries displayed. For more details, refer to the chapter Managing
Alerts.

The analytics functionality is enabled by default and samples the DHCP messages over specific
periods of time. By default, it offers 5-minute samples. To set a shorter or larger periodicity, refer
to the section Configuring the Analytics Retrieval.

Limitations
• The analytics are only available for EfficientIP DHCP servers.
• Only the first 50 entries matching the selected data are listed. Therefore, if during the selected
period of time, 100 pieces of information are identical, the GUI only displays the first 50.
• You might slow your appliance down if you edit the purge mechanism to include more lines or
keep data longer than the default 30 days.

Accessing the Page Analytics

The page Analytics offers dedicated DHCP data samples based on the DHCP messages of the
physical servers.

Each sample compares data retrieved over a specific periodicity, a limited period of time, that is
set by default to a sample time of 5 minutes. You can edit the sampling period following the pro-
cedure in the section Configuring the Periodicity.

To display the page Analytics

1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. In the breadcrumb on the right of All servers, click on to display additional pages.
3. Click on Analytics. The page refreshes.
4. To only display the analytics of a specific physical server, in the column Server, click on the
name of your choice. The server name is displayed in the breadcrumb and only its data is
returned.

Each column provides and compares message information over the specified sample time.

467
 Monitoring and Reporting DHCP
Data

Table 36.1. The columns on the page Analytics

Column Description
Server The name of the physical server. This column is displayed for all analytics if no server is
displayed in the breadcrumb.
Start date The time and date when the data retrieval started. This column is displayed for all analytics.
You can filter it with the keyword last to display the data retrieved in the last X minutes,
where X is the number of minutes set for the Period of the server. If no data is retrieved
in that period, the list is empty.
End date The time and date when the data retrieval stopped. The end date respects the number of
minutes set for the Period. This column is displayed for all analytics. By default the column
is filtered with the keyword last to only display the data retrieved in the last X minutes set
for the Period of the server.
Period The periodicity set for the sample of queries, 1, 5, 10 or 15 minutes. This column is dis-
played for all analytics. The periodicity is set on the physical server properties page, for
more details refer to the section Configuring the Periodicity.
Address The IP or MAC address of the requesting client, or the IP address of the relay agent. This
column is displayed for all analytics, except Message types.
Reason The reason why the lease was abandoned for the selected period. This column is displayed
only for Top 50 ABANDONED LEASES (IP).
Message type The DHCP message type: DISCOVER, OFFER, REQUEST, ACKNOWLEDGE, NOT
ACKNOWLEDGE, RELEASE, DECLINE, INFORM or other. This column is only displayed
for Message types.
Total messages The total number of messages in the DHCP logs during the selected period. This column
is displayed for all analytics.
Number of hits The exact number of times a certain message type was requested by the IP or MAC address
for the selected period. This column is displayed for all analytics.
For instance, the number of DISCOVER messages for a specific IP address during a 5-
minute period.
Total ratio The percentage of Number of hits compared with the Total messages for the selected
period. This column is displayed for all analytics.
For instance, the percentage of DISCOVER messages of a specific IP address compared
with all the messages in the logs during a 5-minute period.
Nb of hits / type The number of hits matching the selected message type during the selected period. This
column is displayed for all analytics, except Message types.
For instance, the number of DISCOVER messages during a 5-minute period.
Relative ratio The percentage of Number of hits compared with the Nb of hits / type during the selected
period. This column is displayed for all analytics, except Message types.
For instance, the percentage that represents the DISCOVER messages of a specific IP
address compared with all the DISCOVER messages in the logs during a 5-minute period.

Displaying the DHCP Analytics

From the page Analytics, you can display physical servers data samples retrieved from its mes-
sages. It focuses by default on a sample period of 5 minutes to draw Top 50 comparisons.

To display specific DHCP analytics data

1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. In the column Name, click on the server or smart architecture of your choice to display the
scopes it contains.
3. In the breadcrumb on the right of the server name, click on to display additional pages.
4. Click on Analytics. The page refreshes.

468
 Monitoring and Reporting DHCP
Data

5. Under the menu, in the drop-down list Display, select the data of your choice. The page
data and columns refresh. All available analytics are detailed in the table below.
6. Under the drop-down list, you can tick the box Automatic refresh to automatically refresh
the data listed every minute. To edit the page refresh frequency, refer to the section Editing
the Automatic Refresh Frequency.

You can edit the sample time following the procedure in the section Configuring the Periodicity.

Table 36.2. DHCP analytics

Statistic Description
Top 50 DISCOVER (MAC) The top 50 clients who sent the most DHCPDISCOVER messages during
the configured Period. These clients are identified using their MAC ad-
dress.
Top 50 OFFER (MAC) The top 50 clients who received the most DHCPOFFER messages during
the configured Period. These clients are identified using their MAC ad-
dress.
Top 50 OFFER (IP) The top 50 clients who received the most DHCPOFFER messages during
the configured Period. These clients are identified using their IP address.
Top 50 REQUEST (MAC) The top 50 clients who sent the most DHCPREQUEST messages during
the configured Period. These clients are identified using their MAC ad-
dress.
Top 50 REQUEST (IP) The top 50 clients who sent the most DHCPREQUEST messages during
the configured Period. These clients are identified using their IP address.
Top 50 ACK (MAC) The top 50 clients who received the most DHCPACK messages (acknow-
ledged) during the configured Period. These clients are identified using
their MAC address.
Top 50 ACK (IP) The top 50 clients who received the most DHCPACK messages (acknow-
ledged) during the configured Period. These clients are identified using
their IP address.
Top 50 NAK (MAC) The top 50 clients who received the most DHCPNAK messages (not ac-
knowledged) during the configured Period. These clients are identified
using their MAC address.
Top 50 NAK (IP) The top 50 clients who received the most DHCPNAK messages (not ac-
knowledged) during the configured Period. These clients are identified
using their IP address.
Top 50 RELEASE (MAC) The top 50 clients who sent the most DHCPRELEASE messages during
the configured Period. These clients are identified using their MAC ad-
dress.
Top 50 RELEASE (IP) The top 50 clients who sent the most DHCPRELEASE messages during
the configured Period. These clients are identified using their IP address.
Top 50 DECLINE (MAC) The top 50 clients who sent the most DHCPDECLINE messages during
the configured Period. These clients are identified using their MAC ad-
dress.
Top 50 DECLINE (IP) The top 50 clients who sent the most DHCPDECLINE messages during
the configured Period. These clients are identified using their IP address.
Top 50 INFORM (IP) The top 50 clients who sent the most DHCPINFORM messages during
the configured Period. These clients are identified using their IP address.
a
Top 50 ABANDONED LEASES (IP) The top 50 clients whose lease was abandoned during the configured
Period. These clients are identified using their IP address.
Top 50 RELAY The top 50 most used DHCP relay agents during the configured Period.
These relay agents are identified using their IP address.
Top 50 "Peer holds all free leases" The top 50 DHCP relay agents on which the failover channel refused
leases during the configured Period. These relay agents are identified
using their IP address.

469
 Monitoring and Reporting DHCP
Data

Statistic Description
Top 50 "Unknown network segment" The top 50 clients who received unknown network segment messages
during the configured Period. These clients are identified using their IP
address.
Top 50 "Unknown subnet" The top 50 clients who received message unknown subnet messages
during the configured Period. These clients are identified using their IP
address.
Message types All the messages sent and received by the DHCP server during the con-
figured Period. All messages are identified using their type.
a
The lease was either accepted by another client while being offered or declined by the client.

Configuring the Analytics Retrieval

You can configure the DHCP analytics retrieval according to your needs.You can edit the sampling
period, or periodicity, the page automatic refresh frequency, the data retrieval frequency and
even its purge frequency.

Editing the Automatic Refresh Frequency

On the page Analytics, the box Automatic refresh allows to automatically refresh the page display
every 60 seconds. You can edit this frequency via a registry database key.

To edit the analytics automatic refresh frequency

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Registry database. The page Registry database opens.
3. Filter the column Name with www.dhcp.stat.refresh.
4. Hit Enter. Only this key is listed.
5. In the column Value, click on the value. The wizard Registry database edit a value opens.
6. In the field Value, specify the number of seconds of your choice. By default, it is set to 60.
7. Click on OK to complete the operation. The report opens and closes. The page refreshes
and the new key value is visible.

Configuring the Periodicity

By default, the data sampling compares the DHCP messages over a periodicity of 5 minutes. On
the page Analytics, the sample time is specified in the column Period.

You can configure a shorter or larger periodicity on each physical server individually.

Note that no matter the periodicity, the data is available on the page at a frequency specified
through the rule 381. To edit that rule, refer to the section Configuring the DHCP Analytics Re-
trieval Frequency.

To edit the analytics periodicity of a DHCP physical server

1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. At the end of the line of the physical server of your choice, click on . The properties page
opens.
3. Open the panel DHCP analytics. It indicates if the retrieval is enabled and the periodicity.
4. Click on EDIT . The wizard Configure DHCP analytics opens.

470
 Monitoring and Reporting DHCP
Data

5. Make sure the field Enable analytics collection is ticked.

6. In the drop-down list Periodicity (min.), select 1, 5, 10 or 15. By default, 5 is selected.
7. Click on OK to complete the operation. The report opens and closes.

Configuring the DHCP Analytics Retrieval Frequency

The frequency to which the analytics are displayed on the page Analytics is set by the rule 381,
Retrieval of the DHCP analytics data. By default, every 5 minutes it displays the data comparison
results for messages sampled during 1, 5, 10 or 15 minutes, depending on the configured peri-
odicity.

No matter the periodicity you set on the physical server, the data is available in the GUI depending
on the rule configuration.

To edit the rule 381 that sets the DHCP analytics data retrieval
Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Rules. The page Rules opens.
3. In the column Rule #, type in 381 and hit Enter. The rule is the only one listed.
4. At the end of the line, click on . The properties page opens.
5. In the panel Main properties, click on EDIT . The wizard Edit a rule opens.
6. In the field Rule name, you can rename the rule. This field is required.
7. In the field Comment, you can insert, edit or delete the rule comment. This field is optional.
8. Click on NEXT . The page Rule filters opens.
9. Edit the rule frequency according to your needs.

Table 36.3. Frequency filters of the rule 381

Column Default value
Day(s) of the week A day, a frequency or a period of days. By default, every day is selected. This field is
optional.
Date of the month A specific day of the month or every day. By default, every day is selected. This field
is optional.
Month A specific month or every month. By default, every month is selected. This field is
optional.
Hour A specific hour, a set of hours, every hour, or every hour over a specific period. The
hour respects the UTC standard. By default, every hour is selected. This field is op-
tional.
Minute A moment of the hour (00, 15, 30 or 45) or a frequency. The minute respects the UTC
standard. By default, every 5 minutes is selected. This field is optional.

10. Click on OK to complete the operation. The report opens and closes.

Configuring the DHCP Analytics Purge Frequency

You can configure the purge mechanism of the analytics retrieval. By default, it is based on:
• The data age. The rule 383, Configuration of the DHCP analytics purge, deletes data older
than 30 days. You can set it to delete data earlier or later.
• A line count. A registry key deletes data if the analytics database exceeds 100,000 lines, each
analytic can reach that many lines. You can set a lower or higher threshold.

471
 Monitoring and Reporting DHCP
Data

As both thresholds work together, once the number of days or the number of lines is met, the
unwanted data is deleted.

No matter the way you want to purge your database, keep in mind that if you set very high
thresholds, you may slow down your appliance because the database contains too much
information.

To edit the rule 383 that purges the DHCP analytics

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Rules. The page Rules opens.
3. In the column Rule #, type in 383 and hit Enter. The rule is the only one listed.
4. At the end of the line, click on . The properties page opens.
5. In the panel Main properties, click on EDIT . The wizard Edit a rule opens.
6. In the field Rule name, you can rename the rule. This field is required.
7. In the field Comment, you can insert, edit or delete the rule comment. This field is optional.
8. Click on NEXT . The page Rule filters opens.
9. Edit the rule frequency according to your needs.

Table 36.4. Frequency filters of the rule 383

Column Default value
Day(s) of the week A day, a frequency or a period of days. By default, every day is selected. This field is
optional.
Date of the month A specific day of the month or every day. By default, every day is selected. This field
is optional.
Month A specific month or every month. By default, every month is selected. This field is
optional.
Hour A specific hour, a set of hours, every hour, or every hour over a specific period. The
hour respects the UTC standard. By default, 23 is selected. This field is optional.
Minute A moment of the hour (00, 15, 30 or 45) or a frequency. The minute respects the UTC
standard. By default, 30 is selected. This field is optional.

10. Click on NEXT . The page Rule parameters opens.

11. In the field Number of days, specify the number of days above which you want the logs
database to be purged. By default it is set to 30, logs older than thirty days are automatically
deleted.
12. Click on OK to complete the operation. The report opens and closes.

To add a threshold to purge DHCP analytics

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Registry database. The page Registry database opens.
3. In the menu, click on Add. The wizard Registry database Add an item opens.
4. In the field Name, type in dhcp.stats.limit.
5. In the field Value, specify the number of lines of your choice, above that value the data is
purged. By default, it is set to 100000.
6. Click on OK to complete the operation. The report opens and closes. The page refreshes
and the key is listed.

472
 Monitoring and Reporting DHCP
Data

Exporting the Analytics

From the page Analytics, you can export the data listed in a CSV, HTML, XML, XLS or PDF file.

Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.

Disabling the Analytics

You can disable analytics and stop retrieving the data of any physical server.

To disable the analytics retrieval on a DHCP physical server

1. In the sidebar, go to DHCP > Servers. The page All servers opens.
2. At the end of the line of the physical server of your choice, click on . The properties page
opens.
3. Open the panel DHCP analytics. It indicates if the retrieval is enabled and its periodicity.
4. Click on EDIT . The wizard Configure DHCP analytics opens.
5. Untick the box Enable analytics collection.The page refreshes, the drop-down list Periodicity
(min.) is no longer visible.
6. Click on OK to complete the operation. The report opens and closes. In the panel, the field
Enable analytics collection is marked no.

Monitoring DHCP Servers Using Rules

In order to monitor DHCP servers efficiently, SOLIDserver allows you to add advanced rules to
monitor DHCP events: monitor the scope/range usage or set up an alert dedicated to monitoring
the server status.

In the following procedures, we are going to configure a monitoring process to add the rules 105
and 082 that respectively check DHCP scope/range usage and send an alert if a DHCP scope
is full.

Before using the monitoring rules, make sure the server is responding.

To add the rule 105 that checks scopes and ranges usage
Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Rules. The page Rules opens.
3. In the menu, click on Add. The wizard Add a rule opens.
4. In the drop-down list Module, select DHCP.
5. In the drop-down list Event, select Execution of a scheduled rule.
6. In the list Rule, select (105) Check DHCP scope/range usage.
7. In the field Rule name, name the rule. That name is then listed in the column Instance.
8. In the field Comment, you can specify a comment if you want.
9. Click on NEXT . The page Rule filters opens.
10. Edit the rule frequency according to your needs.

473
 Monitoring and Reporting DHCP
Data

Table 36.5. Frequency filters of the rule 105

Field Description
Day(s) of the week A day, a frequency or a period of days. By default, every day is selected. This field is
optional.
Date of the month A specific day of the month or every day. By default, every day is selected. This field
is optional.
Month A specific month or every month. By default, every month is selected. This field is
optional.
Hour A specific hour, a set of hours, every hour, or every hour over a specific period. The
hour respects the UTC standard. By default, every hour is selected. This field is op-
tional.
Minute A moment of the hour (00, 15, 30 or 45) or a frequency. The minute respects the UTC
standard. By default, every 10 minutes is selected. This field is optional.

11. Click on NEXT . The page Rule parameters opens.

12. In the field Maximum scope usage, specify, in percent, the maximum scope usage of your
choice. By default, it is set to 90.
13. Click on OK to complete the operation. The report opens and closes. The rule is listed.

Once the rule 105 is added, add the rule 082. Make sure the SNMP service is configured properly.
For more details, refer to the section Configuring the SNMP Server.

To add the rule 082 that sends an alert when a scope is full
Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Rules. The page Rules opens.
3. In the menu, click on Add. The wizard Add a rule opens.
4. In the drop-down list Module, select DHCP.
5. In the drop-down list Event, select Event.
6. In the list Rule, select (082) Send an alert if a DHCP scope is full.
7. In the field Rule name, name the rule. That name is then listed in the column Instance.
8. In the field Comment, you can specify a comment if need be.
9. Click on NEXT . The page Rule filters opens.
10. Click on NEXT . The page Rule parameters opens.
11. To be notified via SNMP trap:
a. In the field IP address of the SNMP trap, specify the IP address of the appliance that
should receive the SNMP trap.
b. In the field SNMP trap community, specify the community string for this trap. By default
it is ness.
12. To be notified via email, in the field Send a mail to, specify the email address that should
receive the notification.
13. Click on OK to complete the operation. The report opens and closes. The rule is listed.

Thanks to these two rules, if scopes from your DHCP servers exceed the percentage of usage
specified in the rule 105, you are automatically notified via email and/or SNMP trap.

Besides, you can display DHCP scope/range usage, in the panel State log of the scope properties
page.

474
 Monitoring and Reporting DHCP
Data

Generating DHCP Reports

EfficientIP provides DHCP dedicated reports at server and scope level.

Table 36.6. Available DHCP reports

Page Report
All servers Clients most used OS
Server data exchanges
Server options comparison
Server usage chart
Most used networks
Server usage evolution charts
All scopes Clients most used OS
Scopes options comparison
Scopes summary

For more details regarding the reports and their generation, refer to the section Managing Reports.

475
 Part VII. DNS
The Domain Name System (DNS) is a hierarchical distributed naming system which main function is to
convert an IP address into an intelligible domain name (name resolution) or a domain name into an IP address
(reverse resolution). The DNS namespace can be seen as a reversed tree of domains managed by zones.

DELEGATION
root

.com .net .org

Figure 156. The DNS hierarchy, a reverse tree of delegations

At the root of the structure, the highest zone is represented by a silent dot ( . ) followed, in order, by the Top-
Level Domains (TLDs) and the Second-Level Domains (SLDs). The TLDs are divided into generic TLDs
(gTLD), like .com, .org or .net, and country code TLDs (ccTLD), like .us, .fr or .uk . The whole access path
to a domain reads from right to left: SLD.TLD .

At the top of the reverse tree, there are 13 root servers listed alphabetically from A to M and spread out
worldwide. They all gather the same information regarding the TLDs and, to avoid being saturated by
queries, they delegate names and IP addresses to accredited registrars.

In theory, a client that wants to access a web page would have to follow the whole hierarchy from the root
down to the sub-domain. For that reason, DNS servers offer a combination of authoritative, recursive or
cache functionalities.

The DNS hierarchy can include up to 4 levels of organization:

• Server: the highest level of the hierarchy. It can contain views, zones and records. For more details, refer
to the chapters Managing DNS Servers and Configuring DNS Servers. One or several servers can be
managed via a smart architecture to ensure service availability and prevent data or configuration loss.
For more details, refer to the chapters Understanding DNS Smart Architectures and Managing DNS Smart
Architectures.
• View: an optional level that belongs to a server and contains zones. It allows to grant or limit user access
the data of your choice. Depending on who queries a domain, they receive different responses. For more
details, refer to the chapters Managing DNS Views and Configuring DNS Views.
• Zone: the second level of the DNS hierarchy. They contain resource records and can be set to resolve
names or IP addresses. For more details, refer to the chapters Managing DNS Zones and Configuring
DNS Zones.
• RR: the lowest level of the hierarchy. They define zone characteristics. For more details, refer to the
chapter Managing DNS Resource Records.

The DNS module also provides:

• DDNS. You can configure Dynamic Domain Name Server to dynamically take into account in the DNS
any IP address assignment updates in the DHCP. For more details, refer to the chapter Implementing
Dynamic Update.
• RPZ. You can add and manage Response Policy Zones and set specific rules. For more details, refer to
the chapter DNS Firewall (RPZ).
• Hybrid DNS. You can set up a hybrid DNS service that can switch from BIND to NSD or Unbound and
vice versa. For more details, refer to the chapter Hybrid DNS Service.
• DNSSEC.You can configure the Domain Name System Security Extensions to use a server as a resolver
or sign your zones. For more details, refer to the chapter DNSSEC.
• Monitoring and Reporting. There are many ways for the reporting and monitoring of DNS servers traffic
and activity. For more details, refer to the chapter Monitoring and Reporting DNS Data.
• Automation of IPAM and DHCP resources addition.The advanced properties allow to automate additions
in the IPAM or DHCP when you add DNS resources. For more details, refer to the chapter Managing
Advanced Properties.

Note that from the module Dashboards, you can monitor the module data or set up custom shortcuts and
search engines using gadgets. For more details, refer to the part Dashboards.
Table of Contents
37. Understanding DNS Smart Architectures ................................................................... 481
Master/Slave Smart Architecture ............................................................................ 482
Multi-Master Smart Architecture ............................................................................. 482
Stealth Smart Architecture ..................................................................................... 483
Single-Server Smart Architecture ........................................................................... 483
Farm Smart Architecture ........................................................................................ 484
38. Managing DNS Smart Architectures .......................................................................... 485
Browsing DNS Smart Architectures ........................................................................ 485
Adding a DNS Smart Architecture .......................................................................... 486
Converting a DNS Server into a Smart Architecture ................................................. 496
Editing a DNS Smart Architecture .......................................................................... 497
Handling the Status Locked Synchronization ........................................................... 501
Exporting DNS Smart Architectures ....................................................................... 502
Deleting a DNS Smart Architecture ........................................................................ 502
Defining a DNS Smart Architecture as a Group Resource ........................................ 502
39. Managing DNS Servers ............................................................................................ 503
Browsing DNS Servers .......................................................................................... 504
Managing EfficientIP DNS Servers ......................................................................... 505
Managing Microsoft Windows DNS Servers ............................................................ 511
Managing BIND DNS Servers on Linux ................................................................... 514
Managing Generic DNS Servers ............................................................................ 523
Managing Amazon Route 53 Servers ..................................................................... 526
Managing Azure DNS Servers ............................................................................... 538
Synchronizing DNS Servers ................................................................................... 542
Editing DNS Servers ............................................................................................. 543
Securing the Management of DNS Servers Using a TSIG Key ................................. 544
Flushing the Cache of DNS Servers ....................................................................... 545
Exporting DNS Servers ......................................................................................... 546
Deleting DNS Servers ........................................................................................... 546
Defining a DNS Server as a Group Resource .......................................................... 546
40. Configuring DNS Servers ......................................................................................... 547
Configuring DNS Forwarding at Server Level .......................................................... 547
Configuring DNS Recursion at Server Level ............................................................ 549
Configuring DNS Notify Messages at Server Level .................................................. 552
Restricting DNS Queries at Server Level ................................................................ 553
Limiting Zone Transfers at Server Level .................................................................. 556
Configuring a Blackhole ......................................................................................... 557
Configuring Client Resolver Cache Options at Server Level ..................................... 558
Configuring EDNS Options at Server Level ............................................................. 559
Configuring Prefetch on a Server ........................................................................... 560
Improving the Server Performance ......................................................................... 560
Configuring a Sortlist at Server Level ...................................................................... 561
Limiting the Number of Responses of a Server ........................................................ 562
Configuring DNS64 ............................................................................................... 563
Configuring DNS Sources at Server Level ............................................................... 567
Authenticating the Zones Dynamic Update from the Server ...................................... 570
Configuring Access Control Lists for a Server ......................................................... 572
Configuring DNS Keys ........................................................................................... 574
Including Non-Supported DNS Settings .................................................................. 575
Setting up Anycast DNS ........................................................................................ 575
Integrating Cisco Umbrella ..................................................................................... 588

478
 DNS

Forwarding the Client IP Address ........................................................................... 591

41. Managing DNS Views .............................................................................................. 593
Browsing DNS Views ............................................................................................. 593
Adding DNS Views ................................................................................................ 594
Editing DNS Views ................................................................................................ 597
Editing the Order of the Views ................................................................................ 598
Exporting DNS Views ............................................................................................ 598
Deleting DNS Views .............................................................................................. 599
Defining a DNS View as a Group Resource ............................................................ 599
Going Back to Managing Zones Without Views ........................................................ 599
42. Configuring DNS Views ............................................................................................ 601
Configuring DNS Forwarding at View Level ............................................................. 601
Configuring DNS Notify Messages at View Level ..................................................... 602
Configuring DNS Recursion at View Level ............................................................... 604
Restricting DNS Queries at View Level ................................................................... 606
Limiting Zone Transfer at View Level ....................................................................... 608
Configuring Client Resolver Cache Options at View Level ........................................ 609
Configuring EDNS Options at View Level ................................................................ 610
Configuring a Sortlist at View Level ........................................................................ 611
Configuring DNS Sources at View Level ................................................................. 611
43. Managing DNS Zones .............................................................................................. 615
Browsing DNS Zones ............................................................................................ 615
Adding DNS Zones ............................................................................................... 616
Synchronizing DNS Zones ..................................................................................... 630
Editing DNS Zones ................................................................................................ 630
Converting DNS Zones .......................................................................................... 635
Adding or Removing an NS Record ........................................................................ 636
Copying or Moving DNS Zones .............................................................................. 636
Setting Properties on Multiple DNS Zones .............................................................. 637
Configuring Scavenging on DNS Zones .................................................................. 642
Forcing the Update of DNS Zones Content ............................................................. 645
Disabling and Enabling DNS Zones ........................................................................ 647
Adding or Updating DNS Zones from the IPAM ....................................................... 647
Exporting DNS Zones ............................................................................................ 647
Deleting DNS Zones .............................................................................................. 647
Defining a DNS Zone as a Group Resource ............................................................ 648
44. Configuring DNS Zones ........................................................................................... 649
Managing DNS Zone Delegation ............................................................................ 649
Configuring DNS Forwarding at Zone Level ............................................................ 651
Configuring DNS Notify Messages at Zone Level .................................................... 652
Managing DNS Security ........................................................................................ 655
Configuring DNS Sources at Zone Level ................................................................. 659
45. Managing DNS Resource Records ........................................................................... 663
Browsing DNS Resource Records .......................................................................... 663
Adding Resource Records ..................................................................................... 665
Editing Resource Records ..................................................................................... 683
Configuring the Delegation at Record Level ............................................................ 686
Copying or Moving Records ................................................................................... 687
Changing the Hostname Convention ...................................................................... 688
Load Balancing with Round-Robin .......................................................................... 688
SPF Record .......................................................................................................... 689
Adding IP Addresses and Aliases from the Page All RRs ......................................... 689
Updating DNS Records from the IPAM ................................................................... 690
Adding Records from the DHCP ............................................................................. 690

479
 DNS

Exporting DNS Resource Records ......................................................................... 690

Deleting Resource Records ................................................................................... 690
46. Implementing Dynamic Update ................................................................................. 691
Configuring Dynamic Update ................................................................................. 691
Configuring Secure Dynamic Update ...................................................................... 691
Disabling Dynamic Update and Deleting Keys ......................................................... 699
47. DNS Firewall (RPZ) ................................................................................................. 702
Prerequisites ........................................................................................................ 702
Limitations ............................................................................................................ 702
Managing RPZ Zones ............................................................................................ 703
Managing RPZ Rules ............................................................................................ 712
48. Hybrid DNS Service ................................................................................................. 724
Checking the Compatibility with Hybrid ................................................................... 724
Switching to Hybrid DNS ....................................................................................... 727
Forcing Compatibility with Hybrid ........................................................................... 730
Switching Back to BIND ......................................................................................... 731
Administrating the Backup and Restoration of Hybrid Configurations ........................ 732
49. DNSSEC ................................................................................................................. 733
Managing DNSSEC on Authoritative Servers .......................................................... 734
Managing DNSSEC on Recursive Servers .............................................................. 750
50. Monitoring and Reporting DNS Data ......................................................................... 756
Monitoring DNS Servers from their Properties Page ................................................ 756
Monitoring DNS Servers from the Page Analytics .................................................... 758
Monitoring DNS Queries and Answers .................................................................... 765
Generating DNS Reports ....................................................................................... 767

480
Chapter 37. Understanding DNS Smart
Architectures
The current approach of DNS service management is mainly limited at managing a single server,
restricting service configuration and management with a server per server approach even if it is
performed from a centralized platform. This approach is insufficient to ensure service reliability,
security and easiness of management. It could weaken your DNS architecture because:
• It increases the risk of misconfigurations.
• There is no Best Practices enforcement to ensure the high security of the network services
architecture.
• There is no automation of architecture implementation and management.
• There are difficult and risky architecture changes.

With this approach, even if the configuration is simplified from the GUI, it is still complex, expensive
and requires experts to deploy and configure all servers in coherent architectures of DNS-DHCP
services.

To drastically simplify the implementation and administration of your network service, we strongly
recommend managing every DNS server from a smart architecture. That way, you can manage
DNS services at server level and at architecture level. Smart architectures are virtual management
tools that allow to back up your configuration. If the server(s) you are managing from the smart
architecture were to crash, the architecture would save the configuration and allow you to push
it on some new server(s) automatically. In addition, you can change the type of smart architecture
and the physical server(s) it manages.

The smart architecture offers a library of DNS architectures that are ready to apply on a set of
servers. All the DNS smart architectures designed for more than one server can contain
several Master servers. This sets up an even more secure environment: if one Master server
crashes or stops responding, the other one takes over and ensures service availability.

The DNS smart architecture library includes:

• Master/Slave.
• Multi-Master.
• Stealth.
• Single-Server.
• Farm.

Smart architectures support:

• EfficientIP DNS servers.
• Microsoft Windows Server DNS servers.
• ISC BIND servers.

Smart architectures allow to manage other DNS servers supporting DDNS (RFC2136) with the
single ability of updating the domains and not the server configuration or the zone configuration.
In that way, the server configuration and the zone configuration must be done locally on the
server. This configuration is useful when you are only allowed to update zones on a DNS partner.

481
 Understanding DNS Smart
Architectures

Master/Slave Smart Architecture

The Master/Slave configuration of DNS servers is widely used on the Internet. SOLIDserver
provide a dedicated Master/Slave DNS smart architecture. A master DNS configuration contains
one or more zones files for which this DNS server is authoritative. The term master is related to
the location of the zone data rather than any other operational characteristics. A master is reques-
ted to transfer zone data to one or more slave servers whenever the zone file change. The
master DNS obtains the zone data locally as opposed to a slave DNS, which obtains its zone
data via a zone transfer operation from the master DNS.

DNS
Master
DNS DNS
Slave Slave

Figure 37.1. DNS Master/Slave smart architecture

Multi-Master Smart Architecture

Multi-Master configurations are used to allow updates on all servers. The Multi-Master smart ar-
chitecture can manage all DNS servers, including Microsoft DNS servers integrated or not in
Active Directory, EfficientIP DNS, BIND servers or all DNS servers supporting DDNS. It can even
reproduce Microsoft's Multi-Master behavior.

DNS
Master

DNS DNS
Master Master

Figure 37.2. DNS Multi-Master smart architecture

With the smart architecture, updating a DNS server can be done from the management console,
from a DHCP allocation or from Microsoft DNS clients that update themselves their names by
using the Dynamic DNS (DDNS) mechanism:
• When a Multi-Master smart architecture is updated from the management console, the config-
uration is automatically pushed toward all the DNS servers belonging to the smart architecture.
• When a DNS server receives a dynamic update from a DNS client, the Multi-Master smart ar-
chitecture replicates the update to all the DNS servers it manages. This replication is automatic
and does not require any manual operations.

482
 Understanding DNS Smart
Architectures

• When a DHCP server offers a new IP address, the SOLIDserver IPAM appliance updates the
Multi-Master smart architecture and, consequently, all the DNS servers it manages.

A primary DNS server is eliminated as a single point of failure. Traditional DNS replication is
single-master; it relies on a primary DNS server to update all the secondary servers. Unlike tra-
ditional DNS replication, Directory Server Replication is Multi-Master. Changes made to a zone
can be replicated to one or more Directory Servers. Which is why we recommend that you refer
to your vendor information regarding the Directory Server used and its replication capabilities.

Stealth Smart Architecture

A Stealth architecture is composed of visible DNS servers and a hidden one. Its Hidden-Master
is a name server that does not appear in the list of the visible DNS servers, which means that its
NS resource record is not published among the zone and it does not answer queries from DNS
clients and other name servers. Stealth architectures are used in contexts that are sometimes
called demilitarized zone (DMZ) or Split servers, and can be defined as having the following
characteristics:
• Your organization needs to deploy DNS servers on the Internet.
• Your organization does not want the world to see any of its internal hosts either by interrogation
(query or zone transfer) or in the event the DNS service or external servers are compromised.

DNS Hidden
Master

DNS Slave DNS

Pseudo
Master
Slave

Figure 37.3. DNS Stealth smart architecture

The visible secondary DNS server contains only slave zones, which exposes it less to DNS attacks
as the real authoritative primary server is hidden. Zone transfers can be allowed from the second-
ary servers as required but they do not transfer or accept transfers from the stealth server.

One of the main advantages of this architecture is that the primary server can be offline for
maintenance without causing any interruption to DNS service within the expiration duration (30
days) set for the validity of its zone data.

Single-Server Smart Architecture

A Single-Server architecture manages only one DNS server and allows to keep its configuration
and data saved independently if anything were to happen to the physical server. In such case,
SOLIDserver would save the configuration and apply it to the next server you manage from the
architecture.

483
 Understanding DNS Smart
Architectures

Single
DNS

Figure 37.4. DNS Single-Server smart architecture

This architecture is therefore a backup in itself. Moreover, managing a physical server through
a Single server architecture eases up any migration or change of architecture. If after a few
weeks, for instance, you want to set up a Master/Slave architecture, you can edit the smart archi-
tecture, change it to Master/Slave, add another physical server and define which one acts as a
master and which one as a slave.

Farm Smart Architecture

The Farm architecture allows to control the DNS service through one or several load balancers.
The load balancer receives the DNS clients requests and redirects each query to the least used
DNS server at the time of the request. That way, the DNS load is balanced and the service
availability is heightened. The load balancer sends the DNS queries to a set of known DNS
servers that send back the information needed. The organization of the DNS servers in a Farm
architecture is based on the principle of the Master/Slave architecture with one Master server
and as many Slave servers as needed.

DNS
Master
DNS
Slaves

Figure 37.5. DNS Farm smart architecture

The Farm architecture is especially useful for huge configurations where the use of load balancers
is necessary.

484
Chapter 38. Managing DNS Smart
Architectures
Once you chose the smart architecture(s) that suit your needs in the chapter Understanding DNS
Smart Architectures, you can manage them following the sections below.

Browsing DNS Smart Architectures

Smart architectures are managed from the page All servers, listed like physical servers and
preceded by the icon . For more details, refer to the section Browsing DNS Servers.

Browsing the Smart Architectures Database

To display the list of DNS smart architectures
1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. To display or hide the physical server(s) managed by each smart architecture, on the right-
end side of the menu, click on .

In the column Name, all the smart architectures are preceded by the icon . They are listed with
the physical servers.

To display a DNS smart architecture properties page

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the smart architecture of your choice, click on . The properties
pages opens.

A set of panels on this page display all the query statistics of the server. For more details, refer
to the section Monitoring DNS Servers from their Properties Page.

Understanding the Smart Architecture Statuses

The columns Sync and Status return status details on the DNS smart architectures.

The column Status provides information on the configuration of each smart architecture.

Table 38.1. DNS smart architecture statuses

Status Description
OK The smart architecture is operational.

Invalid settings The smart architecture does not contain any physical server, is missing one or sev-
eral physical servers or is not configured properly (it may contain objects incompatible
with at least one of the physical servers it manages).

The column Sync provides synchronization details on the exchanges between the smart archi-
tecture and its physical server(s).

Table 38.2. DNS smart architecture synchronization statuses

Sync status Description
Synchronized The smart architecture has successfully synchronized the server(s) it manages.

485
 Managing DNS Smart Architectures

Sync status Description

Busy The smart architecture is synchronizing the server(s).

Locked synchronization The synchronizing failed, the smart architecture cannot send its configuration file to
the physical server(s) it manages. The configuration of one of its EfficientIP or Effi-
cientIP Package server is not viable. For more details, refer to the section Handling
the Status Locked Synchronization.

Adding a DNS Smart Architecture

A smart architecture provides a backup of the management configuration of the server(s) it
manages. If a DNS server crashes, you can delete it and add a new one on which you apply the
same architecture, the configuration set at architecture level is applied it to the new server.

There are five different kinds of smart architectures:

• Master/Slave, that manages at least one master and one slave server.
• Multi-Master, that manages several master servers.
• Stealth, that manages one hidden-master server, and several slave servers, one is used as
pseudo-master to protect the actual master.
• Farm, that manages at least one master and one slave server accessible through load balan-
cer(s).
• Single-Server, that manages only one master server.

Keep in mind that:

• Every DNS smart architecture sets up an active/active configuration.
• All supported physical servers can be managed from a smart architecture, but they cannot all
assume the same roles within the architecture:

Table 38.3. Possible role of a physical server within a smart architecture per vendor
Physical server vendor
Role a
Hybrid DNS Amazon
EfficientIP Microsoft Generic Azure
NSD Unbound Route 53
Master X X X X X X X
Slave X X X X
Hidden-Master X X X
Pseudo-Master X X X X X
a
EfficientIP and EfficientIP Package servers

• If your smart architecture manages physical servers from several vendors, you may get warning
messages when you add views, zones or records. Some vendors do not support views, RPZ
zones and specific DNS zone and record types. You can force the configuration to add them
to the server(s) that do support them.
To display all the potential incompatibilities of your architecture in the column Multi-Status, you
can generate the report Smart architecture incompatibilities. For more details, refer to the
section DNS Server Reports in the chapter Monitoring.

Once added, the DNS smart architecture is listed as a real server on the page All servers, the
column Type indicates which smart architecture was configured.

486
 Managing DNS Smart Architectures

In the procedures below, we are going to add smart architectures and the physical servers they
manage, but you can go through the configuration without adding any server and do it later. For
more details, refer to the section Adding a DNS Server into a Smart Architecture.

Adding a Master/Slave Smart Architecture

The Master/Slave smart architecture is designed to manage at least 2 DNS servers with one
DNS server as master and the other(s) as slave (i.e. backup).

To add a DNS Master/Slave smart architecture

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. In the menu, select Add > Smart architecture.The wizard Add a DNS smart architecture
opens.
3. If custom classes are enabled at server level, in the list DNS server class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
4. In the field DNS Name, name the smart architecture with a valid FQDN.
5. In the list DNS smart architecture, select Master/Slave.

DNS
Master
DNS DNS
Slave Slave

Figure 38.1. DNS Master/Slave smart architecture

6. Click on NEXT . The page DNS servers role configuration opens.

7. You can select the physical servers that you want to manage from the smart architecture:
a. To add a master server, in the drop-down list Available DNS servers, select a server
and click on + MASTER . The server is moved to the Master DNS server(s) list. To remove
a server from the list, select it and click on .
Repeat this action for as many servers as needed. With several master servers, if one
crashes the other one takes over.
b. To add a slave server, in the drop-down list Available DNS servers, select a server
and click on + SLAVE . The server is moved to the Slave DNS servers list. To remove a
server from the list, select it and click on . Note that Generic, Amazon Route 53 and
Azure servers cannot be slave.
Repeat this action for as many servers as needed.
8. If you want to publish one or several name servers or load balancers or even force the Hybrid
compatibility of the smart architecture, you need to complete the configuration as follows.
a. Tick the box Expert mode. The page reloads.

487
 Managing DNS Smart Architectures

b. Click on NEXT . The page Advanced settings opens.

c. In the field NS record, specify the name server of your choice. It can also be the host-
name of an external load balancer.
d. Click on ADD . The name is moved to the Published name servers list. Note that the
first server in this list is used as MNAME value of the SOA for all the Master zones
managed by this smart architecture.
Repeat these actions for as many NS records as needed, every record listed is saved
in all zones and displayed on the page All RRs of each of the physical servers managed
by the smart architecture.
You can edit the content of the Published name servers list:
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the
field(s) and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
e. You can tick the box Force Hybrid DNS compatibility if you intend to manage BIND
servers that you might switch to Hybrid in the future. For more details, refer to the chapter
Hybrid DNS Service.
9. Click on NEXT . The last page opens.
10. Tick the box Use DNS as DNSSEC resolver if you want to activate DNSSEC validation on
all the servers the smart architecture manages. For more details, refer to the chapter
DNSSEC.
11. Tick the box Isolated if you want to isolate the server within SOLIDserver. This prevents the
server, and its content, from executing any configured replication rule or advanced property.
The server still receives data if your network configuration allows it.
This option is mainly useful during migrations. When the server configuration is ready and
you untick the box, you must manually execute the rules and/or advanced properties, at all
relevant levels of the module hierarchy, via the menu Tools > Initialize rules.
12. In the field Description, you can specify a description, it is displayed in the dedicated column
of the page All servers.
13. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
14. Click on OK to complete the operation. The report opens and closes. The smart architecture
is listed as a DNS server and marked Smart (master/slave) in the column Type. To display
or hide the physical servers managed through the smart architecture click on on the right-
end side of the menu.
During the first addition of a DNS smart architecture, the option allow-transfer is by
default configured with the ACL admin. Within SOLIDserver admin corresponds to any,
so you might want to change the ACL and restrict the option use as it is inherited by the
server zones. For more details, refer to the chapter Limiting Zone Transfers at Server Level.

Adding a Multi-Master Smart Architecture

The Multi-Master smart architecture is designed to manage at least 2 DNS Master servers, this
architecture cannot manage slave servers. From the management console, a DNS client or a
DNS server automatically replicates and updates data on all the DNS servers within this architec-
ture.

488
 Managing DNS Smart Architectures

To add a DNS Multi-Master smart architecture

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. In the menu, select Add > Smart architecture.The wizard Add a DNS smart architecture
opens.
3. If custom classes are enabled at server level, in the list DNS server class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
4. In the field DNS Name, name the smart architecture with a valid FQDN.
5. In the list DNS smart architecture, select Multi-Master.

DNS
Master

DNS DNS
Master Master

Figure 38.2. DNS Multi-Master smart architecture

6. Click on NEXT . The page DNS servers role configuration opens.

7. You can select physical servers to manage from the smart architecture:
a. In the drop-down list Available DNS servers, select a server.
b. To add a master server, in the drop-down list Available DNS servers, select a server
and click on + MASTER . The server is moved to the Master DNS server(s) list. To remove
a server from the list, select it and click on .
Repeat this action for as many servers as needed. With several master servers, if one
crashes the other one takes over.
8. If you want to publish one or several name servers or load balancers or even force the Hybrid
compatibility of the smart architecture, you need to complete the configuration as follows.
a. Tick the box Expert mode. The page reloads.
b. Click on NEXT . The page Advanced settings opens.
c. In the field NS record, specify the name server of your choice. It can also be the host-
name of an external load balancer.
d. Click on ADD . The name is moved to the Published name servers list. Note that the
first server in this list is used as MNAME value of the SOA for all the Master zones
managed by this smart architecture.
Repeat these actions for as many NS records as needed, every record listed is saved
in all zones and displayed on the page All RRs of each of the physical servers managed
by the smart architecture.
You can edit the content of the Published name servers list:
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the
field(s) and click on UPDATE .

489
 Managing DNS Smart Architectures

• To delete an entry from the list, select it and click on DELETE .

• To discard changes, click on CANCEL .

e. You can tick the box Force Hybrid DNS compatibility if you intend to manage BIND
servers that you might switch to Hybrid in the future. For more details, refer to the chapter
Hybrid DNS Service.
9. Click on NEXT . The last page opens.
10. Tick the box Use DNS as DNSSEC resolver if you want to activate DNSSEC validation on
all the servers the smart architecture manages. For more details, refer to the chapter
DNSSEC.
11. Tick the box Isolated if you want to isolate the server within SOLIDserver. This prevents the
server, and its content, from executing any configured replication rule or advanced property.
The server still receives data if your network configuration allows it.
This option is mainly useful during migrations. When the server configuration is ready and
you untick the box, you must manually execute the rules and/or advanced properties, at all
relevant levels of the module hierarchy, via the menu Tools > Initialize rules.
12. In the field Description, you can specify a description, it it displayed in the dedicated column
of the page All servers.
13. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
14. Click on OK to complete the operation. The report opens and closes. The smart architecture
is listed as a DNS server and marked Smart (multi-master) in the column Type. To display
or hide the physical servers managed through the smart architecture click on on the right-
end side of the menu.
During the first addition of a DNS smart architecture, the option allow-transfer is by
default configured with the ACL admin. Within SOLIDserver admin corresponds to any,
so you might want to change the ACL and restrict the option use as it is inherited by the
server zones. For more details, refer to the chapter Limiting Zone Transfers at Server Level.

Adding a Stealth Smart Architecture

The Stealth smart architecture is designed to manage at least 3 DNS servers, a true master
server hidden from the world, one or several visible slave server(s) used as decoy and slave
server(s) that do not transfer or accept transfers from the hidden master server. The master
server can be offline for maintenance without causing any interruption to DNS service within the
expiration duration (30 days) set for the validity of its zone data.

To add a DNS Stealth smart architecture

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. In the menu, select Add > Smart architecture.The wizard Add a DNS smart architecture
opens.
3. If custom classes are enabled at server level, in the list DNS server class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
4. In the field DNS Name, name the smart architecture with a valid FQDN.

490
 Managing DNS Smart Architectures

5. In the list DNS smart architecture, select Stealth.

DNS Hidden
Master

DNS Slave DNS

Pseudo
Master
Slave

Figure 38.3. DNS Stealth smart architecture

6. Click on NEXT . The page DNS servers role configuration opens.

7. You can select the physical servers that you want to manage from the smart architecture:
a. To add a master server, in the drop-down list Available DNS servers, select a server
and click on + HIDDEN-MASTER . The server is moved to the Hidden-master DNS server(s)
list. To remove a server from the list, select it and click on . Note that BIND/Unbound
hybrid, Generic, Amazon Route 53 and Azure servers cannot be hidden-master.
Repeat this action for as many servers as needed.
b. To add the slave server you want to use as pseudo master, in the drop-down list
Available DNS servers, select a server and click on + PSEUDO-MASTER . The server is
moved to the field Pseudo-master DNS server (slave server used as decoy). To re-
move the server from the field, click on . Note that BIND/Unbound hybrid and Generic
servers cannot be pseudo-master.
Repeat this action for as many servers as needed.
c. To add a slave server, in the drop-down list Available DNS servers, select a server
and click + SLAVE . The server is moved to the Slave DNS servers list. To remove a
server from the list, select it and click on . Note that Generic, Amazon Route 53 and
Azure servers cannot be slave.
Repeat this action for as many servers as needed.
8. If you want to publish one or several name servers or load balancers or even force the Hybrid
compatibility of the smart architecture, you need to complete the configuration as follows.
a. Tick the box Expert mode. The page reloads.
b. Click on NEXT . The page Advanced settings opens.
c. In the field NS record, specify the name server of your choice. It can also be the host-
name of an external load balancer.
d. Click on ADD . The name is moved to the Published name servers list. Note that the
first server in this list is used as MNAME value of the SOA for all the Master zones
managed by this smart architecture.
Repeat these actions for as many NS records as needed, every record listed is saved
in all zones and displayed on the page All RRs of each of the physical servers managed
by the smart architecture.
You can edit the content of the Published name servers list:
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the
field(s) and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .

491
 Managing DNS Smart Architectures

• To discard changes, click on CANCEL .

e. You can tick the box Force Hybrid DNS compatibility if you intend to manage BIND
servers that you might switch to Hybrid in the future. For more details, refer to the chapter
Hybrid DNS Service.
9. Click on NEXT . The last page opens.
10. Tick the box Use DNS as DNSSEC resolver if you want to activate DNSSEC validation on
all the servers the smart architecture manages. For more details, refer to the chapter
DNSSEC.
11. Tick the box Isolated if you want to isolate the server within SOLIDserver. This prevents the
server, and its content, from executing any configured replication rule or advanced property.
The server still receives data if your network configuration allows it.
This option is mainly useful during migrations. When the server configuration is ready and
you untick the box, you must manually execute the rules and/or advanced properties, at all
relevant levels of the module hierarchy, via the menu Tools > Initialize rules.
12. In the field Description, you can specify a description, it it displayed in the dedicated column
of the page All servers.
13. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
14. Click on OK to complete the operation. The report opens and closes. The smart architecture
is listed as a DNS server and marked Smart (stealth) in the column Type. To display or
hide the physical servers managed through the smart architecture click on on the right-
end side of the menu.
During the first addition of a DNS smart architecture, the option allow-transfer is by
default configured with the ACL admin. Within SOLIDserver admin corresponds to any,
so you might want to change the ACL and restrict the option use as it is inherited by the
server zones. For more details, refer to the chapter Limiting Zone Transfers at Server Level.

Adding a Single-Server Smart Architecture

The Single-Server smart architecture is designed to manage only one DNS physical server. If it
crashes, you can apply again the configuration set on the architecture to a new server.

To add a DNS Single-Server smart architecture

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. In the menu, select Add > Smart architecture.The wizard Add a DNS smart architecture
opens.
3. If custom classes are enabled at server level, in the list DNS server class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
4. In the field DNS Name, name the smart architecture with a valid FQDN.
5. In the list DNS smart architecture, select Single-Server.

492
 Managing DNS Smart Architectures

Single
DNS

Figure 38.4. DNS Single-Server smart architecture

6. Click on NEXT . The page DNS servers role configuration opens.

7. You can select the physical server that you want to manage from the smart architecture:
a. In the drop-down list Available DNS servers, select a server.
b. Click on + MASTER . The server is moved to the Master DNS server(s) list. To remove
a server from the list, click on .
8. If you want to publish one or several name servers or load balancers or even force the Hybrid
compatibility of the smart architecture, you need to complete the configuration as follows.
a. Tick the box Expert mode. The page reloads.
b. Click on NEXT . The page Advanced settings opens.
c. In the field NS record, specify the name server of your choice. It can also be the host-
name of an external load balancer.
d. Click on ADD . The name is moved to the Published name servers list. Note that the
first server in this list is used as MNAME value of the SOA for all the Master zones
managed by this smart architecture.
Repeat these actions for as many NS records as needed, every record listed is saved
in all zones and displayed on the page All RRs of each of the physical servers managed
by the smart architecture.
You can edit the content of the Published name servers list:
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the
field(s) and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
e. You can tick the box Force Hybrid DNS compatibility if you intend to manage BIND
servers that you might switch to Hybrid in the future. For more details, refer to the chapter
Hybrid DNS Service.
9. Click on NEXT . The last page opens.
10. Tick the box Use DNS as DNSSEC resolver if you want to activate DNSSEC validation on
all the servers the smart architecture manages. For more details, refer to the chapter
DNSSEC.
11. Tick the box Isolated if you want to isolate the server within SOLIDserver. This prevents the
server, and its content, from executing any configured replication rule or advanced property.
The server still receives data if your network configuration allows it.
This option is mainly useful during migrations. When the server configuration is ready and
you untick the box, you must manually execute the rules and/or advanced properties, at all
relevant levels of the module hierarchy, via the menu Tools > Initialize rules.

493
 Managing DNS Smart Architectures

12. In the field Description, you can specify a description, it it displayed in the dedicated column
of the page All servers.
13. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
14. Click on OK to complete the operation. The report opens and closes. The smart architecture
is listed as a DNS server and marked Smart (single-server) in the column Type. To display
or hide the physical servers managed through the smart architecture click on on the right-
end side of the menu.
During the first addition of a DNS smart architecture, the option allow-transfer is by
default configured with the ACL admin. Within SOLIDserver admin corresponds to any,
so you might want to change the ACL and restrict the option use as it is inherited by the
server zones. For more details, refer to the chapter Limiting Zone Transfers at Server Level.

Adding a Farm Smart Architecture

The Farm smart architecture is essentially a Master/Slave architecture that allows to have a set
of master and slave servers accessible through one or several external load balancers that redirect
the clients toward the least used server and avoid overloading the service.

To add a DNS Farm smart architecture

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. In the menu, select Add > Smart architecture.The wizard Add a DNS smart architecture
opens.
3. If custom classes are enabled at server level, in the list DNS server class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
4. In the field DNS Name, name the smart architecture with a valid FQDN.
5. In the list DNS smart architecture, select Farm.

DNS
Master
DNS
Slaves

Figure 38.5. DNS Farm smart architecture

6. Click on NEXT . The page DNS servers role configuration opens.

7. You can select the physical servers that you want to manage from the smart architecture:

494
 Managing DNS Smart Architectures

a. To add a master server, in the drop-down list Available DNS servers, select a server
and click on + MASTER . The server is moved to the Master DNS server(s) list. To remove
a server from the list, select it and click on .
Repeat this action for as many servers as needed. With several master servers, if one
crashes the other one takes over.
b. To add a slave server, in the drop-down list Available DNS servers, select a server
and click on + SLAVE . The server is moved to the Slave DNS servers list. To remove a
server from the list, select it and click on . Note that Generic, Amazon Route 53 and
Azure servers cannot be slave.
Repeat this action for as many servers as needed.
8. Click on NEXT . The page Advanced settings opens. You must publish one or several name
servers or load balancers to complete the configuration.
a. In the field NS record, specify the name server of your choice. It can also be the host-
name of an external load balancer.
b. Click on ADD . The name is moved to the Published name servers list. Note that the
first server in this list is used as MNAME value of the SOA for all the Master zones
managed by this smart architecture.
Repeat these actions for as many NS records as needed, every record listed is saved
in all zones and displayed on the page All RRs of each of the physical servers managed
by the smart architecture.
You can edit the content of the Published name servers list:
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the
field(s) and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .

9. If you want to manage BIND servers that you might switch to Hybrid in the future, you need
to complete the configuration as follows.
a. Tick the box Expert mode. The box Force Hybrid DNS compatibility appears.
b. Tick the box Force Hybrid DNS compatibility. For more details, refer to the chapter
Hybrid DNS Service.
10. Click on NEXT . The last page opens.
11. Tick the box Use DNS as DNSSEC resolver if you want to activate DNSSEC validation on
all the servers the smart architecture manages. For more details, refer to the chapter
DNSSEC.
12. Tick the box Isolated if you want to isolate the server within SOLIDserver. This prevents the
server, and its content, from executing any configured replication rule or advanced property.
The server still receives data if your network configuration allows it.
This option is mainly useful during migrations. When the server configuration is ready and
you untick the box, you must manually execute the rules and/or advanced properties, at all
relevant levels of the module hierarchy, via the menu Tools > Initialize rules.
13. In the field Description, you can specify a description, it it displayed in the dedicated column
of the page All servers.
14. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.

495
 Managing DNS Smart Architectures

15. Click on OK to complete the operation. The report opens and closes. The smart architecture
is listed as a DNS server and marked Smart (farm) in the column Type. To display or hide
the physical servers managed through the smart architecture click on on the right-end
side of the menu.
During the first addition of a DNS smart architecture, the option allow-transfer is by
default configured with the ACL admin. Within SOLIDserver admin corresponds to any,
so you might want to change the ACL and restrict the option use as it is inherited by the
server zones. For more details, refer to the chapter Limiting Zone Transfers at Server Level.

Converting a DNS Server into a Smart Architecture

To keep a server configuration and avoid configuring a smart architecture to match the server
settings before adding it into the smart, you can convert DNS servers into smart architectures.

Keep in mind that once you converted a DNS server into a smart, it is no longer listed as a
physical server on the page All servers. You have to add it again to be able to manage it, on its
own or from a smart architecture.

During the conversion, you can add DNS servers into the smart architecture. Considering that
you might want to manage the server you converted from the smart architecture, we recommend
converting the server and then editing the smart to add the servers as detailed in the section
Adding a DNS Server into a Smart Architecture.

To convert a DNS physical server into a smart architecture

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. Right-click over the Name of the physical server of your choice.The contextual menu appears.
3. Click on Edit. The wizard Edit a DNS server opens.
4. If custom classes are enabled at server level, in the list DNS server class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. In the list DNS server type, select Smart architecture.
6. Click on NEXT . The next page opens.
7. In the field DNS Name, rename the smart architecture if need be.
8. In the field DNS smart architecture, select the type of your choice.
9. Click on NEXT . The page DNS servers role configuration opens.
To configure the smart architecture, refer to the relevant procedure in the section Adding a
DNS Smart Architecture.
10. If you want to configure the smart architecture later on, unless you selected Farm, you can
click on NEXT until you get to the last page of the wizard.
11. Click on OK to complete the operation. The report opens and closes. In the column Type,
the server is now listed as a smart architecture.

496
 Managing DNS Smart Architectures

Editing a DNS Smart Architecture

You can edit a smart architecture for a number of reasons, to:
• Define the server(s) it manages, as detailed in the section Adding a DNS Server into a Smart
Architecture.
• Stop managing some server(s), as detailed in the section Removing a DNS Server from a
Smart Architecture.
• Edit its servers role, as detailed in the section Changing the DNS Servers Role within a Smart
Architecture.
• Change its type, as detailed in the section Changing the Type of a DNS Smart Architecture.

Keep in mind that:

• All supported physical servers can be managed from a smart architecture, but they cannot all
assume the same roles within the architecture.You must take into account the physical servers
possible role within an architecture when you add a server to an architecture, edit its role, or
change a smart architecture type:

Table 38.4. Possible role of a physical server within a smart architecture per vendor
Physical server vendor
Role a
Hybrid DNS Amazon
EfficientIP Microsoft Generic Azure
NSD Unbound Route 53
Master X X X X X X X
Slave X X X X
Hidden-Master X X X
Pseudo-Master X X X X X
a
EfficientIP and EfficientIP Package servers

• If your smart architecture manages physical servers from several vendors, you may get warning
messages when you add views, zones or records. Some vendors do not support views, RPZ
zones and specific DNS zone and record types. You can force the configuration to add them
to the server(s) that do support them.
To display all the potential incompatibilities of your architecture in the column Multi-Status, you
can generate the report Smart architecture incompatibilities. For more details, refer to the
section DNS Server Reports in the chapter Monitoring.

Adding a DNS Server into a Smart Architecture

You can add physical servers to an existing smart architecture, whether because it was added
without physical servers or because you want it to manage more servers.

If you do not have any physical server listed on the page All servers yet, refer to the chapter
Managing DNS Servers to add and manage them from a smart architecture.

Note that:
• Before managing a new server, make sure that the DNS service is properly started. For more
details, refer to the chapter Configuring the Services.
• If you want to manage several physical servers from a smart architecture, you should have
them all listed and ready before adding them into the smart architecture. Otherwise the archi-
tecture configuration may be invalid.

497
 Managing DNS Smart Architectures

• When you add one or more DNS servers into a smart architecture, the smart data is
automatically replicated from the architecture to the DNS servers it manages. So if the
smart architecture is empty (first use), the configuration file of the physical DNS server it
manages is completely overwritten.
• If you want to add an Amazon Route 53 server to a smart architecture, refer to the section
Adding an Amazon Route 53 Server in an Existing Smart Architecture of the chapter Managing
DNS Servers.

To add a DNS server into a smart architecture

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the smart architecture of your choice, click on . The properties
page opens.
3. In the panel Main properties, click on EDIT . The wizard Edit a DNS smart architecture
opens.
4. If custom classes are enabled at server level, in the list DNS server class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. In the field DNS Name, edit the smart architecture name if need be.
6. In the list DNS smart architecture, edit the type of the smart architecture if need be.
7. Click on NEXT . The page DNS servers role configuration opens.
8. In the drop-down list Available DNS servers, select the physical server of your choice.
9. Define the role of the server, depending on the smart architecture click on + MASTER , + SLAVE
or + HIDDEN-MASTER , + PSEUDO-MASTER . The selected server is moved to the corresponding list.
Repeat this action for as many servers as needed.
Note that BIND/Unbound hybrid servers can only be defined as master or slave; Generic
servers can only be defined as master; Amazon Route 53 and Azure servers can only be
defined as master or pseudo-master.
10. If you are editing a Farm architecture or if you configured NS records on another architecture,
click on NEXT . The page Advanced settings opens, it is detailed at the end of the relevant
addition procedure in the section Adding a DNS Smart Architecture.
11. Click on NEXT . The last page opens.
For more details regarding the fields Use DNS as DNSSEC resolver, Isolated, Description
and Advanced properties, refer to the relevant smart architecture addition procedure in the
section Adding a DNS Smart Architecture.
12. Click on OK to complete the operation. The report opens and closes. To display or hide the
physical servers managed through the smart architecture click on on the right-end side
of the menu.

Removing a DNS Server from a Smart Architecture

You can remove one or more DNS servers from a DNS smart architecture to manage them on
their own. When you remove one, the configuration applied on this server remains the same.

To remove a DNS server from a smart architecture

1. In the sidebar, go to DNS > Servers. The page All servers opens.

498
 Managing DNS Smart Architectures

2. At the end of the line of the smart architecture of your choice, click on . The properties
page opens.
3. In the panel Main properties, click on EDIT . The wizard Edit a DNS smart architecture
opens.
4. If custom classes are enabled at server level, in the list DNS server class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. Click on NEXT . The page DNS servers role configuration opens.
6. In the Master DNS server(s) list or Slave DNS servers list, select the server of your choice
and click on . The server is moved back to the drop-down list Available DNS servers.
7. If you are editing a Farm architecture or if you configured NS records on another architecture,
click on NEXT . The page Advanced settings opens, it is detailed at the end of the relevant
addition procedure in the section Adding a DNS Smart Architecture.
8. Click on NEXT . The last page opens.
For more details regarding the fields Use DNS as DNSSEC resolver, Isolated, Description
and Advanced properties, refer to the relevant smart architecture addition procedure in the
section Adding a DNS Smart Architecture.
9. Click on OK to complete the operation. The report opens and closes. If your smart architecture
is still managing physical servers, you can display or hide them using the button on the
right-end side of the menu.

Changing the DNS Servers Role within a Smart Architecture

You can edit a smart architecture to change the role of the physical servers it manages. For in-
stance, you can make a master become a slave, or vice-versa, in a Master/Slave smart architec-
ture.

To change the role of a DNS server within a smart architecture

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the smart architecture of your choice, click on . The properties
page opens.
3. In the panel Main properties, click on EDIT . The wizard Edit a DNS smart architecture
opens.
4. If custom classes are enabled at server level, in the list DNS server class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. In the field DNS Name, edit the smart architecture name if need be.
6. In the list DNS smart architecture, edit the type of the smart architecture if need be.
7. Click on NEXT . The page DNS servers role configuration opens.
8. Edit the physical servers role according to your needs:
a. In the Master DNS server(s) list or Slave DNS servers list, select the server of your
choice and click on . The server is moved back to the drop-down list Available DNS
servers.

499
 Managing DNS Smart Architectures

b. In the drop-down list Available DNS servers, select the server you previously removed,
and depending on the smart architecture click on + MASTER , + SLAVE or + HIDDEN-MASTER ,
+ PSEUDO-MASTER . The selected server is moved to the corresponding list.

Note that, within Stealth architectures, you can have several pseudo-master servers.
However, BIND/Unbound hybrid servers can only be defined as master or slave; Gen-
eric servers can only be defined as master; Amazon Route 53 and Azure servers can
only be defined as master or pseudo-master.
c. Repeat these actions for as many servers as needed.
9. If you are editing a Farm architecture or if you configured NS records on another architecture,
click on NEXT . The page Advanced settings opens, it is detailed at the end of the relevant
addition procedure in the section Adding a DNS Smart Architecture.
10. Click on NEXT . The last page opens.
For more details regarding the fields Use DNS as DNSSEC resolver, Isolated, Description
and Advanced properties, refer to the relevant smart architecture addition procedure in the
section Adding a DNS Smart Architecture.
11. Click on OK to complete the operation. The report opens and closes. To display or hide the
physical servers managed through the smart architecture click on on the right-end side
of the menu. The column Role displays the server(s) new role.

Changing the Type of a DNS Smart Architecture

You can edit a smart architecture to change its type. This allows to minimize operations while
keeping its data, rather than removing servers from one architecture to add another architecture
to manage them. For instance, you can make a Master/Slave architecture managing a master
and a slave server become a Multi-Master; once the type is changed you only need to update
the role of one server.

To change a DNS smart architecture type

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the smart architecture of your choice, click on . The properties
page opens.
3. In the panel Main properties, click on EDIT . The wizard Edit a DNS smart architecture
opens.
4. If custom classes are enabled at server level, in the list DNS server class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. In the field DNS Name, edit the smart architecture name if need be.
6. In the field DNS smart architecture, select a different type.
7. Click on NEXT . The page DNS servers role configuration opens.
8. Edit the physical servers roles if need be:
a. In the Master DNS server(s) list or Slave DNS servers list, select the server of your
choice and click on . The server is moved back to the drop-down list Available DNS
servers.
b. In the drop-down list Available DNS servers, select the server you previously removed,
and depending on the smart architecture click on + MASTER , + SLAVE or + HIDDEN-MASTER ,
+ PSEUDO-MASTER . The selected server is moved to the corresponding list.

500
 Managing DNS Smart Architectures

Note that, within Stealth architectures, you can have several pseudo-master servers.
However, BIND/Unbound hybrid servers can only be defined as master or slave; Gen-
eric servers can only be defined as master; Amazon Route 53 and Azure servers can
only be defined as master or pseudo-master.
c. Repeat these actions for as many servers as needed.
9. If you are editing a Farm architecture or if you configured NS records on another architecture,
click on NEXT . The page Advanced settings opens, it is detailed at the end of the relevant
addition procedure in the section Adding a DNS Smart Architecture.
10. Click on NEXT . The last page opens.
For more details regarding the fields Use DNS as DNSSEC resolver, Isolated, Description
and Advanced properties, refer to the relevant smart architecture addition procedure in the
section Adding a DNS Smart Architecture.
11. Click on OK to complete the operation. The report opens and closes. The column Type dis-
plays your changes.

Handling the Status Locked Synchronization

SOLIDserver provides a consistency check for smart architectures. Once you configured a smart
architecture with the server(s) it manages, the smart configuration is checked before it is sent to
the physical server(s) to ensure the configuration consistency and avoid pushing useless inform-
ation to the server(s):
• If the check is conclusive, the information is sent to the server and its status is Synchronized
in the column Sync of the page All servers.
• If any error is found, the verification stops and the server Sync status changes to Locked
Synchronization once the page is refreshed. To get a valid synchronization status again, you
need to "undo" the latest changes. This action loads a new synchronization and uploads the
status accordingly.

Once the server is in Locked synchronization, the corrupted configuration file is automatically
stored locally on the appliance and available for download in the Local Files Listing. It is named
<server_name>-named.conf. We advice that you take a look at this file because after the first
found error, the check stops and returns the Locked synchronization status. So if there are sev-
eral errors, the status is returned over and over again until the file is conclusive and can be sent
to the physical server.

You can check for failure in the configuration file from the GUI or via CLI.

To check for failure in a DNS configuration file from the GUI

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Monitoring, click on Syslog. The page Syslog opens.
3. In the drop-down list SOLIDserver, verify that the local appliance is selected. Only the
hostname appears with no IP address.
4. In the drop-down list Services, select ipmserver. The logs appear.
5. In the search engine of the column Log, type in CHECK DNSCONF.The relevant logs appear,
the server name is between brackets.

To check for failure in a DNS configuration file via CLI

1. Open an SSH session.
2. Use the following command to retrieve the list of corrupted files:

501
 Managing DNS Smart Architectures

# ls -la /data1/exports/*-named.conf

3. Use the following command to get a precise list of all the errors:
# /usr/local/nessy2/bin/named-checkconf /data1/exports/<server_name>-named.conf

4. Adjust identified statements, once the check runs again, the Locked Synchronization status
disappears if you now have a valid configuration.

Exporting DNS Smart Architectures

From the page All servers, you can export the smart architectures in a CSV, HTML, XML, XLS
or PDF file.

Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.

Deleting a DNS Smart Architecture

You can decide to stop managing your DNS servers through the smart architectures. You might
not need to delete a smart architecture, editing it might be enough. For more details, refer to the
section Changing the Type of a DNS Smart Architecture.

Before deleting a smart architecture, keep in mind that:

• Deleting a smart architecture does not delete any data from the physical server: it means that
you stop managing the server via the smart architecture. However, the configuration backup
of the smart architecture is deleted, so if the physical server crashes after the smart archi-
tecture deletion, you have to configure everything again manually.
• You cannot delete a smart architecture if it is still managing DNS servers.

To delete a DNS smart architecture

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. If the smart architecture is managing DNS servers, remove them. For more details, refer to
the section Removing a DNS Server from a Smart Architecture.
3. Tick the smart architecture of your choice.
4. In the menu, click on Delete. The wizard Delete opens.
5. Click on OK to complete the operation. The report opens and closes. The smart architecture
is no longer listed. All the servers that used to be managed are listed as DNS servers of
whatever kind in the list Type.

Defining a DNS Smart Architecture as a Group Resource

In SOLIDserver, only users of the group admin can manage and edit the items of every module.
Adding a smart architecture as one of the resources of a specific group allows the users of that
group to manage the architecture in question as long as they have the corresponding rights
granted.

Granting access to a smart architecture as a resource also makes every physical server it contains
available. For more details, refer to the section Adding Resources to a Group in the chapter
Managing Groups.

502
Chapter 39. Managing DNS Servers
The server is the highest level of the DNS hierarchy. It allows to resolve host queries and access
specific areas of a network, as server can be:
• Authoritative: A server that has authority over a number of domain names and can delegate
them.
• Recursive: A server that might contain information, if not it directs the querying host toward
the relevant DNS server to solve the query.
• Cache: A server that retrieves and keeps information, query results, to answer the exact same
queries again.

You can add and manage EfficientIP DNS servers, EfficientIP Package DNS servers, Microsoft
Windows DNS servers (including via AD), Generic DNS servers, Amazon Route 53 servers and
Microsoft Azure servers. All server types can be managed independently or via a smart architec-
ture. For more details, refer to the chapters Understanding DNS Smart Architectures and Managing
DNS Smart Architectures.

In theory, when a host wishes to access a particular domain, a website for instance, a query is
sent to a DNS server that processes the resolution as follows:
1. The DNS client host sends a sequence of queries through a resolver to a recursive DNS
server.
2. The recursive server contacts the authoritative servers of the root domain. One of them returns
the IP address (an NS record) of the server that has authority over the concerned TLD.
3. The recursive server uses the IP address to connect to the TLD authoritative server and obtain
the IP address of the server that has authority over the zone.
4. The recursive server uses the IP address to connect to the zone authoritative server and obtain
the queried results.
5. The recursive server sends the results back to the DNS client.

.
root iterative server

DNS server .com

recursive server TLD iterative server
DNS client

.efficientip.com
domain iterative server
Figure 39.1. Diagram of a DNS query of www.efficientip.com via a recursive server

Obviously, such a mechanism would saturate the root zone, which is why a server can combine
recursive, cache and/or authoritative functionalities.

503
 Managing DNS Servers

Browsing DNS Servers

You can manage all your DNS servers from the page All servers.

DNS RECORD
ZONE
SERVER VIEW
RPZ RULE
ZONE

Figure 39.2. The server in the DNS hierarchy

Browsing the Servers Database

To display the list of DNS servers
1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. You can filter the list using the column search engines.

To display a DNS server properties page

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the server of your choice, click on . The server properties pages
opens.

A set of panels on this page display all query statistics of the server, including RPZ queries if you
configure it with RPZ zones. For more details, refer to the section Monitoring DNS Servers from
their Properties Page. If you enabled the service DNS Guardian, this page also contains a set of
charts dedicated to DNS Guardian data. For more details, refer to the part Guardian.

Customizing the Display on the Page All Servers

Any user can change the column layout of the page via the button List template, on the right-
end side of the menu. Only users of the group admin can add or edit list templates. For more
details, refer to the section Managing List Templates.

Some columns provide more specific information regarding your servers:

Table 39.1. Available columns on the page All servers

Column Description
Guardian For compatible servers, information regarding the service DNS Guardian. For more details,
refer to the part Guardian.
DNSSEC The DNSSEC resolver status of the server, it can used be as a DNSSEC resolver (Yes) or
not (No). For more details, refer to the chapter DNSSEC.

Understanding the Server Statuses

The columns Multi-Status, Sync and Status return status details on the DNS servers. For more
details on the smart architectures statuses, refer to the section Understanding the Smart Archi-
tecture Statuses.

504
 Managing DNS Servers

The column Status provides information on each server.

Table 39.2. DNS server statuses

Status Description
OK The server is operational.

Timeout The server is unreachable.

License The server is compatible with the license applied to your appliance. For more details
on licenses and their metrics, refer to the chapter Managing Licenses.
Invalid credentials The SSL credentials are invalid or the server is already managed by another appliance
and you need to specify your credentials again. For more details, refer to the section
Editing DNS Servers.
If the appliance database is encrypted, it may be that the Active key is missing. For
more details, refer to the section Troubleshooting the Database Encryption of the
chapter Securing.
Syntax error The server configuration contains syntax errors, it is not viable.

Invalid resolver For Amazon Route 53 servers, SOLIDserver cannot resolve the AWS DNS service.
The Amazon services are unreachable and the server cannot be managed. Make
sure that the DNS resolvers declared on the page Network configuration are valid.
Invalid Time For Amazon Route 53 servers, no changes performed from the GUI are pushed to
the server because SOLIDserver time and date are incorrect. To correct the time
and date refer to the chapter Configuring the Time and Date. In addition, you must
ensure the appliance time zone is UTC, for more details refer to the section Config-
uring the User Display Settings.
Not running The service DNS server (named) is stopped on the appliance.

Unknown An error occurred that SOLIDserver could not identify.

The column Sync provides the synchronization details of each server.

Table 39.3. DNS server synchronization statuses

Sync status Description
Synchronized The server was successfully synchronized.

Busy The server synchronizing is ongoing. While the server is busy, the column Status
may return inaccurate information.
Locked synchronization For EfficientIP or EfficientIP Package servers, the server configuration is not viable.
If the server is managed from a smart architecture, the architecture cannot push its
configuration to the physical servers, for more details refer to the section Handling
the Status Locked Synchronization.

The column Multi-status provides you with emergency, warning, critical, error or informational
messages regarding the server compatibility with Hybrid. For more details, refer to the section
Understanding the Column Multi-Status.

Managing EfficientIP DNS Servers

SOLIDserver provides a proprietary EfficientIP DNS server that allows to manage your local
server configuration and data.

From the GUI, you can:

• Add EfficientIP servers. For more details, refer to the section Adding an EfficientIP DNS
Server.

505
 Managing DNS Servers

• Edit the SNMP monitoring parameters or properties of EfficientIP servers. For more details,
refer to the sections Editing the SNMP Monitoring Parameters of an EfficientIP DNS Server
and Editing DNS Servers.
• Configure EfficientIP DNS servers with a reverse proxy server, if they are running in a container
whose HTTP or HTTPS port is only accessible through a reverse proxy. For more details, refer
to the section Configuring a Reverse Proxy for an EfficientIP DNS Server.
• Delete EfficientIP servers. For more details, refer to the section Deleting DNS Servers.
• Configure EfficientIP servers. For more details, refer to the chapter Configuring DNS Servers.

Before managing a new server, make sure that the DNS service is properly started. For
more details, refer to the chapter Configuring the Services.

Note that EfficientIP DNS servers can assume any role within a smart architecture:

Table 39.4. Possible role of a physical server within a smart architecture per vendor
Physical server vendor
Role a
Hybrid DNS Amazon
EfficientIP Microsoft Generic Azure
NSD Unbound Route 53
Master X X X X X X X
Slave X X X X
Hidden-Master X X X
Pseudo-Master X X X X X
a
EfficientIP and EfficientIP Package servers

Adding EfficientIP DNS Servers

From the page All servers, you can add an EfficientIP DNS Server to manage its configuration,
all its data and monitor it. Before adding the server, keep in mind that:
• The server name is very important. It is used to publish the NS records of the zone(s) that
the server manages.
Besides, DNS clients must be able to resolve this name when they query the server. To do so,
in each zone you must either add an A record or glue records to complete the delegation.
• Only reachable servers can be added, each server must be up and running when you add
it.
• The SNMP protocol is no longer supported as managing protocol for a server. Therefore:
• You can no longer add a DNS server managed via SNMP.
• EfficientIP DNS servers prior to version 4.0.x are no longer supported.
• SSL is used to manage a server while SNMP is used to monitor it. Therefore, you can
configure the SNMP monitoring parameters of the server. For more details, refer to the section
Editing the SNMP Monitoring Parameters of an EfficientIP DNS Server.
• When you add a server, a random password is generated to secure the communication between
the appliance and the server. The default SSH credentials of the account admin are no longer
used to manage the server but to generate this random password.
For servers added before the upgrade to version 7.0, switching to this new management system
is not automatic. You need to edit the servers. For more details, refer to the section Editing
DNS Servers.
• If your server is running in a container whose HTTP(S) port is only accessible through a reverse
proxy, refer to the section Configuring a Reverse Proxy for an EfficientIP DNS Server.
• By default, EfficientIP DNS servers embed a hint zone that gathers the IP of all 13 root servers.

506
 Managing DNS Servers

To add an EfficientIP DNS server

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. In the menu, select Add > EfficientIP. The wizard Add an EfficientIP DNS server opens.
3. If custom classes are enabled at server level, in the list DNS server class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
4. In the field Name, specify a DNS resolvable fully qualified domain name (FQDN) for your
server.
5. In the field Management IP address, specify the IPv4 address of the server you want to
manage.
If you already configured a resolver for the appliance, you can specify a name and click on
SEARCH , the matching IP address is retrieved from the DNS and displayed. For more details,
refer to the section Setting the DNS Resolver.
6. If you want to secure the management of your server, you can associate it with a TSIG key.
a. Tick the box Configure TSIG parameters. The drop-down list TSIG key name appears.
b. In the drop-down list TSIG key name, select an existing key. Note that this key must
also be used in the statements allow-update and allow-transfer at view and/or zone level
to secure all exchanges. For more details, refer to the section Securing the Management
of DNS Servers Using a TSIG Key.
7. If you have changed the default SSH password of the appliance embedding the DNS server,
you must update the enrollment parameters.
a. Tick the box Configure enrollment parameters. The field "Admin" account password
appears, it contains the default admin account password.
b. Empty the field "Admin" account password and specify your SSH password.
8. If you want to edit the server SNMP parameters, tick the box Configure SNMP monitoring
parameters.
A set of fields appear, configure them to monitor and retrieve the server statistics.

Table 39.5. SNMP monitoring parameters available when you add a server
Field Description
SNMP port The port used to retrieve the server statistics. By default, the port 161 is used. If you
changed the UDP port of your SNMP server, you must use the same port. This field is
required. For more details, refer to the section Configuring the SNMP Server.
Use TCP The network communication protocol, either TCP (ticked) or UDP (unticked). By default,
the box is unticked. You should tick the box to use TCP instead of UDP if the network
link is unreliable. This field is optional.
SNMP profile The SNMP profile used to retrieve the statistics. By default, standard v2c is selected.
This field is optional. The list contains the default profiles (standard v1, standard v2c and
standard v3) and the ones you may have added. Each profile has its own level of security
and enables the definition of a global security policy. For more details, refer to the section
Managing SNMP Profiles.
SNMP retries The number of connection attempts when the server is in timeout, a value between 0 and
5. By default, it is set to 2. This field is required.
SNMP timeout The number of seconds between each connection attempt, either 1, 2, 3, 4, 5, 10 or 30.
By default, it is set to 5. This field is required.

507
 Managing DNS Servers

9. Tick the box Isolated if you want to isolate the server within SOLIDserver. This prevents the
server, and its content, from executing any configured replication rule or advanced property.
The server still receives data if your network configuration allows it.
This option is mainly useful during migrations. When the server configuration is ready and
you untick the box, you must manually execute the rules and/or advanced properties, at all
relevant levels of the module hierarchy, via the menu Tools > Initialize rules.
10. In the field Description, you can specify a description, it it displayed in the column Description
of the page All servers.
11. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
12. Click on OK to complete the operation. The report opens and closes. The server is listed.
The server might appear Busy in the column Status. It changes to OK after a while.
During the first DNS server addition, the allow-transfer option is by default configured
with the ACL any. As it is inherited by the server views and zones, you might need to restrict
the statement. For more details, refer to the chapter Limiting Zone Transfers at Server Level.

Once added, you can edit your server to secure its data exchanges with SOLIDserver. For more
details, refer to the section Securing the Management of DNS Servers Using a TSIG Key.

Editing the SNMP Monitoring Parameters of an EfficientIP DNS

Server
Once added to the page All servers, you can edit the SNMP monitoring parameters of an EfficientIP
DNS server.

The SNMP protocol is no longer supported as managing protocol for a server.

To edit the SNMP monitoring parameters of an EfficientIP DNS server

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the server of your choice, click on . The properties page opens.
3. In the panel SNMP monitoring properties, click on EDIT . The wizard SNMP parameters
opens.
4. Edit the monitoring parameters according to your needs:

Table 39.6. SNMP monitoring parameters available when you edit a server
Field Description
SNMP version The version of the SNMP protocol used to retrieve the statistics. It can be either v1, v2c
or v3. By default, v2c is selected. This field is required.
SNMP port The port used to retrieve the server statistics. By default, the port 161 is used. If you
changed the UDP port of your SNMP server, you must use the same port. This field is
required. For more details, refer to the section Configuring the SNMP Server.
SNMP retries The number of connection attempts when the server is in timeout, a value between 0 and
5. By default, it is set to 2. This field is required.
SNMP timeout The number of seconds between each connection attempt, either 1s, 2s, 3s, 4s, 5s, 10s
or 30s. By default, it is set to 5s. This field is required.
Use bulk For SNMP version v2c or v3. Allows to send several requests at once, it uses a bulk
transfer of data. This compact SNMP request method accelerates transfers. By default,
it is set to Yes. This field is required.

508
 Managing DNS Servers

Field Description
Use TCP The network communication protocol, either TCP (Yes) or UDP (No). By default, No is
selected. You should use TCP instead of UDP if the network link is unreliable. This field
is required.
SNMP transfer The number of minutes above which the SNMP transfer is aborted when you add or refresh
timeout (minutes) a device, a value between 0 and 999. By default, it is set to 0. This field is optional.

5. Click on NEXT . The page SNMP profile opens.

6. In the drop-down list SNMP profile, choose a profile using the same version of the SNMP
protocol as the one you selected in the field SNMP version.
If you added SNMP profiles, you can choose one of your profiles. They are listed only if they
use the same version of the SNMP protocol as the one you selected on the previous page.
Note that the SNMP profiles you can choose from must be configured on the appliance you
are currently working with. For more details, refer to the section Managing SNMP Profiles.
7. Click on OK to complete the operation. The report opens and closes. The changes are listed
in the panel.

Configuring a Reverse Proxy for an EfficientIP DNS Server

You can configure a reverse proxy server when you add EfficientIP or EfficientIP Package servers
if your server is running in a container whose HTTP(S) port is only accessible through a reverse
proxy server. The reverse proxy server transfers queries to the container via HTTP or HTTPS.

To configure the reverse proxy server you must:

1. Enable the key module.system.enable_reverse_proxy_config.
2. Specify the URL of a reverse proxy server when you add the server.

Note that you cannot edit an existing server to configure it with a reverse proxy server.

To enable the registry key that allows to configure a reverse proxy server
Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Registry database. The page Registry database opens.
3. Filter the column Name with module.system.enable_reverse_proxy_config.
4. Hit Enter. Only this key is listed.
5. In the column Value, click on the value listed. The wizard Registry database Edit a value
opens.
6. In the field Value, type in 1 to enable it. By default, its value is 0.
7. Click on OK to complete the operation. The report opens and closes. The page refreshes
and the new value is displayed.

Once you enabled the registry key, you can add an EfficientIP or EfficientIP package server and
configure it with a reverse proxy server.

To configure a reverse proxy for an EfficientIP DNS server

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. In the menu, select Add > EfficientIP or EfficientIP Package. The wizard Add an Effi-
cientIP DNS server or Add an EfficientIP Package server opens.

509
 Managing DNS Servers

3. If custom classes are enabled at server level, in the list DNS server class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
4. In the field Name, specify a DNS resolvable fully qualified domain name (FQDN) for your
server.
5. In the field Management IP address, specify the IPv4 address of the server you want to
manage.
If you already configured a resolver for the appliance, you can specify a name and click on
SEARCH , the matching IP address is retrieved from the DNS and displayed. For more details,
refer to the section Setting the DNS Resolver.
6. In the field Management URL, specify the URL of the reverse proxy server that forwards
client queries to the DNS server via HTTP or HTTPS.
7. If you want to secure the management of your server, you can associate it with a TSIG key.
a. Tick the box Configure TSIG parameters. The drop-down list TSIG key name appears.
b. In the drop-down list TSIG key name, select an existing key. Note that this key must
also be used in the statements allow-update and allow-transfer at view and/or zone level
to secure all exchanges. For more details, refer to the section Securing the Management
of DNS Servers Using a TSIG Key.
8. If you have changed the default SSH password of the appliance embedding the DNS server,
you must update the enrollment parameters.
a. Tick the box Configure enrollment parameters. The field "Admin" account password
appears, it contains the default admin account password.
b. Empty the field "Admin" account password and specify your SSH password.
9. If you want to edit the server SNMP parameters, tick the box Configure SNMP monitoring
parameters.
A set of fields appear, configure them to monitor and retrieve the server statistics.

Table 39.7. SNMP monitoring parameters available when you add a server
Field Description
SNMP port The port used to retrieve the server statistics. By default, the port 161 is used. If you
changed the UDP port of your SNMP server, you must use the same port. This field is
required. For more details, refer to the section Configuring the SNMP Server.
Use TCP The network communication protocol, either TCP (ticked) or UDP (unticked). By default,
the box is unticked. You should tick the box to use TCP instead of UDP if the network
link is unreliable. This field is optional.
SNMP profile The SNMP profile used to retrieve the statistics. By default, standard v2c is selected.
This field is optional. The list contains the default profiles (standard v1, standard v2c and
standard v3) and the ones you may have added. Each profile has its own level of security
and enables the definition of a global security policy. For more details, refer to the section
Managing SNMP Profiles.
SNMP retries The number of connection attempts when the server is in timeout, a value between 0 and
5. By default, it is set to 2. This field is required.
SNMP timeout The number of seconds between each connection attempt, either 1, 2, 3, 4, 5, 10 or 30.
By default, it is set to 5. This field is required.

10. Tick the box Isolated if you want to isolate the server within SOLIDserver. This prevents the
server, and its content, from executing any configured replication rule or advanced property.
The server still receives data if your network configuration allows it.

510
 Managing DNS Servers

This option is mainly useful during migrations. When the server configuration is ready and
you untick the box, you must manually execute the rules and/or advanced properties, at all
relevant levels of the module hierarchy, via the menu Tools > Initialize rules.
11. In the field Description, you can specify a description, it it displayed in the column Description
of the page All servers.
12. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
13. Click on OK to complete the operation. The report opens and closes. The server is listed.
The server might appear Busy in the column Status. It changes to OK after a while.
During the first DNS server addition, the allow-transfer option is by default configured
with the ACL any. As it is inherited by the server views and zones, you might need to restrict
the statement. For more details, refer to the chapter Limiting Zone Transfers at Server Level.

Managing Microsoft Windows DNS Servers

You can add Microsoft Windows DNS servers to manage them from the page All servers. They
can be included into an Active Directory (AD) domain or not.

You can reproduce the Microsoft Windows Multi-Master behavior with the smart architecture
Multi-Master. This architecture supports Microsoft DNS server, SOLIDserver DNS and BIND
server. For more details, refer to the section Adding a Multi-Master Smart Architecture.

Note that Microsoft Windows DNS servers can assume any role within a smart architecture:

Table 39.8. Possible role of a physical server within a smart architecture per vendor
Physical server vendor
Role a
Hybrid DNS Amazon
EfficientIP Microsoft Generic Azure
NSD Unbound Route 53
Master X X X X X X X
Slave X X X X
Hidden-Master X X X
Pseudo-Master X X X X X
a
EfficientIP and EfficientIP Package servers

Once you manage a server, you can also manage its parameters, zones and records.

The management of Microsoft DNS servers is based on Microsoft Remote Procedure Calls (MS
RPC) and allows to retrieve and display data is real-time and avoid installing any WinDHCP
agent. Microsoft DNS servers with agent are not supported.

Prerequisites
• A Microsoft Windows Server 2008, 2008 R2, 2012 R2, 2016 or 2019. The server must:
• Have the TCP ports 135 and 445 open. They are used by the port mapper interface, the
services that indicates to the clients which port provides access to each service.
• Have Firewall policies that allow traffic between SOLIDserver and the Microsoft servers it
manages.

511
 Managing DNS Servers

• In Windows Server, RPC uses by default the dynamic port range 49152-65535. Note that
you can reduce the number of available ports, as long as you respect the minimum number
1
of ports required in the range, which is 255, via the netsh tool .
• The credentials of a member of the groups DnsAdmins and Domain Admins. Users with insuf-
ficient privileges cannot manage the server.
• The service DNS is properly started. For more details, refer to the chapter Configuring the
Services.
• The zones of the Microsoft Windows server must allow the server management IP address in
their statement allow-transfer.

Limitations
The management of Microsoft Windows DNS servers within SOLIDserver has some limitations.
For more details regarding the Microsoft limitations, refer to their documentation.
Server Limitations
• You must refresh manually the DNS server parameters, the list of zones and their paramet-
ers. However, the content of the zones is still refreshed automatically every 3600 seconds
(by default).
• The AD configuration of the AD integrated DNS servers often includes security settings
that prevent the addition or edition of the DNS zones.
• If the parameter Forward is set to != none at server level but a list of forwarders is provided
anyway, the forwarders are pushed onto the Microsoft DNS server.
ACL Limitations
• Microsoft processes as follows the ACL allow-update:

Table 39.9. Limitations for the ACL allow-update

Allow-update set to Microsoft behavior
admin;any; The update rights are granted to anyone.
any; The update rights are granted to anyone.
admin; If the zone is AD integrated, the update is changed to Secure Only.
Any other parameter The update is impossible, the allow-update is set to no update.

• Microsoft processes as follows the ACL allow-transfer:

Table 39.10. Limitations for the ACL allow-transfer

Allow-transfer set to Microsoft behavior
any; The transfer rights are granted to anyone.
No parameter is set The transfer rights are granted to anyone.
none; The transfer rights are not granted to anyone.
eip_ns_only; Only the transfer of the zone NS resource records is granted.
Any other parameter If ACLs are set, they are ignored.
Any other parameter If IP addresses are listed, the allow-transfer is granted to the Specified IP Ad-
dress List and to the zone NS resource records.

Zone Limitations
• The zones e164.arpa and ip6.int (deprecated reverse mapping name space) are not sup-
ported by Microsoft.
1
For information, refer to http://support.microsoft.com/kb/929851 .

512
 Managing DNS Servers

• You cannot add forward zones with the forwarding parameter set to None on Microsoft
servers.
• If nothing is specified during the Notify configuration then by default, the notify is set to NS
only.
• You cannot edit the AD replication behavior set on the zones of an AD integrated Microsoft
server. Once set, you cannot edit or remove the replication behavior selected, you must
delete the zone and add it again with the configuration that suits your needs.
Resource Record Limitations
• Microsoft servers only support the records A, AAAA, CNAME, MX, NS, PTR, SOA, SRV
and TXT.

Adding Microsoft Windows DNS Servers

Before adding a Microsoft Windows DNS server make sure you meet the prerequisites.

If your Microsoft DNS server is integrated to an AD with several forests, you can use the Expert
mode during the server addition to specify AD domain you want to authenticate.

In addition, you can manage AD integrated zones. For more details, refer to the section Managing
DNS Zones.

To add a Microsoft Windows DNS server

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. In the menu, select Add > Microsoft. The wizard Add a Microsoft DNS server opens.
3. If custom classes are enabled at server level, in the list DNS server class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
4. In the field Name, specify a DNS resolvable fully qualified domain name (FQDN) for your
server.
5. In the field Management IP address, specify the IPv4 address of the server you want to
manage.
If you already configured a resolver for the appliance, you can specify a name and click on
SEARCH , the matching IP address is retrieved from the DNS and displayed. For more details,
refer to the section Setting the DNS Resolver.
6. In the field User, specify the name of a user with sufficient management privileges over the
Windows DNS server.
7. In the field Password, specify the corresponding password.
8. If your Windows DNS server is integrated to Active Directory and contains several forests:
a. Tick the box Expert mode (AD). The field AD domain appears
b. In the field AD domain, specify the full domain or subdomain.
9. Tick the box Isolated if you want to isolate the server within SOLIDserver. This prevents the
server, and its content, from executing any configured replication rule or advanced property.
The server still receives data if your network configuration allows it.
This option is mainly useful during migrations. When the server configuration is ready and
you untick the box, you must manually execute the rules and/or advanced properties, at all
relevant levels of the module hierarchy, via the menu Tools > Initialize rules.

513
 Managing DNS Servers

10. In the field Description, you can specify a description, it it displayed in the column Description
of the page All servers.
11. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
12. Click on OK to complete the operation. The report opens and closes. The server is listed,
the column Version indicates the Microsoft server version.

Managing BIND DNS Servers on Linux

SOLIDserver provides its software versions through native packages of operating system. Installing
the DNS package allows you to use the module DNS at the best of its potential on Linux, it allows
you to manage your BIND server through an EfficientIP DNS server, which incidentally provides
all the options that come with it (statistics retrieved via SNMP...).

To successfully install the DNS packages on Linux, you must follow the prerequisites and proced-
ures in the section that matches your environment:
• Installing an EfficientIP DNS Package on Debian 8 or Higher.
• Installing an EfficientIP DNS Package on RedHat 6 or Higher.

Once your package is installed you can add an EfficientIP Package in the GUI as detailed in the
section Adding BIND DNS Servers.

If you need to upgrade your package, refer to the section Upgrading EfficientIP DNS Packages.

Installing an EfficientIP DNS Package on Debian 8 or Higher

You must take into account the prerequisites before installing a DNS package on Debian.

Prerequisites
• The DNS package file, ipmdns-y.y.y-debianxx-amd64.deb, whose name provides you with a
number of information separated by hyphens: the type of package (ipmdns, so a DNS package),
the version of SOLIDserver (y.y.y); the version of Debian (debianxx where xx is x dot x) and
finally the Debian architecture (amd64).
In the procedure below, this file is referred to as <ipmdns-y.y.y-debianxx-amd64.deb>.
• The EfficientIP BIND package platform must have at least 20 Mb of free disk space.
• The EfficientIP BIND package may need certain libraries of your operating system, you must
2
have a shell access with root login in local, via ssh on the server to be installed.
• You must make sure that no other DNS/DHCP service on your Linux is running : it would inter-
fere with the BIND/ISC package installation.
• You must make sure that SOLIDserver and Debian are set to the same time and date.
• You must make sure that Apache server is up-to-date.
• You must make sure that the service dbus is installed.
• You must make sure that HTTPS (port 443) and the DNS service (port 53) are not blocked by
a network filtering process (firewall).
If your Apache configuration already uses the port 443, you have to create an additional IP-
based VirtualHost dedicated to the DNS/DHCP management.

2
You could also connect via telnet but, for security purposes, we recommend that you favor ssh.

514
 Managing DNS Servers

Installing EfficientIP DNS Packages on Debian

Once you have taken into account the prerequisites, you can install an EfficientIP DNS Package
on Debian.

If you have not installed the DHCP packages yet, you need to:
1. Follow the procedure To install an EfficientIP DNS Package on Debian.
2. Follow the procedure To complete the DNS package installation on Debian if the DHCP
package is not installed.

If you already installed the DHCP packages, you only need to follow the procedure To install
an EfficientIP DNS Package on Debian below.

The procedure below includes the commands that make the web services configurable.

To install an EfficientIP DNS Package on Debian

1. Open an SSH session.
2. Stop and disable your DNS software: If you are using NSD or Unbound, refer to the related
proprietary documentation. In the case of BIND, use the following commands:
# service bind9 stop
# update-rc.d -f bind9 remove

3. Install the dependency packages, ONLY if you have not installed the EfficientIP DHCP
package, using the following commands:
# apt-get install php
# apt-get install sudo
# apt-get install snmpd
# apt-get install libuv1

4. Install the EfficientIP DNS package, using the following command:

# dpkg -i <ipmdns-y.y.y-debianxx-amd64.deb>

5. Make the web services configurable: in the directory /etc/sudoers.d, create the file ipmdns
containing the line below.
www-data ALL = NOPASSWD: /usr/local/nessy2/script/install_named_conf.sh, \
/usr/local/nessy2/script/push_default_zone_params.sh, \
/usr/local/nessy2/script/push_dnssec_keys_zones.sh, \
/usr/local/nessy2/script/move_dnszone_file.sh, \
/usr/local/nessy2/script/restore_named_conf.sh, \
/usr/local/nessy2/script/delete_zone_file.sh, \
/usr/local/nessy2/script/restore_zone_file.sh, \
/usr/local/nessy2/script/install_keytab.sh, \
/usr/local/nessy2/bin/rndc

6. Set the users access rights as follows:

# chmod 440 /etc/sudoers.d/ipmdns

Note that you can change the password admin of the web service using the following com-
mand:
# htpasswd -c /usr/local/nessy2/www/php/cmd/dns/.htpasswd admin

If you have not installed the DHCP package or are not planning on installing it, you must
now follow the procedure below.

515
 Managing DNS Servers

To complete the DNS package installation on Debian if the DHCP package is not
installed
1. If relevant, open an SSH session.
2. Allow SNMP access to the DNS statistics by appending the file /etc/snmp/snmpd.conf with
the following line:
view systemview included .1.3.6.1.4.1.2440

3. Start the snmp daemon using the following command:

# service snmpd start

4. Create a self-signed certificate for Apache using the following commands:

# cd /etc/apache2
# openssl genrsa -des3 -out server.key 4096
# openssl req -new -key server.key -out server.csr
# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
# openssl rsa -in server.key -out server.key.insecure
# mv server.key server.key.secure
# mv server.key.insecure server.key

5. Activate the SSL mode in Apache using the following command:

# a2enmod ssl

6. Make sure that a symbolic link to the default VirtualHost SSL configuration file is located in
the folder sites-enabled/ . If not, use the following command:
# a2ensite default-ssl

7. Configure the web services by editing the file /etc/apache2/sites-enabled/default-ssl.conf to

replace the FULL section <VirtualHost *:443> with the following configuration:
<VirtualHost *:443>

ServerName 127.0.0.1
DocumentRoot /usr/local/nessy2/www/php
<Directory /usr/local/nessy2/www/php>
Require all granted
AllowOverride Authconfig
Options Indexes FollowSymLinks
</Directory>

# Please note that the following, from "php_admin_value" to

"site:/usr/local/share/pear",
# represents and must be written on a single line.
php_admin_value include_path
/usr/local/nessy2/www/php/include:/usr/local/nessy2/lib/php:/usr/local/nessy2/www/site:/usr/local/share/pear
php_admin_value file_uploads 1
php_admin_value upload_max_filesize 300000000
php_admin_value post_max_size 300000000
php_admin_value memory_limit 150000000
php_admin_value register_globals 0
php_admin_value short_open_tag 1
php_admin_value safe_mode 0
php_admin_value magic_quotes_gpc 0

SSLEngine on
SSLCertificateFile /etc/apache2/server.crt
SSLCertificateKeyFile /etc/apache2/server.key
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM

516
 Managing DNS Servers

# Please note that the following, from "SetEnvIf" to "force-response-1.0", represents

and
# must be written on a single line.
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0
force-response-1.0

</VirtualHost>

8. Disable the default site in Debian Apache configuration using the following command:
# a2dissite 000-default

9. Restart Apache using the following command:

# service apache2 restart

10. Make sure that the ipmdns package is running using the following command:
# service ipmdns status

If it is not running, use the following command:

# service ipmdns start

Once the configuration is complete, you can add an EfficientIP Package DNS server to manage
your BIND server from SOLIDserver GUI. For more details, refer to the procedure in the section
Adding BIND DNS Servers.

Installing an EfficientIP DNS Package on RedHat 6 or Higher

You must take into account the prerequisites before installing a DNS package on RedHat or
CentOS.

Prerequisites
• The DNS package file, ipmdns-y.y.y-redhatx.x86_64.rpm, whose name provides you with a
number of information separated by hyphens or a point: the type of package (ipmdns, so a
DNS package), the version of SOLIDserver (y.y.y); the version of RedHat (redhatx) and finally
the RedHat architecture (x86_64).
In the procedure below, this file is referred to as <ipmdns-y.y.y-redhatx.x86_64.rpm>.
• The EfficientIP BIND package platform must have at least 20 Mb of free disk space.
• The EfficientIP BIND package may need certain libraries of your operating system, you must
3
have a shell access with root login in local, via ssh on the server to be installed.
• You must make sure that no other DNS/DHCP service on your Linux is running : it would inter-
fere with the BIND/ISC package installation.
• You must make sure that SOLIDserver and RedHat/CentOS are set to the same time and date.
• You must make sure that Apache server is up-to-date.
• You must make sure that HTTPS (port 443) and the DNS service (port 53) are not blocked by
a network filtering process (firewall).
If your Apache configuration already uses the port 443, you have to create an additional IP-
based VirtualHost dedicated to the DNS/DHCP management.

3
You could also connect via telnet but, for security purposes, we recommend that you favor ssh.

517
 Managing DNS Servers

Installing the EfficientIP DNS Package on RedHat

Once you have taken into account the prerequisites, you can install an EfficientIP DNS Package
on RedHat or CentOS.

If you have not installed the DHCP packages yet, you need to:
1. Follow the procedure To install an EfficientIP DNS Package on RedHat.
2. Follow the procedure To complete the DNS package installation on RedHat if the DHCP
package is not installed.

If you already installed the DHCP packages, you only need to follow the procedure To install
an EfficientIP DNS Package on RedHat below.

The installation procedure below also includes the commands that make the web services con-
figurable.

To install an EfficientIP DNS Package on RedHat

1. Open an SSH session.
2. Stop and disable your DNS software, using the following commands:
# service named stop
# chkconfig named off

3. Install the repository EPEL:

# yum install epel-release

4. Install the dependency packages using the following commands:

# yum install mod_ssl php php-pdo sudo net-snmp libuv json-c

5. Install EfficientIP DNS package, using the following command:

# rpm -ivh <ipmdns-y.y.y-redhatx.x86_64.rpm>

6. Make the web services configurable: in the directory /etc/sudoers.d, create the file ipmdns
containing the line below.
apache ALL = NOPASSWD: /usr/local/nessy2/script/install_named_conf.sh, \
/usr/local/nessy2/script/push_default_zone_params.sh, \
/usr/local/nessy2/script/push_dnssec_keys_zones.sh, \
/usr/local/nessy2/script/move_dnszone_file.sh, \
/usr/local/nessy2/script/restore_named_conf.sh, \
/usr/local/nessy2/script/delete_zone_file.sh, \
/usr/local/nessy2/script/restore_zone_file.sh, \
/usr/local/nessy2/script/install_keytab.sh, \
/usr/local/nessy2/bin/rndc

7. Set the users access rights as follows:

# chmod 440 /etc/sudoers.d/ipmdns

Note that you can change the password admin of the web service using the command below:
# htpasswd -c /usr/local/nessy2/www/php/cmd/dns/.htpasswd admin

If you have not installed the DHCP package or are not planning on installing it, you must
now follow the procedure below.

518
 Managing DNS Servers

To complete the DNS package installation on RedHat if the DHCP package is not
installed
1. If relevant, open an SSH session.
2. Disable the firewall using the following commands.
a. For RedHat 6:
# service iptables stop
# chkconfig iptables off

b. For RedHat 7 and 8:

# service firewalld stop
# chkconfig firewalld off

3. Disable selinux by editing its dedicated line, SELINUX=enforcing, in the file

/etc/selinux/config to match the following:
SELINUX=disabled

Note that changing the selinux policy requires you to restart the system.
4. Reboot the system to take into account the selinux policy changes :
# reboot

5. In the file /etc/sudoers, disable requiretty by making it a comment as follows:

#Defaults requiretty

6. Allow SNMP access to the DNS statistics. In the file /etc/snmp/snmpd.conf , in the section
entitled Access Control, enter the lines:
master agentx
view systemview included .1.3.6.1.4.1.2440
#You may need to specify another view, AllView or a custom one,
#if you edited the default SNMP configuration.

7. Start the SNMP daemon, using the following command:

# service snmpd start

8. Create a self-signed certificate for Apache, using the following commands:

# cd /etc/httpd
# openssl genrsa -des3 -out server.key 4096
# openssl req -new -key server.key -out server.csr
# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
# openssl rsa -in server.key -out server.key.insecure
# mv server.key server.key.secure
# mv server.key.insecure server.key

9. Configure the web services. In the file /etc/httpd/conf.d/ssl.conf, replace the FULL section
<VirtualHost *:443> with the configuration below.
a. For RedHat 6:
<VirtualHost *:443>
ServerName 127.0.0.1
DocumentRoot /usr/local/nessy2/www/php
<Directory /usr/local/nessy2/www/php>
AllowOverride All
</Directory>

519
 Managing DNS Servers

# Please note that the following data, from "php_admin_value" to

"site:/usr/local/share/pear",
# represents and must be written on a single line.
php_admin_value include_path
/usr/local/nessy2/www/php/include:/usr/local/nessy2/lib/php:/usr/local/nessy2/www/site:/usr/local/share/pear
php_admin_value file_uploads 1
php_admin_value upload_max_filesize 300000000
php_admin_value post_max_size 300000000
php_admin_value memory_limit 150000000
php_admin_value register_globals 0
php_admin_value short_open_tag 1
php_admin_value safe_mode 0
php_admin_value magic_quotes_gpc 0

SSLEngine on
SSLCertificateFile /etc/httpd/server.crt
SSLCertificateKeyFile /etc/httpd/server.key
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM

# Please note that the following data, from "SetEnvIf" to "force-response-1.0",

represents
# and must be written on a single line.
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0
force-response-1.0

</VirtualHost>

b. For RedHat 7:
<VirtualHost *:443>
ServerName 127.0.0.1
DocumentRoot /usr/local/nessy2/www/php
<Directory /usr/local/nessy2/www/php>
Require all granted
AllowOverride Authconfig
Options Indexes FollowSymLinks
</Directory>

# Please note that the following data, from "php_admin_value" to

"site:/usr/local/share/pear",
# represents and must be written on a single line.
php_admin_value include_path
/usr/local/nessy2/www/php/include:/usr/local/nessy2/lib/php:/usr/local/nessy2/www/site:/usr/local/share/pear
php_admin_value file_uploads 1
php_admin_value upload_max_filesize 300000000
php_admin_value post_max_size 300000000
php_admin_value memory_limit 150000000
php_admin_value register_globals 0
php_admin_value short_open_tag 1
php_admin_value safe_mode 0
php_admin_value magic_quotes_gpc 0

SSLEngine on
SSLCertificateFile /etc/httpd/server.crt
SSLCertificateKeyFile /etc/httpd/server.key
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM

# Please note that the following data, from "SetEnvIf" to "force-response-1.0",

represents
# and must be written on a single line.
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0
force-response-1.0

</VirtualHost>

520
 Managing DNS Servers

c. For RedHat 8:
<VirtualHost *:443>
ServerName 127.0.0.1
DocumentRoot /usr/local/nessy2/www/php
<Directory /usr/local/nessy2/www/php>
Require all granted
AllowOverride Authconfig
Options Indexes FollowSymLinks
</Directory>

SSLEngine on
SSLCertificateFile /etc/httpd/server.crt
SSLCertificateKeyFile /etc/httpd/server.key
SSLProtocol all -SSLv2
SSLCipherSuite HIGH:MEDIUM

# Please note that the following data, from "SetEnvIf" to "force-response-1.0",

# represents and must be written on a single line.
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown downgrade-1.0
force-response-1.0
</VirtualHost>

10. Restart Apache using the following command:

# service httpd restart

11. Make sure that the ipmdns package is running using the following command:
# service ipmdns status

If it is not running, use the following command:

# service ipmdns start

Once the configuration is complete, you can add an EfficientIP Package DNS server to manage
your BIND server from SOLIDserver GUI. For more details, refer to the procedure in the section
Adding BIND DNS Servers.

Adding BIND DNS Servers

Once you successfully installed your EfficientIP DNS Package on Linux, you can add your BIND
server to the page All servers in the GUI, as an EfficientIP Package, and configure it according
to your needs.

Note that:
• Before managing a new server, make sure that the DNS service is properly started. For more
details, refer to the chapter Configuring the Services.
• EfficientIP package servers can assume any role within a smart architecture:

Table 39.11. Possible role of a physical server within a smart architecture per vendor
Physical server vendor
Role a
Hybrid DNS Amazon
EfficientIP Microsoft Generic Azure
NSD Unbound Route 53
Master X X X X X X X
Slave X X X X
Hidden-Master X X X

521
 Managing DNS Servers

Physical server vendor

Role a
Hybrid DNS Amazon
EfficientIP Microsoft Generic Azure
NSD Unbound Route 53
Pseudo-Master X X X X X
a
EfficientIP and EfficientIP Package servers

To add a BIND DNS server for a Linux package

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. In the menu, select Add > EfficientIP Package. The wizard Add an EfficientIP Package
DNS server opens.
3. If custom classes are enabled at server level, in the list DNS server class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
4. In the field Name, specify a DNS resolvable fully qualified domain name (FQDN) for your
server.
5. In the field Management IP address, specify the IPv4 address of the server you want to
manage.
If you already configured a resolver for the appliance, you can specify a name and click on
SEARCH , the matching IP address is retrieved from the DNS and displayed. For more details,
refer to the section Setting the DNS Resolver.
6. If you want to secure the management of your server, you can associate it with a TSIG key.
a. Tick the box Configure TSIG parameters. The drop-down list TSIG key name appears.
b. In the drop-down list TSIG key name, select an existing key. Note that this key must
also be used in the statements allow-update and allow-transfer at view and/or zone level
to secure all exchanges. For more details, refer to the section Securing the Management
of DNS Servers Using a TSIG Key.
7. If you have changed the default SSH password of the appliance embedding the DNS server,
you must update the enrollment parameters.
a. Tick the box Configure enrollment parameters. The fields Login and Password ap-
pear. By default they both contain admin.
b. Edit the fields to make sure that the SSL credentials match your SSH credentials.
8. If you want to edit the server SNMP parameters, tick the box Configure SNMP monitoring
parameters.
A set of fields appear, configure them to monitor and retrieve the server statistics.

Table 39.12. SNMP monitoring parameters available when you add a server
Field Description
SNMP port The port used to retrieve the server statistics. By default, the port 161 is used. If you
changed the UDP port of your SNMP server, you must use the same port. This field is
required. For more details, refer to the section Configuring the SNMP Server.
Use TCP The network communication protocol, either TCP (ticked) or UDP (unticked). By default,
the box is unticked. You should tick the box to use TCP instead of UDP if the network
link is unreliable. This field is optional.
SNMP profile The SNMP profile used to retrieve the statistics. By default, standard v2c is selected.
This field is optional. The list contains the default profiles (standard v1, standard v2c and

522
 Managing DNS Servers

Field Description
standard v3) and the ones you may have added. Each profile has its own level of security
and enables the definition of a global security policy. For more details, refer to the section
Managing SNMP Profiles.
SNMP retries The number of connection attempts when the server is in timeout, a value between 0 and
5. By default, it is set to 2. This field is required.
SNMP timeout The number of seconds between each connection attempt, either 1, 2, 3, 4, 5, 10 or 30.
By default, it is set to 5. This field is required.

9. Tick the box Isolated if you want to isolate the server within SOLIDserver. This prevents the
server, and its content, from executing any configured replication rule or advanced property.
The server still receives data if your network configuration allows it.
This option is mainly useful during migrations. When the server configuration is ready and
you untick the box, you must manually execute the rules and/or advanced properties, at all
relevant levels of the module hierarchy, via the menu Tools > Initialize rules.
10. In the field Description, you can specify a description, it it displayed in the column Description
of the page All servers.
11. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
12. Click on OK to complete the operation. The report opens and closes. The server appears in
the list with status Busy. It changes to OK after a while.
During the first DNS server addition, the allow-transfer option is by default configured
with the ACL any. As it is inherited by the server views and zones, you might need to restrict
the statement. For more details, refer to the chapter Limiting Zone Transfers at Server Level.

Once the EfficientIP Package server is added, you can manage your BIND server installed on
Linux from the GUI.

Upgrading EfficientIP DNS Packages

No matter the package version, to upgrade packages:
1. You must uninstall your current packages.
2. You must install the new package following the relevant section:
• Installing an EfficientIP DNS Package on Debian 8 or Higher.
• Installing an EfficientIP DNS Package on RedHat 6 or Higher.

Managing Generic DNS Servers

SOLIDserver provides support for generic DNS servers, in addition to EffcientIP, Microsoft, Route
53 and Azure DNS servers.

Note that:
• Unlike all other DNS servers, the management of generic servers is more limited. However,
following RFC 2136, they support dynamic update (DDNS).
• Generic servers retrieve data via zone transfer. Therefore, the remote server you manage as
a Generic server must allow zone transfer or you must configure TSIG parameters to secure
the exchanges between the server and the appliance.

523
 Managing DNS Servers

• Before managing a new server, make sure that the DNS service is properly started. For more
details, refer to the chapter Configuring the Services.
• Generic DNS servers can only assume a limited number of roles within the architecture:

Table 39.13. Possible role of a physical server within a smart architecture per vendor
Physical server vendor
Role a
Hybrid DNS Amazon
EfficientIP Microsoft Generic Azure
NSD Unbound Route 53
Master X X X X X X X
Slave X X X X
Hidden-Master X X X
Pseudo-Master X X X X X
a
EfficientIP and EfficientIP Package servers

Adding Generic DNS Servers

To fully configure and manage a Generic DNS server, you must:
1. Add a Generic server on the page All servers, and configure it with:
• The IP address of the remote server already configured to allow transfer.
• If the server you specified does not allow zone transfer, you must Configure TSIG parameters.
2. Add the relevant DNS zones on the page All zones.

To add a generic DNS server

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. In the menu, select Add > Generic. The wizard Add a Generic DNS server opens.
3. If custom classes are enabled at server level, in the list DNS server class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
4. In the field Name, specify a DNS resolvable fully qualified domain name (FQDN) for your
server.
5. In the field Management IP address, specify the IPv4 address of the server you want to
manage.
If you already configured a resolver for the appliance, you can specify a name and click on
SEARCH , the matching IP address is retrieved from the DNS and displayed. For more details,
refer to the section Setting the DNS Resolver.
6. If you want to secure the management of your server, you can associate it with a TSIG key.
a. Tick the box Configure TSIG parameters. The drop-down list TSIG key name appears.
b. In the drop-down list TSIG key name, select an existing key. Note that this key must
also be used in the statements allow-update and allow-transfer at view and/or zone level
to secure all exchanges. For more details, refer to the section Securing the Management
of DNS Servers Using a TSIG Key.
7. Tick the box Isolated if you want to isolate the server within SOLIDserver. This prevents the
server, and its content, from executing any configured replication rule or advanced property.
The server still receives data if your network configuration allows it.

524
 Managing DNS Servers

This option is mainly useful during migrations. When the server configuration is ready and
you untick the box, you must manually execute the rules and/or advanced properties, at all
relevant levels of the module hierarchy, via the menu Tools > Initialize rules.
8. In the field Description, you can specify a description, it it displayed in the column Description
of the page All servers.
9. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
10. Click on OK to complete the operation. The server is listed in the page All servers.

Once added, you can edit your server to secure its data exchanges with SOLIDserver. For more
details, refer to the section Securing the Management of DNS Servers Using a TSIG Key.

To add generic DNS server zones

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. Click on the name of the Generic server. The page All zones opens.
3. In the menu, click on Add. The wizard Add a DNS zone opens.
4. If custom classes are enabled at zone level, in the list DNS zone class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. Click on NEXT . The next page opens.
6. In the list DNS zone type, select Master.
7. In the list DNS zone resolution, select Name.
8. Click on NEXT , the next page opens.
9. Fill in the fields according to the table below:

Table 39.14. Master zone addition fields

Field Description
Name The zone name, it should strictly respect the syntax of RFC1034. This field is required.
Space The name of an IPAM space to associate with the zone or None. This field is optional.
If DNS to IPAM advanced properties are configured, the selected space is updated by
the zone records. For more details, refer to the section Configuring DNS Advanced
Properties.

10. Click on NEXT . The last page opens.

11. The fields on that page are automatically filled. However you can edit them following the
table below. All the fields are required.

Table 39.15. Zone advanced parameters

Field Description
Primary server The primary Master server for the zone.
Responsible The administrator email address for the zone.
Serial number The zone serial number. It is automatically incremented for each zone change.
Refresh The refresh period for slave server(s). When the selected period is reached, the slave
server(s) read the Master SOA record and, if their data is not up-to-date, trigger a zone
transfer to get the latest version of the zone.

525
 Managing DNS Servers

Field Description
Retry The retry interval if the server fails to reach the master during a refresh cycle.
Expire The period after which the records are considered to be no longer valid/authoritative and
the server stops responding to queries for the zone.
Minimum The negative caching period of the zone, in seconds. This period is used as TTL for every
NXDOMAIN returned to clients querying unexisting records.
TTL The TTL (Time to Live) of the SOA, its duration, in seconds. The drop-down list next to
the input field allows to select durations in human-readable format.

You can set the value by default for the parameters above, except for the Primary server
and Serial number. For more details, refer to the procedure To configure the default SOA
parameters of Master zones below.
12. Click on OK to complete the operation. The report opens and closes. The report opens and
closes. The zone is listed and marked Delayed create before being marked OK.

Managing Amazon Route 53 Servers

SOLIDserver supports the management of Route 53 DNS servers.These servers provide a cloud
based Anycast DNS service available for Amazon Web Service (AWS) account owners.

From the page All servers, you can add your Amazon Route 53 server using your AWS account
credentials. Once listed in the GUI, you can add, edit and/or delete the server zones and resource
records.

Note that Amazon Route 53 servers can be managed from a smart architecture. For more details,
refer to the section Managing an Amazon Route 53 Server With a Smart Architecture.

Prerequisites
• You must make sure that the DNS service is properly started before adding a new server. For
more details, refer to the chapter Configuring the Services.
• You must have an AWS account with a subscription to the service Amazon Route 53.
• You must have an Amazon IAM Account with sufficient permissions to manage the service
Amazon Route 53. For security reasons, we recommend granting access only to this service.
These permissions can be assigned using the predefined IAM policy AmazonRoute53FullAccess
or a custom one. For more details on which minimal permissions to grant, refer to the appendix
Custom AWS IAM Policy Route 53 Minimal Permissions.
• You must have the ID of an existing reusable delegation set ready, if you want to configure
this delegation set on a Private server and apply it to all its zones.
• You must configure NTP synchronization to ensure that SOLIDserver and AWS are time syn-
chronized. For more details, refer to the section Configuring the Time and Date.
Besides, we recommend displaying the time using UTC. For more details, refer to the procedure
To configure the user settings.
• You must make sure SOLIDserver is able to reach the endpoint of the service Amazon Route
53 using HTTPs. If the service is unreachable, the Amazon Route 53 server stays in Timeout.
For more details, go to https://docs.aws.amazon.com/general/latest/gr/r53.html.

Limitations
• SOLIDserver only supports unique zone names within one server.
If your Amazon Route 53 server contains several zones named the same way, none of them
can be managed from the GUI.

526
 Managing DNS Servers

• DNSSEC is not supported on Amazon Route 53 servers.

• The edition options are limited:
• You can only edit the panels Main properties and Group access on Amazon Route 53 servers
managed outside a smart architecture.
• Once an Amazon Route 53 server is managed via a smart architecture, you can only edit
the panel Group access on the server properties page.
• Converting master zones to slave on Amazon Route 53 servers deletes all the records of
the original master zone.
• Some options are not supported on Amazon Route 53 servers:
• You cannot edit the access control of an Amazon Route 53 server or its zone.
• You cannot edit the options of an Amazon Route 53 server or its zone.
These options cannot be edited either from SOLIDserver or from the service Amazon Route
53 itself.
• Some AWS options, like the record options Heatlh Check and Routing Policy, are not supported
by SOLIDserver. Therefore, before adding an Amazon Route 53 server to the GUI, we recom-
mend that you take into account the prerequisites, specificities and limitations listed in the
section Managing Amazon Route 53 Zones.
If any AWS zone contains records configured with these options, the entire zone is not syn-
chronized.

Adding Amazon Route 53 Servers

When adding an Amazon Route 53 server, you do not need to provide an IP address. Thanks to
the AWS account credentials, SOLIDserver identifies your Amazon Route 53 server and commu-
nicates directly with it using REST protocol.

Before adding an Amazon Route 53 server, note that:

• Each Amazon Route 53 server is associated with a specific AWS account. For each account,
the configuration of your servers determines if you can manage one or more public and private
servers.
• You can manage public zones and records in Public servers, and private zones and records
in Private servers. At server level, you must select one type or the other.
Note that you cannot edit a server to change its Type, it is either Public or Private.
• If you add a Public server, you can configure it with an existing reusable delegation set. This
configuration automates the addition of the delegation set on all the private zones of the server.
Each delegation set can only be used on one server, you cannot edit a server to change its
reusable deletion set ID.
Keep in mind that, on AWS, Route 53 servers configured with a delegation set cannot manage
a domain in one zone and any of its subdomains another zone, it creates a conflict. Therefore,
once you configured a reusable delegation set at server level, your server can contain either
a zone managing a domain or several zones managing any subdomain. Other Route 53 servers
can manage the subdomains or the domain, if they are not configured with a delegation set,
or if they are configured with a different one.
For each AWS account, you can only manage one Public server without delegation set. How-
ever, you can manage as many Public servers configured with a delegation set as you want.
• If you add a Private server, you must configure a list of Virtual Private Clouds (VPC) at server
level. This allows to associate all the zones of the server with these VPCs.
If you already manage private zones on AWS, you must configure the server with the exact
same list of VPCs, to be able to synchronize these zones from the GUI.

527
 Managing DNS Servers

Keep in mind that several Private servers can manage the same domain only if each server is
configured with different VPCs.
For each AWS account, you can manage as many Private servers as you want, as long as
they have a unique list of VPCs.

To add an Amazon Route 53 server

1. Take into account the prerequisites and limitations.
2. In the sidebar, go to DNS > Servers. The page All servers opens.
3. In the menu, select Add > Amazon Route 53. The wizard Add an Amazon Route 53
DNS server opens.
4. If custom classes are enabled at server level, in the list DNS server class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. In the field Name, specify a DNS resolvable fully qualified domain name (FQDN) for your
server.
6. In the field Access Key ID, specify your AWS account Access Key ID.
7. In the field Secret Access Key, specify the corresponding Secret Access Key.
8. In the drop-down list Type, select Public or Private. By default, Public is selected.
a. If you leave Public selected, in the field Reusable delegation set ID you can specify
the identifier of an existing delegation set. Go to step 9 to complete the configuration.
Keep in mind that a reusable delegation set ID can only be configured on one server.
Once you configured a delegation set on a Route 53 server, the server can either host
a domain in a zone, or subdomains in separate zones. It cannot manage both a domain
and any of its subdomains.
b. If you select Private, the page refreshes and the fields Filter, Available VPCs and Se-
lected VPCs appear. You must configure the list of VPCs of the server and all its zones:

Table 39.16. Public VPC configuration fields for Amazon Route 53 servers
Field Description
Filter An IPv4 address, IPv6 address, VPC name or region to filter the list of Available
VPCs. This field is optional.
Available VPCs The list of VPCs of the specified Access Key ID and Secret Access Key. They
are displayed as follows: <VPC name> - <Region>.
Right of the list, you can click on to query your AWS environment and refresh
the list.
Select one by one all the VPCs of your choice and click on to move them to
the list Selected VPCs.
Selected VPCs The list of all the VPCs of the server. It cannot exceed 300 VPCs. This field is
required.
To remove a VPC from the list, select it and click on to move it back to the list
Available VPCs.
Keep in mind that if you already manage the private zones of the server on AWS,
you must select the exact same list of VPCs to be able to synchronize them in
the GUI.

9. Tick the box Isolated if you want to isolate the server within SOLIDserver. This prevents the
server, and its content, from executing any configured replication rule or advanced property.
The server still receives data if your network configuration allows it.

528
 Managing DNS Servers

This option is mainly useful during migrations. When the server configuration is ready and
you untick the box, you must manually execute the rules and/or advanced properties, at all
relevant levels of the module hierarchy, via the menu Tools > Initialize rules.
10. In the field Description, you can specify a description, it is displayed in the column Description
of the page All servers.
11. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
12. Click on OK to complete the operation. The server is listed on the page All servers.

Once you added an Amazon Route 53 server:

• The server stays in Invalid time if SOLIDserver and the AWS account are not set at the same
time. SOLIDserver must be set to UTC. For more details, refer to the procedure To configure
the user settings.
• If you edit the content of an Amazon Route 53 server directly from the AWS account, you need
to synchronize the server in SOLIDserver GUI to retrieve and display the changes. For more
details, refer to the procedure To synchronize DNS servers.
• If you want to manage your server from a smart architecture, refer to the section Managing an
Amazon Route 53 Server With a Smart Architecture.
• Before managing zones and records, keep in mind that:
• If you added a Public server and configured it with a reusable delegation set, all its zones
are automatically set with this delegation set.
• If you added a Private server, all its zones are associated with the VPCs you configured.
For more details, refer to the sections Managing Amazon Route 53 Zones and Managing
Amazon Route 53 Records.
• If your internal network policies prevent you from accessing Amazon services directly, you
might need to set a proxy server via a registry database entry to handle Amazon Route 53 re-
quests, as described below.

To set a proxy server for Amazon Route 53

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
2. In the section Expert, click on Registry database. The page Registry database opens.
3. Filter the column Name with module.dns.route53.proxy.
4. Hit Enter. Only this key is listed.
5. In the column Value, click on the corresponding value. The wizard Registry database
Add an item opens.
6. In the field Value, specify the server configuration as follows: <hostname_or_ip>:<port>.
If need be, you can also define the access credentials as follows: <username>:<pass-
word>@<hostname_or_ip>:<port>.
7. Click on OK to complete the operation. The report opens and closes. The page refreshes
and the key is listed.

529
 Managing DNS Servers

Managing Amazon Route 53 Servers from a Smart Architecture

You can manage Amazon Route 53 servers from any type of smart architecture. All the available
types are detailed in the chapter Understanding DNS Smart Architectures.

Before adding your server to a smart architecture, note that:

• We recommend that you tick the AWS server and generate the report Route 53 incompatib-
ilities. That way you can edit the server and make sure that the server you manage through
the smart is properly configured. For more details, refer to the section DNS Server Reports.
• You must make sure your AWS server status is OK.
• Amazon Route 53 servers can only assume a limited number of roles within the architecture:

Table 39.17. Possible role of a physical server within a smart architecture per vendor
Physical server vendor
Role a
Hybrid DNS Amazon
EfficientIP Microsoft Generic Azure
NSD Unbound Route 53
Master X X X X X X X
Slave X X X X
Hidden-Master X X X
Pseudo-Master X X X X X
a
EfficientIP and EfficientIP Package servers

• If your smart architecture manages physical servers from several vendors, you may get warning
messages when you add views, zones or records. Some vendors do not support views, RPZ
zones and specific DNS zone and record types. You can force the configuration to add them
to the server(s) that do support them.
To display all the potential incompatibilities of your architecture in the column Multi-Status, you
can generate the report Smart architecture incompatibilities. For more details, refer to the
section DNS Server Reports in the chapter Monitoring.
• You can add it to a new smart architecture or to an existing one, as detailed in the sections
Adding an Amazon Route 53 Server When Adding a Smart Architecture and Adding an Amazon
Route 53 Server in an Existing Smart Architecture.

Once you manage an Amazon Route 53 server with a smart architecture:

• It has the role Master.
• It cannot be set as Slave.
• Only the Master zones of the other physical servers managed through the smart architecture
are replicated on the Amazon Route 53 server.
• Only the supported configuration settings of the other physical servers managed through the
smart architecture are pushed to the Amazon Route 53 server. For more details, refer to the
section limitations.
• All the AWS options not supported by SOLIDserver are silently ignored. They are never replic-
ated on the other physical server(s) of the architecture, and the column Multi-Status does not
notify you if non-supported AWS options were set and ignored.
• Any changes performed from the GUI - zones or records addition, edition or deletion - automat-
ically refresh the server, it then replicates the information to your AWS account server.
• You cannot delete the awsdns NS records from the list All RRs of the smart architecture. The
resolution of the Amazon Route 53 server zones rely on them.

530
 Managing DNS Servers

To remove an Amazon Route 53 server from a smart architecture, you must first delete the
resource records it contains. To delete a resource record, refer to the section Deleting Resource
Records of the chapter Managing DNS Resource Records.

Adding an Amazon Route 53 Server When Adding a Smart Architecture

You can add an Amazon Route 53 server to the management of the smart while adding the smart
architecture.

This allows to automate the synchronization of the Amazon Route 53 server content. Therefore,
all your zones and records are retrieved by the smart and replicated to all the physical servers
you might manage as well with the new smart.

To add an Amazon Route 53 server to a smart architecture you are adding

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. In the menu, select Add > Smart architecture.The wizard Add a DNS smart architecture
opens.
3. If custom classes are enabled at server level, in the list DNS server class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
4. In the field DNS Name, name the smart architecture with a valid FQDN.
5. In the list DNS smart architecture, select an architecture. Click on NEXT . The page DNS
servers role configuration opens.
6. If you are adding a Single-Server smart architecture:
a. In the drop-down list Available DNS servers, select an Amazon Route 53 server.
b. Click on + MASTER . The server is moved to the Master DNS server(s) list. To remove
a server from the list, click on .
c. If you want to publish one or several name servers or load balancers or even force the
Hybrid compatibility of the smart architecture, tick the box Expert mode and complete
the configuration.
For more details, refer to the section Adding a Single-Server Smart Architecture in the
chapter Managing DNS Smart Architectures.
d. Click on NEXT . The last page opens.
For more details regarding the fields Use DNS as DNSSEC resolver, Isolated, Descrip-
tion and Advanced properties, refer to the section Adding a Single-Server Smart Ar-
chitecture in the chapter Managing DNS Smart Architectures.
e. Click on OK to complete the operation. The report opens and closes. The smart archi-
tecture is listed, if you do not see the server it manages, click on on the right-end
side of the menu.
7. If you are adding a Master/Slave or Multi-Master smart architecture:
a. In the drop-down list Available DNS servers, select an Amazon Route 53 server.
b. Click on + MASTER . The server is moved to the Master DNS server(s) list. To remove
a server from the list, click on . Note that an Amazon Route 53 server cannot be slave.
If you want to add other servers to the smart architecture, refer to the section Adding a
Master/Slave Smart Architecture or Adding a Multi-Master Smart Architecture in the
chapter Managing DNS Smart Architectures.

531
 Managing DNS Servers

c. If you want to publish one or several name servers or load balancers or even force the
Hybrid compatibility of the smart architecture, tick the box Expert mode and complete
the configuration.
For more details, refer to the section Adding a Master/Slave Smart Architecture or Adding
a Multi-Master Smart Architecture in the chapter Managing DNS Smart Architectures.
d. Click on NEXT . The last page opens.
For more details regarding the fields Use DNS as DNSSEC resolver, Isolated, Descrip-
tion and Advanced properties, refer to the section Adding a Master/Slave Smart Ar-
chitecture or Adding a Multi-Master Smart Architecture in the chapter Managing DNS
Smart Architectures
e. Click on OK to complete the operation. The report opens and closes. The smart archi-
tecture is listed, if you do not see the servers it manages, click on on the right-end
side of the menu.
8. If you are adding a Stealth smart architecture:
a. In the drop-down list Available DNS servers, select an Amazon Route 53 server.
b. Click on + MASTER or + PSEUDO-MASTER to add it to the relevant list and manage it via the
smart architecture. Note that an Amazon Route 53 server cannot be slave or hidden-
master.
If you want to add other servers to the smart architecture, refer to the section Adding a
Stealth Smart Architecture in the chapter Managing DNS Smart Architectures.
c. If you want to publish one or several name servers or load balancers or even force the
Hybrid compatibility of the smart architecture, tick the box Expert mode and complete
the configuration.
For more details, refer to the section Adding a Stealth Smart Architecture in the chapter
Managing DNS Smart Architectures.
d. Click on NEXT . The last page opens.
For more details regarding the fields Use DNS as DNSSEC resolver, Isolated, Descrip-
tion and Advanced properties, refer to the section Adding a Stealth Smart Architecture
in the chapter Managing DNS Smart Architectures.
e. Click on OK to complete the operation. The report opens and closes. The smart archi-
tecture is listed, if you do not see the servers it manages, click on on the right-end
side of the menu.
9. If you are adding a Farm smart architecture:
a. In the drop-down list Available DNS servers, select an Amazon Route 53 server.
b. Click on + MASTER . The server is moved to the Master DNS server(s) list. To remove
a server from the list, click on . Note that an Amazon Route 53 server cannot be slave.
If you want to add other servers to the smart architecture, refer to the section Adding a
Farm Smart Architecture in the chapter Managing DNS Smart Architectures.
c. Click on NEXT . The page Advanced settings opens. Finish the configuration by publish-
ing one or several name servers or load balancers.
For more details, refer to the procedure in the section Adding a Farm Smart Architecture
in the chapter Managing DNS Smart Architectures.
d. Click on NEXT . The last page opens.
For more details regarding the fields Use DNS as DNSSEC resolver, Isolated, Descrip-
tion and Advanced properties, refer to the section Adding a Farm Smart Architecture
in the chapter Managing DNS Smart Architectures.

532
 Managing DNS Servers

e. Click on OK to complete the operation. The report opens and closes. The smart archi-
tecture is listed, if you do not see the servers it manages, click on on the right-end
side of the menu.

On the page All servers and All zones, the column Multi-status indicates any incompatibilities
or replication problems.

You can check that the replication is properly performed on the page All RRs of the smart archi-
tecture. They should be all listed and OK.

For more details regarding the server content configuration, refer to the chapters Managing
Amazon Route 53 Zones and Managing Amazon Route 53 Records.

Adding an Amazon Route 53 Server in an Existing Smart Architecture

If you add an Amazon Route 53 server to an existing smart architecture managing other servers,
keep in mind that the zones it contains rely on a specific set of NS records to run properly. Without
all these records, the zones are not viable.

Therefore, the smart architecture automatically:

• Retrieves the content of the Amazon Route 53 server.
• Replicates the content of your Amazon Route 53 server (all the additional NS records) on all
the physical servers managed. The All RRs list of all the servers should therefore contain
awsdns records.

To add an Amazon Route 53 server into an existing smart architecture

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the smart architecture of your choice, click on . The properties
page opens.
3. In the panel Main properties, click on EDIT . The wizard Edit a DNS smart architecture
opens.
4. If custom classes are enabled at server level, in the list DNS server class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. In the field DNS Name, name the smart architecture with a valid FQDN.
6. In the list DNS smart architecture, edit the type of DNS smart architecture if need be. Click
on NEXT . The page DNS servers role configuration opens.
7. For a Single-Server smart architecture:
a. In the drop-down list Available DNS servers, select an Amazon Route 53 server.
b. Click on + MASTER to add it to the Master DNS server(s) list and manage it via the smart
architecture.
c. If you want to publish one or several name servers or load balancers or even force the
Hybrid compatibility of the smart architecture, tick the box Expert mode and complete
the configuration as detailed in the section Adding a Single-Server Smart Architecture
in the chapter Managing DNS Smart Architectures.
d. Click on NEXT . The last page opens.
For more details regarding the fields Use DNS as DNSSEC resolver, Isolated, Descrip-
tion and Advanced properties, refer to the relevant smart architecture addition proced-

533
 Managing DNS Servers

ure in the section Adding a DNS Smart Architecture in the chapter Managing DNS Smart
Architectures.
8. For a Master/Slave or Multi-Master smart architecture:
a. In the drop-down list Available DNS servers, select an Amazon Route 53 server.
b. Click on + MASTER to add it to the Master DNS server(s) list and manage it via the smart
architecture. Note that an Amazon Route 53 server cannot be slave.
If you want to add other servers to the smart architecture, refer to the section Adding a
Master/Slave Smart Architecture or Adding a Multi-Master Smart Architecture in the
chapter Managing DNS Smart Architectures.
c. If you want to publish one or several name servers or load balancers or even force the
Hybrid compatibility of the smart architecture, tick the box Expert mode and complete
the configuration as detailed in the section Adding a Single-Server Smart Architecture
in the chapter Managing DNS Smart Architectures.
d. Click on NEXT . The last page opens.
For more details regarding the fields Use DNS as DNSSEC resolver, Isolated, Descrip-
tion and Advanced properties, refer to the relevant smart architecture addition proced-
ure in the section Adding a DNS Smart Architecture in the chapter Managing DNS Smart
Architectures.
9. For a Stealth smart architecture:
a. In the drop-down list Available DNS servers, select an Amazon Route 53 server.
b. Click on + MASTER or + PSEUDO-MASTER to add it to the relevant list and manage it via the
smart architecture. Note that an Amazon Route 53 server cannot be slave or hidden-
Master.
If you want to add other servers to the smart architecture, refer to the section Adding a
Stealth Smart Architecture in the chapter Managing DNS Smart Architectures.
c. If you want to publish one or several name servers or load balancers or even force the
Hybrid compatibility of the smart architecture, tick the box Expert mode and complete
the configuration as detailed in the section Adding a Single-Server Smart Architecture
in the chapter Managing DNS Smart Architectures.
d. Click on NEXT . The last page opens.
For more details regarding the fields Use DNS as DNSSEC resolver, Isolated, Descrip-
tion and Advanced properties, refer to the relevant smart architecture addition proced-
ure in the section Adding a DNS Smart Architecture in the chapter Managing DNS Smart
Architectures.
10. For a Farm smart architecture:
a. In the drop-down list Available DNS servers, select an Amazon Route 53 server.
b. Click on + MASTER to add it to the Master DNS server(s) list and manage it via the smart
architecture. Note that an Amazon Route 53 server cannot be slave.
If you want to add other servers to the smart architecture, refer to the section Adding a
Farm Smart Architecture in the chapter Managing DNS Smart Architectures.
c. Click on NEXT . The page Advanced settings opens, finish the configuration following
the procedure in the section Adding a Farm Smart Architecture in the chapter Managing
DNS Smart Architectures.
d. Click on NEXT . The last page opens.
For more details regarding the fields Use DNS as DNSSEC resolver, Isolated, Descrip-
tion and Advanced properties, refer to the relevant smart architecture addition proced-
ure in the section Adding a DNS Smart Architecture in the chapter Managing DNS Smart
Architectures.

534
 Managing DNS Servers

11. Click on OK to complete the operation. The report opens and closes. The synchronization,
sends the physical servers information to your AWS account server. You can display or hide
physical servers managed by the smart architecture using the button on the right-end
side of the menu.

On the page All servers and All zones, the column Multi-status indicates any incompatibilities
or replication problems.

You can check that the replication is properly performed on the page All RRs of the smart archi-
tecture. They should be all listed and OK.

For more details regarding the server content configuration, refer to the chapters Managing
Amazon Route 53 Zones and Managing Amazon Route 53 Records.

Removing an Amazon Route 53 Server from a Smart Architecture

You can stop managing an Amazon Route 53 server from a smart architecture.

To successfully remove an AWS server from a smart:

1. Follow the procedure To remove an Amazon Route 53 server from a smart architecture.
2. If your smart architecture manages other servers, you should remove the awsdns NS records
as they are no longer relevant for the smart architecture, as detailed in the procedure To delete
Amazon Route 53 NS resource records.

To remove an Amazon Route 53 server from a smart architecture

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the smart architecture of your choice, click on . The properties
page opens.
3. In the panel Main properties, click on EDIT . The wizard Edit a DNS server opens.
4. If custom classes are enabled at server level, in the list DNS server class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. Click on NEXT . The smart architecture dedicated page opens.
6. Click on NEXT . The page DNS servers role configuration opens.
7. In the Master DNS server(s) list or Pseudo-master DNS server (slave server used as
decoy) list, click on . The server is moved back to the drop-down list Available DNS servers.
8. If you are editing a Farm architecture or if you configured NS records on another architecture,
click on NEXT . The page Advanced settings opens. For more details regarding this page,
refer to the last steps of the relevant smart architecture addition procedure in the section
Adding a DNS Smart Architecture.
9. Click on OK to complete the operation. The report opens and closes. If the architecture
manages other DNS servers, you can display them using the button on the right-end
side of the menu.

If the smart architectures manages other servers, now that it no longer manages the Amazon
Route 53 server, you must delete all AWS NS records.

535
 Managing DNS Servers

To delete Amazon Route 53 NS resource records

1. In the sidebar, go to DNS > RRs. The page All RRs opens.
2. In the column Zone, click on the name of the zone of your choice to display the RRs it con-
tains.
3. In the column Type, filter the list to only display NS records.
4. In the column Value, filter the list to display awsdns records.
5. Tick the record(s) of your choice.
6. In the menu, click on Delete. The wizard Delete opens.
7. Click on OK to complete the operation. The RR is marked Delayed delete and is then no
longer listed.

Managing Amazon Route 53 Zones

From the page All zones, you can manage public zones in Public Route 53 servers, and private
zones in Private Route 53 servers.

Before managing Route 53 zones, you must take into account the prerequisites, specificities and
limitations.

For more details on how to add, edit and delete zones on Amazon Route 53 servers, refer to the
chapter Managing DNS Zones.

Prerequisites
• To manage existing Private zones from the GUI, the parent Amazon Route 53 server must be
configured with the exact same VPCs list as the zones in AWS.
• The zone name must be unique. If several zones of the Amazon Route 53 server share the
same name on your AWS account, you cannot manage any of them.
• The zone name must be FQDN and include a TLD.
• SOLIDserver and AWS must be time synchronized, ideally using NTP. Otherwise, any change
made from the GUI cannot be pushed to your AWS account server.

Specificities
• You can only add or import Master zones. For more details, refer to the sections Adding a
Master Zone in the chapter Managing DNS Zones or Importing Zones in the chapter Importing
Data from a CSV File.
• All the zones of a Private server are associated with the VPCs configured on the server.
• Your zone contains by default an SOA specific to Amazon Route 53 and four awsdns NS re-
cords.
• On the zones properties page, the Name servers panel lists all the NS records of the zone.
• Adding, editing or deleting zones automatically refreshes the server and replicates your changes
to the AWS account server.
• The report Zones NS and IP addresses allows to retrieve the IP address of each of your NS
records. For more details, refer to the section DNS Zone Reports.

Limitations
• If your AWS zones contain records configured with the options Heatlh Check and Routing
Policy, they cannot be synchronized. These options are not supported by SOLIDserver. You

536
 Managing DNS Servers

must remove these options directly via your AWS account to then be able to synchronize and
manage the zone via the GUI.
• On Public Amazon Route 53 servers, once a delegation set is configured:
• The server can either host a domain in a zone, or subdomains in separate zones. It cannot
manage both a domain and any of its subdomains.
• The server cannot host more than 100 zones.
• On Private Amazon Route 53 servers:
• Several Private servers can manage the same domain only if they are configured with different
VPCs.
• Each zone cannot be associated with more than 300 VPCs.

Managing Amazon Route 53 Records

From the page All RRs, you can manage public records in Public Route 53 servers, and private
records in Private Route 53 servers.

Before managing Route 53 records, you must take into account the prerequisites, specificities
and limitations.

For more details on how to add, edit and delete records on Amazon Route 53 servers, refer to
the chapter Managing DNS Resource Records.

Prerequisites
• SOLIDserver and AWS must be time synchronized, ideally using NTP. Otherwise, any change
made from the GUI cannot be pushed to your AWS account server.

Specificities
• Each zone contains by default four NS records with the value awsdns, specific to Amazon
Route 53 servers.
• Each zone contains by default an SOA record named after one of the NS records. For that
reason, even if the server is managed by a smart architecture, the SOA name is not overwritten
by the name of the smart architecture server.
• TXT records containing characters considered invalid by AWS are listed in the GUI but are
never synchronized.

Limitations
• Amazon Route 53 servers only support the following records: NS, MX, A, AAAA, PTR, CNAME,
TXT and SRV.
• If your server is managed via a smart architecture, you can add other types of records, but
their status is N/A and they are not taken into account, or replicated, by your Amazon Route
53 server.
• AWS records configured with the options Heatlh Check and Routing Policy are not supported.
If a zone contains them, it cannot be synchronized.
• The AWS zones resolution relies on the awsdns NS records, so you cannot delete them from
a zone, an AWS server or a smart architecture managing an AWS server.
However, if you stop managing an Amazon Route 53 server via a smart architecture, you can
remove the awsdns records from the page All RRs of the smart architecture as they are no
longer relevant.

537
 Managing DNS Servers

Managing Azure DNS Servers

SOLIDserver supports the management of Azure DNS servers. These servers provide a cloud
based Anycast DNS service available for Microsoft Azure account owners.

From the page All servers, you can add your Azure DNS server using your Microsoft Azure account
credentials. Once listed in the GUI, you can add, edit and/or delete the server zones and resource
records.

Note that:
• Azure DNS servers can be managed from a smart architecture, but they can only assume a
limited number of roles within the architecture:

Table 39.18. Possible role of a physical server within a smart architecture per vendor
Physical server vendor
Role a
Hybrid DNS Amazon
EfficientIP Microsoft Generic Azure
NSD Unbound Route 53
Master X X X X X X X
Slave X X X X
Hidden-Master X X X
Pseudo-Master X X X X X
a
EfficientIP and EfficientIP Package servers

• The column Multi-status returns any incompatibility or limitation in the server configuration.

Prerequisites
• You must make sure that the DNS service is properly started before adding a new server. For
more details, refer to the chapter Configuring the Services.
• You must have an Azure Subscription. Keep your subscription ID ready to add Azure servers.
• You must have an Azure Application with sufficient permissions to manage Azure DNS Zones
and Private DNS Zones. Keep your tenant ID, application (Client) ID and secret key ready to
add Azure servers.
These permissions can be assigned using the predefined IAM roles DNS Zone Contributor
and Private DNS Zone Contributor, assigned to the application on the subscriptions and/or
resource groups you intend to manage.
• You must configure NTP synchronization to ensure that SOLIDserver and Microsoft Azure are
time synchronized. For more details, refer to the section Configuring the Time and Date.
Besides, we recommend displaying the time using UTC. For more details, refer to the procedure
To configure the user settings.
• You must make sure SOLIDserver is able to reach the endpoint of the services Microsoft Azure
using HTTPs. If the services are unreachable, the Azure server stays in Timeout.

Limitations
• Azure DNS servers do not support DNS views.
• Azure records management is limited, only a set of records are supported. For more details,
refer to the section Managing Azure Records.

538
 Managing DNS Servers

Adding Azure DNS Servers

When adding an Azure DNS server, you do not need to provide an IP address. Thanks to the
Microsoft Azure account credentials, SOLIDserver identifies your Azure DNS server and commu-
nicates directly with it using REST protocol.

Before adding an Azure DNS server, note that:

• You can manage public zones and records in Public servers, and private zones and records
in Private servers. At server level, you must select one type or the other.
Note that you cannot edit a server to change its Type, it is either Public or Private.
• If you add a Private server, you must configure a list of virtual networks at server level. This
allows to associated all the zones of the server with these virtual networks.
If you already manage private zones on Azure, to ensure they are properly served once man-
aged from the GUI, it is recommended to configure the server with all the virtual networks
currently associated with one or several of these zones.

To add an Azure DNS server

1. Take into account the prerequisites and limitations.
2. In the sidebar, go to DNS > Servers. The page All servers opens.
3. In the menu, select Add > Azure. The wizard Add an Azure DNS server opens.
4. If custom classes are enabled at server level, in the list DNS server class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. In the field Name, specify a DNS resolvable fully qualified domain name (FQDN) for your
server.
6. In the field Azure tenant ID, specify your Azure tenant ID.
7. In the field Azure application ID, specify your Azure application ID.
8. In the field Azure subscription ID, specify a subscription ID.
9. In the field Azure resource group, specify the name of a resource group.
10. In the field Azure secret, specify the secret key.
11. In the drop-down list Type, select Public or Private. By default, Public is selected.
a. If you leave Public selected, go to step 12.
b. If you select Private, the page refreshes and the fields Filter, Available virtual networks
and Selected virtual networks appear. You must configure the list of VNs of the server
and all its zones:

Table 39.19. Public virtual network configuration fields for Azure servers
Field Description
Filter An IPv4 address, IPv6 address, resource group name, virtual network name or
location to filter the list of Available virtual networks. This field is optional.
Available virtual The list of virtual networks (VN) of the specified subscription ID.They are displayed
networks as follows: <resource-group>/<VN-name> - <Region>.
Right of the list, you can click on to query your Azure tenant and refresh the
list.
Select one by one all the VNs of your choice and click on to move them to the
list Selected virtual networks.

539
 Managing DNS Servers

Field Description
Keep in mind that it is recommended to configure the server with all the virtual
networks associated with your existing zones in Azure.
Selected virtual The list of all the VNs of the server. It cannot exceed 1000 VNs. This field is re-
networks quired.
To remove a VN from the list, select it and click on to move it back to the list
Available virtual networks.

12. Tick the box Isolated if you want to isolate the server within SOLIDserver. This prevents the
server, and its content, from executing any configured replication rule or advanced property.
The server still receives data if your network configuration allows it.
This option is mainly useful during migrations. When the server configuration is ready and
you untick the box, you must manually execute the rules and/or advanced properties, at all
relevant levels of the module hierarchy, via the menu Tools > Initialize rules.
13. In the field Description, you can specify a description, it it displayed in the column Description
of the page All servers.
14. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
15. Click on OK to complete the operation. The server is listed on the page All servers.

Once you added an Azure DNS server:

• The server stays in Invalid time if SOLIDserver and the Microsoft Azure account are not set at
the same time. SOLIDserver must be set to UTC. For more details, refer to the procedure To
configure the user settings.
• If you edit the content of an Azure DNS server directly from the Microsoft Azure interface, you
need to synchronize the server in SOLIDserver GUI to retrieve and display the changes. For
more details, refer to the procedure To synchronize DNS servers.
• Before managing zones and records, keep in mind that if you added a Private server, all its
zones are associated with the virtual networks you configured.
For more details, refer to the sections Managing Azure Zones and Managing Azure Records.
• If your internal network policies prevent you from accessing Microsoft services directly, you
might need to set a proxy server via a registry database entry to handle Azure DNS requests,
as described below.

To set a proxy server for Azure DNS

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
2. In the section Expert, click on Registry database. The page Registry database opens.
3. Filter the column Name with module.dns.azure.proxy.
4. Hit Enter. Only this key is listed.
5. In the column Value, click on the corresponding value. The wizard Registry database
Add an item opens.
6. In the field Value, specify the server configuration as follows: <hostname_or_ip>:<port>.
If need be, you can also define the access credentials as follows: <username>:<pass-
word>@<hostname_or_ip>:<port>.

540
 Managing DNS Servers

7. Click on OK to complete the operation. The report opens and closes. The page refreshes
and the key is listed.

Managing Azure Zones

From the page All zones, you can manage public zones in Public Azure servers, and private
zones in Private Azure servers.

Before managing Azure zones, you must take into account the prerequisites, specificities and
limitations.

For more details on how to add, edit and delete zones on Azure servers, refer to the chapter
Managing DNS Zones.

Prerequisites
• The zone name must include a TLD.
• SOLIDserver and Microsoft Azure must be time synchronized, ideally using NTP. Otherwise,
any change made from the GUI cannot be pushed to your Microsoft Azure account server.

Specificities
• You can only add or import Master name and Master reverse zones. For more details, refer to
the section Adding a Master Zone in the chapter Managing DNS Zones or Importing Zones in
the chapter Importing Data from a CSV File.
• All the zones of a Private server are associated with the virtual networks configured on the
server.
• If you manage existing Private zones from the GUI, it is recommended to configure the parent
server with all the virtual networks already associated with any of your zones in Azure.
• Adding, editing or deleting zones automatically refreshes the server and replicates your changes
to the Microsoft Azure account server.
• The report Zones NS and IP addresses allows you to retrieve the IP address of each of your
NS records. For more details, refer to the section DNS Zone Reports.

Limitations
• Azure Public servers only support 250 zones per subscription.
• Azure Private servers only support 1000 private zones per subscription.
• Azure Private zones cannot be associated with more than 1000 VNs.
• Azure DNS servers do not support RPZ zones.
• Zones cannot be named test.zone.

Managing Azure Records

From the page All RRs, you can manage public records in Public Azure servers, and private re-
cords in Private Azure servers.

Before managing Azure records, you must take into account the prerequisites, specificities and
limitations.

For more details on how to add, edit and delete records on Azure servers, refer to the chapter
Managing DNS Resource Records.

541
 Managing DNS Servers

Prerequisites
• SOLIDserver and Microsoft Azure must be time synchronized, ideally using NTP. Otherwise,
any change made from the GUI cannot be pushed to your Microsoft Azure account server.

Specificities
• Each zone contains by default an SOA record named after one of the NS records. For that
reason, even if the server is managed by a smart architecture, the SOA name is not overwritten
by the name of the smart architecture server.

Limitations
• Azure Public servers only support:
• A, AAAA, CNAME, MX, NS, PTR, SRV, TXT, CAA and SOA records. For TXT records, only
ASCII is supported.
• 10 000 RRsets per public zone.
• 20 RRs per RRset in public zones.
• Azure Private servers only support:
• A, AAAA, CNAME, MX, PTR, SRV, TXT, CAA and SOA records. For TXT records, only
ASCII is supported.
• 25 000 RRsets per private zone.
• If your server is managed from a smart architecture, you can add other types of records, but
their status is N/A and they are not taken into account, or replicated, by your Azure DNS
server.

Synchronizing DNS Servers

By default, all DNS physical servers and smart architectures are synchronized periodically but
you can manually synchronize them to ensure all data is up-to-date.

Amazon Route 53 servers must be synchronized if they were edited directly from the AWS account.

Some data, like the panel Sources of physical servers, is only visible once the server has been
successfully synchronized at least once.

To synchronize DNS servers

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. Tick the server(s) you want to synchronize.
3. In the menu, select Edit > Synchronize. The wizard Synchronization opens.
4. Click on OK to complete the operation. The report opens and closes. The page reloads.

542
 Managing DNS Servers

Editing DNS Servers

You can edit any kind of DNS server via the contextual menu or from its properties page. Before
proceeding, note that:
• For servers managed from a smart architecture, some parameters can only be edited when
you edit the architecture. For instance, on EfficientIP servers managed via an architecture, the
boxes Isolated, Use as DNSSEC resolver and the advanced properties are only available when
you edit the architecture.
• The edition procedure does not detail all parameters, for more details refer to the relevant ad-
dition procedure.
• The SNMP protocol is no longer supported as managing protocol for a server, so editing it
automatically changes the management protocol to use SSL instead of SNMP. This op-
eration is non-reversible.
• EfficientIP and EfficientIP Package servers in version 7.x are managed through a dedicated
service account using a randomly generated password. Note that:
• A server can be managed by only one appliance. To switch the appliance managing the
server, you need to edit your sever and specify your credentials again.
• For servers added in previous versions, after an upgrade to version 7.0, to switch to this new
management system, you need to edit the servers.
• EfficientIP and EfficientIP Package servers can only be edited if they are reachable, they must
be up and running when you edit them.
• You can edit EfficientIP, EfficientIP Package and Generic servers to secure their data exchanges
with SOLIDserver. For more details, refer to the section Securing the Management of DNS
Servers Using a TSIG Key.
• You can edit Amazon Route 53 servers. However, you cannot change their Type, they are
either Public or Private.
On Public Amazon Route 53 servers, you cannot edit the reusable delegation set if you con-
figured one.
• You can edit Azure servers. However, you cannot change their Type, they are either Public or
Private.

For more advanced configurations like forwarding, recursion, transfer, blackhole, sortlist..., refer
to the chapter Configuring DNS Servers.

To edit a DNS server

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the server of your choice, click on . The properties page opens.
3. Open all the panels using .
4. In the panel of your choice, click on EDIT . The corresponding wizard opens.
5. Make all the changes you need.
If you are editing the Main properties of a server, you can edit the DNS server type and
click on NEXT . The next page open.
For EfficientIP and EfficientIP Package, the main properties include extra fields, you can:
a. Tick the box Configure TSIG parameters to secure the management of your server.
The drop-down list TSIG key name appears.
In the drop-down list TSIG key name, select an existing key. Note that this key must
also be used in the statements allow-update and allow-transfer at view and/or zone level

543
 Managing DNS Servers

to secure all exchanges. For more details, refer to the section Securing the Management
of DNS Servers Using a TSIG Key.
b. If you have changed the default SSH password of the appliance embedding the DNS
server or if you want to switch to the new management system, tick the box Configure
enrollment parameters. The field "Admin" account password appears.
In the field "Admin" account password, replace the value displayed with the relevant
SSH password.
c. Tick the box Configure SNMP monitoring parameters to edit the server SNMP para-
meters. A set of fields appear. To configure them, refer to the section Adding an Efficien-
tIP DNS Server.
d. Tick the box Use DNS as DNSSEC resolver, to enable DNSSEC resolution on the
server. For more details, refer to the chapter Managing DNSSEC on Recursive Servers.
6. Click on OK to complete the operation. The report opens and closes.

Securing the Management of DNS Servers Using a TSIG

Key
You can use TSIG keys to secure all the data exchanges between a DNS server and a SOLID-
server appliance. You can secure EfficientIP, EfficientIP Package and Generic servers. TSIG
keys are not supported by Microsoft servers.

By default, EfficientIP physical servers managed via a smart architecture provide TSIG keys on
the properties page. You can use either key to secure the server. To add TSIG keys, refer to the
section Configuring DNS Keys.

Note that:
• The TSIG key used to secure the server must also be used in the statements allow-transfer
and allow-update. Setting these statements at server level allows for the server views and
zones to inherit the configuration.
By default, the statement allow-transfer is configured with the ACL any, and the statement allow-
update is configured with the ACL admin.
To include the relevant TSIG key in both statements you can include the key to the ACL admin.
In this case, you must edit the statement allow-transfer to replace the ACL any with the ACL
admin. The statement allow-update is automatically updated.
To avoid using ACLs, you can edit the statement allow-transfer to grant access to the TSIG
key instead of the ACL any. You also need to add it to the statement allow-update.
For more details, refer to the section Limiting Zone Transfers at Server Level.
• The TSIG key selected at server level can be used at zone level to set up dynamic update, if
you use the TSIG key in the statement allow-update. For more details, refer to the section
Configuring DNS Update Authorizations on a Zone.

If you manage your physical servers from a smart architecture, the TSIG keys of the smart archi-
tecture are pushed to the properties of each of the physical servers it manages. So keep in mind
that a TSIG key must be unique to each server, you cannot use the same for several servers.

To select a TSIG key for EfficientIP and EfficientIP Package servers

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. Right-click over the name of the EfficientIP or EfficientIP Package server of your choice,
click on . The wizard Edit a DNS server opens.

544
 Managing DNS Servers

3. Click on NEXT until you get to the last page of the wizard.
4. Tick the box Configure TSIG parameters if it is not already ticked.
5. In the drop-down list TSIG key name, select the key of your choice.
6. Click on OK to complete the operation. The report opens and closes.

To configure a TSIG key for Generic servers

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the Generic server of your choice, click on . The properties page
opens.
3. In the panel Main properties, click on EDIT . The wizard Edit a DNS server opens.
4. Click on NEXT until you get to the last page of the wizard.
5. Tick the box Configure TSIG parameters if it is not already ticked.
6. In the field TSIG key name, specify the name of the key.
4
7. In the drop-down list TSIG key method, select the method that suits your needs . If you are
not using an access key for this server, select None.
8. In the field TSIG key value, specify your key value.
9. Click on OK to complete the operation. The report opens and closes.

Flushing the Cache of DNS Servers

You can flush the cache of EfficientIP servers to delete entries. Note that:
• You can only flush EfficientIP and EfficientIP Package servers.
• You can only flush recursive and cache servers, you cannot flush authoritative servers.
• Flushing the cache is irreversible.

To flush the cache of DNS servers

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. Tick the server(s) of your choice.
3. In the menu, select Edit > Command > Flush cache. The wizard Flush DNS Cache
opens.
4. In the drop-down list Flush, select The entire cache, Zone(s) or Record(s).

Table 39.20. Available options in the drop-down list Flush

Option Description
The entire cache Allows to delete all cached entries. By default, it is selected.
Zone(s) Allows to delete the cached entries of a domain and any of its subdomains and records.
Selecting it refreshes the wizard, the field Name appears.
Name The name of a domain, like domain.com to delete all the cached entries of
the domain and all its subdomains. This field is required.
You can specify the name of a subdomain, like sub.domain.com to delete
all the entries of the subdomain, or *.domain.com to delete all matching
subdomain entries.
Record(s) Allows to delete one or more cached records. Selecting it refreshes the wizard, the
field Name appears.
Name The name of a cached record, like www.domain.com to delete it from the
cache. This field is required.

4
The standardized protocol for key codes is HMAC-MD5.

545
 Managing DNS Servers

Option Description
You can type in *.domain.com to delete all matching records.

5. The box Set Guardian entries as expired (do not flush) only applies to Guardian servers,
leave it unticked.
For more details, refer to the section Clearing Guardian Cache Manually in the chapter
Managing Guardian Cache.
6. Click on OK to complete the operation. The wizard closes.

Exporting DNS Servers

From the page All servers, you can export the data listed in a CSV, HTML, XML, XLS or PDF
file.

Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.

Deleting DNS Servers

You can delete a server and stop managing it from SOLIDserver.

Keep in mind that you cannot delete a physical server if:

• It is managed by a smart architecture. For more details, refer to chapter Managing DNS Smart
Architectures.
• It is associated with an application. For more details, refer to chapter Managing Applications.

To delete a DNS server

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. Tick the server(s) of your choice.
3. In the menu, click on Delete. The wizard Delete opens.
4. Click on OK to complete the operation. The report opens and closes. The server might be
marked Delayed delete until it is no longer listed.

Defining a DNS Server as a Group Resource

In SOLIDserver, only users of the group admin can manage and edit the items of every module.
Adding a server as one of the resources of a specific group allows the users of that group to
manage the server in question as long as they have the corresponding rights granted.

Granting access to a server as a resource also makes every item it contains available. For more
details, refer to the section Adding Resources to a Group in the chapter Managing Groups.

546
Chapter 40. Configuring DNS Servers
You can configure EfficientIP DNS servers and smart architectures with specific options from
their properties page. Note that:
• When a server is managed from a smart architecture, you cannot configure most of its options.
Instead, you must configure the smart architecture, all changes are applied to the server.
Only a few configurations can be set directly on a server managed from an architecture, to
override the architecture configuration.
• Any configuration set at server level is inherited by all the views and zones it contains.
• If you configure any of these options at view or zone level, the value set at server level
is overridden.

Configuring DNS Forwarding at Server Level

A forwarder is a DNS server that is designated to facilitate forwarding of queries for other DNS
servers. It can manage name resolution for names outside of your network, such as names on
the Internet, and improve the efficiency of name resolution for the computers in your network.
Forwarding is used only for queries for which the server is not authoritative and does not have
the answer in its cache.

Setting a DNS server as a forwarder allows to prevent leaving DNS information exposed outside
of a network as your DNS servers do not need to send queries outside to their root hints. In ad-
dition, it allows to minimize the volume of external traffic which can be costly and inefficient for
a network with a slow Internet connection or a company with high Internet service costs.

If you specify a list of forwarders on a smart server, you can set the forwarding to:
• first: the DNS server queries the forwarders first, if none of the forwarders in the list are re-
sponsive, the server looks for the answer itself.
• only: the DNS only forward queries to the forwarders in order to avoid an answer seeking.
• none: the forwarding is disabled. This is the default value.

SOLIDserver always sends the query to the forwarder with the lowest round trip time (RTT) in
the list of forwarders configured. The RTT measures how long a remote name server takes to
respond to queries. Each time an EfficientIP DNS server sends a query to a forwarder it starts
an internal clock, and stops it when it receives a response. The RTT is stored to ensures that
queries are sent to the proper forwarder.

Keep in mind that:

• The forwarding configuration set on a smart architecture is automatically inherited by the
servers it manages. You can override the configuration directly on a physical server.
• Any configuration set at view or zone level overrides the server level configuration. For
more details, refer to the sections Configuring DNS Forwarding at View Level and Configuring
DNS Forwarding at Zone Level.

To configure forwarding on a server or smart architecture

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the server or smart architecture of your choice, click on . The
properties page opens.
3. Open the panel Forwarding using .

547
 Configuring DNS Servers

4. Click on EDIT . The wizard Forwarding configuration opens.

5. In the drop down-list Forward mode, select None, First or Only. By default, None is selected.

Table 40.1. Forward mode options at smart architecture or server level

Option Description
None The server does not send the queries to a forwarder and looks for the answer itself. This
option is set by default. Selecting this option clears the list Forwarders. You cannot set
None on a server managed by a smart architecture.
First The server sends the queries to the forwarder(s) and, if it does not receive any answer,
attempts to find an answer on its own.
Only The server only forwards queries to the forwarder(s) configured for the server.

6. Specify the forwarder(s):

a. In the field Add a forwarder, specify the address of a forwarder or its name and click
on SEARCH to retrieve its IP address.
b. Click on ADD to move it to the list Forwarders.
Repeat these actions for as many forwarders as needed.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the
field(s) and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .

7. Click on OK to complete the operation. The report opens and closes. The configuration is
displayed in the panel.

You can set a specific forwarding configuration for physical servers managed via a smart
architecture already configured with forward options. This new configuration is inherited by the
views, zones and records of the physical server. Keep in mind that:
• When a forward mode is set on a smart architecture, you cannot set the forward mode to None
on any physical server it manages. You can only set a different forward mode.
• Any configuration set at view or zone level overrides the server level configuration.

To configure a specific forward mode on a server managed via a smart architecture

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. Make sure the servers managed by your smart architectures are displayed. If not, on the
right-end side of the menu, click on .
3. At the end of the line of the server or smart architecture of your choice, click on . The
properties page opens.
4. Open the panel Forwarding using .
5. Click on EDIT . The wizard Forwarding configuration opens.
6. Tick the box Overwrite the smart settings. The page refreshes and displays additional
fields.
7. In the field Forward mode, select First or Only. For more details, refer to the table Forward
mode options.
You cannot set the forward mode of a physical server managed via a smart architecture to
None.
8. Specify the forwarder(s):

548
 Configuring DNS Servers

a. In the field Add a forwarder, specify the address of a forwarder or its name and click
on SEARCH to retrieve its IP address.
b. Click on ADD to move it to the list Forwarders.
Repeat these actions for as many forwarders as needed.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the
field(s) and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .

9. Click on OK to complete the operation. The report opens and closes. The configuration is
displayed in the panel, the value of Forward is preceded by the message Smart configuration
is overwritten.

To revert the specific configuration and inherit it again, edit the Forwarding to untick the box
Overwrite the smart settings.

Configuring DNS Recursion at Server Level

In principle, authoritative name servers are sufficient for the operation of the Internet. However,
with only authoritative name servers operating, every DNS query must start with recursive queries
at the root zone of the DNS and each user system must implement resolver software capable of
recursive operations. To improve performance, recursive servers cache the results of the lookups
they perform. The processes of recursion and caching are intimately connected, then the terms
recursive server and caching server are often used synonymously. The length of time for which
a record may be retained in the cache of a caching name server is controlled by the field Time
To Live (TTL) of each resource record. Typically, such caching servers, also called DNS caches,
also implement the recursive algorithm necessary to resolve a given name starting with the DNS
root through to the authoritative name servers of the queried domain. By default the DNS recursion
function is enabled in SOLIDserver DNS.

A recursive query requires the DNS server to return requested DNS data, or locate the data
through queries to remote DNS servers. When a DNS server receives a query for DNS data it
does not have, it first sends a query to any specified forwarders. If a forwarder does not respond
with any return, it resends the same query to the next configured forwarder until it receives an
answer. If it receives no answer or a negative answer, then it sends a non-recursive query to
specified internal root servers. If no internal root servers are configured, the DNS server sends
a non-recursive query to the Internet root servers.

Enabling and Disabling the Recursion

If the recursion is enabled, the server always provides recursive query behavior if requested by
the client. If it is disabled, the server only provides iterative query behavior - normally resulting
in a referral. If the answer to the query already exists in the cache, it is returned irrespective of
the value of this statement. This statement essentially controls caching behavior in the server.

By default, the DNS recursion is enabled. The DNS properties page displays the panel Recur-
sion that allows you can set different DNS recursion configurations.

Keep in mind that any configuration set at view or zone level overrides the server level
configuration.

549
 Configuring DNS Servers

To enable the DNS recursion

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the server of your choice, click on . The properties page opens.
3. Open the panel Recursion using .
4. If the Recursion is set to no, click on EDIT . The wizard Recursion configuration opens.
5. In the drop-down list Recursion, select yes.
6. In the field Recursive-clients, you can edit the number of clients to serve recursively. By
default, it is set to 1000. For more details, refer to the section Limiting the Number of Clients
Served Recursively.
7. Click on NEXT . The page Allow recursion opens. For more details, refer to the section
Limiting the Recursion at Server Level.
8. Click on OK to complete the operation.

To disable the DNS recursion

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the server of your choice, click on . The properties page opens.
3. Open the panel Recursion using .
4. If the Recursion is set to yes, click on EDIT . The wizard Recursion configuration opens.
5. In the drop-down list, select no.
6. Click on NEXT . The page Allow recursion opens. For more details, refer to the section
Limiting the Recursion at Server Level.
7. Click on OK to complete the operation.

Limiting the Recursion at Server Level

By default, the EfficientIP DNS is allowed to serve all clients that send recursive queries. You
can restrict it by defining a match list defining IP address(es) which are allowed to issue recursive
queries to the server. Limiting the recursion allows to specify which hosts are allowed to make
recursive queries through the DNS server. If the restriction of the recursion (allow-recursion) is
not set then the restriction of caching (allow-query-cache) is applied if set, otherwise the restriction
of queries (allow-query) is used if set, or the default (localnets; localhost;) is used. If the answer
to the query already exists in the cache, it is returned irrespective of this statement.

Keep in mind that any configuration set at view or zone level overrides the server level
configuration.

To set an allow-recursion match list at server level

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the server of your choice, click on . The properties page opens.
3. Open the panel Recursion using and click on EDIT . The wizard Recursion configuration
opens.
4. Click on NEXT . The page Allow recursion opens.
Using the drop-down lists Type and Restriction, you can grant or deny access to as many
networks, IP addresses, ACLs and keys as you need. Select a Type and complete the con-
figuration as follows:

550
 Configuring DNS Servers

Table 40.2. Restriction and permission parameters

Type Restriction configuration
Network address A way to allow or deny access to an entire network. Specify the IPv4 or IPv6 address
of a network following the format <ip-address>/<prefix>.
IP address A way to allow or deny access to specific IP address. Specify the IPv4 or IPv6 address
of an appliance, user, host...
ACL A way to allow or deny access to an ACL defined at server level. Select admin, any,
none, localhost, localnets or any server custom ACL. For more details, refer to the
section Configuring Access Control Lists for a Server.
Note that the ACL admin is used by SOLIDserver to configure and exchange data
with DNS servers.
TSIG key A way to allow or deny access to a DNS key defined at server level. Select any TSIG
key available in the panel Keys. For more details, refer to the section Configuring DNS
Keys.

Once a restriction or permission is configured as needed, click on ADD . The entry is moved
to the list ACL values. All denied entries are preceded by an exclamation mark (!). Keep in
mind that the entries order matters, each restriction or permission listed is reviewed following
the order you set. To order the entries, select them one by one and click on the arrows to
move them up or down .
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the field(s)
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
5. Click on OK to complete the operation. The report opens and closes.

Limiting the Number of Clients Served Recursively

The statement recursive-clients allows to define the number of simultaneous recursive lookups
the server performs on behalf of its clients. In other words, it allows you to set or limit the number
of clients that your BIND server serves at the same time.

Once you set the recursion to yes, the recursive-client statement is enabled. To disable the re-
cursive-clients statement, you must disable the recursion.

The statement default value is 1000, meaning that 1000 simultaneous lookup requests can be
answered by the server. The minimum value is 1 and the maximum value is 4294967295.

You can set this statement on a smart architecture or on a physical server.

To limit the number of clients served recursively

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the server of your choice, click on . The properties page opens.
3. Open the panel Recursion using .
4. If the Recursion is set to no, click on EDIT . The wizard Recursion configuration opens.
5. In the drop-down list Recursion, select yes.
6. In the field Recursive-clients, specify the number of clients to serve recursively. It must be
a value between 1 and 4294967295. By default, it is set to 1000.
7. Click on NEXT . The page Allow recursion opens.

551
 Configuring DNS Servers

To edit the recursion configuration, refer to the section Limiting the Recursion at Server
Level.
8. Click on OK to complete the operation.

Configuring DNS Notify Messages at Server Level

DNS Notify ensures information consistency between primary and secondary servers as it allows
to inform slave zones of changes performed on the master zone. At server level, it allows to set
the changes notification once, on all relevant servers. Once the notification is sent to slave zones,
the administrator decides if a zone transfer is relevant. For more details, refer to the section
Limiting Zone Transfers at Server Level.

From the properties pages of a server, you can set the notification configuration in the panel
Notify. It contains:
• The current configuration of the server, the field Notify is either set to Yes, Explicit or No.
• The statement Also-notify, the IP address and port of the managing smart architecture(s) that
must be notified of any slave zones update.
By default, this statement is unset. Therefore, the smart architecture is informed of the changes
when it refreshes, every hour, and not instantly.
• The statement Allow-notify of the server slave zones. It can allow all the servers of a network
to notify your server slave zones or only some servers.
Note that this statement is implicitly set when you add a slave zone, when you set the Master
IP address of the slave zone you are allowing the master zones of this server to send notify
messages to your slave zone.

Keep in mind that any configuration set at view or zone level overrides the server level
configuration.

To configure notify messages at server level

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the server of your choice, click on . The properties page opens.
3. Open the panel Notify using and click on EDIT .The wizard Notifying configuration opens.
4. In the drop-down list Notify, select no, yes or explicit. By default, yes is selected.

Table 40.3. Notify configuration at server level

Field Description
no No notify message is sent when changes are performed in the master zones.
yes The notify messages are sent to the target of the NS records of the master zone and to the
server(s) of the Also-notify list.
explicit The notify messages are only sent to the server(s) of the Also-notify list.

5. If you selected yes or explicit, you can set the IP address and port of the server(s) which
slave zones should receive the messages:
a. In the field IP address, specify the IP address of another server.
b. In the field Port, you can specify which port number, on the specified server, should
receive the notify messages.
c. Click on ADD . The IP address and port number are moved to the Also-notify list as
follows: <ip-address> port: <port-number>.
Repeat these actions for as many servers as needed.

552
 Configuring DNS Servers

• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the
field(s) and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .

6. Click on NEXT . The page Allow-notify opens. It allows to specify if the server slave zones
can receive master zones notification messages.
Using the drop-down lists Type and Restriction, you can grant or deny access to as many
networks, IP addresses, ACLs and keys as you need. Select a Type and complete the con-
figuration as follows:

Table 40.4. Restriction and permission parameters

Type Restriction configuration
Network address A way to allow or deny access to an entire network. Specify the IPv4 or IPv6 address
of a network following the format <ip-address>/<prefix>.
IP address A way to allow or deny access to specific IP address. Specify the IPv4 or IPv6 address
of an appliance, user, host...
ACL A way to allow or deny access to an ACL defined at server level. Select admin, any,
none, localhost, localnets or any server custom ACL. For more details, refer to the
section Configuring Access Control Lists for a Server.
Note that the ACL admin is used by SOLIDserver to configure and exchange data
with DNS servers.
TSIG key A way to allow or deny access to a DNS key defined at server level. Select any TSIG
key available in the panel Keys. For more details, refer to the section Configuring DNS
Keys.

Once a restriction or permission is configured as needed, click on ADD . The entry is moved
to the list ACL values. All denied entries are preceded by an exclamation mark (!). Keep in
mind that the entries order matters, each restriction or permission listed is reviewed following
the order you set. To order the entries, select them one by one and click on the arrows to
move them up or down .
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the field(s)
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
7. Click on OK to complete the operation. The report opens and closes. The configuration is
displayed in the panel.

Restricting DNS Queries at Server Level

The DNS queries can be restricted through the options allow-query and allow-query-cache. They
both set an ACL list for IP addresses and/or network addresses, so keep in mind that the order
of the elements listed in the field ACL values is important as each restriction or permission
is reviewed following the order you set in the list.

Allow query
You can specify which hosts are allowed to issue DNS queries. The allow-query properties can
be configured for an entire server including all the zones it contains. By default, queries are allowed
from the local host (localhost) and the local networks (localnets).

553
 Configuring DNS Servers

Keep in mind that any configuration set at view or zone level overrides the server level
configuration.

To set an allow-query match list at server level

You can apply the procedure below, at zone level as well.
1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the server of your choice, click on . The properties page opens.
3. Open the panel Access control using . This panel gathers the server Allow-query, Allow-
query-cache, Allow-transfer and Blackhole configuration.
4. Click on EDIT to change the configuration. The wizard opens.
5. On the page Allow query, set up the allow-query match list.
Using the drop-down lists Type and Restriction, you can grant or deny access to as many
networks, IP addresses, ACLs and keys as you need. Select a Type and complete the con-
figuration as follows:

Table 40.5. Restriction and permission parameters

Type Restriction configuration
Network address A way to allow or deny access to an entire network. Specify the IPv4 or IPv6 address
of a network following the format <ip-address>/<prefix>.
IP address A way to allow or deny access to specific IP address. Specify the IPv4 or IPv6 address
of an appliance, user, host...
ACL A way to allow or deny access to an ACL defined at server level. Select admin, any,
none, localhost, localnets or any server custom ACL. For more details, refer to the
section Configuring Access Control Lists for a Server.
Note that the ACL admin is used by SOLIDserver to configure and exchange data
with DNS servers.
TSIG key A way to allow or deny access to a DNS key defined at server level. Select any TSIG
key available in the panel Keys. For more details, refer to the section Configuring DNS
Keys.

Once a restriction or permission is configured as needed, click on ADD . The entry is moved
to the list ACL values. All denied entries are preceded by an exclamation mark (!). Keep in
mind that the entries order matters, each restriction or permission listed is reviewed following
the order you set. To order the entries, select them one by one and click on the arrows to
move them up or down .
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the field(s)
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
To order the entries, select them one by one and click on the arrows to move them up or
down .
6. Click on NEXT twice to skip the pages Allow-query-cache and Allow transfer and open the
page Blackhole.
7. Click on OK to complete the operation. The report opens and closes.

Allow query cache

You can set a list of the IP addresses that are allowed to issue queries on the local cache. The
allow-query-cache properties are configured at server level and apply to the zones managed
through the server.

554
 Configuring DNS Servers

Allow-query-cache statement particularities

The allow-query-cache is independent from the allow-query statement but closely linked to
the allow-recursion statement.
If the recursion is set to no, the cache cannot be queried, so it is useless to set an allow-
query-cache match list.
If the recursion is set to yes and the allow-recursion statement is not defined, by default the
localhost and localnets are permitted to query the server cache.
If the recursion is set to yes and the allow-recursion statement is defined with a specific match
list, the local cache access is granted to all the entries of the allow-recursion match list.

The match list defined controls recursive behavior as recursive queries would be useless without
access to the local cache. Typically, if a host is in the allow-recursion match list, it could access
the server the first time and get query result. However, if it is not part of the allow-query-cache
match list then it would not be able to make the same query a second time as it would be saved
on the cache to which it does not have access. On the contrary, if a host is in the allow-query-
cache match list but not in the allow-recursion match list, it would only get results for queries
already sent by another host with the proper access rights. Hence the need to configure carefully
both these statements to avoid conflicts and absurd access configurations.

Keep in mind that any configuration set at view level overrides the server level configuration.

To set an allow-query-cache match list at server level

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the server of your choice, click on . The properties page opens.
3. Open the panel Access control using . This panel gathers the server Allow-query, Allow-
query-cache, Allow-transfer and Blackhole configuration.
4. Click on EDIT to change the configuration. The wizard opens.
5. Click on NEXT to skip the page Allow-query.
6. On the page Allow-query-cache, set up the allow-query cache match list.
Using the drop-down lists Type and Restriction, you can grant or deny access to as many
networks, IP addresses, ACLs and keys as you need. Select a Type and complete the con-
figuration as follows:

Table 40.6. Restriction and permission parameters

Type Restriction configuration
Network address A way to allow or deny access to an entire network. Specify the IPv4 or IPv6 address
of a network following the format <ip-address>/<prefix>.
IP address A way to allow or deny access to specific IP address. Specify the IPv4 or IPv6 address
of an appliance, user, host...
ACL A way to allow or deny access to an ACL defined at server level. Select admin, any,
none, localhost, localnets or any server custom ACL. For more details, refer to the
section Configuring Access Control Lists for a Server.
Note that the ACL admin is used by SOLIDserver to configure and exchange data
with DNS servers.
TSIG key A way to allow or deny access to a DNS key defined at server level. Select any TSIG
key available in the panel Keys. For more details, refer to the section Configuring DNS
Keys.

Once a restriction or permission is configured as needed, click on ADD . The entry is moved
to the list ACL values. All denied entries are preceded by an exclamation mark (!). Keep in
mind that the entries order matters, each restriction or permission listed is reviewed following

555
 Configuring DNS Servers

the order you set. To order the entries, select them one by one and click on the arrows to
move them up or down .
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the field(s)
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
To order the entries, select them one by one and click on the arrows to move them up or
down .
7. Click on NEXT twice to skip the page Allow-transfer and open the page Blackhole.
8. Click on OK to complete the operation. The report opens and closes.

Limiting Zone Transfers at Server Level

DNS zone transfer allows to replicate and synchronize copies of a zone on all the relevant servers.
SOLIDserver denies zone transfers by default to all DNS servers.

You can edit the statement allow-transfer of a server to specify which hosts, networks, or TSIG
keys are granted or denied the right to do transfers for all the zones it maintains.

Keep in mind that:

• If you secured a server with a TSIG key, the statement allow-transfer must grant access to the
same key. It can either only allow the TSIG key in the statement, or include the key to an ACL
and use that ACL instead of the ACL any. This configuration is inherited by the views and
zones of the server. For more details, refer to the section Securing the Management of DNS
Servers Using a TSIG Key.
• Any configuration set at view or zone level overrides the server level configuration.

To set an allow-transfer match list at server level

You can also apply the procedure below at zone level.
1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the server of your choice, click on . The properties page opens.
3. Open the panel Access control using . This panel gathers the server Allow-query, Allow-
query-cache, Allow-transfer and Blackhole configuration.
4. Click on EDIT to change the configuration. The wizard opens, each page corresponds to an
option.
5. Click on NEXT twice to skip the pages Allow-query and Allow query cache.
6. On the page Allow-transfer, setup the transfer match list.
Using the drop-down lists Type and Restriction, you can grant or deny access to as many
networks, IP addresses, ACLs and keys as you need. Select a Type and complete the con-
figuration as follows:

Table 40.7. Restriction and permission parameters

Type Restriction configuration
Network address A way to allow or deny access to an entire network. Specify the IPv4 or IPv6 address
of a network following the format <ip-address>/<prefix>.
IP address A way to allow or deny access to specific IP address. Specify the IPv4 or IPv6 address
of an appliance, user, host...

556
 Configuring DNS Servers

Type Restriction configuration

ACL A way to allow or deny access to an ACL defined at server level. Select admin, any,
none, localhost, localnets or any server custom ACL. For more details, refer to the
section Configuring Access Control Lists for a Server.
Note that the ACL admin is used by SOLIDserver to configure and exchange data
with DNS servers.
TSIG key A way to allow or deny access to a DNS key defined at server level. Select any TSIG
key available in the panel Keys. For more details, refer to the section Configuring DNS
Keys.

Once a restriction or permission is configured as needed, click on ADD . The entry is moved
to the list ACL values. All denied entries are preceded by an exclamation mark (!). Keep in
mind that the entries order matters, each restriction or permission listed is reviewed following
the order you set. To order the entries, select them one by one and click on the arrows to
move them up or down .
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the field(s)
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
To order the entries, select them one by one and click on the arrows to move them up or
down .
7. Click on NEXT . The page Blackhole opens.
8. Click on OK to complete the operation. The report opens and closes.

Configuring a Blackhole
By default, queries are allowed from the local host and the local networks. You can configure a
blackhole to identify specific IP addresses, networks, ACLs and keys you consider as spam.

The blackhole configuration is set at server level, it applies to the server, its views and its zones.

Once you configured a blackhole, the specified clients no longer receive any response. Their
queries remain unanswered, in other words they are ignored.

To set a blackhole match list at server level

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the server of your choice, click on . The properties page opens.
3. Open the panel Access control using . This panel gathers the server Allow-query, Allow-
query-cache, Allow-transfer and Blackhole configuration.
4. Click on EDIT to change the configuration. The wizard opens.
5. Click on NEXT to skip the pages Allow-query, Allow query cache and Allow-transfer.
6. On the page Blackhole, set up your blackhole configuration.
Using the drop-down lists Type and Restriction, you can deny access to as many networks,
IP addresses, ACLs and keys as you need. Select a Type and complete the configuration
as follows:

Table 40.8. Available restriction parameters to configure a Blackhole

Type Restriction configuration
Network address Allows to deny query responses to an entire network. Specify the IPv4 or IPv6 address
of a network following the format <ip-address>/<prefix>.

557
 Configuring DNS Servers

Type Restriction configuration

IP address Allows to deny query responses to a specific IP address. Specify the IPv4 or IPv6
address of an appliance, user, host...
ACL Allows to deny query responses to an ACL defined at server level. Select admin, any,
none, localhost, localnets or any custom ACL added at server level. For more details,
refer to the section Configuring Access Control Lists for a Server.
Note that the ACL admin is used by SOLIDserver to configure and exchange data
with DNS servers.
TSIG key Allows to deny query responses to a DNS key defined at server level. Select any TSIG
key available in the panel Keys. For more details, refer to the section Configuring DNS
Keys.

Once a restriction is configured as needed, click on ADD . The entry is moved to the list ACL
values. All denied entries are preceded by an exclamation mark (!). Keep in mind that the
entries order matters, each restriction listed is reviewed following the order you set. To order
the entries, select them one by one and click on the arrows to move them up or down .
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the field(s)
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
To order the entries, select them one by one and click on the arrows to move them up or
down .
7. Click on OK to complete the operation. The report opens and closes.

Configuring Client Resolver Cache Options at Server Level

From the properties page of an EfficientIP DNS server using the SSL protocol, you can edit the
two options dedicated to client resolver cache memory via the panel Options:
lame-ttl
This option defines the amount of time a client should keep in its cache the information sent
bay a lame server that has been queried directly. It allows to limit the time the information is
kept as, coming from a lame server, it might not be up-to-date and therefore potentially erro-
neous.
max-cache-size
This option limits the size of the cache memory of a server or view. When the cache memory
size reaches this threshold, the server causes records to expire prematurely. The value 0
can be set to purge the cache only when the records TTL expires.

These options can be set at server or view level. For more details regarding the configuration on
views, refer to the section Configuring Client Resolver Cache Options at View Level. Keep in
mind that any configuration set at view level overrides the server level configuration.

To set the option lame-ttl at server level

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the server of your choice, click on . The properties page opens.
3. Open the panel Options using and click on EDIT . The wizard Options configuration
opens.
4. In the field Lame-ttl, specify the value of your choice. This value is in seconds can be set
between 30 and 1800. The default value is 600, the maximum value is 1800 seconds.
5. Click on OK to complete the operation. The report opens and closes.

558
 Configuring DNS Servers

To set the option max-cache-size at server level

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the server of your choice, click on . The properties page opens.
3. Open the panel Options using and click on EDIT . The wizard Options configuration
opens.
4. In the field Max-cache-size, specify the value of your choice to set the cache memory size.
This value is in bytes. The default value is 100m.
5. Click on OK to complete the operation. The report opens and closes.

Configuring EDNS Options at Server Level

The Extension mechanisms for DNS allow to add information to DNS messages and therefore
send out larger packages or packages containing more parameters. The EDNS, also known as
EDNS (0), has been defined in RFC 6891.

If you configured DNSSEC on your server or are managing records that relay IPv6 information,
we strongly recommend configuring EDNS: in both cases, the messages sent out usually exceed
512 bytes.

Within SOLIDserver, two EDNS options can be configured at server and view level on EfficientIP
DNS servers using the SSL protocol:
edns-udp-size
This option sets the EDNS UDP buffer size advertised by the server when querying a remote
server. It is set in bytes and allows to specify the size of the packets that you receive.
Typically, you would set this option to enable UDP answers to pass through broken firewalls
that block fragmented packets and/or packets greater than 512 bytes. The value set for this
option is a preference.
max-udp-size
This option sets the maximum EDNS UDP message size sent by the server. It is set in bytes
and allows to specify the maximum size of the packets that you send to a remote server.
Typically, this option would be set to enable UDP answers to pass through broken firewalls
that block fragmented packets and/or packets greater than 512 bytes.

For more details regarding the configuration on views, refer to the section Configuring EDNS
Options at View Level. Keep in mind that any configuration set at view level overrides the
server level configuration.

To set the option edns-udp-size

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the server of your choice, click on . The properties page opens.
3. Open the panel Options using and click on EDIT . The wizard Options configuration
opens.
4. In the field Edns-udp-size, specify the size of received packets of your choice. This value
is in bytes, and must be set between 512 and 4096. The default value is 4096.
5. Click on OK to complete the operation. The report opens and closes.

To set the option max-udp-size

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the server of your choice, click on . The properties page opens.

559
 Configuring DNS Servers

3. Open the panel Options using and click on EDIT . The wizard Options configuration
opens.
4. In the field Max-udp-size, specify the maximum size of the packets you send. This value is
in bytes and must be set between 512 and 4096. The default value is 4096.
5. Click on OK to complete the operation. The report opens and closes.

Configuring Prefetch on a Server

You can configure the statement prefetch on recursive servers to anticipate the expiration of its
cache entries. It allows to automatically query again specific entries before they expire, and ensure
the cache always answers clients with up-to-date information.

Note that:
• You can only configure prefetch on EfficientIP recursive servers, EfficientIP Package recursive
servers and the smart architectures that manage them.
• By default, prefetch is disabled.
• The parameters Prefetch "trigger" and Prefetch "eligibility" respectively allow to configure when
to prefetch entries, and define which entries are eligible.
Both parameters must have a value greater than 0, otherwise prefetch is disabled.

To set the statement prefetch on a server

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the server of your choice, click on . The properties page opens.
3. Open the panel Options using and click on EDIT . The wizard Options configuration
opens.
4. In the field Prefetch "trigger", specify the number of seconds, before cache entries expire,
that trigger the prefetch. By default, it is set to 0. The prefetch trigger is usually set to 2, you
can set a value between 1 and 10.
Cache entries are only queried again when the specified number of seconds before their
TTL expires is reached and if they match or exceed the Prefetch "eligibility".
If you set it to 0, prefetch is disabled, both parameters are ignored.
5. In the field Prefetch "eligibility", specify the minimum TTL, in seconds, that makes cache
entries eligible for the prefetch. By default, it is set to 0. The prefetch eligibility is usually set
to 9, it must be at least 6 seconds longer than the Prefetch "trigger".
Cache entries are eligible for prefetch when their original TTL matches or exceeds the
number of seconds specified. They are only queried again when they reach the configured
Prefetch "trigger".
If you set it to 0, prefetch is disabled, both parameters are ignored.
6. Click on OK to complete the operation. The report opens and closes. The configuration is
displayed in the panel as follows: prefetch <trigger> <threshold>.

Improving the Server Performance

You can configure the statement minimal-responses at server level. This statement can be used
to reduce the size of the outgoing data and improve performances.

Enabling minimal-responses allows the server to only add records to the authority and additional
data sections of the response if they are specifically required by the protocol. For instance, these
sections are included in the delegations and negative responses.

560
 Configuring DNS Servers

By default, the statement minimal-responses is set to yes on BIND servers.

This statement can be set on a physical server or on a smart architecture.

To set the minimal-responses statement at server level

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the server of your choice, click on . The properties page opens.
3. Open the panel Options using and click on EDIT . The wizard Options configuration
opens.
4. In the drop-down list Minimal-responses, select yes or no according to your needs. By de-
fault, the statement is set to yes on BIND servers.
5. Click on NEXT . The last page opens.
6. Click on OK to complete the operation. The report opens and closes.

Configuring a Sortlist at Server Level

The option sortlist is actually a statement that allows to set a preferential response order for equal
A resource records, forming an RRset. In other words, it modifies the response packet received
by the client resolver. It allows to put an end to cyclic round-robin responses to queries for the
IP networks of your choice.You can define as many sortlist statements as you want on EfficientIP
DNS servers using the SSL protocol. For each network of client IP addresses, you can set the
order of the records of an A RRset: this list can contain all of the A records of the RRset if you
want. The server checks if the client resolver IP address matches the sortlist defined and modify
its response accordingly.

Within the GUI, the statement configuration is closely linked to the statement syntax in the zone
file. Here below is an example of the sortlist statement syntax in the zone file:

In a zone file, the statement would look as follows for the zone many.example.com :
// zone file example.com
$ORIGIN example.com.
many IN A 192.168.3.6
IN A 192.168.4.5
IN A 192.168.5.5
IN A 10.2.4.5
IN A 172.17.4.5

The client-side server has a sortlist statement, set as follows:

options {
....
sortlist {
{// 1st preference block start
192.168.4/24; // 1st client IP selection matches any of these
{10.2/16; // return any of these response IPs as 1st preference
172.17.4/24; // 2nd preference
};
}; // end first block
{ // second preference block
192.168.5/24; // 2nd client IP selection matches any of these
{192.168.4/24; // return any of these response IPs as 1st preference
172.18.4/24; // 2nd preference
10.2/16; // 3rd preference
};
}; // end second block
}; // end sortlist

561
 Configuring DNS Servers

};

As you can see after the client IP, the response preferences are defined one after the other and
separated by a semi-colon.

Keep in mind that any configuration set at view level overrides the server level configuration.

To define a sortlist statement at server level

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the server of your choice, click on . The properties page opens.
3. Open the panel Options using and click on EDIT . The wizard Options configuration
opens.
4. In the field Client address, specify the client IP address/subnet. It must be composed of an
IPv4 address containing 1 to 4 bytes followed by the prefix: <IP address>/<prefix>.
5. In the field Sort address, specify a list of IP addresses or subnets followed by a semi-colon.
These addresses correspond to the value of an A record of the RRset for which you add the
sortlist. The statement respects the order in which you specified the addresses. The value
must respect the format <IP address>/<prefix>; even if you only specify one sort address.
6. Once both fields are filled, click on ADD to move the client and sort addresses to the field
Sortlist. Both values are displayed as follows: {<client-IP-address>/<prefix> {<sort-IP-ad-
dress>/<prefix>;};}; . By default, this field is empty.
7. Click on OK to complete the operation. The report opens and closes. The sortlist is displayed
as follows: {<client_address_field_value>; {<first_sort_address>;<second_sort_ad-
dress;<etc>};}; . There is one sortlist per client address defined.

Limiting the Number of Responses of a Server

Managing the Response Rate Limiting (RRL) of a server helps mitigate the DNS amplification
attacks targeting a victim.

Amplification attacks are Distributed Denial of Service (DDoS) tactics in which an attacker uses
the IP address of any computer to send high volumes of forged queries using an authoritative
DNS server. The attacker queries are usually small-sized but designed to generate large re-
sponses, thus generating an amplified traffic toward the victim. Considering that the attacker
mimics the query format of the server, the client only sees a large number of responses and
cannot know if the response is real or malicious. This high volume of responses is likely to make
the victim's computer overload and eventually collapse.

In light of the increasing number of DDoS attacks on the Internet, in 2012 Paul Vixie and Vernon
Schryver proposed RRL as a method for preventing a caching server from being used in a DNS
Amplification attack. It allows to maintain the type of queries that have been made, that way the
server keeps track of the queries made and can limit the number of responses returned without
changing the nature of the DNS.

Limitations
• RRL cannot be set at view or zone level, it can only be configured for a whole server.
• RRL can only be configured on EfficientIP DNS servers, EfficientIP DNS Package servers,
smart architectures or Guardian servers configured with the parameter recursive set to 2.

562
 Configuring DNS Servers

• If RRL settings are configured on a smart architecture managing servers that are not compatible
with RRL, for these servers the RRL configuration is ignored and the Multi-Status column
provides details regarding incompatibilities.
• RRL can be set on a BIND/NSD Hybrid server but the option Log only disables RRL on NSD
servers.

Configuring the RRL Parameters

RRL is disabled by default. You can configure it on a physical server or smart architecture from
its properties page.

If you set it on a smart architecture that manages different types of servers, it only applies to the
relevant servers. The settings are ignored by all the servers that do not support it.

To limit the number of responses of a server

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the server of your choice, click on . The properties page opens.
3. Open the panel Options using and click on EDIT . The wizard Options configuration
opens.
4. Click on NEXT . The last page opens.
5. In the field Maximum number of responses per second, specify the number of your choice.
This field defines a threshold of responses which, once met, drops all the additional queries
unless you set a Slip value.
The field default value is 0, meaning the option is disabled. You can set a value between 1
and 1000. We recommend that you set the value at 10 or higher.
6. In the field Slip, you can specify a number between 0 and 10. This option allows to add an
extra bit to the server responses, the Truncated (TC) bit, and makes the requestor use TCP
to resend the query once they receive the truncated response.The number specified in the
field defines every how many queries the TC bit and TCP are forced.
If the field is empty or set to 0, all the similar queries are dropped. If set to 1, the TC is set
in the response to every query. If set to 2, it is set in the response to every other query. If
set to 3, it is set in the response to every third query, etc.
We recommend that you set the Slip value to 1 because it limits cache poisoning attacks
- it is worthless for attackers performing volumetric or PPS DDoS attacks - and is less CPU
consuming for flooded resolvers.
7. If you are configuring a BIND server, in the section Log only you can tick the box. It allows
to prevent the rate limiting function from operating and only display in the logs what would
have happened.
On NSD servers, ticking the box disables RRL altogether.
8. Click on OK to complete the operation. The report opens and closes. The configuration is
displayed in the panel.

Configuring DNS64
SOLIDserver provides, for EfficientIP and BIND servers, a panel on the properties page dedicated
to configuring DNS Extensions for Network Address Translation from IPv6 Clients to IPv4 Servers,
or DNS64.

563
 Configuring DNS Servers

This mechanism was described in RFC 6147 and allows to rely on a NAT64 server to synthesize
IPv6 addresses and enable communication between IPv6-only clients and IPv4-only DNS servers
and get a valid response to their queries. Which is why DNS64 mechanism is useless on its own.

SOLIDserver does not include a NAT64 server but provides a wizard to configure DNS64 with
the settings that you configured on your own NAT64 server.

Once NAT64 is configured, you can configure DNS64 on the server of your choice. All the fields
available in the GUI are optional, DNS64 can perform the synthesis using only the address and
prefix of the NAT64. It relies on your NAT64 server IPv6 address to IPv4 address translation
settings to synthesize AAAA records from A records. The synthesis is performed as follows:
1. DNS64 uses the NAT64 server address and prefix configuration as the start of the synthesized
IPv6 address.
2. The target IPv4 address is appended to the address and prefix in hexadecimal form.
3. The suffix is appended at the end of the synthesized IP address to get a 128 bit address to
send back to the client in the AAAA record.

When your DNS64 configuration is over, two reverse zones are automatically added. That way,
even the reverse queries of IPv6 clients can be synthesized and answered.

The mechanism is completely transparent: the client does not know that the queried server only
manages IPv4 related data as, after querying it, the client receives records that can be used in
an IPv6 environment.

Prerequisites
• You must have SOLIDserver in version 5.0.0 or greater.
• You must manage:
• An EfficientIP DNS server in version 5.0.0 or greater; or
• A BIND server in version 9.8 or higher (EfficientIP BIND package).
• You must manage your server through SSL.
• You must have a NAT64 server configured on your network.
• You must have the NAT64 server address and prefix ready when you start configuring. Note
that depending on your NAT64 server vendor, you might not be able to set the address and
prefix of your choice. In this case you must use the ones provided by the vendor during the
DNS64 configuration.

Limitations
• DNS64 can "break" DNSSEC. For more details, refer to the substatement break-dnssec.
• DNS64 cannot be configured on Hybrid DNS engines.

DNS64 Supported Substatements

SOLIDserver supports the configuration of a set of DNS64 substatements listed below. By default
all substatements are unset in the GUI as they are all optional, the fields are empty or set to
None.
dns64-server
Allows you to specify the name of a server. The server you declare in that field should be
the server for which you are configuring DNS64. Once the substatement is set, the server
name is saved in the SOA of the reverse zones that DNS64 automatically adds, that way the
server can be queried in reverse without further configuration.

564
 Configuring DNS Servers

Default value: N/A

dns64-contact
Allows you to specify the email address of the contact managing the server - declared in the
substatement dns64-server - and the zones it contains. The contact is saved as well in the
SOA of the reverse zones that DNS64 automatically adds.
This field is only relevant if you specified a dns64-server.
Default value: N/A
address
Allows you to specify the IPv6 address set on the NAT64 server following the syntax <start-
of-IPv6-address>:: . Depending on the NAT64 server of your network, you can either set the
address of your choice or use the one already set on the NAT64 server.
This field is useless if you do not specify a prefix.
Default value: N/A
prefix
Allows you to specify the prefix set on the NAT64 server. It should be: 32 bits, 40 bits, 48
bits, 56 bits, 64 bits or 96 bits. Depending on the NAT64 server of your network, you can
either set the prefix of your choice or use the one already set on the NAT64 server.
This field is useless if you do not specify an address.
Default value: N/A
suffix
Allows you to specify a suffix following the syntax ::<end-of-IPv6-address>. The suffix is ap-
pended to the synthesized IP address (composed as follows: <address-field-value>:<queried-
ipv4-address-in-its-hexadecimal-form>).
Default value: :: . No need to specify a suffix if you specified a 96 bits prefix, BIND default
value is automatically applied.
break-dnssec
Allows you to interact with DNSSEC. If you set it to yes, DNS64 synthesizes the responses
authoritative and recursive queries even if the resulting records are considered invalid by the
queried signed zones. Which is why it is considered to "break" DNSSEC. If set to no, the
DNS64 synthesis is not performed if zones are signed with DNSSEC.
Default value: None.
recursive-only
Allows you to decide to use DNS64 synthesis in case of recursive queries. If set to yes, only
the server responses to recursive queries are synthesized. If set to no, all the server responses
are synthesized.
Default value: None.
client
Allows you to set or use existing ACLs to define which DNS clients get a synthesized response
to their queries.
Default value: none. If you only specify an address and prefix this value is automatically ap-
plied.
mapped
Allows you to set or use existing ACLs to prevent DNS64 from synthesizing some IPv4 ad-
dresses of your network. Any IPv4 address listed in the ACLs is ignored by DNS64 and
therefore never returned as an IPv6 address in the response.
Default value: any. If you only specify an address and prefix this value is automatically applied.

565
 Configuring DNS Servers

exclude
Allows you to set or use existing ACLs to exclude a list of IPv6 addresses. As DNS64 is
dedicated to synthesizing IPv6 addresses from IPv4 addresses, if any zone contains AAAA
records DNS64 ignores the zone. Therefore it ignores the A records it might contain. Setting
up the exclude substatement allows to ignore the AAAA records of a zone, your exclude
substatement ACL must contain all the IPv6 addresses declared in your AAAA records. That
way you can make sure that DNS64 synthesizes all the A records of the zone. The IPv6 ad-
dresses you declare must be part of or match the range of addresses declared for the NAT64
server (address and prefix).
Default value: none. If you only specify an address and prefix this value is automatically ap-
plied.

Configuring DNS64 On a Server

You can configure DNS64 from the properties page of a physical server or a smart architecture.

To disable it, you must open the wizard DNS64 configuration, empty all the fields and select None
in the drop-down lists.

To configure DNS64 on a server

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the server of your choice, click on . The properties page opens.
3. Open the panel DNS64 using and click on EDIT . The wizard DNS64 configuration opens.
4. Fill in the fields DNS64 Server, DNS64 Contact following the expected format detailed in
the section DNS64 Supported Substatements.
5. In the drop-down list Prefix, select 32 bits, 40 bits, 48 bits, 56 bits, 64 bits or 96 bits. For
more details, refer to the section DNS64 Supported Substatements.
6. Once you selected a Prefix, the field and drop-down lists Address, Suffix, Break-dnssec
and Recursive-only appear. Fill them in according to your needs. For more details, refer to
the section DNS64 Supported Substatements.
Note that the field Suffix is not displayed if you select the Prefix 96 bits.
You can choose to only configure the Address and Prefix for your DNS64 server and contact.
In which case, SOLIDserver sets the substatement client, mapped and exclude to their
DNS64 Supported Substatements. To do so, click on NEXT until the last page of the wizard
and click on OK to commit your configuration.
7. Click on NEXT . The page DNS64 configuration: Client opens.
You can define an ACL that lists the DNS clients that get a synthesized response to their
queries. For more details regarding the substatement, refer to the section DNS64 Supported
Substatements.
Using the drop-down lists Type and Restriction, you can grant or deny access to as many
networks, IP addresses, ACLs and keys as you need. Select a Type and complete the con-
figuration as follows:

Table 40.9. Restriction and permission parameters

Type Restriction configuration
Network address A way to allow or deny access to an entire network. Specify the IPv4 or IPv6 address
of a network following the format <ip-address>/<prefix>.
IP address A way to allow or deny access to specific IP address. Specify the IPv4 or IPv6 address
of an appliance, user, host...

566
 Configuring DNS Servers

Type Restriction configuration

ACL A way to allow or deny access to an ACL defined at server level. Select admin, any,
none, localhost, localnets or any server custom ACL. For more details, refer to the
section Configuring Access Control Lists for a Server.
Note that the ACL admin is used by SOLIDserver to configure and exchange data
with DNS servers.
TSIG key A way to allow or deny access to a DNS key defined at server level. Select any TSIG
key available in the panel Keys. For more details, refer to the section Configuring DNS
Keys.

Once a restriction or permission is configured as needed, click on ADD . The entry is moved
to the list ACL values. All denied entries are preceded by an exclamation mark (!). Keep in
mind that the entries order matters, each restriction or permission listed is reviewed following
the order you set. To order the entries, select them one by one and click on the arrows to
move them up or down .
All the entries of the ACL values constitute your ACL.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the field(s)
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
To order the entries, select them one by one and click on the arrows to move them up or
down .
8. Click on NEXT . The page DNS64 configuration: Mapped opens.
You can define an ACL that lists the IPv4 addresses that are ignored by DNS64. The ACL
configuration is detailed in the step 6 of this procedure. For more details regarding the sub-
statement, refer to the section DNS64 Supported Substatements.
9. Click on NEXT . The page DNS64 configuration: Exclude opens.
You can define an ACL that lists the IPv6 addresses that are ignored by DNS64. The ACL
configuration is detailed in the step 6 of this procedure. For more details regarding the sub-
statement, refer to the section DNS64 Supported Substatements.
10. Click on OK to complete the operation. The report opens and closes. The properties page
is available again, the panel DNS64 displays your configuration.

Configuring DNS Sources at Server Level

Configuring DNS source allows to set physical interfaces at server level that are systematically
used for all notify operations and zone transfer. This information can only be set on EfficientIP
DNS physical server using the SSL protocol and is inherited by the server views and zones and
displayed accordingly on their properties page.

From the Sources and Sources V6 panels, through their IP address, you can configure physical
interfaces that should be used for the server transfer and notify options. These panels only appear
after the first synchronization of the physical server. When editing these panels, you can define
the following statements:
query-source
This statement allows to define the IPv4 address and/or port used as the source of the
server or view outgoing queries. By default, BIND uses any server or view interface IP address
and a random port for outgoing queries.
Using a fixed port number allows to control UDP operations but can be extremely dangerous:
it can lead to cache poisoning if used with any caching DNS server definition as any attacker

567
 Configuring DNS Servers

would need to guess the transaction ID to get both the specified interface IP address and
port number. This statement is displayed on servers and views properties page.
query-source-v6
This statement allows to define the IPv6 address and/or port used as the source of the
server or view outgoing queries. By default, BIND uses any server or view interface IP address
and a random port for outgoing queries.
Using a fixed port number allows to control UDP operations but can be extremely dangerous:
it can lead to cache poisoning if used with any caching DNS server definition as any attacker
would need to guess the transaction ID to get both the specified interface IP address and
port number. This statement is displayed on servers and views properties page.
transfer-source
This statement allows to determine the IPv4 address of the physical interface used to execute
the zones transfer on the server. You can also specify a port for this statement. It is only
valid for slave zones and its configuration is therefore displayed on the physical server, views
and slave zones properties page.
transfer-source-v6
This statement allows to determine the IPv6 address of the physical interface used to execute
the zones transfer on the server. You can also specify a port for this statement. It is only
valid for slave zones and its configuration is therefore displayed on the physical server, views
and slave zones properties page.
use-alt-transfer-source
This statement allows to set the use of an alternate interface IP address for the transfer if
the transfer-source or the transfer-source-v6 were to fail. This statement configuration is
displayed on the physical server, view and slave zones properties page.
This statement definition is only configurable from the panel Sources but applies to interfaces
whether they were identified through an IPv4 or an IPv6 address.
Its default value is no if the server contains views and yes if the server does not contain any
view.
alt-transfer-source
This statement allows to determine the alternate IPv4 address of the interface used to execute
the zones transfer on the server if the transfer-source fails and if the use-alt-transfer-source
is enabled. You can also specify a port for this statement. Its configuration is displayed on
the physical server, views and slave zones properties page.
alt-transfer-source-v6
This statement allows to determine the alternate IPv6 address of the interface used to execute
the zones transfer on the server if the transfer-source-v6 failed and if the use-alt-transfer-
source is enabled.You can also specify a port for this statement. Its configuration is displayed
on the physical server, views and slave zones properties page.
notify-source
This statement allows to define the IPv4 address of the physical interface used for all the
server outgoing notify operations. You can also specify a port for this statement. It is used
by master zones and its configuration is therefore displayed on the physical server, views
and master zones properties page.
notify-source-v6
This statement allows to define the IPv6 address of the physical interface used all the server
outgoing notify operations.You can also specify a port for this statement. It is used by master
zones and its configuration is therefore displayed on the physical server, views and master
zones properties page.

568
 Configuring DNS Servers

Keep in mind that any configuration set at view or zone level overrides the server level
configuration.

To set IPv4 DNS sources at server level

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the physical server of your choice, click on . The properties page
opens.
3. Open the panel Sources using and click on EDIT . The wizard Configuration: Sources
opens.
4. Configure the transfer statements. Make sure to specify the IP address of an interface already
declared on SOLIDserver, otherwise, all the transfer operations would fail.
a. In the field Query-source address, specify the IPv4 address of the interface used for
outgoing queries.
b. In the field Query-source port, you can specify the port number used for outgoing
queries. Keep in mind that specifying a port number can lead to cache poisoning if DNS
server definitions are not set properly.
c. In the field Transfer-source address, specify the IPv4 address to be used for the zones
transfer operations. Specify an interface that you already configured on the appliance.
d. In the field Transfer-source port, you can specify which port on the interface should
be used.
e. In the drop-down list Use-alt-transfer-source, select none, no or yes. By default, none
is selected.

Table 40.10. Use-alt-transfer-source parameters

Parameter Description
none If your server contains views, it corresponds to no. If your server does not contain any
view, it corresponds to yes.
no Allows to disable the use of an alternate interface if the transfer set via transfer-source
or transfer-source-v6 fails.
yes Allows to enable the use of an alternate interface if the transfer set via transfer-source
or transfer-source-v6 fails. In this case, you need to set the alternate interface IP address
(and port if you want) through the alt-transfer-source and alt-transfer-source-v6 state-
ments in the following steps.

The use-alt-transfer-source statement applies to the alternate interfaces declared through

IPv4 address (Alt-transfer-source address) and IPv6 address (Alt-transfer-source ad-
dress-v6).
f. If you enabled the use of an alternate interface, in the field Alt-transfer-source address,
specify the IPv4 address of the alternate interface. It must also be configured on the
appliance.
g. If you enabled the use of an alternate interface, in the field Alt-transfer-source port,
you can specify which port on the interface should be used.
5. Configure the notify statement. Make sure to specify the IP address of an interface already
declared on SOLIDserver, otherwise, all the notify operations would fail.
a. In the field Notify-source address, specify the IPv4 address to be used for outgoing
notify operations. Specify an interface that you already configured on the appliance.
b. In the field Notify-source port, you can specify which port on the interface should be
used.
6. Click on OK to complete the operation. The report opens and closes.

569
 Configuring DNS Servers

To set IPv6 DNS sources at server level

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the physical server of your choice, click on . The properties page
opens.
3. Open the panel Sources using and click on EDIT . The wizard Configuration: Sources
opens.
4. Configure the transfer statements. Make sure to specify the IP address of an interface already
declared on SOLIDserver, otherwise all the transfer operations would fail.
a. In the field Query-source-v6 address, specify the IPv6 address of the interface used
for outgoing queries.
b. In the field Query-source-v6 port, you can specify the port number used for outgoing
queries. Keep in mind that specifying a port number can lead to cache poisoning if DNS
server definitions are not set properly.
c. In the field Transfer-source-v6 address, specify the IPv4 address to be used for the
zones transfer operations. Specify an interface that you already configured on the appli-
ance. If you defined the use-alt-transfer-source statement in the Sources panel, it applies
to the alternate interfaces declared in IPv4 (Alt-transfer-source address) and IPv6 (Alt-
transfer-source address-v6).
d. In the field Transfer-source-v6 port, you can specify which port on the interface should
be used.
e. If you enabled the use-alt-transfer-source in the Sources panel, in the field Alt-transfer-
source-v6 address, specify the IPv6 address of the alternate interface. It must also be
configured on the appliance.
f. If you enabled the use-alt-transfer-source in the Sources panel, in the field Alt-transfer-
source-v6 port, you can specify which port on the interface should be used.
5. Configure the notify statement. Make sure to specify the IP address of an interface already
declared on SOLIDserver, otherwise, all the notify operations would fail.
a. In the field Notify-source-v6 address, specify the IPv6 address to be used for the
outgoing notify operations. Specify an interface that you already configured on the ap-
pliance.
b. In the field Notify-source-v6 port, you can specify which port on the interface should
be used.
6. Click on OK to complete the operation. The report opens and closes.

Authenticating the Zones Dynamic Update from the Server

Within SOLIDserver, dynamic update relies on TSIG keys and can only be configured for the
master zones if the server they belong to is properly configured and secured. Keep in mind that
configuring dynamic update can be dangerous as any client could update the server data. You
can configure dynamic update on all DNS servers except Amazon Route 53 DNS servers. For
more details regarding dynamic update, refer to the chapter Implementing Dynamic Update.

To set up dynamic update, you must:

1. Secure the server with a unique TSIG key. For more details, refer to the section Securing the
Management of DNS Servers Using a TSIG Key.
2. Configure the server for dynamic update:
• Either edit the default ACL admin to include the same TSIG key to its permissions.

570
 Configuring DNS Servers

• Or add a new ACL that includes the TSIG key to its permissions. For more details, refer to
the section Configuring Access Control Lists for a Server.
3. Configure the statement allow-update of your master zones with the same TSIG key. For more
details, refer to the section Configuring DNS Update Authorizations on a Zone.
Note that if you edited the ACL admin of the server, the configuration is complete because,
by default, the ACL admin of the physical server is specified in the statement allow-update of
the master zones.

Note that instead of configuring the ACL admin to allow the securing TSIG key, you could allow
the IP address of SOLIDserver and restrict the default permissions. However, allowing updates
based on the requestor IP address is insecure, we strongly recommend using the TSIG key
protocol filtering rather than an IP address based filtering.

To edit the ACL admin of a server to allow dynamic update

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the physical server of your choice, click on . The properties page
opens.
3. In the panel ACL, in the list DNS ACLs select admin.
4. Click on EDIT . The wizard ACL configuration Edit a DNS server opens.
5. Delete the ACL any to make sure that only SOLIDserver can edit the server and its content:
a. In the list ACL values, select any. The fields Type, Restriction and ACL are refreshed.
b. Click on DELETE . The ACL is no longer listed.
6. Specify your TSIG key:
a. In the drop-down list Type, select TSIG key.
b. In the drop-down list Restriction, select Allow.
c. In the field Key, select the same TSIG key than the one you used to secure the server.
For more details, refer to the section Securing the Management of DNS Servers Using
a TSIG Key.
d. Click on ADD . The TSIG key is moved to the list ACL values.
7. Click on OK to complete the operation. The report opens and closes.
8. Once the ACL admin is configured with the TSIG key, the master zones it contains are all
configured for dynamic update as the statement allow-update grants by default access to
this ACL.

To add an ACL that allows dynamic update

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the server of your choice, click on . The properties page opens.
3. Open the panel ACL using .
4. Click on ADD . The wizard ACL configuration opens.
5. In the field ACL name, name your ACL.
6. In the drop-down lists Type, select TSIG key.
7. In the drop-down lists Restriction, select Allow.
8. In the field Key, select the same TSIG key than the one you used to secure the server. For
more details, refer to the section Securing the Management of DNS Servers Using a TSIG
Key.
9. Click on ADD . The TSIG key is moved to the list ACL values.

571
 Configuring DNS Servers

10. Click on OK to complete the operation. The report opens and closes.
11. Once the ACL is added, you must add it to the permissions of the statement allow-update
of the master zone(s) of the server. For more details, refer to the section Configuring DNS
Update Authorizations on a Zone.

Configuring Access Control Lists for a Server

The Access Control List (ACL) is a match list that allows to grant or deny access to a network
device, IP address, TSIG keys or even another ACL. For more details regarding TSIG keys, refer
to the section Configuring DNS Keys.

When set at server level, the ACLs can be used on the views and zones of the server. Once
added, you can use an ACL to configure the statements allow-recursion, allow-notify, allow-
query, allow-query-cache, allow-transfer, blackhole at any of relevant level of the DNS
hierarchy.You could, for instance, add one ACL that specifies which part of the network is denied
access or the IP address of the server that should always receive the notification messages, etc.

Note that by default EfficientIP servers provide the ACL admin. You can edit it according to your
needs but you cannot delete it.

To add an ACL at server level

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the server of your choice, click on . The properties page opens.
3. Open the panel ACL using .
4. Click on ADD . The wizard ACL configuration opens.
5. In the field ACL name, name your ACL.
6. Configure the ACL according to your needs.
Using the drop-down lists Type and Restriction, you can grant or deny access to as many
networks, IP addresses, ACLs and keys as you need. Select a Type and complete the con-
figuration as follows:

Table 40.11. Restriction and permission parameters

Type Restriction configuration
Network address A way to allow or deny access to an entire network. Specify the IPv4 or IPv6 address
of a network following the format <ip-address>/<prefix>.
IP address A way to allow or deny access to specific IP address. Specify the IPv4 or IPv6 address
of an appliance, user, host...
ACL A way to allow or deny access to an ACL defined at server level. Select admin, any,
none, localhost, localnets or any server custom ACL. For more details, refer to the
section Configuring Access Control Lists for a Server.
Note that the ACL admin is used by SOLIDserver to configure and exchange data
with DNS servers.
TSIG key A way to allow or deny access to a DNS key defined at server level. Select any TSIG
key available in the panel Keys. For more details, refer to the section Configuring DNS
Keys.

Once a restriction or permission is configured as needed, click on ADD . The entry is moved
to the list ACL values. All denied entries are preceded by an exclamation mark (!). Keep in
mind that the entries order matters, each restriction or permission listed is reviewed following
the order you set. To order the entries, select them one by one and click on the arrows to
move them up or down .

572
 Configuring DNS Servers

All the entries of the ACL values constitute the content of your ACL.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the field(s)
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
7. Click on OK to complete the operation. The report opens and closes. The ACL is listed in
the panel.
Once added, an ACL includes permissions and restrictions that you allow or deny access
to depending on the configuration you set:
• If you allow access to the ACL, every permission it contains are granted access to,
every restriction it contains are denied access to.
• If you deny access to the ACL, the contrary is set: every permission it contains are
denied access to, every restriction it contains are granted access to.

You can add as many ACL as you want on a server.

To edit an ACL at server level

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the server of your choice, click on . The properties page opens.
3. Open the panel ACL using .
4. In the list DNS ACLs, select an ACL and click on EDIT . The wizard ACL configuration
opens.
5. To add permissions and restrictions to the ACL, configure the Type and Restriction as de-
tailed in the procedure To add an ACL at server level.
6. To edit the permissions and restrictions of the ACL values:
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the field(s)
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
To reorder the entries, select them one by one and click on the arrows to move them up
or down .
7. Click on OK to complete the operation. The report opens and closes.

To delete an ACL at server level

1. Make sure the ACL is not used in any statement of the server, view or zone.
2. In the sidebar, go to DNS > Servers. The page All servers opens.
3. At the end of the line of the server of your choice, click on . The properties page opens.
4. Open the panel ACL using .
5. In the list DNS ACLs, select an ACL your want to delete.
6. Click on DELETE . The wizard Delete opens.
7. Click on OK to complete the operation. The report opens and closes. The ACL is no longer
listed.

573
 Configuring DNS Servers

Configuring DNS Keys

SOLIDserver supports the use of Transaction SIGnatures (TSIG) keys to encrypt and authenticate
every DNS data exchange between SOLIDserver itself and your DNS servers or clients.

The information is encrypted via a technique called HMAC (Keyed-Hashing for Message Authen-
tication, see RFC 2104) which employs a shared secret and a one-way cryptographic hash
function to sign data. This shared secret is used a password known only to the two parties involved
in the exchange.

From the properties page of EfficientIP, EfficientIP Package and Generic servers as well as smart
architectures you can add, edit and delete TSIG keys. Once a key is added, you can use it:
• To secure the server with a unique TSIG key. For more details, refer to the section Securing
the Management of DNS Servers Using a TSIG Key.
• In any statement or in ACLs at server, view and/or zone level. For more details, refer to the
chapters Configuring DNS Servers, Configuring DNS Views and Configuring DNS Zones.
• When adding and editing slave zones, RPZ or not, and stub zones. For more details, refer to
the chapters Managing DNS Zones and DNS Firewall (RPZ).
• To set up dynamic update for you master zones. For more details, refer to the sections Config-
uring Access Control Lists for a Server and Authenticating the Zones Dynamic Update from
the Server.

Note that TSIG keys are not supported by Microsoft servers. However, you can configure their
zones for dynamic update via GSS-TSIG keys.

For more details, refer to the section Implementing Dynamic Update.

To add a TSIG key

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the server of your choice, click on . The properties page opens.
3. Open the panel Keys using and click on ADD . The wizard TSIG Key configuration opens.
4. Configure the key. You can edit the valid hmac-sha512 key configured by default.

Table 40.12. DNS key configuration parameters

Field Description
Key name The name of the key. It must be a string starting with a letter or underscore, followed
by any number of letters, numbers, or underscores. This field is required.
Key algorithm The key algorithm, either hmac-sha512, hmac-sha384, hmac-sha256, hmac-sha224,
hmac-sha1 or hmac-md5 (obsolete). By default, hmac-sha512 is selected. This field
is required.
TSIG Key value The key value is the secret to be used by the algorithm, and is treated as a base-64
encoded string.
By default, the field contains a valid value, matching the default algorithm hmac-sha512.

5. Click on OK to complete the operation. The report opens and closes.

To edit a TSIG key

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the server of your choice, click on . The properties page opens.
3. Open the panel Keys using and select the key you want to edit.

574
 Configuring DNS Servers

4. Click on EDIT . The wizard TSIG Key configuration opens.

5. Edit the Key algorithm and/or TSIG Key value according to your needs.
You cannot rename the key.
6. Click on OK to complete the operation. The report opens and closes.

To delete a TSIG key

1. Make sure the key is no longer used in any statement of the server, view or zone.
2. In the sidebar, go to DNS > Servers. The page All servers opens.
3. At the end of the line of the server of your choice, click on . The properties page opens.
4. Open the panel Keys using .
5. In the list DNS keys, select the key of your choice.
6. Click on DELETE . The wizard Delete opens.
7. Click on OK to complete the operation. The report opens and closes. The key is no longer
listed.

Including Non-Supported DNS Settings

SOLIDserver provides the possibility to include parameters in BIND configuration files that are
not supported by SOLIDserver.

Only administrators with a good understanding of BIND configuration files should perform
these operations.

The prerequisites, limitations and procedures to follow are all described in the appendix Config-
uring Non-Supported BIND Options.

Once the non-supported options are included to the configuration file, they are processed like
any other option unless their syntax is incorrect or the option itself was already set. In which case,
the included options are ignored until the proper changes have been made.

Setting up Anycast DNS

Anycast DNS is useful if your deployment includes multiple geographically distributed sites. It
improves the service high availability and reliability by improving the redundancy of the DNS
service. In addition to sharing the workload, this configuration helps mitigating a DDoS attack by
diluting its effects.

When relying on an anycast architecture, DNS clients always query the same IP address(es) but
their packets are routed to the nearest anycast DNS server according to the network topology.
If the closest DNS server is down, the related route is withdrawn and the packets are transparently
re-routed by the network to the nearest available DNS server in the topology.

Before setting up anycast, keep in mind that:

• You can configure anycast addressing on loopback interfaces only.
• You can set up anycast via the routing protocols OSPF, BGP and/or IS-IS, on recursive
and authoritative DNS servers.
• SOLIDserver embeds FRRouting (FRR) is a routing protocol suite that allows to set up anycast
architectures. Its configuration is locally stored on the appliance and is automatically saved in
the appliance backup file.
• Once anycast is configured, the routers are able to redirect clients to the nearest server.

575
 Configuring DNS Servers

Note that since version 8, anycast no longer relies by default on a Quagga package to set
up anycast. If you upgraded your appliance, your configuration is now saved in the folder
/data1/etc/frr. To switch back to using quagga, execute the following commands:
sudo -s
/usr/local/nessy2/script/quagga_frr.sh quagga

# To switch back to FRR, run the command: /usr/local/nessy2/script/quagga_frr.sh frr

Prerequisites
• An IP address that can be anycasted on the network and configured on a loopback of each
SOLIDserver belonging to the anycast group.
• Sufficient information and accesses to configure SOLIDserver routing daemon in order to es-
tablish neighboring relationships with the peer routers.
• The anycast configuration must be completed on every DNS server of the anycast group. This
applies whether or not the servers are managed from a smart architecture.

With this type of topology, the anycast IP address is advertised from multiple locations and the
router ends up choosing the best path to that IP address, according to the routing protocol al-
gorithm and configuration. Once you finished the configuration detailed in the sections below,
the DNS servers managed via SOLIDserver advertise the anycast IP address to the network.

Setting up Anycast Using OSPF

OSPF is an interior gateway protocol, or IGP. Successfully setting up anycast using OSPF on
your network requires:
1. Meeting anycast prerequisites.
2. Configuring the Appliance for OSPF Anycast to make sure it uses the FRRouting suite to enable
route advertisement for anycast.
3. Setting up OSPF Routing to implement the configuration that suits your needs.
4. Making Sure Anycast DNS Was Properly Configured for OSPF, once the configuration is
complete.

Configuring the Appliance for OSPF Anycast

SOLIDserver embeds the FRRouting suite, you must enable it in the system configuration file to
set up anycast.

To successfully configure the appliance for OSPF anycast you must:

1. Edit the file rc.conf to enable FRR services.
2. Create and configure the file vtysh.conf to enable the communication between the FRRouting
suite components.
3. Delete the files /tmp/running_conf.cf* and /tmp/previous_conf.cf*.
4. Reboot the appliance. After the reboot, these files running_conf.cf* and previous_conf.cf* are
created again and take into account the changes.

To configure the appliance for anycast DNS

1. Edit the system configuration file.
a. Open a shell session and connect to your appliance as the default admin user, the default
password is admin, or using the credentials of a user with sudo permissions.
b. Get root access using the following command:

576
 Configuring DNS Servers

sudo -s

c. Open the file /etc/rc.conf to edit it.

d. Enable FRR and make sure the file is configured as follows:
frr_daemons="zebra ospfd"
frr_enable="YES"

Note that you can support more than one routing protocol if you specify several daemons
in the configuration file, separated by a space. It could be set as follows frr_dae-
mons="zebra ospfd bgpd isisd".
e. Add the following line to the file to specify the anycast dedicated IP address:
# Expected syntax: ifconfig_<interface-name>_alias0="inet <IP-address> netmask
<netmask>"
# Example:

ifconfig_lo0_alias0="inet 192.168.55.2 netmask 255.255.255.255"

f. Save your changes.

2. Create and configure the file that enables the communication between the FRRouting suite
components.
a. Create the file vtysh.conf as follows:
touch /data1/etc/frr/vtysh.conf

b. Add the following line to the file to configure your access credentials:
hostname dns-anycast-1
username root nopassword

3. Delete the files /tmp/running_conf.cf* and /tmp/previous_conf.cf* using the

following command:
rm /tmp/running_conf.cf* /tmp/previous_conf.cf*

4. Reboot the appliance using the following command:

reboot

Now that the appliance is ready, you need to set up OSPF using FRR, as detailed in the next
section.

Setting up OSPF Routing

Once the FRRouting suite enables route advertisement, as detailed in the section Configuring
the Appliance for OSPF Anycast, you can configure it.

Setting up OSPF routing implies:

1. Making sure that the firewall rule 36 using the OSPF protocol is enabled. Basically, this ensures
that anycast management traffic and inbound messages are allowed.
2. Creating the FRR and OSPF dedicated configuration files.
3. Restarting FRR routing daemons.
4. Checking the logs.

577
 Configuring DNS Servers

To make sure the anycast dedicated firewall rule is enabled

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Firewall rules. The page Firewall rules opens.
3. In the column Protocol, type in ospf and hit Enter. The rule is the only one listed.
4. In the column Action, make sure it is marked allow.

To create the FRR dedicated configuration files

1. Open a shell session and connect to your appliance as the default admin user, the default
password is admin, or using the credentials of a user with sudo permissions.
2. Get root access using the following command:
sudo -s

3. Go to the directory /data1/etc/frr .

4. In this directory, create the zebra configuration file using the following commands:
# emacs zebra.conf

It should contain the appliance hostname, administrator passwords, anycast IP address,

anycast VIP(s) address and log file location like in the example below.
# more /data1/etc/frr/zebra.conf
hostname dns-anycast-1
password mypassword
enable password mypassword

# Specify the name of the interfaces used by your clients. "bge1" and "lo0" are
examples.
interface bge1
ip address 192.168.53.2/24
interface lo0
ip address 192.168.55.2/32

log syslog debugging

log facility syslog

5. In this directory, create the OSPF configuration file using the following commands:
# emacs ospfd.conf

It should contain the appliance hostname, authentication details, response time, interfaces
dedicated to OSPF, access list and log file location like in the example below.
# more /data1/etc/frr/ospfd.conf
hostname dns-anycast-1

# Specify the proper interface. "bge1" was specified in zebra.conf in our example.
interface bge1
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 mypassword
ip ospf priority 0
ip ospf hello-interval 1
ip ospf dead-interval 5

router ospf
log-adjacency-changes
ospf router-id 192.168.53.2
area 20 authentication message-digest
area 20 nssa
network 192.168.53.0/24 area 20
redistribute connected metric-type 1

578
 Configuring DNS Servers

distribute-list ANYCAST out connected

!
access-list ANYCAST permit 192.168.55.2/32

log syslog debugging

log facility syslog

To restart FRR routing daemons

1. Open a shell session and connect to your appliance as the default admin user, the default
password is admin, or using the credentials of a user with sudo permissions.
2. Get root access using the following command:
sudo -s

3. Check the FRR status using the following command:

/usr/local/etc/rc.d/frr status

4. Restart FRR using the following command:

/usr/local/etc/rc.d/frr restart

To check FRR log file

1. Open a shell session and connect to your appliance as the default admin user, the default
password is admin, or using the credentials of a user with sudo permissions.
2. Get root access using the following command:
sudo -s

3. In the file /var/log/zebra.log you can check the FRR dedicated logs. If everything went
well, you should have three lines similar to the ones below:
// example of a sucssessfull configuration

Feb 25 09:46:02 dns1-anycast ospfd[18600]: Packet[DD]: Neighbor 192.168.53.1

Negotiation done (Master).
Feb 25 09:46:02 dns1-anycast ospfd[18600]: AdjChg: Nbr 192.168.53.1 on
bge1:192.168.53.2: Loading -> Full (LoadingDone)
Feb 25 09:46:02 dns1-anycast ospfd[18600]: nsm_change_state(192.168.53.1, Loading ->
Full): scheduling new router-LSA origination

Making Sure Anycast DNS Was Properly Configured for OSPF

You can make sure that anycast DNS is successfully configured, on the router itself and on
SOLIDserver, via a set of commands that ensure that the IP addresses used during the configur-
ation are part of the routes.

To display the OSPF routes on Cisco routers

1. Connect to SOLIDserver via a shell session.
2. Run the following command:
router>show ip route
Codes: C - connected, 5 - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, 0 - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

579
 Configuring DNS Servers

* - candidate default, U - per-user static route, o - ODR

P - periodic downloaded static route

Gateway of last resort is not set

192.168.56.0 32 is subnetted 1 subnets

0 N1 192.168.56.2 [110/21] via 192.168.53.2, 00:26:02, FastEthernet0/1
C 192.168.54.0/24 is directly connected, FastEthernetO/0
C 192.168.53.0/24 is directly connected, FastEthernetO/l
router>

To display the OSPF neighbors on Cisco routers

1. Connect to your Cisco router via a shell session.
2. Run the following command:
router>show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface

192.168.53.2 1 FULL/BDR 00:00:38 192.168.53.2 FastEthernet0/0

To display the OSPF neighbors on SOLIDserver

1. Connect to SOLIDserver via a shell session.
2. Run the following command to connect to the zebra service:
# vtysh

Hello, this is FRRouting (version 7.5.1).

Copyright 1996-2005 Kunihiro Ishiguro, et al.

dns-anycast-1#

3. Run the following command:

dns-anycast-1# show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface RXmtL

RqstL DBsmL
192.168.53.1 1 FULL/DR 36.591s 192.168.53.1 eth0:200.0.0.1 0
0 0

Setting up Anycast Using BGP

BGP is an inter routing protocol that establishes communication between two AS (Autonomous
System) numbers. Successfully setting up anycast using BGP on your network requires:
1. Meeting anycast prerequisites and BGP prerequisites.
2. Configuring the Appliance for BGP Anycast to make sure it uses the FRRouting suite to enable
route advertisement for anycast.
3. Setting up BGP Routing to implement the configuration that suits your needs.
4. Making Sure Anycast DNS Was Properly Configured for BGP, once the configuration is com-
plete.

BGP Prerequisites
• Make sure the network flows are properly configured, as detailed in the appendix Matrices of
Network Flows.
• Have the following information ready:

580
 Configuring DNS Servers

• The local AS Number, EfficientIP AS Number.

• The remote AS Number, the client AS Number.
• The Anycast IP address.
• The Neighbor IP address.

Configuring the Appliance for BGP Anycast

SOLIDserver embeds the FRRouting suite, you must enable it in the system configuration file to
set up anycast.

To successfully configure the appliance for BGP anycast you must:

1. Edit the file rc.conf to enable FRR services.
2. Create and configure the file vtysh.conf to enable the communication between the FRRouting
suite components.
3. Delete the files /tmp/running_conf.cf* and /tmp/previous_conf.cf*.
4. Reboot the appliance. After the reboot, these files running_conf.cf* and previous_conf.cf* are
created again and take into account the changes.

To configure the appliance for anycast DNS

1. Edit the system configuration file.
a. Open a shell session and connect to your appliance as the default admin user, the default
password is admin, or using the credentials of a user with sudo permissions.
b. Get root access using the following command:
sudo -s

c. Open the file /etc/rc.conf to edit it.

d. Enable FRR and make sure the file is configured as follows:
frr_daemons="zebra bgpd"
frr_enable="YES"

Note that you can support more than one routing protocol if you specify several daemons
in the configuration file, separated by a space. It could be set as follows frr_dae-
mons="zebra ospfd bgpd isisd".
e. Add the following line to the file to specify the anycast dedicated IP address:
# Expected syntax: ifconfig_<interface-name>_alias0="inet <IP-address> netmask
<netmask>"
# Example:

ifconfig_bge1_alias0="inet 192.168.53.2 netmask 255.255.255.0"

Save your changes.

2. Create and configure the file that enables the communication between the FRRouting suite
components.
a. Create the file vtysh.conf as follows:
touch /data1/etc/frr/vtysh.conf

b. Add the following line to the file to configure your access credentials:
hostname dns-anycast-1
username root nopassword

581
 Configuring DNS Servers

3. Delete the files /tmp/running_conf.cf* and /tmp/previous_conf.cf* using the

following command:
rm /tmp/running_conf.cf* /tmp/previous_conf.cf*

4. Reboot the appliance using the following command:

reboot

Now that the appliance is ready, you need to set up BGP using FRR, as detailed in the next
section.

Setting up BGP Routing

Once the FRRouting suite enables route advertisement, as detailed in the section Configuring
the Appliance for BGP Anycast, you can configure it.

Setting up BGP routing implies:

1. Creating the FRR and BGP dedicated configuration files.
2. Restarting FRR routing daemons.

To create the FRR dedicated configuration files

1. Open a shell session and connect to your appliance as the default admin user, the default
password is admin, or using the credentials of a user with sudo permissions.
2. Get root access using the following command:
sudo -s

3. Go to the directory /data1/etc/frr .

4. In this directory, create the zebra configuration file using the following commands:
# emacs zebra.conf

It should contain the appliance hostname, administrator passwords, anycast IP address,

anycast VIP(s) address and log file location like in the example below.
# more /data1/etc/frr/zebra.conf
hostname dns-anycast-1
password mypassword
enable password mypassword

# Specify the name of the interfaces used by your clients. "bge1" and "lo0" are
examples.
interface bge1
ip address 192.168.53.2/30
interface lo0
ip address 192.168.55.2/32

log syslog debugging

log facility syslog

5. In this directory, create the BGP configuration file using the following commands:
# emacs bgpd.conf

It should contain the appliance hostname, authentication details, response time, interfaces
dedicated to BGP, access list and log file location like in the example below.

582
 Configuring DNS Servers

# more /data1/etc/frr/bgpd.conf
hostname dns-anycast-1
password zebra
log syslog
router bgp 64500
bgp router-id 192.168.53.2
network 192.168.56.1/32
timers bgp 5 10
neighbor 192.168.53.1 remote-as 65000
neighbor 192.168.53.1 soft-reconfiguration inbound
neighbor 192.168.53.1 activate

To restart FRR routing daemons

1. Open a shell session and connect to your appliance as the default admin user, the default
password is admin, or using the credentials of a user with sudo permissions.
2. Get root access using the following command:
sudo -s

3. Check the FRR status using the following command:

/usr/local/etc/rc.d/frr status

4. Restart FRR using the following command:

/usr/local/etc/rc.d/frr restart

Making Sure Anycast DNS Was Properly Configured for BGP

To make sure that anycast DNS is successfully configured, on the router itself and on SOLIDserver,
you can use a set of commands that ensure the IP address used during the configuration are
part of the routes.

To display the BGP routes on Cisco routers

1. Connect to SOLIDserver via a shell session.
2. Run the following command:
router#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

192.168.56.0/32 is subnetted, 1 subnets

B 192.168.56.1 [20/0] via 192.168.53.2, 00:02:57
C 192.168.53.0/24 is directly connected, FastEthernet1/0

To display the BGP neighbors on SOLIDserver

1. Connect to SOLIDserver via a shell session.
2. Run the following command to connect to the zebra service:
# vtysh

583
 Configuring DNS Servers

Hello, this is FRRouting (version 7.5.1).

Copyright 1996-2005 Kunihiro Ishiguro, et al.

dns-anycast-1#

3. Run the following command to display the routes.

dns1-anycast# show bgp neighbors
BGP neighbor is 192.168.53.1, remote AS 65000, local AS 64500, external link
BGP version 4, remote router ID 192.168.53.1
BGP state = Established, up for 00:01:41
Last read 00:00:00, hold time is 10, keepalive interval is 3 seconds
Neighbor capabilities:
4 Byte AS: advertised
Route refresh: advertised and received(old & new)
Address family IPv4 Unicast: advertised and received
Graceful Restart Capabilty: advertised
Message statistics:
Inq depth is 0
Outq depth is 0
Sent Rcvd
Opens: 2 2
Notifications: 1 0
Updates: 2 0
Keepalives: 50 43
Route Refresh: 0 0
Capability: 0 0
Total: 55 45
Minimum time between advertisement runs is 30 seconds
For address family: IPv4 Unicast
Inbound soft reconfiguration allowed
Community attribute sent to this neighbor(both)
0 accepted prefixes
Connections established 2; dropped 1
Last reset 00:02:02, due to BGP Notification send
Local host: 192.168.53.2, Local port: 27184
Foreign host: 192.168.53.1, Foreign port: 179
Nexthop: 192.168.53.2
Nexthop global: ::
Nexthop local: ::
BGP connection: non shared network
Estimated round trip time: 105 ms
Read thread: on Write thread: off

To display the BGP summary on SOLIDserver

1. Connect to SOLIDserver via a shell session.
2. Run the following command to connect to the zebra service:
# vtysh

Hello, this is FRRouting (version 7.5.1).

Copyright 1996-2005 Kunihiro Ishiguro, et al.

dns-anycast-1#

3. Run the following command to display the summary.

dns1-anycast# show bgp summary
IPv4 Unicast Summary:
---------------------
BGP router identifier 192.168.53.2, local AS Number 64500
RIB entries 1, using 112 bytes of memory
Peers 1, using 6960 bytes of memory
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd

584
 Configuring DNS Servers

192.168.53.1 4 65000 48 58 0 0 0 00:01:52 0

Total number of neighbors 1

Setting up Anycast Using IS-IS

IS-IS is a link-state routing protocol, operating by reliably flooding link state information throughout
a network of routers. Successfully setting up anycast using IS-IS on your network requires:
1. Meeting anycast prerequisites.
2. Configuring the Appliance for IS-IS Anycast to make sure it uses the FRRouting suite to enable
route advertisement for anycast.
3. Setting up IS-IS Routing to implement the configuration that suits your needs.
4. Making Sure Anycast DNS Was Properly Configured for IS-IS, once the configuration is com-
plete.

Configuring the Appliance for IS-IS Anycast

SOLIDserver embeds the FRRouting suite, you must enable it in the system configuration file to
set up anycast.

To successfully configure the appliance for IS-IS anycast you must:

1. Edit the file rc.conf to enable FRR services.
2. Create and configure the file vtysh.conf to enable the communication between the FRRouting
suite components.
3. Delete the files /tmp/running_conf.cf* and /tmp/previous_conf.cf*.
4. Reboot the appliance. After the reboot, these files running_conf.cf* and previous_conf.cf* are
created again and take into account the changes.

To configure the appliance for anycast DNS

1. Edit the system configuration file.
a. Open a shell session and connect to your appliance as the default admin user, the default
password is admin, or using the credentials of a user with sudo permissions.
b. Get root access using the following command:
sudo -s

c. Open the file /etc/rc.conf to edit it.

d. Enable FRR and make sure the file is configured as follows:
frr_daemons="zebra isisd"
frr_enable="YES"

Note that you can support more than one routing protocol if you specify several daemons
in the configuration file, separated by a space. It could be set as follows frr_dae-
mons="zebra ospfd bgpd isisd".
e. Add the following line to the file to specify the anycast dedicated IP address:
# Expected syntax: ifconfig_<interface-name>_alias0="inet <IP-address> netmask
<netmask>"
# Example:

ifconfig_lo0_alias0="inet 192.168.99.8 netmask 255.255.255.0"

Save your changes.

585
 Configuring DNS Servers

2. Create and configure the file that enables the communication between the FRRouting suite
components.
a. Create the file vtysh.conf as follows:
touch /data1/etc/frr/vtysh.conf

b. Add the following line to the file to configure your access credentials:
hostname dns-anycast-1
username root nopassword

3. Delete the files /tmp/running_conf.cf* and /tmp/previous_conf.cf* using the

following command:
rm /tmp/running_conf.cf* /tmp/previous_conf.cf*

4. Reboot the appliance using the following command:

reboot

Now that the appliance is ready, you need to set up IS-IS using FRR, as detailed in the next
section.

Setting up IS-IS Routing

Once the FRRouting suite enables route advertisement, as detailed in the section Configuring
the Appliance for IS-IS Anycast, you can configure it.

Setting up IS-IS routing implies:

1. Creating the FRR and IS-IS dedicated configuration files.
2. Restarting FRR routing daemons.
3. Checking the logs.

To create the FRR dedicated configuration files

1. Open a shell session and connect to your appliance as the default admin user, the default
password is admin, or using the credentials of a user with sudo permissions.
2. Get root access using the following command:
sudo -s

3. Go to the directory /data1/etc/frr .

4. In this directory, create the zebra configuration file using the following commands:
# emacs zebra.conf

It should contain the appliance hostname, administrator passwords, anycast IP address,

anycast VIP(s) address and log file location like in the example below.
# more /data1/etc/frr/zebra.conf
hostname dns-anycast-1
password mypassword
enable password mypassword

log syslog debugging

log facility syslog

5. In this directory, create the IS-IS configuration file using the following commands:

586
 Configuring DNS Servers

# emacs isisd.conf

It should contain interfaces used for IS-IS communication and for anycast, an IS-IS address
and log file location like in the example below:
# more /data1/etc/frr/isisd.conf
hostname dns-anycast-1
password mypassword
enable password mypassword

interface em3
ip router isis ISIS_0

interface lo0
ip router isis ISIS_0

router isis ISIS_0

net 49.0001.1720.1600.2002.00
is-type level-1
metric-style wide

log facility syslog

To restart FRR routing daemons

1. Open a shell session and connect to your appliance as the default admin user, the default
password is admin, or using the credentials of a user with sudo permissions.
2. Get root access using the following command:
sudo -s

3. Check the FRR status using the following command:

/usr/local/etc/rc.d/frr status

4. Restart FRR using the following command:

/usr/local/etc/rc.d/frr restart

To check FRR log file

1. Open a shell session and connect to your appliance as the default admin user, the default
password is admin, or using the credentials of a user with sudo permissions.
2. Get root access using the following command:
sudo -s

3. In the file /var/log/zebra.log you can check the FRR dedicated logs using the following
command:
# tail -f /var/log/zebra.log

Making Sure Anycast DNS Was Properly Configured for IS-IS

To make sure that anycast DNS is successfully configured, on the router itself and on SOLIDserver,
you can use a set of commands that ensure the IP address used during the configuration are
part of the routes.

587
 Configuring DNS Servers

To display the IS-IS routes and neighbors status on Cisco routers

1. Connect to SOLIDserver via a shell session.
2. Run the following command:
router> show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is not set

[...]
192.168.99.0/32 is subnetted, 1 subnets
i L1 192.168.99.8 [115/20] via 192.168.1.50, 00:00:33, FastEthernet0/0
[...]

router> show clns neighbors

System Id Interface SNPA State Holdtime Type Protocol
dns-anycast-1 Fa0/0 000c.29ef.d8bb Up 28 L1 IS-IS

To display the IS-IS neighbors status on SOLIDserver

1. Connect to SOLIDserver via a shell session.
2. Run the following command to connect to the zebra service:
% vtysh
Hello, this is FRR (version 1.1.1).
Copyright 1996-2005 Kunihiro Ishiguro, et al.
dns-anycast-1#

3. Run the following command to display info on IS-IS neighbor:

dns-anycast-1# show isis neighbor
Area ISIS_0:
System Id Interface L State Holdtime SNPA
router em3 1 Up 8
ca01.025d.0000

dns-anycast-1# show isis hostname

Level System ID Dynamic Hostname
1 1720.1600.1001 router
* 1720.1600.2002 dns-anycast-1

Integrating Cisco Umbrella

SOLIDserver embeds a DNSCrypt proxy which allows you to forward all the DNS queries it re-
1
ceives to the Cisco Umbrella Cloud .

DNSCrypt is a protocol that authenticates communications between a DNS client and a DNS
resolver. It prevents DNS spoofing. It uses cryptographic signatures to verify that responses ori-
ginate from Cisco Umbrella and haven't been tampered with.

To successfully configure SOLIDserver for Cisco Umbrella:

1
For more details regarding Cisco Umbrella services, refer to the proprietary website at https://umbrella.cisco.com/.

588
 Configuring DNS Servers

1. Via Cisco Umbrella web interface, create a network device and retrieve its API key and secret
strings.
2. Via SOLIDserver GUI, configure the IP address dedicated to Umbrella as the only forwarder
for your local DNS appliance.
3. Via SOLIDserver CLI, configure and launch the proxy DNSCrypt.

Note that:
• The DNSCrypt protocol uses the port 443, in TCP and UDP, which is usually reserved to HTTPS.
It is possible that some equipments, such as firewalls, IDP or IPS detect a wrongful use of the
port. Make sure these equipments are configured to allow this traffic.
• You cannot integrate Cisco Umbrella on Hybrid servers. For more details on Hybrid servers,
refer to the chapter Hybrid DNS Service.
• Once you integrated Cisco Umbrella, you can complete the CLI configuration and forward the
client IP address. For more details, refer to the section Forwarding the Client IP Address.

To configure the appliance for Cisco Umbrella

Only users of the group admin can perform this operation.
1. Retrieve your Cisco Umbrella parameters
a. Connect to your Cisco Umbrella web interface using your credentials.
b. In the left panel, click on Admin > API Keys. The page refreshes.
c. Tick the box Umbrella Network Devices.
d. Click on CREATE . The page refreshes and displays Your Key and Your Secret strings.
Copy these values and keep them at hand as they disappear after you leave this page,
you need them later on during the configuration.
e. Tick the confirmation box and click on CLOSE .
2. Configure the DNS forwarder from the GUI
a. In the sidebar, go to DNS > Servers. The page All servers opens.
b. At the end of the line of the server or smart architecture you intend to connect to Cisco
Umbrella Cloud, click on . The properties page opens.
c. Open the panel Forwarding using .
d. Click on EDIT . The wizard Forwarding configuration opens.
e. In the field Add a forwarder, type 127.0.1.53 which is the IP address dedicated to the
proxy DNSCrypt.
f. Click on ADD to move it to the list Forwarders.
g. In the field Forward mode, select Only.
h. Click on OK to complete the operation. The report opens and closes. The properties
page refreshes and displayed the new settings.
i. Repeat step c to i for each server or smart architecture on which you plan to deploy
DNSCrypt.
3. Configure and launch the proxy DNSCrypt via CLI
a. Open a shell session and connect to your appliance as the default admin user, the default
password is admin, or using the credentials of a user with sudo permissions.
b. Get root access using the following command:
sudo -s

589
 Configuring DNS Servers

c. Retrieve your DNSCrypt parameters using the script umbrella_setup. You must specify
the API key and API secret you copied earlier and the name of the device of your choice,
as defined in your Network Devices list, as follows:
/usr/local/nessy2/script/umbrella_setup <Your-Cisco-Umbrella-API-Key>
<Your-Cisco-Umbrella-API-Secret> <Your-Network-Devices-Cisco-Umbrella-Device-Name>

The result should look as follows:

server 127.0.1.53 {
edns-opendns yes;
edns-opendns-orgid <your-Cisco-Umbrella-Organization-ID>;
edns-opendns-deviceid "<your-Cisco-Umbrella-Device-ID>";
};

d. Copy the lines returned.

e. Edit the DNS global include file.
1. Open the /data1/etc/namedb/global_include.conf.
2. Copy the lines of the DNSCrypt global parameters your retrieved.
3. Save your changes.
f. Edit the DNS options include file.
1. Open the /data1/etc/namedb/options_include.conf.
2. Add the following line to the file, to specify DNSCrypt options parameters:
listen-on { !127.0.1.0/24; any ; };

3. Save your changes.

g. Edit the system configuration file.
1. Open the file /etc/rc.conf.
2. Edit it to enable the proxy DNSCrypt as follows:
dnscrypt_proxy_enable="YES"

3. Add the following line to the file to specify the IP address dedicated to the proxy
DNSCrypt:
ifconfig_lo0_alias53="inet 127.0.1.53 netmask 255.0.0.0"

4. Save your changes.

h. Restart the network configuration using the following command:
/etc/netstart

i. Start the service dnscrypt-proxy using the following command:

/usr/local/etc/rc.d/dnscrypt-proxy start

j. Restart the service ipmdns using the following command:

/usr/local/etc/rc.d/ipmdns.sh restart

Now, every DNS query trafficking through the appliance is directly forwarded to the
Cisco Umbrella Cloud for resolution using your organization ID and device ID, and
therefore, your Umbrella policies.
k. Repeat all the steps for each appliance you want to configure.

590
 Configuring DNS Servers

Forwarding the Client IP Address

Via CLI, you can configure EfficientIP DNS and BIND recursive servers to forward the IP address
of the client that performed the original query.

If you have cascaded several resolvers, the IP address of a client is overwritten every time it is
forwarded. Therefore, once the query gets to the resolver that actually performs the resolution,
the source IP address it receives is no longer the one of the original client. Forwarding the original
client IP address between resolvers allows to track it, no matter how many resolvers forwarded
the original query.

To enable forwarding of the client IP address, you must configure the statement server with
the following options:
• edns-opendns set to yes.
• edns-opendns-orgid set with the administrative value of your choice, it must be composed of
digits. If you did not integrate Cisco Umbrella you can specify any value, otherwise you must
specify the relevant organization ID.
• edns-opendns-deviceid set with the administrative value of your choice, it must be hexadecimal.
If you did not integrate Cisco Umbrella you can specify any value, otherwise you must specify
the relevant device ID.

If you prefer to forward the client IP address declared in the OpenDNS EDNS option, you must
also set the option:
• edns-opendns-forward to yes. If you integrated Cisco Umbrella on any of your cascaded resolv-
ers, you should enable this option to benefit from Umbrella full reporting capabilities.

Note that:
• You should not set the option edns-opendns-forward on the closest server to the DNS clients.
• You cannot forward the client IP address on Hybrid servers. For more details on Hybrid servers,
refer to the chapter Hybrid DNS Service.
• DNS Guardian servers provide dedicated parameters to identify and monitor clients using their
IP address or EDNS options. For more details, refer to the section Managing Guardian Views
in the chapter Managing Guardian Protection.

To forward the client IP address on an EfficientIP DNS server

Only users of the group admin can perform this operation.
1. Open a shell session and connect to your appliance as the default admin user, the default
password is admin, or using the credentials of a user with sudo permissions.
2. Get root access using the following command:
sudo -s

3. Edit the file /usr/local/nessy2/etc/named/global_include.conf to include or edit the relevant

statement server with client IP address forward options:
a. You must enable the forwarding as follows:
edns-opendns yes;

b. You must specify the organization ID as follows:

edns-opendns-orgid <your-organization-id>;

591
 Configuring DNS Servers

If you did not integrate Cisco Umbrella you can specify any value, it must be composed
of digits.
c. You must specify the device ID as follows:
edns-opendns-device <your-device-id>;

If you did not integrate Cisco Umbrella you can specify any value, it must be hexadecimal.
d. You can forward the client IP address declared in the OpenDNS EDNS option as follows:
edns-opendns-forward yes;

If you did not enable edns-opendns and set the edns-opendns-orgid and edns-opendns-
device with a value, the option is ignored.
The complete configuration may look as follows:
server 53.0.0.10 {
edns-opendns yes;
edns-opendns-orgid 2450948;
edns-opendns-deviceid "ab00b1f191132406";
edns-opendns-forward yes;
};

4. Make sure the whole configuration file is still viable using the command:
/usr/local/nessy2/bin/named-checkconf /etc/namedb/named.conf

If no errors are returned and the configuration file is OK, go to the next step. If not, you must
edit the content of the included file because incorrect configurations are ignored.
5. Once the configuration is OK, restart the DNS daemon to take into account your changes
with the command:
service ipmdns.sh restart

6. Make sure the DNS daemon is running with the command:

service ipmdns.sh status

592
Chapter 41. Managing DNS Views
You can add and manage views to serve one version of a zone to one set of clients and a different
version of a zone to another set of clients. A view can manage DNS zones and RPZ zones.

Views provide a different answer to the same DNS query, depending on the IP source of the
query or the IP where the client packet is received. You can add multiple views of a given zone,
with a different set of records in each of them. You can also have common resource records in
multiple zones.

Note that you can configure views from their properties page. For more details, refer to the chapter
Configuring DNS Views.

Browsing DNS Views

Within the DNS module, the view is the second level of the hierarchy. It allows you to manage
zones, and therefore in extension, resource records. Keep in mind that also this level of the
hierarchy is optional, once you add views, all the zones have to be managed via a view
whether all zones are managed through a unique view or several views.

DNS RECORD
ZONE
SERVER VIEW
RPZ RULE
ZONE

Figure 41.1. The view in the DNS hierarchy

Browsing the DNS Views Database

To display the list of DNS views
1. In the sidebar, go to DNS > Views. The page All views opens.
2. You can filter the list using the column search engines.

To display the DNS views of a specific server

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. Click on the name of the server of your choice.The list of All zones of the server is displayed.
3. In the breadcrumb, click on All views. The list of views of the chosen server opens.

To display a view properties page

1. In the sidebar, go to DNS > Views. The page All views opens.
2. At the end of the line of the view of your choice, click on . The properties page opens.

593
 Managing DNS Views

Customizing the Display on the Page All Views

Any user can change the column layout of the page via the button List template, on the right-
end side of the menu. Only users of the group admin can add or edit list templates. For more
details, refer to the section Managing List Templates.

Understanding the DNS View Statuses

The column Status provides information regarding the views you manage.

Table 41.1. DNS view statuses

Status Description
OK The view is operational.

Delayed create The creation or update is delayed until the view is created on the physical server(s) of the
smart architecture. The creation is automatically done after a maximum of 1 minute.
Delayed delete The deletion is delayed until the view is deleted from the physical server(s) of the smart
architecture. The deletion is automatically done after a maximum of 1 minute.

You can also rely on the column Multi-status to monitor your view configuration with messages
regarding the compatibility with Hybrid. For more details, refer to the section Understanding the
Column Multi-Status.

Adding DNS Views

You can add as many views as you need to manage your zones. Each view must have a unique
name and can be configured with a list match-clients and/or a list match-destinations.

The list match-clients filters access based on the location of the query. It allows to define which
IP address or network is able, or not, to access the zone(s) managed by the view.

Extranet Intranet
network 192.168.0.0 network 10.0.0.0
mycorp.com mycorp.com
accounting-app.intranet

ns1.mycorp.com
filtering on the filtering on the
network network
192.168.0.0 10.0.0.0

Zone access
based on the
client network

Figure 41.2. Defining access to zones using the list match-clients of two views

594
 Managing DNS Views

The list match-destinations filters access based on the interface receiving the query. It allows
to define through which interface it possible, or not, to access the zone(s) managed by the view.

Extranet Intranet
network 192.168.0.0 network 10.0.0.0
mycorp.com mycorp.com
accounting-app.intranet

ns1.mycorp.com
filtering on the filtering on the
interface interface
192.168.0.0 10.0.0.0

Zone access
based on the
interface receiving
the query

Figure 41.3. Defining access to zones using the list match-destinations of two views

Keep in mind that:

• If you add views in a server that already contains zones, all the zones are moved to that
view. If you need several views, you have to add another view and then move the zones in
the view of your choice. For more details regarding zones migration, refer to the section
Copying or Moving DNS Zones. Once you add one or more views, you can no longer manage
zones independently. All zones belong to a view.
• If you add a view to a smart architecture managing server(s), the last page of the wizard returns
a warning message if any server does not support views. You can force the addition to add it
to the server(s) that do support them.

To add a DNS view

1. In the sidebar, go to DNS > Views. The page All views opens.
2. In the menu, click on Add. The wizard DNS server selection opens.
3. In the field DNS server, select the server on which you are adding a view.
4. Click on NEXT . The page Add a DNS view opens.
5. If custom classes are enabled at view level, in the list DNS view class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
6. In the field DNS view name, specify a unique and explicit name. This name cannot contain
special characters, it can only contain letters and numbers.
If you want to add a view and configure it later, click on NEXT until to get to the last page of
the wizard and click on OK to complete the operation. The default configuration settings of
a view are detailed after this procedure.
7. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.

595
 Managing DNS Views

8. Click on NEXT . The page Match clients opens.

9. You can configure the list ACL values:
a. Using the drop-down lists Type and Restriction, you can grant or deny access to as
many networks, IP addresses, ACLs and keys as you need. Select a Type and complete
the configuration as follows:

Table 41.2. Restriction and permission parameters

Type Restriction configuration
Network address A way to allow or deny access to an entire network. Specify the IPv4 or IPv6 ad-
dress of a network following the format <ip-address>/<prefix>.
IP address A way to allow or deny access to specific IP address. Specify the IPv4 or IPv6
address of an appliance, user, host...
ACL A way to allow or deny access to an ACL defined at server level. Select admin,
any, none, localhost, localnets or any server custom ACL. For more details, refer
to the section Configuring Access Control Lists for a Server.
Note that the ACL admin is used by SOLIDserver to configure and exchange data
with DNS servers.
TSIG key A way to allow or deny access to a DNS key defined at server level. Select any
TSIG key available in the panel Keys. For more details, refer to the section Con-
figuring DNS Keys.

b. Once a restriction/permission is configured as needed, click on ADD .The value is moved

to the list ACL values. In the list, denied hosts are preceded by an exclamation mark
(!).
Repeat these actions for as many restrictions and permissions as needed.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the
field(s) and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
Make sure the order of the values in the list ACL values suits your needs: the order of
the elements listed is important as each restriction or permission is reviewed following
the order you set in the list. To order the entries, select them one by one and click on
the arrows to move them up or down .
10. Click on NEXT . The page Match destinations opens.
11. You can configure the list ACL values as detailed in step 9.
12. Click on NEXT . The page DNS views order opens.
13. In the field DNS views order, the view you are adding is listed. It is always listed at the
bottom of the list.
Once you added more than one view, you can order the list using and . Within a server,
each view match clients and match destinations is reviewed following the order set in this
field. For more details, refer to the section Editing the Order of the Views.
14. Click on OK to complete the operation. The report opens and closes. The page refreshes,
the configuration is visible in the columns Match clients and Match destinations.

Note that:
• By default, if you do not configure any list for a view:
• The match clients is configured with a key named key <viewname>.
• The match destinations is configured with a key key <viewname> and the ACL any. If you
do not edit or delete this ACL, it grants access to anyone.

596
 Managing DNS Views

• Adding a view automatically edits the match clients and match destinations of the existing
view(s), with a key ! key <newviewname>. This ensures that the views deny access to each
other and manage separate zones and RRs.
• Every time you add a new view, the Status of all the views changes from OK to Delayed
create while their match clients is being updated. Once it is done, they all change back to OK.

Editing DNS Views

Once a view is added, you can edit it. Before editing a view, keep in mind that:
• You cannot edit the name of a view.
• The list match-clients allows to grant or restrict access to the zones managed by the view
based on the source IP address of the incoming DNS requests.
1
• The list match-destinations allows to set the destination address of the incoming DNS requests
based on the interface used for the request. If you did not set several interfaces, it is useless
to configure the match-destination.
• The lists match-clients and match-destinations are access control lists in essence. Therefore,
the order of the elements listed in both lists is important as each restriction or permission is
reviewed following the order you set in the list.

To edit a DNS view

1. In the sidebar, go to DNS > Views. The page All views opens.
2. Put your mouse over the Name of the view you want to edit. The contextual menu appears.
3. Click on . The wizard Edit a DNS view opens.
4. If custom classes are enabled at view level, in the list DNS view class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. You cannot edit the field DNS view name, the view name is displayed in gray.
6. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
7. Click on NEXT . The page Match clients opens.
8. To add permissions and restrictions to the ACL, configure the Type and Restriction as de-
tailed in the procedure, fill in the fields as detailed in the procedure Configure the list ACL
values.
9. To edit the permissions and restrictions of the ACL values:.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the field(s)
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
To order the entries, select them one by one and click on the arrows to move them up or
down .
10. Click on NEXT . The page Match destinations opens.

1
The destination IP address is actually a DNS server interface.

597
 Managing DNS Views

11. Edit the list ACL Values as detailed in step 7.

12. Click on NEXT . The page DNS views order opens.
13. In the field DNS views order, reorder the views according to your needs using and .
For more details, refer to the section Editing the Order of the Views below.
14. Click on OK to complete the operation. The report opens and closes. The page refreshes,
the changes are visible in the columns Match clients and Match destinations.

Editing the Order of the Views

Once you manage several views on a server, you can order them. The Order set is displayed in
the column Order. If you only have one view on a server, its value is 0.

Ordering views on a server allows to specify in which order the match client and match destination
configurations of each view (ACL, networks, etc.) are reviewed. This, in turn, impacts the DNS
client queries responses. The order of the views you set is followed strictly: once a match is
found, the rest of the restrictions and permissions are ignored. The first view reviewed is 0, the
second on is 1, and so forth. This order is saved in the DNS server configuration.

To edit the order of the views

1. In the sidebar, go to DNS > Views. The page All views opens.
2. Click on the name of the smart server of your choice. Only the views of the selected server
are displayed.
3. Right-click over the Name of the view of your choice. The contextual menu opens.
4. Click on . The wizard Add a DNS view opens.
5. The field DNS view name is gray to indicate that it cannot be edited.
6. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
7. Click on NEXT . The page Match clients opens.
8. Click on NEXT . The page Match destinations opens.
9. Click on NEXT . The page DNS views order opens.
10. In the field DNS views order, reorder the views according to your needs using and .
11. Click on OK to complete the operation. The report opens and closes. The page refreshes.
The new order set is visible in the column Order.

Exporting DNS Views

From the page All views, you can export the data listed in a CSV, HTML, XML, XLS or PDF file.

Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.

598
 Managing DNS Views

Deleting DNS Views

At any moment you can delete a view. Before deleting a view, keep in mind that:
• The views must be deleted one by one.
• Deleting one view deletes the zone(s) it manages, as well as all the records the zone(s) manage
on the physical server. So if you want to delete a view but not the zones it contains, migrate
the zones to a different view before deleting it. For more details regarding zones migration,
refer to the section Copying or Moving DNS Zones.
• Deleting a view, removes it from the DNS views order list: the list is updated. This order is also
updated in the DNS configuration.
• If you only have one view, deleting it does not delete the zone(s) it manages but only the con-
tainer itself: the view is therefore no longer listed on the server All views page.
• If zones inherited class parameters from the deleted view, their value and the source of their
value remain the same: the Inheritance property of each class parameter is forced to Inherit
or Set to match the configuration of the deleted view.

If you want get rid of all the views and manage zones via the DNS server itself, refer to the section
Going Back to Managing Zones Without Views.

To delete a view
1. In the sidebar, go to DNS > Views. The page All views opens.
2. Tick the view of your choice.
3. In the menu, click on Delete. The wizard Delete opens.
4. Click on OK to complete the operation. The report opens and closes. The view is in Delayed
delete until it is no longer listed. If the server has several views, the zones and records
managed by the view you delete are deleted as well.

Defining a DNS View as a Group Resource

In SOLIDserver, only users of the group admin can manage and edit the items of every module.
Adding a view as one of the resources of a specific group allows the users of that group to
manage the view in question as long as they have the corresponding rights granted.

Granting access to a view as a resource also makes every item it contains available. For more
details, refer to the section Adding Resources to a Group in the chapter Managing Groups.

Going Back to Managing Zones Without Views

You can stop managing your zones with views. Considering that the way you delete views has
an impact on the database and different behaviors you need to be careful. First, keep in mind
that no matter how many views you manage, the last view listed on the page All views of a spe-
cific server can be deleted on its own: it does not delete the zones it manages.

With that in mind, we recommend that you follow the steps below to successfully get rid of the
views when you no longer need them.

To successfully remove all views

1. Choose the view that should be deleted last.
2. Migrate all the zones you want to keep in that view. For more details regarding zones migra-
tion, refer to the section Copying or Moving DNS Zones.

599
 Managing DNS Views

3. One by one, tick and delete the unwanted views. For more details, refer to the procedure
To delete a view.
4. Once the only remaining view is the one that holds all the zones you want to work with, tick
it and delete it. The zones and RRs it contains are kept and still listed in the pages All zones
and All RRs of the server. Now you can manage them through the server directly.

600
Chapter 42. Configuring DNS Views
Like EfficientIP DNS servers, the views can be configured individually from their properties page
to set a series of behaviors for the zones they contain.

Any configuration set at view level overwrites what was set at server level, on physical servers
or smart architectures.

Configuring DNS Forwarding at View Level

You can set a forwarding configuration on a view from its properties page. Note that:
• On a view belonging to a server not managed via a smart architecture, the specific forwarding
configuration only applies to the view on said server.
• On a view belonging to a server managed via a smart architecture, the specific forwarding
configuration applies to the view on all the servers managed by the smart.
• The forwarding configuration set on a smart architecture view is automatically inherited by the
zones it manages. You can override the configuration directly on the physical server view.
• Any configuration set at view level overrides the server level configuration. All the zones
managed by the view inherit the new settings.
• Any configuration set at zone level overrides the view level configuration. For more details,
refer to the section Configuring DNS Forwarding at Zone Level.

To configure forwarding at view level

1. In the sidebar, go to DNS > Views. The page All views opens.
2. At the end of the line of the view of your choice, click on . The properties page opens.
3. Open the panel Forwarding using .
4. Click on EDIT . The wizard Forwarding Configuration opens.
5. In the drop down-list Forward mode, select None, Default, First or Only. By default, Default
is selected.

Table 42.1. Forward mode options at view level

Option Description
Default The view uses the forward configuration set at server level.
None The forwarding is disabled.
First The server sends the queries to the forwarder(s) configured for the view and, if it does not
receive any answer, attempts to find an answer itself.
Only The server only forwards queries to the forwarder(s) configured for the view.

6. Specify the forwarder(s):

a. In the field Add a forwarder, specify the address of a forwarder or its name and click
on SEARCH to retrieve its IP address.
b. Click on ADD to move it to the list Forwarders.
Repeat these actions for as many forwarders as needed.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the
field(s) and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .

601
 Configuring DNS Views

7. Click on OK to complete the operation. The report opens and closes. The properties page
refreshes and displayed the new settings. In the panel Forwarding, your configuration is
displayed.

You can set a specific forwarding configuration for a view belonging to a physical server
managed via a smart architecture. This new configuration is inherited by the zones and records
of the view. Keep in mind that:
• When a forward mode is set on a smart architecture view, you cannot set the forward mode
to None on a view belonging to a physical server managed via a smart architecture. You can
only set a different forward mode.
• Any configuration set at zone level overrides the view level configuration.

To configure a specific forward mode on a physical server view

1. In the sidebar, go to DNS > Views. The page All views opens.
2. Make sure the servers managed by your smart architectures are displayed. If not, on the
right-end side of the menu, click on .
3. At the end of the line of the view of the physical server of your choice, click on . The
properties page opens.
4. Open the panel Forwarding using .
5. Click on EDIT . The wizard Forwarding configuration opens.
6. Tick the box Overwrite the smart settings. The page refreshes and displays additional
fields.
7. In the drop down-list Forward mode, you can select First or Only. For more details, refer to
the table Forward mode options.
8. Specify the forwarder(s):
a. In the field Add a forwarder, specify the address of a forwarder or its name and click
on SEARCH to retrieve its IP address.
b. Click on ADD to move it to the list Forwarders.
Repeat these actions for as many forwarders as needed.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the
field(s) and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .

9. Click on OK to complete the operation. The report opens and closes. The properties page
refreshes and displayed the new settings. In the panel Forwarding, the Forward value is
preceded by the message Smart configuration is overwritten.

To revert the specific configuration and inherit it again, edit the Forwarding to untick the box
Overwrite the smart settings.

Configuring DNS Notify Messages at View Level

Configuring the Notify at view level allows to set the changes notification for all the master zones
or RPZ zones it contains. Once the notification is sent to slave zones, the administrator decides
if a zone transfer is relevant. For more details, refer to the section Limiting Zone Transfer at View
Level.

602
 Configuring DNS Views

From the properties pages of a view, you can set the notification configuration in the panel Notify.
It contains:
• The current configuration of the view, the field Notify is either set to Yes, Explicit or No. It can
be inherited from the server.
• The statement Also-notify, which slave zones receive the notify messages through their
managing view. It can be inherited from the server.
• The statement Allow-notify of the view slave zones. It can be inherited from the server.
Note that this statement is implicitly set when you add a slave zone, when you set the Master
IP address of the slave zone you are allowing the master zones of this server to send notify
messages to your slave zone.

Keep in mind that any configuration set at view level overrides the server level configuration
and any configuration set at zone level overrides the view level configuration.

To configure notify messages at view level

1. In the sidebar, go to DNS > Views. The page All views opens.
2. At the end of the line of the view of your choice, click on . The properties page opens.
3. Open the panel Notify using and click on EDIT . The wizard opens.
4. Click on NEXT . The page Notifying configuration opens.
5. In the drop-down list Notify, select No, Yes or Explicit. By default, Yes is selected..

Table 42.2. Notify configuration at view level

Field Description
No No notify message is sent when changes are performed in the master zones.
Yes The notify messages are sent to the target of the NS records of the master zone and to the
server(s) of the Also-notify list.
Explicit The notify messages are only sent to the server(s) of the Also-notify list.

6. If you selected Yes or Explicit, you can set the IP address and port of the server(s) which
slave zones should receive the messages:
a. In the field IP address, specify the IP address of another server.
b. In the field Port, you can specify which port number, on the specified server, should
receive the notify messages.
c. Click on ADD . The IP address and port number are moved to the Also-notify list as
follows: <ip-address> port: <port-number>.
Repeat these actions for as many servers as needed.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the
field(s) and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .

7. Click on NEXT . The page Allow-notify opens. It allows to specify if the view slave zones can
receive master zones notification messages.
Using the drop-down lists Type and Restriction, you can grant or deny access to as many
networks, IP addresses, ACLs and keys as you need. Select a Type and complete the con-
figuration as follows:

603
 Configuring DNS Views

Table 42.3. Restriction and permission parameters

Type Restriction configuration
Network address A way to allow or deny access to an entire network. Specify the IPv4 or IPv6 address
of a network following the format <ip-address>/<prefix>.
IP address A way to allow or deny access to specific IP address. Specify the IPv4 or IPv6 address
of an appliance, user, host...
ACL A way to allow or deny access to an ACL defined at server level. Select admin, any,
none, localhost, localnets or any server custom ACL. For more details, refer to the
section Configuring Access Control Lists for a Server.
Note that the ACL admin is used by SOLIDserver to configure and exchange data
with DNS servers.
TSIG key A way to allow or deny access to a DNS key defined at server level. Select any TSIG
key available in the panel Keys. For more details, refer to the section Configuring DNS
Keys.

Once a restriction or permission is configured as needed, click on ADD . The entry is moved
to the list ACL values. All denied entries are preceded by an exclamation mark (!). Keep in
mind that the entries order matters, each restriction or permission listed is reviewed following
the order you set. To order the entries, select them one by one and click on the arrows to
move them up or down .
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the field(s)
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
8. Click on OK to complete the operation. The report opens and closes. Your configurations
are displayed in the panel Notify.

Configuring DNS Recursion at View Level

The recursion settings at server level are inherited by the views. However, you can change these
settings at view level to customize the recursion configuration on the network: the changes oper-
ated on view are inherited by the zones managed through the view.

Enabling and Disabling the Recursion on a View

The recursion statement essentially controls caching behavior in the view and the zones it man-
ages.

From the view properties page, you can edit its recursive behavior through the panel Recursion.
By default, its content is inherited from the server.

Keep in mind that any configuration set at view level overrides the server level configuration.

To enable the DNS recursion on a view

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. In the breadcrumb, click on All views. The page All views of the physical server opens.
3. At the end of the line of the view of your choice, click on . The properties page opens.
4. Open the panel Recursion using . If the Recursion is set to no, click on EDIT . The wizard
Recursion configuration opens.
5. In the drop-down list Recursion, select yes.

604
 Configuring DNS Views

6. Click on NEXT . The page Allow recursion opens. For more details regarding the recursion
configuration, refer to the section Limiting the Recursion at View Level below.
7. Click on OK to complete the operation. In the panel the recursion is enabled.

To disable the DNS recursion on a view

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. In the breadcrumb, click on All views. The page All views of the physical server opens.
3. At the end of the line of the view of your choice, click on . The properties page opens.
4. Open the panel Recursion using . If the Recursion is set to yes, click on EDIT . The wizard
Recursion configuration opens.
5. In the drop-down list Recursion, select no.
6. Click on OK to complete the operation. In the panel the recursion is disabled.

Limiting the Recursion at View Level

By default, the view inherits the server recursion settings (permissions and restrictions).

Once the recursion is restricted at view level, it overrides the server recursion configuration
and applies to the zones it contains.

To set an allow-recursion match list at view level

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. In the breadcrumb, click on All views. The page All views of the physical server opens.
3. At the end of the line of the view of your choice, click on . The properties page opens.
4. Open the panel Recursion using .
5. Click on EDIT . The wizard Recursion configuration opens.
6. Using the drop-down lists Type and Restriction, you can grant or deny access to as many
networks, IP addresses, ACLs and keys as you need. Select a Type and complete the con-
figuration as follows:

Table 42.4. Restriction and permission parameters

Type Restriction configuration
Network address A way to allow or deny access to an entire network. Specify the IPv4 or IPv6 address
of a network following the format <ip-address>/<prefix>.
IP address A way to allow or deny access to specific IP address. Specify the IPv4 or IPv6 address
of an appliance, user, host...
ACL A way to allow or deny access to an ACL defined at server level. Select admin, any,
none, localhost, localnets or any server custom ACL. For more details, refer to the
section Configuring Access Control Lists for a Server.
Note that the ACL admin is used by SOLIDserver to configure and exchange data
with DNS servers.
TSIG key A way to allow or deny access to a DNS key defined at server level. Select any TSIG
key available in the panel Keys. For more details, refer to the section Configuring DNS
Keys.

Once a restriction or permission is configured as needed, click on ADD . The entry is moved
to the list ACL values. All denied entries are preceded by an exclamation mark (!). Keep in
mind that the entries order matters, each restriction or permission listed is reviewed following
the order you set. To order the entries, select them one by one and click on the arrows to
move them up or down .

605
 Configuring DNS Views

• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the field(s)
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
7. Click on OK to complete the operation. The report opens and closes.

Restricting DNS Queries at View Level

The DNS queries can be restricted through the allow-query and allow-query-cache options. They
both set an ACL list for IP addresses and/or network addresses, so keep in mind that the order
of the elements listed in the field ACL values is important as each restriction or permission
is reviewed following the order you set in the list.

Allow Query
You can specify which hosts are allowed to issue DNS queries.

The allow-query configuration set at view level overrides the allow-query defined at server level.
Once the statement is set for a view, it applies to all the zones it contains.

Keep in mind that any configuration set at view level overrides the server level configuration
and any configuration set at zone level overrides the view level configuration.

To set an allow-query match list at view level

1. In the sidebar, go to DNS > Views. The page All views opens.
2. At the end of the line of the view of your choice, click on . The properties page opens.
3. Open the panel Access control using . This panel gathers the view Allow-query, Allow-
query-cache and Allow-transfer configuration.
4. Click on EDIT . The wizard Allow-query opens.
5. Set up the allow-query match list.
Using the drop-down lists Type and Restriction, you can grant or deny access to as many
networks, IP addresses, ACLs and keys as you need. Select a Type and complete the con-
figuration as follows:

Table 42.5. Restriction and permission parameters

Type Restriction configuration
Network address A way to allow or deny access to an entire network. Specify the IPv4 or IPv6 address
of a network following the format <ip-address>/<prefix>.
IP address A way to allow or deny access to specific IP address. Specify the IPv4 or IPv6 address
of an appliance, user, host...
ACL A way to allow or deny access to an ACL defined at server level. Select admin, any,
none, localhost, localnets or any server custom ACL. For more details, refer to the
section Configuring Access Control Lists for a Server.
Note that the ACL admin is used by SOLIDserver to configure and exchange data
with DNS servers.
TSIG key A way to allow or deny access to a DNS key defined at server level. Select any TSIG
key available in the panel Keys. For more details, refer to the section Configuring DNS
Keys.

Once a restriction or permission is configured as needed, click on ADD . The entry is moved
to the list ACL values. All denied entries are preceded by an exclamation mark (!). Keep in

606
 Configuring DNS Views

mind that the entries order matters, each restriction or permission listed is reviewed following
the order you set. To order the entries, select them one by one and click on the arrows to
move them up or down .
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the field(s)
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
6. Click on NEXT twice to skip the page Allow-query-cache and open the page Allow-transfer.
7. Click on OK to complete the operation. The report opens and closes. Your configuration is
listed in the list Allow-query of the panel Access control.

Allow Query Cache

You can specify which hosts are allowed to issue DNS queries on the local view cache.

The allow-query-cache configuration set at view level overrides the allow query cache
defined at the server level. Once the statement is set for a view, it applies to all the zones it
contains.
Allow-query-cache statement particularities
The allow-query-cache is independent from the allow-query statement but closely linked to
the allow-recursion statement.
If the recursion is set to no, the cache cannot be queried, so it is useless to set an allow-
query-cache match list.
If the recursion is set to yes and the allow-recursion statement is not defined, by default the
localhost and localnets are permitted to query the server cache.
If the recursion is set to yes and the allow-recursion statement is defined with a specific match
list, the local cache access is granted to all the entries of the allow-recursion match list.

The match list defined controls recursive behavior as recursive queries would be useless without
access to the local view cache. Typically, if a host is in the allow-recursion match list, it could
access the view the first time and get query result. However, if it is not part of the allow-query-
cache match list then it would not be able to make the same query a second time as it would be
saved on the cache to which it does not have access. On the contrary, if a host is in the allow-
query-cache match list but not in the allow-recursion match list, it would only get results for
queries already sent by another host with the proper access rights. Hence the need to configure
carefully both these statements to avoid conflicts and absurd access configurations.

To set an allow query cache match list at view level

1. In the sidebar, go to DNS > Views. The page All views opens.
2. At the end of the line of the view of your choice, click on . The properties page opens.
3. Open the panel Access control using . This panel gathers the view Allow-query, Allow-
query-cache and Allow-transfer configuration.
4. Click on EDIT . The wizard Allow-query opens.
5. Click on NEXT . The page Allow query cache opens.
6. Set up the allow-query-cache match list.
Using the drop-down lists Type and Restriction, you can grant or deny access to as many
networks, IP addresses, ACLs and keys as you need. Select a Type and complete the con-
figuration as follows:

607
 Configuring DNS Views

Table 42.6. Restriction and permission parameters

Type Restriction configuration
Network address A way to allow or deny access to an entire network. Specify the IPv4 or IPv6 address
of a network following the format <ip-address>/<prefix>.
IP address A way to allow or deny access to specific IP address. Specify the IPv4 or IPv6 address
of an appliance, user, host...
ACL A way to allow or deny access to an ACL defined at server level. Select admin, any,
none, localhost, localnets or any server custom ACL. For more details, refer to the
section Configuring Access Control Lists for a Server.
Note that the ACL admin is used by SOLIDserver to configure and exchange data
with DNS servers.
TSIG key A way to allow or deny access to a DNS key defined at server level. Select any TSIG
key available in the panel Keys. For more details, refer to the section Configuring DNS
Keys.

Once a restriction or permission is configured as needed, click on ADD . The entry is moved
to the list ACL values. All denied entries are preceded by an exclamation mark (!). Keep in
mind that the entries order matters, each restriction or permission listed is reviewed following
the order you set. To order the entries, select them one by one and click on the arrows to
move them up or down .
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the field(s)
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
7. Click on NEXT . The page Allow-transfer opens.
8. Click on OK to complete the operation. The report opens and closes. Your configuration is
listed in the list Allow-query-cache of the panel Access control.

Limiting Zone Transfer at View Level

DNS zone transfer allows to replicate and synchronize copies of a zone on all the relevant servers.
SOLIDserver denies zone transfers by default to all DNS servers.

At view level, you can edit the statement allow-transfer to specify which hosts, networks, or TSIG
keys are granted or denied the right to do transfers for all the zones it maintains.

Configuring the statement adds an ACL dedicated to controlling transfers. Keep in mind that the
order of the elements listed in the field ACL values is important as each restriction or per-
mission is reviewed following the order you set in the list.

Keep in mind that:

• If you secured a server with a TSIG key, the statement allow-transfer of the server must grant
access to the same key. This configuration is inherited by the view. For more details, refer to
the section Securing the Management of DNS Servers Using a TSIG Key in the chapter Man-
aging DNS Servers.
• The configuration of the statement allow-transfer at view level overrides the allow-query defined
at server level. Once the statement is configured at view level, it applies to all the zones it
contains.
• Any configuration set at view level overrides the server level configuration and any
configuration set at zone level overrides the view level configuration.

608
 Configuring DNS Views

To set an allow-transfer match list at view level

1. In the sidebar, go to DNS > Views. The page All views opens.
2. At the end of the line of the view of your choice, click on . The properties page opens.
3. Open the panel Access control using . This panel gathers the view Allow-query, Allow-
query-cache and Allow-transfer configuration.
4. Click on EDIT . The wizard Allow-query opens.
5. Click on NEXT . The page Allow query cache opens.
6. Click on NEXT . The page Allow-transfer opens.
7. Set up the allow-transfer match list.
Using the drop-down lists Type and Restriction, you can grant or deny access to as many
networks, IP addresses, ACLs and keys as you need. Select a Type and complete the con-
figuration as follows:

Table 42.7. Restriction and permission parameters

Type Restriction configuration
Network address A way to allow or deny access to an entire network. Specify the IPv4 or IPv6 address
of a network following the format <ip-address>/<prefix>.
IP address A way to allow or deny access to specific IP address. Specify the IPv4 or IPv6 address
of an appliance, user, host...
ACL A way to allow or deny access to an ACL defined at server level. Select admin, any,
none, localhost, localnets or any server custom ACL. For more details, refer to the
section Configuring Access Control Lists for a Server.
Note that the ACL admin is used by SOLIDserver to configure and exchange data
with DNS servers.
TSIG key A way to allow or deny access to a DNS key defined at server level. Select any TSIG
key available in the panel Keys. For more details, refer to the section Configuring DNS
Keys.

Once a restriction or permission is configured as needed, click on ADD . The entry is moved
to the list ACL values. All denied entries are preceded by an exclamation mark (!). Keep in
mind that the entries order matters, each restriction or permission listed is reviewed following
the order you set. To order the entries, select them one by one and click on the arrows to
move them up or down .
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the field(s)
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
8. Click on OK to complete the operation. The report opens and closes. Your configuration is
listed in the list Allow-transfer of the panel Access control.

Configuring Client Resolver Cache Options at View Level

From the properties page of a view belonging to a smart architecture managing EfficientIP DNS
servers using the SSL protocol, you can edit the lame-ttl and max-cache-client options.

These options set at view level override the server level configuration. Once they are con-
figured at view level, they apply to all the zones it contains.

For more details regarding these two options, refer to the section Configuring Client Resolver
Cache Options at Server Level.

609
 Configuring DNS Views

To set the lame-ttl option at view level

1. In the sidebar, go to DNS > Views. The page All views opens.
2. At the end of the line of the view of your choice, click on . The properties page opens.
3. Open the panel Options using and click on EDIT . The wizard Options configuration
opens.
4. In the field Lame-ttl, specify the value of your choice. This value is in seconds can be set
between 30 and 1800. The default value is 600, the maximum value is 1800 seconds.
5. Click on OK to complete the operation. The report opens and closes.

To set the max-cache-size option at view level

1. In the sidebar, go to DNS > Views. The page All views opens.
2. At the end of the line of the view of your choice, click on . The properties page opens.
3. Open the panel Options using and click on EDIT . The wizard Options configuration
opens.
4. In the field Max-cache-size, specify the value of your choice to set the cache memory size.
This value is in bytes. The default value is 100m.
5. Click on OK to complete the operation. The report opens and closes.

Configuring EDNS Options at View Level

From the properties page of a view belonging to a smart architecture managing EfficientIP DNS
servers using the SSL protocol, you can edit the edns-udp-size and max-udp-size options.

These options set at view level override the server level configuration. Once they are con-
figured at view level, they apply to all the zones it contains.

For more details regarding these options, refer to the section Configuring EDNS Options at
Server Level.

To set the edns-udp-size option at view level

1. In the sidebar, go to DNS > Views. The page All views opens.
2. At the end of the line of the view of your choice, click on . The properties page opens.
3. Open the panel Options using and click on EDIT . The wizard Options configuration
opens.
4. In the field Edns-udp-size, specify the size of received packets of your choice. This value
is in bytes, and must be set between 512 and 4096. The default value is 4096.
5. Click on OK to complete the operation. The report opens and closes.

To add a DNS key at view level

1. In the sidebar, go to DNS > Views. The page All views opens.
2. At the end of the line of the view of your choice, click on . The properties page opens.
3. Open the panel Options using and click on EDIT . The wizard Options configuration
opens.
4. In the field Max-udp-size, specify the maximum size of the packets you send. This value is
in bytes and must be set between 512 and 4096. The default value is 4096.
5. Click on OK to complete the operation. The report opens and closes.

610
 Configuring DNS Views

Configuring a Sortlist at View Level

From the properties page of a view belonging to a smart architecture managing EfficientIP DNS
servers using the SSL protocol, you can edit the sortlist statement can be edited at view level.
Like any other configuration option, the settings defined at server level are edited by the view.
Editing them at view level overwrites the server level configuration and applies to the zones
managed by the view.

For more details regarding the sortlist statement, refer to the section Configuring a Sortlist at
Server Level.

Keep in mind that any configuration set at view level overrides the server level configuration.

To define a sortlist statement at view level

1. In the sidebar, go to DNS > Views. The page All views opens.
2. At the end of the line of the view of your choice, click on . The properties page opens.
3. Open the panel Options using and click on EDIT . The wizard Options configuration
opens.
4. In the field Client address, specify the client IP address/subnet. It must be composed of an
IPv4 address containing 1 to 4 bytes followed by the prefix: <IP address>/<prefix>.
5. In the field Sort address, specify a list of IP addresses or subnets followed by a semi-colon.
These addresses correspond to the value of an A record of the RRset for which you add the
sortlist. The statement respects the order in which you specified the addresses. The value
must respect the format <IP address>/<prefix>; even if you only specify one sort address.
6. Click on OK to complete the operation. The report opens and closes. The sortlist is displayed
as follows: {<client_address_field_value>; {<first_sort_address>;<second_sort_ad-
dress;<etc>};}; . There is one sortlist per client address defined.

Configuring DNS Sources at View Level

The Sources configuration is only available for views managed through an EfficientIP DNS
physical server using the SSL protocol.

Configuring DNS sources allows to set physical interfaces at view level to be systematically used
for all notify operations and zone transfer. DNS sources configuration can be inherited from the
server. If set at view level, it is inherited by the zones. The inheritance details are visible on both
the views and zones properties page.

Keep in mind that any configuration set at view level overrides the server level configuration
and any configuration set at zone level overrides the view level configuration.

From the Sources and Sources V6 panels, through their IP address, you can configure physical
interfaces to be used for the view transfer and notify options. When editing these panels, you
can define the following statements:
query-source
This statement allows to define the IPv4 address and/or port used as the source of the
server or view outgoing queries. By default, BIND uses any server or view interface IP address
and a random port for outgoing queries.
Using a fixed port number allows to control UDP operations but can be extremely dangerous:
it can lead to cache poisoning if used with any caching DNS server definition as any attacker

611
 Configuring DNS Views

would need to guess the transaction ID to get both the specified interface IP address and
port number. This statement is displayed on servers and views properties page.
query-source-v6
This statement allows to define the IPv6 address and/or port used as the source of the
server or view outgoing queries. By default, BIND uses any server or view interface IP address
and a random port for outgoing queries.
Using a fixed port number allows to control UDP operations but can be extremely dangerous:
it can lead to cache poisoning if used with any caching DNS server definition as any attacker
would need to guess the transaction ID to get both the specified interface IP address and
port number. This statement is displayed on servers and views properties page.
transfer-source
This statement allows to determine the IPv4 address of the physical interface used to execute
the zones transfer on the server. You can also specify a port for this statement. It is only
valid for slave zones and its configuration is therefore displayed on the physical server, views
and slave zones properties page.
transfer-source-v6
This statement allows to determine the IPv6 address of the physical interface used to execute
the zones transfer on the server. You can also specify a port for this statement. It is only
valid for slave zones and its configuration is therefore displayed on the physical server, views
and slave zones properties page.
use-alt-transfer-source
This statement allows to set the use of an alternate interface IP address for the transfer if
the transfer-source or the transfer-source-v6 were to fail. This statement configuration is
displayed on the physical server, view and slave zones properties page.
This statement definition is only configurable from the panel Sources but applies to interfaces
whether they were identified through an IPv4 or an IPv6 address.
Its default value is no if the server contains views and yes if the server does not contain any
view.
alt-transfer-source
This statement allows to determine the alternate IPv4 address of the interface used to execute
the zones transfer on the server if the transfer-source fails and if the use-alt-transfer-source
is enabled. You can also specify a port for this statement. Its configuration is displayed on
the physical server, views and slave zones properties page.
alt-transfer-source-v6
This statement allows to determine the alternate IPv4 address of the interface used to execute
the zones transfer on the server if the transfer-source fails and if the use-alt-transfer-source
is enabled. You can also specify a port for this statement. Its configuration is displayed on
the physical server, views and slave zones properties page.
notify-source
This statement allows to define the IPv4 address of the physical interface used for all the
server outgoing notify operations. You can also specify a port for this statement. It is used
by master zones and its configuration is therefore displayed on the physical server, views
and master zones properties page.
notify-source-v6
This statement allows to define the IPv6 address of the physical interface used all the server
outgoing notify operations.You can also specify a port for this statement. It is used by master
zones and its configuration is therefore displayed on the physical server, views and master
zones properties page.

612
 Configuring DNS Views

To set IPv4 DNS sources at view level

1. In the sidebar, go to DNS > Views. The page All views opens.
2. At the end of the line of the view of your choice, click on . The properties page opens.
3. Open the panel Sources using and click on EDIT . The wizard Configuration: Sources
opens.
4. Configure the transfer statements. Make sure to specify the IP address of an interface already
declared on SOLIDserver, otherwise, all the transfer operations would fail.
a. In the field Query-source address, specify the IPv4 address of the interface used for
outgoing queries.
b. In the field Query-source port, you can specify the port number used for outgoing
queries. Keep in mind that specifying a port number can lead to cache poisoning if DNS
server definitions are not set properly.
c. In the field Transfer-source address, specify the IPv4 address to be used for the zones
transfer operations. Specify an interface that you already configured on the appliance.
d. In the field Transfer-source port, you can specify which port on the interface should
be used.
e. In the drop-down list Use-alt-transfer-source, select none, no or yes. By default, none
is selected.

Table 42.8. Use-alt-transfer-source parameters

Parameter Description
none The use-alt-transfer-source statement is not configured.
no Allows to disable the use of an alternate interface if the transfer set via transfer-source
or transfer-source-v6 fails.
yes Allows to enable the use of an alternate interface if the transfer set via transfer-source
or transfer-source-v6 fails. In this case, you need to set the alternate interface IP address
(and port if you want) through the alt-transfer-source and alt-transfer-source-v6 state-
ments in the following steps.

The statement use-alt-transfer-source applies to the alternate interfaces declared through

IPv4 address (Alt-transfer-source address) and IPv6 address (Alt-transfer-source ad-
dress-v6).
f. If you enabled the use of an alternate interface, in the field Alt-transfer-source address,
specify the IPv4 address of the alternate interface. It must also be configured on the
appliance.
g. If you enabled the use of an alternate interface, in the field Alt-transfer-source port,
you can specify which port on the interface should be used.
5. Configure the notify statement. Make sure to specify the IP address of an interface already
declared on SOLIDserver, otherwise all the notify operations would fail.
a. In the field Notify-source address, specify the IPv4 address to be used for outgoing
notify operations. Specify an interface that you already configured on the appliance.
b. In the field Notify-source port, you can specify which port on the interface should be
used.
6. Click on OK to complete the operation. The report opens and closes.

To set IPv6 DNS sources at view level

1. In the sidebar, go to DNS > Views. The page All views opens.
2. At the end of the line of the view of your choice, click on . The properties page opens.

613
 Configuring DNS Views

3. Open the panel Sources using and click on EDIT . The wizard Configuration: Sources
opens.
4. Configure the transfer statements. Make sure to specify the IP address of an interface already
declared on SOLIDserver, otherwise all the transfer operations would fail.
a. In the field Query-source-v6 address, specify the IPv6 address of the interface used
for outgoing queries.
b. In the field Query-source-v6 port, you can specify the port number used for outgoing
queries. Keep in mind that specifying a port number can lead to cache poisoning if DNS
server definitions are not set properly.
c. In the field Transfer-source-v6 address, specify the IPv4 address to be used for the
zones transfer operations. Specify an interface that you already configured on the appli-
ance. If you defined the use-alt-transfer-source statement in the panel Sources, it applies
to the alternate interfaces declared in IPv4 (Alt-transfer-source address) and IPv6 (Alt-
transfer-source address-v6).
d. In the field Transfer-source-v6 port, you can specify which port on the interface should
be used.
e. If you enabled the use-alt-transfer-source in the Sources panel, in the field Alt-transfer-
source-v6 address, specify the IPv6 address of the alternate interface. It must also be
configured on the appliance.
f. If you enabled the use-alt-transfer-source in the Sources panel, in the field Alt-transfer-
source-v6 port, you can specify which port on the interface should be used.
5. Configure the notify statement. Make sure to specify the IP address of an interface already
declared on SOLIDserver, otherwise all the notify operations would fail.
a. In the field Notify-source-v6 address, specify the IPv6 address to be used for the
outgoing notify operations. Specify an interface that you already configured on the ap-
pliance.
b. In the field Notify-source-v6 port, you can specify which port on the interface should
be used.
6. Click on OK to complete the operation. The report opens and closes.

614
Chapter 43. Managing DNS Zones
When deploying a name server, it is important to understand the difference between a zone and
a domain. A zone is a delegated point within a DNS structure, and is made up of adjoining elements
of the domain structure, which are governed by a name server.

SOLIDserver allows you to add and manage 6 types of zones: Master, Slave, Forward, Stub,
Hint and Delegation-Only. Each type of zone provides specific options that you can set when
adding or editing the zones. Note that:
• You can configure zones from their properties page. For more details, refer to the chapter
Configuring DNS Zones.
• If you want to add and manage RPZ zones, refer to the chapter DNS Firewall (RPZ).

Browsing DNS Zones

As far as the DNS hierarchy is concerned, the zone is the third level. It is compulsory to add a
zone to manage resource records.

DNS RECORD
ZONE
SERVER VIEW
RPZ RULE
ZONE

Figure 43.1. The zone in the DNS hierarchy

Browsing the DNS Zones Database

To display the list of zones
1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. To display the list of zones of a specific server, in the column Server, click on the name of
the server of your choice. The page refreshes.

To display a zone properties page

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. At the end of the line of the zone of your choice, click on . The properties page opens.

The properties page displays the configuration details of each zone in a set of panels. For more
details regarding how to edit the panel Name servers, Forwarding, Notify, Sources or Sources
V6 of a zone, refer to the chapter Configuring DNS Zones.

Customizing the Display on the Page All Zones

Any user can change the column layout of the page via the button List template, on the right-
end side of the menu. Only users of the group admin can add or edit list templates. For more
details, refer to the section Managing List Templates.

615
 Managing DNS Zones

Understanding the DNS Zone Statuses

The column Status provides information regarding the zones you manage.

Table 43.1. DNS zone statuses

Status Description
OK The zone is operational.

Busy The zone is synchronizing.

Delayed create The creation or update is delayed until the zone is created on the physical server(s)
of the smart architecture. The creation is automatically done after a maximum of 1
minute.
Delayed delete The deletion is delayed until the zone is deleted from the physical server(s) of the
smart architecture. The deletion is automatically done after a maximum of 1 minute.
Timeout The zone is not available.

Unknown The zone is not synchronized yet.

Not authoritative The zone configuration is incorrect, in the SOA another server was set as authoritative.

Refused The DNS server refuses the transfer between the current zone and the management
platform, check the parameter allow-transfer on the zone or server properties page.
No RR Only for forward zones. There is no RR to transfer for the zone.

Unmanaged The zone is disabled, it is not available.

N/A Only for Amazon Route 53 servers. The zone is not a Master or does not have a
TLD.

Moreover, the column Multi-status provides you with emergency, warning, critical, error or in-
formational messages regarding the compatibility with Hybrid. For more details, refer to the section
Understanding the Column Multi-Status.

Adding DNS Zones

From the page All zones, you can add as many zones as you want. Each type zone has a dedic-
ated section:
• Adding a Master Zone.
• Adding a Slave Zone.
• Adding a Forward Zone.
• Adding a Stub Zone.
• Adding a Hint Zone.
• Adding a Delegation-Only Zone.

Note that:
• If you add a zone to a smart architecture managing server(s), the last page of the wizard returns
a warning message if any server does not support its type. You can force the addition to add
it to the server(s) that do support them.
• Amazon Route 53 and Azure zones have some prerequisites, specificities and limitations. For
details, refer to the sections Managing Amazon Route 53 Zones and Managing Azure Zones
of the chapter Managing DNS Servers.
• SOLIDserver can be used for Hosting Active Directory Domain Zones.
• You can also import zones, for more details refer to the section Importing Zones in the chapter
Importing Data from a CSV File.

616
 Managing DNS Zones

If you want to add RPZ zones, refer to the chapter DNS Firewall (RPZ).

Adding a Master Zone

A master zone stocks the original zone important records for a certain name space and answers
the other name servers queries regarding this space name.

The most common use of Master zones is to configure them with a slave zone of the same name
that stores all its records, in a Master/Slave configuration where the master server contains the
master zones and the slave server contains the slave zones. However, if you want to make the
DNS available at all times, you can use a multiple master configuration. In which case, all DNS
servers are master servers for each zone. This disposition requires to propagate any change,
made to a zone file or the DNS configuration, to every DNS server configured as master.
Therefore, we recommend that you manage your master servers through a DNS Multi-Master
smart architecture. For more details regarding its configuration, refer to the section Adding a
Multi-Master Smart Architecture.

If you want to add an RPZ master name zone, refer to the chapter DNS Firewall (RPZ).

To add a master zone

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. In the menu, click on Add. The wizard Add a DNS zone opens.
3. In the field DNS server, select the server of your choice.
4. Click on NEXT . The next page opens.
5. If the server selected contains several views, the view selection page opens:
a. In the drop-down list View, select a view.
b. Click on NEXT . The next page opens.
If your server contains only one view, the page is not displayed. Your view is selected auto-
matically and specified in the zone details on the next page of the wizard.
If your server does not contain any view, the page is not displayed.
6. If custom classes are enabled at zone level, in the list DNS zone class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
7. In the list DNS zone type, select Master.
8. In the list DNS zone resolution: select Name or Reverse and click on NEXT . The next page
opens.
9. Configure the zone's basic parameters.
a. For a Name zone:

Table 43.2. DNS name zone basic parameters

Field Description
Name The zone name, it should strictly respect the syntax of RFC1034. This field is re-
quired.
If you are adding an Amazon Route 53 zone, you must include the zone TLD.
Note that Amazon Route 53 Public and Private servers and Microsoft Azure Private
servers can automatically configure the zone with specific configurations. For
more details, refer to the chapter Managing DNS Servers.

617
 Managing DNS Zones

Field Description
Space The name of an IPAM space to associate with the zone or None. This field is op-
tional.
If DNS to IPAM advanced properties are configured, the selected space is updated
by the zone records. For more details, refer to the section Configuring DNS Ad-
vanced Properties.

b. For a Reverse zone:

Table 43.3. DNS reverse zone basic parameters

Field Description
Name The name of the reverse domain, it auto-completes with the address you specify
in the next field. The suffix displayed changes according to the Reverse type se-
lected. This field is required.
IP address / The IP address of the zone. It completes the reverse domain name, it should be
IPv6 address composed of a maximum of three bytes (xxx.xxx.xxx). This field is required.
Reverse type A resolution methods, your selection automatically changes the extension displayed
in the field Name. This field is required.
IPv4 in-addr.arpa Allows to configure IPv4 reverse-mapping.
E164 arpa Allows to configure reverse-mapping of telephone numbers
for the zone.
IPv6 int Allows to configure IPv6 reverse-mapping. Note that this ex-
tension is deprecated, as detailed in RFC 4159, so unless
your IPv6 configuration is older than 2001 we recommend
that you use the IPv6 arpa extension.
Ipv6 arpa Allows to configure IPv6 reverse-mapping.
View The view that manages the zone. The list is empty if the server does no have any
view.
Space The name of an IPAM space to associate with the zone or None. This field is op-
tional.
If DNS to IPAM advanced properties are configured, the selected space is updated
by the zone records. For more details, refer to the section Configuring DNS Ad-
vanced Properties.

10. If you are managing an Active Directory integrated Microsoft DNS server, you can configure
the Expert Mode and/or AD integrated parameters.

Table 43.4. DNS zone expert mode parameters

Field Description
Expert Mode Tick this box to complete the AD configuration of a Microsoft DNS server managed
via a smart architecture. The box AD integrated appears. This field is optional.
The box is not displayed if your Microsoft DNS server is managed outside a smart
architecture.
AD integrated If your server is AD integrated, you can tick this box to set the replication preferences.
The drop-down list AD replication appears. This field is optional.
AD replication The zone content and parameters replication, either All DC in the AD Domain (default),
All DNS servers in the AD domain or All DNS servers in the AD forest. By default, All
DC in the AD Domain (default) is selected.
All DC in the AD domain allows to replicate the zone parameters and content to all
the Domain Controllers of the AD domain. This option is not available for Stub zones.
All DNS servers in the AD domain allows to replicate the zone parameters and
content to all the DNS servers of the AD domain.

618
 Managing DNS Zones

Field Description
All DNS servers in the AD forest allows to replicate the zone parameters and content
to all the DNS servers of the AD forest.

Note that the column AD integrated allows to display the AD integration configuration (Yes,
No, N/A) of each zone. For more details, refer to the section Managing List Templates.
11. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
12. Click on NEXT . The last page opens.
13. All fields are required and automatically filled, they configure the SOA of the zone. You can
edit them.

Table 43.5. DNS zone SOA parameters

Field Description
Primary server The primary Master server for the zone, i.e. the MNAME of the SOA. When you add
a zone on a smart architecture, it is automatically filled and cannot be edited.
Responsible The administrator email address for the zone.
Serial number The zone serial number. It is automatically incremented for each zone change.
Refresh The refresh period for slave server(s). When the selected period is reached, the slave
server(s) read the Master SOA record and, if their data is not up-to-date, trigger a
zone transfer to get the latest version of the zone.
Retry The retry interval if the server fails to reach the master during a refresh cycle.
Expiration The period after which the records are considered to be no longer valid/authoritative
and the server stops responding to queries for the zone.
Minimum The negative caching period of the zone, in seconds. This period is used as TTL for
every NXDOMAIN returned to clients querying unexisting records.
TTL The TTL (Time to Live) of the SOA, its duration, in seconds. The drop-down list next
to the input field allows to select durations in human-readable format.

You can set the value by default for the parameters above, except for the Primary server
and Serial number. For more details, refer to the procedure To configure the default SOA
parameters of Master zones below.
14. Click on OK to complete the operation. The report opens and closes. The zone is listed and
is marked Delayed create before being marked OK.
During the first Master zone addition, the allow-update may be configured by default
with the ACL any. This configuration is inherited from the server or view, you might need
to restrict the statement. For more details, refer to the section Configuring DNS Update Au-
thorizations on a Zone.
Note that you can also configure the statement on several zones at once. For more details,
refer to the section Setting Authorizations.

Note that you can configure default values for the SOA record that is automatically added when
you add a master zone.

To configure the default SOA parameters of Master zones

1. Go to DNS > Servers, Views or Zones. The page opens.
2. In the menu, select Extra options > Default configuration. The wizard Default SOA
parameters opens.
Ancienne taille de la page

619
 Managing DNS Zones

3. Edit the fields with the values you want to be automatically used when adding a master zone:

Table 43.6. DNS zone default SOA parameters

Field Description
Responsible The administrator email address for the zone.
Refresh The refresh period for slave server(s). When the selected period is reached, the slave
server(s) read the Master SOA record and, if their data is not up-to-date, trigger a
zone transfer to get the latest version of the zone.
Retry The retry interval if the server fails to reach the master during a refresh cycle.
Expiration The period after which the records are considered to be no longer valid/authoritative
and the server stops responding to queries for the zone.
Minimum The negative caching period of the zone, in seconds. This period is used as TTL for
every NXDOMAIN returned to clients querying unexisting records.
TTL The TTL (Time to Live) of the SOA, its duration, in seconds. The drop-down list next
to the input field allows to select durations in human-readable format.

4. Click on OK to complete the operation. The report opens and closes. When adding a master
zone, the DNS zone advanced parameters now auto-completes with the values you indicated
for the SOA.

Adding a Slave Zone

A slave zone has one purpose, to respond to requests made to other servers that have authority
over the domain queried.

They are usually added on slave name servers that receive their information from master name
servers through a zone transfer, the master zone and the slave zone on each server are named
the same. During the zone transfer, the master zone sends a NOTIFY to all the slave zone(s) it
knows. The zone content is only sent to the slave zones authorized to receive the transfer, the
other zones receive an error message. Note that several master servers can be configured for
one slave server.

If you want to add an RPZ slave name zone, refer to the chapter DNS Firewall (RPZ).

To add a slave zone

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. In the menu, click on Add. The wizard Add a DNS zone opens.
3. In the field DNS server, select the server of your choice.
4. Click on NEXT . The next page opens.
5. If the server selected contains several views, the view selection page opens:
a. In the drop-down list View, select a view.
b. Click on NEXT . The next page opens.
If your server contains only one view, the page is not displayed. Your view is selected auto-
matically.
If your server does not contain any view, the page is not displayed.
6. If custom classes are enabled at zone level, in the list DNS zone class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.

620
 Managing DNS Zones

7. In the list DNS zone type, select Slave.

8. In the list DNS zone resolution, select Name or Reverse.
9. Click on NEXT . The next page opens.
10. Configure the zone's basic parameters.
a. For a Name zone:

Table 43.7. DNS name zone basic parameters

Field Description
Name The zone name, it should strictly respect the syntax of RFC1034. This field is re-
quired.
If you are adding an Amazon Route 53 zone, you must include the zone TLD.
Note that Amazon Route 53 Public and Private servers and Microsoft Azure Private
servers can automatically configure the zone with specific configurations. For
more details, refer to the chapter Managing DNS Servers.
Space The name of an IPAM space to associate with the zone or None. This field is op-
tional.
If DNS to IPAM advanced properties are configured, the selected space is updated
by the zone records. For more details, refer to the section Configuring DNS Ad-
vanced Properties.

b. For a Reverse zone:

Table 43.8. DNS reverse zone basic parameters

Field Description
Name The name of the reverse domain, it auto-completes with the address you specify
in the next field. The suffix displayed changes according to the Reverse type se-
lected. This field is required.
IP address / The IP address of the zone. It completes the reverse domain name, it should be
IPv6 address composed of a maximum of three bytes (xxx.xxx.xxx). This field is required.
Reverse type A resolution methods, your selection automatically changes the extension displayed
in the field Name. This field is required.
IPv4 in-addr.arpa Allows to configure IPv4 reverse-mapping.
E164 arpa Allows to configure reverse-mapping of telephone numbers
for the zone.
IPv6 int Allows to configure IPv6 reverse-mapping. Note that this ex-
tension is deprecated, as detailed in RFC 4159, so unless
your IPv6 configuration is older than 2001 we recommend
that you use the IPv6 arpa extension.
Ipv6 arpa Allows to configure IPv6 reverse-mapping.
View The view that manages the zone. The list is empty if the server does no have any
view.
Space The name of an IPAM space to associate with the zone or None. This field is op-
tional.
If DNS to IPAM advanced properties are configured, the selected space is updated
by the zone records. For more details, refer to the section Configuring DNS Ad-
vanced Properties.

11. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
12. Click on NEXT . The last page opens.

621
 Managing DNS Zones

13. Configure the master servers of the zone.

Table 43.9. Master server configuration fields

Field Description
Master IP address The master server IPv4 or IPv6 address. This field is required.
Note that the master zones of the specified server are automatically allowed to send
notify messages of any changes to the zone you are adding.
Port The number of the port dedicated to communicating with the zone. This field is optional.
TSIG key A TSIG key, set at server level. This field is optional. For more details, refer to the
section Securing the Management of DNS Servers Using a TSIG Key.

Once the IP, port and key are configured, click on ADD . The configuration is moved to the
list Masters.
Repeat these actions for as many servers as needed.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the field(s)
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .

• To discard changes, click on CANCEL .

14. Click on OK to complete the operation. The report opens and closes. The zone is listed and
is marked Delayed create before being marked OK.

Adding a Forward Zone

A forward zone, or redirector, allows to redirect all recursive requests for a zone toward a selected
list of servers. The listed servers search local zones to resolve the recursive requests to which
they cannot respond.

To add a forward zone

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. In the menu, click on Add. The wizard Add a DNS zone opens.
3. In the field DNS server, select the server of your choice.
4. Click on NEXT . The next page opens.
5. If the server selected contains several views, the view selection page opens:
a. In the drop-down list View, select a view.
b. Click on NEXT . The next page opens.
If your server contains only one view, the page is not displayed. Your view is selected auto-
matically.
If your server does not contain any view, the page is not displayed.
6. If custom classes are enabled at zone level, in the list DNS zone class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
7. In the list DNS zone type, select Forward.
8. In the list DNS zone resolution, select Name or Reverse.
9. Click on NEXT . The next page opens.
10. Configure the zone's basic parameters.

622
 Managing DNS Zones

a. For a Name zone:

Table 43.10. DNS name zone basic parameters

Field Description
Name The zone name, it should strictly respect the syntax of RFC1034. This field is re-
quired.
If you are adding an Amazon Route 53 zone, you must include the zone TLD.
Note that Amazon Route 53 Public and Private servers and Microsoft Azure Private
servers can automatically configure the zone with specific configurations. For
more details, refer to the chapter Managing DNS Servers.
Space The name of an IPAM space to associate with the zone or None. This field is op-
tional.
If DNS to IPAM advanced properties are configured, the selected space is updated
by the zone records. For more details, refer to the section Configuring DNS Ad-
vanced Properties.

b. For a Reverse zone:

Table 43.11. DNS reverse zone basic parameters

Field Description
Name The name of the reverse domain, it auto-completes with the address you specify
in the next field. The suffix displayed changes according to the Reverse type se-
lected. This field is required.
IP address / The IP address of the zone. It completes the reverse domain name, it should be
IPv6 address composed of a maximum of three bytes (xxx.xxx.xxx). This field is required.
Reverse type A resolution methods, your selection automatically changes the extension displayed
in the field Name. This field is required.
IPv4 in-addr.arpa Allows to configure IPv4 reverse-mapping.
E164 arpa Allows to configure reverse-mapping of telephone numbers
for the zone.
IPv6 int Allows to configure IPv6 reverse-mapping. Note that this ex-
tension is deprecated, as detailed in RFC 4159, so unless
your IPv6 configuration is older than 2001 we recommend
that you use the IPv6 arpa extension.
Ipv6 arpa Allows to configure IPv6 reverse-mapping.
View The view that manages the zone. The list is empty if the server does no have any
view.
Space The name of an IPAM space to associate with the zone or None. This field is op-
tional.
If DNS to IPAM advanced properties are configured, the selected space is updated
by the zone records. For more details, refer to the section Configuring DNS Ad-
vanced Properties.

11. If you are managing a Microsoft DNS server through a smart architecture, you might want
to configure the parameters of the Expert Mode:

Table 43.12. DNS zone expert mode parameters

Field Description
Expert Mode Tick this box to complete the AD configuration of a Microsoft DNS server managed
via a smart architecture. The box AD integrated appears. This field is optional.
The box is not displayed if your Microsoft DNS server is managed outside a smart
architecture.

623
 Managing DNS Zones

Field Description
AD integrated If your server is AD integrated, you can tick this box to set the replication preferences.
The drop-down list AD replication appears. This field is optional.
AD replication The zone content and parameters replication, either All DC in the AD Domain (default),
All DNS servers in the AD domain or All DNS servers in the AD forest. By default, All
DC in the AD Domain (default) is selected.
All DC in the AD domain allows to replicate the zone parameters and content to all
the Domain Controllers of the AD domain. This option is not available for Stub zones.
All DNS servers in the AD domain allows to replicate the zone parameters and
content to all the DNS servers of the AD domain.
All DNS servers in the AD forest allows to replicate the zone parameters and content
to all the DNS servers of the AD forest.

12. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
13. Click on NEXT . The last page opens.
14. Configure the forwarders and forward mode for the zone. The fields Forwarders list and
Forward Mode are mandatory.
a. In the field Add a forwarder (IP), specify the IP address of the master server to which
the queries should be forwarded to and click on ADD .
The IP address is moved to the Forwarders list. Repeat these actions for as many
servers as needed. The order of the servers in the list is not important.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the
field(s) and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
b. In the drop-down list Forward Mode, select First, Only or None. By default, First is se-
lected.

Table 43.13. Available forward modes for a zone

Forward mode Description
First Allows the zone to first send a query to the forwarder, if not answered, it issues
queries directly.
Only Allows the zone to only want the zone to forward queries.
You must select Only if you manage reverse forward zones for private or reserved
addresses on a BIND server.
None Allows to automatically apply the Forward mode set at server level.

c. Click on . The configuration is moved to the Forwarders list.

d. Repeat steps a to c for as many forwarders as needed.
15. Click on OK to complete the operation. The report opens and closes. The zone is listed and
is marked Delayed create before being marked OK.

Adding a Stub Zone

A stub zone is similar to a slave zone, with the exception that it does more than simply replicate
the name servers of a master zone. Stub zones can be used to force the resolution of a domain,

624
 Managing DNS Zones

particularly for a restrained collection of servers. They are not part of the DNS standard zones,
they are specific to BIND implementations.

The stub zone cannot be added into Generic DNS servers.

To add a stub zone

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. In the menu, click on Add. The wizard Add a DNS zone opens.
3. In the field DNS server, select the server of your choice.
4. Click on NEXT . The next page opens.
5. If the server selected contains several views, the view selection page opens:
a. In the drop-down list View, select a view.
b. Click on NEXT . The next page opens.
If your server contains only one view, the page is not displayed. Your view is selected auto-
matically.
If your server does not contain any view, the page is not displayed.
6. If custom classes are enabled at zone level, in the list DNS zone class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
7. In the list DNS zone type, select Stub.
8. In the list DNS zone resolution, select Name or Reverse.
9. Click on NEXT . The next page opens.
10. Configure the zone's basic parameters.
a. For a Name zone:

Table 43.14. DNS name zone basic parameters

Field Description
Name The zone name, it should strictly respect the syntax of RFC1034. This field is re-
quired.
If you are adding an Amazon Route 53 zone, you must include the zone TLD.
Note that Amazon Route 53 Public and Private servers and Microsoft Azure Private
servers can automatically configure the zone with specific configurations. For
more details, refer to the chapter Managing DNS Servers.
Space The name of an IPAM space to associate with the zone or None. This field is op-
tional.
If DNS to IPAM advanced properties are configured, the selected space is updated
by the zone records. For more details, refer to the section Configuring DNS Ad-
vanced Properties.

b. For a Reverse zone:

Table 43.15. DNS reverse zone basic parameters

Field Description
Name The name of the reverse domain, it auto-completes with the address you specify
in the next field. The suffix displayed changes according to the Reverse type se-
lected. This field is required.
IP address / The IP address of the zone. It completes the reverse domain name, it should be
IPv6 address composed of a maximum of three bytes (xxx.xxx.xxx). This field is required.

625
 Managing DNS Zones

Field Description
Reverse type A resolution methods, your selection automatically changes the extension displayed
in the field Name. This field is required.
IPv4 in-addr.arpa Allows to configure IPv4 reverse-mapping.
E164 arpa Allows to configure reverse-mapping of telephone numbers
for the zone.
IPv6 int Allows to configure IPv6 reverse-mapping. Note that this ex-
tension is deprecated, as detailed in RFC 4159, so unless
your IPv6 configuration is older than 2001 we recommend
that you use the IPv6 arpa extension.
Ipv6 arpa Allows to configure IPv6 reverse-mapping.
View The view that manages the zone. The list is empty if the server does no have any
view.
Space The name of an IPAM space to associate with the zone or None. This field is op-
tional.
If DNS to IPAM advanced properties are configured, the selected space is updated
by the zone records. For more details, refer to the section Configuring DNS Ad-
vanced Properties.

11. If you are managing a Microsoft DNS server through a smart architecture, you might want
to configure the parameters of the Expert Mode:

Table 43.16. DNS zone expert mode parameters

Field Description
Expert Mode Tick this box to complete the AD configuration of a Microsoft DNS server managed
via a smart architecture. The box AD integrated appears. This field is optional.
The box is not displayed if your Microsoft DNS server is managed outside a smart
architecture.
AD integrated If your server is AD integrated, you can tick this box to set the replication preferences.
The drop-down list AD replication appears. This field is optional.
AD replication The zone content and parameters replication, either All DNS servers in the AD domain
or All DNS servers in the AD forest. By default, All DNS servers in the AD domain is
selected.
All DNS servers in the AD domain allows to replicate the zone parameters and
content to all the DNS servers of the AD domain.
All DNS servers in the AD forest allows to replicate the zone parameters and content
to all the DNS servers of the AD forest.

12. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
13. Click on NEXT . The last page opens.
14. Configure the master servers of the zone.

Table 43.17. Master server configuration fields

Field Description
Master IP address The master server IPv4 or IPv6 address. This field is required.
Note that the master zones of the specified server are automatically allowed to send
notify messages of any changes to the zone you are adding.
Port The number of the port dedicated to communicating with the zone. This field is optional.

626
 Managing DNS Zones

Field Description
TSIG key A TSIG key, set at server level. This field is optional. For more details, refer to the
section Securing the Management of DNS Servers Using a TSIG Key.

Once the IP, port and key are configured, click on ADD . The configuration is moved to the
list Masters.
Repeat these actions for as many servers as needed.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the field(s)
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
15. Click on OK to complete the operation. The report opens and closes. The zone is listed and
is marked Delayed create before being marked OK. A stub zone only contains an SOA
and NS RRs.

Adding a Hint Zone

A hint zone is aimed at querying root servers. By default, EfficientIP DNS servers embed a hint
zone that is updated automatically but not listed on the page All zones. If you manage your DNS
with another type of server, keep in mind that the hint zone is relevant only for name servers that
provide recursive services.

The hint zone updates the local server cache with a list of the 13 root-servers saved in the form
of A records (from a.root-servers.net to m.root-servers.net). Therefore, one hint zone per server
or view is enough. When the server starts up, it uses the hint zone to query a root zone and obtain
the complete list of the current authoritative root servers. This list is then used by the name
server as a starting point for any domain query, if there is no locally defined zone (slave or master)
or cached answers. A hint zone should be updated every 12 months or whenever there are dis-
crepancies returned in the log messages, when the DNS server loads for instance.

Note that the hint zone can also contain an internal list and be used locally; in this case, the
configuration is running an internal name service on a closed network, or the name server is not
defined but recursive queries are required.

The hint zone cannot be added into a Microsoft server.

To add a hint zone

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. In the menu, click on Add. The wizard Add a DNS zone opens.
3. In the field DNS server, select the server on which you are adding a zone.
4. Click on NEXT . The next page opens.
5. If the server selected contains several views, the view selection page opens:
a. In the drop-down list View, select a view.
b. Click on NEXT . The next page opens.
If your server contains only one view, the page is not displayed. Your view is selected auto-
matically.
If your server does not contain any view, the page is not displayed.
6. If custom classes are enabled at zone level, in the list DNS zone class select a class or
None.

627
 Managing DNS Zones

Click on NEXT . The next page opens.

If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
7. In the list DNS zone type, select Hint.
8. In the list DNS zone resolution, select Name or Reverse.
9. Click on NEXT . The next page opens.
10. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
11. Click on OK to complete the operation. The report opens and closes. The zone is listed,
named and marked OK.

Adding a Delegation-Only Zone

The delegation-only zone allows to send an NXDOMAIN response to any query received without
an explicit or implicit delegation in the authority section. They are usually added on caching/re-
cursive servers.

When a zone is declared as delegation-only, it does not contain any record. You can use deleg-
ation-only zones to filter out wildcard or synthesized data from NAT boxes or from authoritative
name servers whose undelegated (in-zone) data is of no interest.They can also be used to enforce
the delegation-only status of infrastructure zones (e.g. COM, NET, ORG).

The name of the delegation-only zone is the domain for which you send the NXDOMAIN response,
any subdomain responds normally.

The Delegation-Only zone cannot be added into a Microsoft server.

To add a delegation-only zone

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. In the menu, click on Add. The wizard Add a DNS zone opens.
3. In the field DNS server, select the server on which you are adding a zone.
4. Click on NEXT . The next page opens.
5. If the server selected contains several views, the view selection page opens:
a. In the drop-down list View, select a view.
b. Click on NEXT . The next page opens.
If your server contains only one view, the page is not displayed. Your view is selected auto-
matically.
If your server does not contain any view, the page is not displayed.
6. If custom classes are enabled at zone level, in the list DNS zone class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
7. In the list DNS zone type, select Delegation-Only.
8. In the list DNS zone resolution, select Name or Reverse.
9. Click on NEXT . The next page opens.

628
 Managing DNS Zones

10. Configure the zone's basic parameters.

a. For a Name zone:

Table 43.18. DNS name zone basic parameters

Field Description
Name The zone name, it should strictly respect the syntax of RFC1034. This field is re-
quired.
If you are adding an Amazon Route 53 zone, you must include the zone TLD.
Note that Amazon Route 53 Public and Private servers and Microsoft Azure Private
servers can automatically configure the zone with specific configurations. For
more details, refer to the chapter Managing DNS Servers.
Space The name of an IPAM space to associate with the zone or None. This field is op-
tional.
If DNS to IPAM advanced properties are configured, the selected space is updated
by the zone records. For more details, refer to the section Configuring DNS Ad-
vanced Properties.

b. For a Reverse zone:

Table 43.19. DNS reverse zone basic parameters

Field Description
Name The name of the reverse domain, it auto-completes with the address you specify
in the next field. The suffix displayed changes according to the Reverse type se-
lected. This field is required.
IP address / The IP address of the zone. It completes the reverse domain name, it should be
IPv6 address composed of a maximum of three bytes (xxx.xxx.xxx). This field is required.
Reverse type A resolution methods, your selection automatically changes the extension displayed
in the field Name. This field is required.
IPv4 in-addr.arpa Allows to configure IPv4 reverse-mapping.
E164 arpa Allows to configure reverse-mapping of telephone numbers
for the zone.
IPv6 int Allows to configure IPv6 reverse-mapping. Note that this ex-
tension is deprecated, as detailed in RFC 4159, so unless
your IPv6 configuration is older than 2001 we recommend
that you use the IPv6 arpa extension.
Ipv6 arpa Allows to configure IPv6 reverse-mapping.
View The view that manages the zone. The list is empty if the server does no have any
view.
Space The name of an IPAM space to associate with the zone or None. This field is op-
tional.
If DNS to IPAM advanced properties are configured, the selected space is updated
by the zone records. For more details, refer to the section Configuring DNS Ad-
vanced Properties.

Keep in mind that the name of your delegation-only zone is a domain that, once querried,
sends an NXDOMAIN response to the client.
11. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
12. Click on OK to complete the operation. The report opens and closes. The zone is listed and
marked OK.

629
 Managing DNS Zones

Hosting Active Directory Domain Zones

SOLIDserver can be configured to update native Microsoft DNS servers and host DNS zones
coming from AD domains.

On Active Directory integrated Microsoft DNS servers, when you add Master, Slave, Forward or
Stub zones the box AD integrated allows to set up the AD replication of your choice. Note than
once set, you cannot edit the AD replication configuration unless you delete the zone and add it
again. For more details, refer to the sections Adding a Master Zone, Adding a Slave Zone, Adding
a Forward Zone or Adding a Stub Zone.

Keep in mind that the DNS Multi-Master smart architecture can reproduce Microsoft's Multi-
Master behavior. For more details, refer to the section Multi-Master smart architecture.

Synchronizing DNS Zones

Synchronizing DNS zones means updating their content. You can synchronize all zones. Note
that each zone is regularly and automatically synchronized based on the refresh parameter of
its SOA record, but you can manually update each one of them.

You can synchronize zones to force a retrieval of the latest changes and records.

To synchronize zones
1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. Tick the zone(s) you want to synchronize.
3. In the menu, select Edit > Status > Synchronize. The wizard Synchronization opens.
4. Click on OK to complete the operation.The report opens and closes when the synchronization
is over. The page reloads.

You can also synchronize the entire content of a zone, rather than only the latest change. The
option Force full synchronization retrieves and uploads the complete content of a zone and resets
the serial number of the SOA of the zone.

Resetting the SOA serial ensures that the entire zone data is up to date. It can be useful if you
restored a server that you used to manage, as you might have a synchronization drift between
the data that SOLIDserver stored locally and all the changes that have been performed directly
on the server since you last managed it.

To force the full synchronization of zones

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. Tick the zone(s) you want to synchronize.
3. In the menu, select Tools > Expert > Force full synchronization. The wizard Synchron-
ization opens.
4. Click on OK to complete the operation.The report opens and closes when the synchronization
is over. The page reloads.

Editing DNS Zones

You can edit all zone types.

If you want to edit RPZ zones, refer to the chapter DNS Firewall (RPZ).

630
 Managing DNS Zones

Editing a Master Zone

After Adding a Master Zone, you can always edit the zone configuration parameters from its
properties page or from the page All zones itself, using in the contextual menu.

To edit a master zone

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. At the end of the line of the zone of your choice, click on . The properties page opens.
3. In the panel Main properties, click on EDIT . The wizard Edit a DNS zone opens.
The top gray area sums up the zone parameters: its Name, Type, Server and View.
4. If custom classes are enabled at zone level, in the list DNS zone class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. Edit the Space and/or the AD integrated and AD replication configuration if need be. Note
that you cannot edit any other parameter.
In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
6. Click on NEXT . The last page opens.
7. Edit the SOA parameters if need be. All fileds are required.

Table 43.20. DNS zone SOA parameters

Field Description
Primary server The primary Master server for the zone, i.e. the MNAME of the SOA. When you add
a zone on a smart architecture, it is automatically filled and cannot be edited.
Responsible The administrator email address for the zone.
Serial number The zone serial number. It is automatically incremented for each zone change.
Refresh The refresh period for slave server(s). When the selected period is reached, the slave
server(s) read the Master SOA record and, if their data is not up-to-date, trigger a
zone transfer to get the latest version of the zone.
Retry The retry interval if the server fails to reach the master during a refresh cycle.
Expiration The period after which the records are considered to be no longer valid/authoritative
and the server stops responding to queries for the zone.
Minimum The negative caching period of the zone, in seconds. This period is used as TTL for
every NXDOMAIN returned to clients querying unexisting records.
TTL The TTL (Time to Live) of the SOA, its duration, in seconds. The drop-down list next
to the input field allows to select durations in human-readable format.

8. Click on OK to complete the operation. The report opens and closes. The changes are visible
in the relevant panel(s).

You can also add and delete NS records, for multiple master zones at once, from the page All
zones.

631
 Managing DNS Zones

Editing a Slave Zone

After Adding a Slave Zone, you can always edit the zone configuration parameters from its
properties page or from the page All zones itself, using in the contextual menu.

To edit a slave zone

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. At the end of the line of the zone of your choice, click on . The properties page opens.
3. In the panel Main properties, click on EDIT . The wizard Edit a DNS zone opens.
The top gray area sums up the zone parameters: its Name, Type, Server and View.
4. If custom classes are enabled at zone level, in the list DNS zone class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. Edit the Space and/or the AD integrated and AD replication configuration if need be. Note
that you cannot edit any other parameter.
In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
6. Click on NEXT . The last page opens.
7. If you want to add another master server, refer to the step 14 of the procedure To add a
slave zone.
8. If you want to edit a server, select it in the list Masters.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the field(s)
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
9. Click on OK to complete the operation. The report opens and closes. The changes are visible
in the relevant panel(s).

Editing a Forward Zone

After Adding a Forward Zone, you can always edit the zone from its properties page or from the
page All zones itself, using in the contextual menu.

Keep in mind that:

• The panel Main properties of a forward zone only allows to edit the zone classes and the ad-
vanced properties, if relevant.
• The panel Forwarding allows to edit the forwarding configuration, as detailed in the procedure
below.

To edit a forward zone

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. At the end of the line of the zone of your choice, click on . The properties page opens.
3. In the panel Forwarding, click on EDIT . The wizard Edit a DNS zone opens.

632
 Managing DNS Zones

4. If custom classes are enabled at zone level, in the list DNS zone class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. Edit the Space and/or the AD integrated and AD replication configuration if need be. Note
that you cannot edit any other parameter.
In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
6. Click on NEXT . The last page opens.
7. If you want to add another forwarding master server refer to the step 14 of the To add a
forward zone procedure.
8. In the fields Add a forwarder (IP) and Forward Mode, fill in the address of the master
server and select if the zone should forward Only or send a query First.
9. If you want to delete a server, select it in the list Forwarders list and click on . The server
is no longer listed in the list.
10. Click on OK to complete the operation. The report opens and closes. The changes are visible
in the relevant panel(s).

Editing a Stub Zone

After Adding a Stub Zone, you can always edit the zone configuration parameters from its prop-
erties page or from the page All zones itself, using in the contextual menu.

To edit a stub zone

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. At the end of the line of the zone of your choice, click on . The properties page opens.
3. In the panel Main properties, click on EDIT . The wizard Edit a DNS zone opens.
4. If custom classes are enabled at zone level, in the list DNS zone class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. Edit the Space if need be. Note that you cannot edit any other parameter, including the
configuration of the parameters AD integrated and AD replication.
In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
6. Click on NEXT . The last page opens.
7. If you want to add another master server refer to the step 14 of the To add a stub zone pro-
cedure.
8. If you want to edit a server, select it in the list Masters.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the field(s)
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .

633
 Managing DNS Zones

• To discard changes, click on CANCEL .

9. Click on OK to complete the operation. The report opens and closes. The changes are visible
in the relevant panel(s).

Editing a Hint Zone

After Adding a Hint Zone, you can only edit advanced properties of the zone from its properties
page or from the page All zones itself, using in the contextual menu.

To edit a hint zone

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. At the end of the line of the zone of your choice, click on . The properties page opens.
3. In the panel Main properties, click on EDIT . The wizard Edit a DNS zone opens.
4. If custom classes are enabled at zone level, in the list DNS zone class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
6. Click on OK to complete the operation. The report opens and closes. The changes are visible
in the panel.

Editing a Delegation-Only Zone

After Adding a Delegation-Only Zone, you can always edit the zone configuration parameters
from its properties page or from the page All zones itself, using in the contextual menu.

To edit the properties of a delegation-only zone

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. At the end of the line of the zone of your choice, click on . The properties page opens.
3. In the panel Main properties, click on EDIT . The wizard Edit a DNS zone opens.
4. If custom classes are enabled at zone level, in the list DNS zone class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. Edit the Space and/or the AD integrated and AD replication configuration if need be. Note
that you cannot edit any other parameter.
In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
You can display All available fields, but you may not be able configure them. For more details,
refer to the relevant module section in the chapter Managing Advanced Properties.
6. Click on OK to complete the operation. The report opens and closes. The changes are visible
in the relevant panel(s).

634
 Managing DNS Zones

Converting DNS Zones

On EfficientIP DNS servers, you can convert one or several zones from master to slave, and vice
versa. Note that:
• You cannot convert Forward, Stub, Hint, Delegation-only zones.
• Converting a slave zone to master adds an apex NS record to the new master zone. During
the conversion, you can keep or delete all the apex NS records of the former slave zone.
• On servers that do not support slave zones, like Amazon Route 53 or Unbound, converting a
master zone to slave deletes all the records of the original master zone.

To convert slave zones to master

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. Tick the slave zone(s) of your choice.
3. In the menu, select Edit > Convert > To master. The wizard Zone conversion from
slave to master opens.
4. In the drop-down list Remove apex NS records, you can:
a. Select No to keep all the former apex NS records, if you plan on using them in the future
master zone.
b. Select Yes to delete all the apex NS record of the former slave zone.
5. Click on OK to complete the operation. The report opens and closes. The page reloads and
displays all converted zones again.

To convert master zones to slave

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. Tick the master zone(s) of your choice.
3. In the menu, select Edit > Convert > To slave. The wizard Zone conversion from
master to slave opens.
4. In the field IP of master server, specify the IP address of the master server that now has
authority over the zone(s).
5. Click on OK to complete the operation. The report opens and closes. The page reloads and
displays all converted zones again.

635
 Managing DNS Zones

Adding or Removing an NS Record

You can add and delete the same NS RR, at once, for multiple Master and Hint zones.

To add or remove an NS RR for multiple zones

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. Tick the Master or Hint zone(s) for which you want to add/delete an NS RR.
3. In the menu, select Edit > Add/Delete an NS RR. The wizard Add/Delete an NS RR
opens.
4. If you want to remove an NS RR from the selected zone(s), in the field NS value to delete
specify the value of the record.
5. If you want add an NS RR to the selected zone(s), in the field NS value to add specify the
value of the record.
6. Click on OK to complete the operation. The report opens and closes.
7. In the column Name, click on the name of the zone(s) you edited to display the records it
now contains.

Copying or Moving DNS Zones

At some point you might need to migrate or copy zones from one DNS server or view to the
other. In this case, you need to use the Migrate option. Note that this option has nothing to do
with the zones database replication of the DNS command allow-transfer.

Copying or moving a zone also applies to the records it manages.

To copy a zone
1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. Tick the zone (s) you want to copy on another server or view.
3. In the menu, select Edit > Migrate. The wizard Copying/Moving zones opens.
4. In the drop-down list Method, select Copy.
5. In the drop-down list Target server, select the DNS server where you want to copy the se-
lected zone. The wizard refreshes.
6. If the selected server has views, the drop-down list Target view appears, select the view of
your choice. The wizard refreshes.
7. Tick the box Asynchronous to run the records addition in the background. This option
shortens the process but the records do not appear instantly on the page All RRs.
8. Click on OK to complete the operation. The report opens and closes. The page displays the
duplicated zone. If you selected a view, the zone is also listed in the list All zones of said
view.

To move a zone
1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. Tick the zone (s) you want to copy on another server or view.
3. In the menu, select Edit > Migrate. The wizard Copying/Moving zones opens.
4. In the drop-down list Method, select Move.
5. In the drop-down list Target server, select the DNS server where you want to move the
selected zone. The wizard refreshes.

636
 Managing DNS Zones

6. If the selected server has views, the Target view drop-down list appears, select the view of
your choice. The wizard refreshes.
7. Tick the box Asynchronous to run the records addition in the background. This option
shortens the process but the records do not appear instantly on the page All RRs.
8. Click on OK to complete the operation. The report opens and closes. The page displays the
migrated zone. If you selected a view, the zone is also listed on the page All zones of said
view.

Setting Properties on Multiple DNS Zones

You can configure properties for multiple zones at once from the page All zones. This allows to
set common properties for several zones, among these properties you can set IPAM spaces,
forwarders, master servers or configure authorizations for specific users. Keep in mind that you
can define new settings or use the parameters of existing zones.

Setting a Space
You can associate multiple zones, of any type, with the same IPAM space.

To set a space for multiple zones

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. Tick the zone(s) for which you want to set a space.
3. In the menu, select Edit > Properties > Set space. The wizard Set a Space opens.
4. In the drop-down list Space, select the space of your choice.
5. Click on OK to complete the operation. The report opens and closes. On the properties page
of the zone(s), the space is visible in the panel Main properties.

Setting Authorizations
All the authorizations set at server or view level are inherited by the zones. You can change the
statements allow-transfer, allow-query and allow-update of several zones at once.

Keep in mind that:

• You can only configure the statement allow-transfer on master and slave zones.
• You can only configure the statement allow-query on master, slave and stub zones.
• You can only configure the statement allow-update on master zones.
• If you secured a server with a TSIG key, the statements allow-transfer and allow-update of its
zones must allow access to the same TSIG key. For more details, refer to the section Securing
the Management of DNS Servers Using a TSIG Key in the chapter Managing DNS Servers.

Note that you can also limit zone transfers and queries or manage DNS update one zone at a
time.

To set allow-transfer properties for multiple zones

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. Tick the zone(s) for which you want to set allow-transfer or allow-query properties.
3. In the menu, select Edit > Properties > Set authorizations > Allow-transfer. The wizard
Set zone transfer authorizations opens.
4. To set new authorization parameters for the selected zone(s):

637
 Managing DNS Zones

a. In the drop-down list Source, select New settings.

b. Using the drop-down lists Type and Restriction, you can grant or deny access to as
many networks, IP addresses, ACLs and keys as you need. Select a Type and complete
the configuration as follows:

Table 43.21. Restriction and permission parameters

Type Restriction configuration
Network address A way to allow or deny access to an entire network. Specify the IPv4 or IPv6 ad-
dress of a network following the format <ip-address>/<prefix>.
IP address A way to allow or deny access to specific IP address. Specify the IPv4 or IPv6
address of an appliance, user, host...
ACL A way to allow or deny access to an ACL defined at server level. Select admin,
any, none, localhost, localnets or any server custom ACL. For more details, refer
to the section Configuring Access Control Lists for a Server.
Note that the ACL admin is used by SOLIDserver to configure and exchange data
with DNS servers.
TSIG key A way to allow or deny access to a DNS key defined at server level. Select any
TSIG key available in the panel Keys. For more details, refer to the section Con-
figuring DNS Keys.

Once a restriction or permission is configured as needed, click on ADD . The entry is

moved to the list ACL values. All denied entries are preceded by an exclamation mark
(!). Keep in mind that the entries order matters, each restriction or permission listed is
reviewed following the order you set. To order the entries, select them one by one and
click on the arrows to move them up or down .
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the
field(s) and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .

5. To use existing authorization parameters for the selected zone(s):

a. In the drop-down list Source, select Use existing zone parameters. The wizard refreshes
and the drop-down list Zone appears.
b. In the drop-down list Zone, select the zone whose properties you want to apply to your
selection.
6. Click on OK to complete the operation. The report opens and closes. The changes are visible
on the zone(s) properties page, in the panel Main properties.

To set allow-query properties for multiple zones

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. Tick the zone(s) for which you want to set allow-transfer or allow-query properties.
3. In the menu, select Edit > Properties > Set authorizations > Allow-query. The wizard
Set zone queries authorizations opens.
4. To set new authorization parameters for the selected zone(s):
a. In the drop-down list Source, select New settings.
b. Using the drop-down lists Type and Restriction, you can grant or deny access to as
many networks, IP addresses, ACLs and keys as you need. Select a Type and complete
the configuration as follows:

638
 Managing DNS Zones

Table 43.22. Restriction and permission parameters

Type Restriction configuration
Network address A way to allow or deny access to an entire network. Specify the IPv4 or IPv6 ad-
dress of a network following the format <ip-address>/<prefix>.
IP address A way to allow or deny access to specific IP address. Specify the IPv4 or IPv6
address of an appliance, user, host...
ACL A way to allow or deny access to an ACL defined at server level. Select admin,
any, none, localhost, localnets or any server custom ACL. For more details, refer
to the section Configuring Access Control Lists for a Server.
Note that the ACL admin is used by SOLIDserver to configure and exchange data
with DNS servers.
TSIG key A way to allow or deny access to a DNS key defined at server level. Select any
TSIG key available in the panel Keys. For more details, refer to the section Con-
figuring DNS Keys.

Once a restriction or permission is configured as needed, click on ADD . The entry is

moved to the list ACL values. All denied entries are preceded by an exclamation mark
(!). Keep in mind that the entries order matters, each restriction or permission listed is
reviewed following the order you set. To order the entries, select them one by one and
click on the arrows to move them up or down .
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the
field(s) and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .

5. To use existing authorization parameters for the selected zone(s):

a. In the drop-down list Source, select Use existing zone parameters. The wizard refreshes
and the drop-down list Zone appears.
b. In the drop-down list Zone, select the zone whose properties you want to apply to your
selection.
6. Click on OK to complete the operation. The report opens and closes. The changes are visible
on the zone(s) properties page, in the panel Main properties.

To set allow-update properties for multiple zones

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. Tick the zone(s) for which you want to set allow-update properties.
3. In the menu, select Edit > Properties > Set authorizations > Allow-update. The wizard
Set zone update authorizations opens.
4. In the field Source, you can:
Configure a new update policy for your zone, following step 5.
Configure an update policy using existing zone parameters, following step 6.
Configure an update policy using GSS-TSIG, following step 7.
5. If you want to configure a new update policy parameters for the selected zone(s):
a. In the drop-down list Source, select New settings.
b. Using the drop-down lists Type and Restriction, you can grant or deny access to as
many networks, IP addresses, ACLs and keys as you need. Select a Type and complete
the configuration as follows:

639
 Managing DNS Zones

Table 43.23. Restriction and permission parameters

Type Restriction configuration
Network address A way to allow or deny access to an entire network. Specify the IPv4 or IPv6 ad-
dress of a network following the format <ip-address>/<prefix>.
IP address A way to allow or deny access to specific IP address. Specify the IPv4 or IPv6
address of an appliance, user, host...
ACL A way to allow or deny access to an ACL defined at server level. Select admin,
any, none, localhost, localnets or any server custom ACL. For more details, refer
to the section Configuring Access Control Lists for a Server.
Note that the ACL admin is used by SOLIDserver to configure and exchange data
with DNS servers.
TSIG key A way to allow or deny access to a DNS key defined at server level. Select any
TSIG key available in the panel Keys. For more details, refer to the section Con-
figuring DNS Keys.

Once a restriction or permission is configured as needed, click on ADD . The entry is

moved to the list ACL values. All denied entries are preceded by an exclamation mark
(!). Keep in mind that the entries order matters, each restriction or permission listed is
reviewed following the order you set. To order the entries, select them one by one and
click on the arrows to move them up or down .
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the
field(s) and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .

6. If you want to set the properties of an existing zone to the selected zone(s):
a. In the drop-down list Source, select Use existing zone parameters. The wizard refreshes
and the drop-down list Zone appears.
b. In the drop-down list Zone, select the zone whose properties you want to apply to your
selection.
7. If you want to set a specific update policy:
a. In the drop-down list Source, select New settings.
b. Tick the box Use GSS-TSIG/update-policy. The wizard refreshes, the update-policy
related fields replace the other fields of the wizard, and the box Enable DDNS scavenging
appears.
c. You can tick the box Enable DDNS scavenging if you want to delete stale DDNS re-
cords. This box is only taken into account if the scavenging is enabled on the appliance.
For more details, refer to the section Configuring Scavenging on DNS Zones.
d. Configure the dynamic update permissions and restrictions for your zone:

Table 43.24. Update-policy configuration parameters

Option Description
Permission The access configuration to the update-policy rights, either grant or deny. This field applies
to all the following fields.
Identity The GSS-TSIG key sent by the client when they try to update the zone. It may look like
<ad-server-name>$@<full-ad-domain> . Its use depends on the Matchtype you select, it
can therefore partially depend on the Tname.
Matchtype The matchtype of your choice, either subdomain, krb5-self, krb5-subdomain, ms-self or
ms-subdomain, described below. The matchtype only applies to the record type specified
in the list Any.

640
 Managing DNS Zones

Option Description
subdomain Allows to define the subdomain being updated. You must specify the
domain in the field Tname following the format <domain>.<tld> ,
everything left of the specified <domain> becomes a match.
wildcard Allows to define the record being updated.You must specify the record's
name in the field Tname using at least one wildcard (*). It can contain
only a wildcard, in which case any record name can match.
krb5-self Allows to define a rule based on Kerberos machine principal
(host/QDN@REALM). The record being updated matches the QDN
part of the Principal. The matching REALM must be specified exactly
in the fields Identity and Tname.
krb5-subdomain Allows to define a rule based on Kerberos machine principal
(host/QDN@REALM).The subdomain being updated matches the QDN
part of the Principal. The matching REALM is what is specified the field
Identity, or any subdomain of the specified Identity.
ms-self Allows to define a rule based on AD format principal (machine-
name$@REALM) to update machinename.realm in the DNS. The
matching REALM must be specified exactly in the fields Identity and
Tname.
ms-subdomain Allows to define a rule based on AD format principal (machine-
name$@REALM) to update machinename.realm in the DNS. The
matching REALM is what is specified the field Identity, or any subdo-
main of the specified Identity.
Tname A value to that applies the Matchtype subdomain, krb5-self, krb5-subdomain, ms-self or
ms-subdomain. The expected format is detailed above, with each Matchtype.
RR type The type(s) of records that the configuration applies to, either Specific or Any.
Specific The permissions of your choice for the record type A, AAAA, AFSDB,
CNAME, DNAME, HINFO, MX, NS, NSAP, PTR, SRV, TXT and/or
WKS.
Select each type in the list Available types and click on . The record
type is moved to the list Selected type(s).
Repeat this action for as many record types as you need.
Any Allows to apply the configuration to all the update-policy record types,
i.e. A, AAAA, AFSDB, CNAME, DNAME, HINFO, MX, NS, NSAP, PTR,
SRV, TXT and WKS.

e. Once you configured the fields, click on ADD . Your update-policy entry is moved to the
Update-policy list. The page refreshes.
f. You can configure as many entries as you want.
To organize the list, use the buttons and . Each restriction or permission is reviewed
and processed following the order set in the list.
8. Click on OK to complete the operation. The report opens and closes. The changes are visible
on the zone(s) properties page, in the panel Main properties.

Setting Forwarders
You can associate multiple master, slave, forward and stub zones to the same forward parameters
at once.

To set forwarders for multiple zones

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. Tick the zone(s) for which you want to set properties.

641
 Managing DNS Zones

3. In the menu, select Edit > Properties > Set forwarders. The related wizard opens.
4. If you want to set the properties of an existing zone for the selected zone(s):
a. In the drop-down list Source, select Use existing zone parameters. The wizard refreshes
and the drop-down list Zone appears.
b. In the drop-down list Zone, select the zone whose properties you want to apply to your
selection.
5. If you want to set new properties for the selected zone(s):
a. In the drop-down list Source, select New settings.
b. In the drop-down list Forward mode, select Default, None, First or Only according to
your needs. If you select Only or First, the field Add a forwarder (IP) appears.
c. If you selected First or Only, in the field Add a forwarder (IP) specify the address of a
forwarder and click on ADD to move it to the list Forwarders. Repeat these actions for
as many forwarders as needed.
6. Click on ADD . The configuration is displayed in the list ACL at the bottom.
7. Repeat the operation with as many configuration parameters as needed.
8. Click on OK to complete the operation. The report opens and closes. The changes are visible
on the zone(s) properties page, in the panel Main properties.

Setting Master Servers

You can associate multiple slave and stub zones to the same master server(s) at once.

To set a master server for multiple zones

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. Tick the zone(s) for which you want to set properties.
3. In the menu, select Edit > Properties > Set master servers. The wizard Set several
master servers opens.
4. In the field Master IP address, specify the IP address of the master server that communicates
with the selected slave zone(s).
5. In the field Port, specify a port number on the master server dedicated to the communication
with the selected slave zone(s).
6. In the field TSIG key, specify the TSIG key chosen to identify the zone(s) from the master
server.
7. Click on ADD . The configuration is displayed in the list ACL at the bottom.
8. Repeat the operation with as many configuration parameters as master servers.
9. Click on OK to complete the operation. The report opens and closes. The changes are visible
on the zone(s) properties page, in the panel Main properties.

Configuring Scavenging on DNS Zones

You can clean up the stale resource records dynamically added via GSS-TSIG at zone level.
This automated deletion is called DDNS scavening.

To configure the scavenging you must:

1. Edit the rule 416 to enable DDNS scavenging on the appliance.
2. Configure DDNS scavenging on the zones of your choice.

642
 Managing DNS Zones

Prerequisites
• You can only enable the scavenging on zones relying on secure dynamic update (DDNS), they
are marked Yes in the column GSS-TSIG. To configure secure dynamic update, refer to the
chapter Implementing Dynamic Update.
• The scavenging only deletes DDNS records dynamically updated.
Note that on the page All RRs, the columns GSS-TSIG auth. and Last updated on allow to
identify them. The column Last update (days) displays the number of days since the last update.

Limitations
• DDNS scavenging can only be configured on EfficientIP and EffcientIP Package DNS servers
serving Microsoft Active Directory clients.
• DDNS scavenging can only be configured on Master zones.

Enabling DDNS Scavenging

The rule 416 allows to enable the automated scavenging of the record types of your choice on
the appliance.

The rule configuration applies to all the zones you manage from the GUI, if their scavenging is
enabled.

Note that:
• By default the rule is disabled. You must edit it to match your needs and then enable it.
• Once the rule is enabled, you must configure the scavenging on the zones of your choice.
Only the DDNS records that have been stale for longer than the aging limit set for the rule are
deleted.

To edit the rule 416 that enables DDNS scavenging on the appliance
Only users of the group admin can perform this operation.
1. Take into account the prerequisites and limitations.
2. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
3. In the section Expert, click on Rules. The page Rules opens.
4. In the column Rule#, type in 416 and hit Enter. The rule is the only one listed.
5. In the column Rule name, right-click over the name of the rule. The contextual menu opens.
6. Click on Edit. The wizard Edit a rule opens.
7. Click on Next . The page Rule filters opens. These filters define when the rule is executed.
8. Edit the rule frequency according to your needs.

Table 43.25. Frequency filters of the rule 416

Field Description
Day(s) of the week A day, a frequency or a period of days. By default, every day is selected. This field is
optional.
Date of the month A specific day of the month or every day. By default, every day is selected. This field
is optional.
Month A specific month or every month. By default, every month is selected. This field is
optional.

643
 Managing DNS Zones

Field Description
Hour A specific hour, a set of hours, every hour, or every hour over a specific period. The
hour respects the UTC standard. By default, every hour is selected. This field is op-
tional.
Minute A moment of the hour (00, 15, 30 or 45) or a frequency. The minute respects the UTC
standard. By default, 00 is selected. This field is optional.

9. Click on Next . The page Configure DDNS scavenging opens.

10. In the field Aging limit (hours), specify the threshold that triggers the scavenging. By default,
it is set to 336 (14 days), it cannot be shorter than 1 hour.
11. You can tick the box Expert mode to specify the record types to include in the scavenging.
The fields RR type and Included record types appear.
a. In the field RR type, you can specify any record type following the format TYPE.
Note that by default, the list Included record types already contains the types A, AAAA,
CNAME, DNAME, MX, NAPTR, PTR, SRV and TXT.
b. In the list Included record types, you can order the record types using and .
• To edit a record type, select it. It is displayed in the field RR type again. Edit it and
click on UPDATE .
• To remove a record, select it. It is displayed in the field RR type again. Click on DELETE .
Note that if you empty the list, all record types are taken into account.
12. Click on OK to complete the operation. The report closes. Your changes are visible.
13. The rule is now configured but it is still disabled, you must enable it:
a. Tick the rule.
b. In the menu, select Edit > Enable. The wizard Enable opens.
c. Click on OK to complete the operation. The report closes. In the column Status, the rule
is marked OK, it is enabled.

Configuring DDNS Scavenging on Zones

Once the rule is enabled, you can configure DDNS scavenging on any zone relying on GSS-
TSIG.

In the procedure below, we configure DDNS scavenging from the page All zones, but you can
also enable or disable it from the properties page of a zone, if you edit its Update-policy configur-
ation in the panel Access control. For more details, refer to the chapter Configuring your Zone
for Secure Dynamic Update in the chapter Implementing Dynamic Update.

Note that:
• DDNS scavenging can be configured on the zones of smart architectures and physical servers.
• Only the records that have been stale for longer than the threshold of the rule 416 are deleted.
Each deletion is logged on the page Syslog of the module Administration. For more details,
refer to the section Managing the Logs in the chapter Monitoring.

To enable or disable DDNS scavenging on zones

1. Take into account the prerequisites and limitations.
2. In the sidebar, go to DNS > Zones. The page All zones opens.
3. Filter the column GSS-TSIG with Yes, to only display zones compatible with DDNS scaven-
ging.

644
 Managing DNS Zones

4. Tick the Master zone(s) of your choice.

5. In the menu, select Edit > Properties > Set DDNS scavenging. The wizard Set zone
scavenging opens.
6. By default, the box Enable DDNS scavenging is always empty, even if the DDNS scavenging
is enabled. Note that the GSS-TSIG status is displayed on the page All zones.
a. To enable the scavenging, tick the box.
b. To disable the scavenging, leave the box empty.
7. Click on OK to complete the operation. The report closes, and the DDNS scavenging status
is updated in the column DDNS scavenging.

From the page All RRs, you can display what records are deleted once DDNS scavenging is
enabled their zone:
• In the column GSS-TSIG auth., the record is marked Yes.
• In the column Last updated on, the record has a date.
• In the column Last update (days), the record has a number of days since the last update date.

Forcing the Update of DNS Zones Content

By default, the zone content is updated every hour. If you know changes were made locally on
the zones of the master or slave servers you manage, you can update the content of one or
several zones at a time.

You can force a notify, refresh or retransfer right away if needed. Keep in mind that:
• You can only force a zone content update on BIND and EfficientIP DNS servers. Other servers
do not support RNDC commands
• You cannot use these options on Hybrid DNS servers. For more details, refer to the chapter
Hybrid DNS Service.

Forcing DNS Zones Notification

When the records of a zone are edited, slave servers have to be notified of this change to ask
for a zone transfer. Notify messages can be sent to name servers and/or IP address(es).
SOLIDserver automatically triggers the notification when you are Configuring DNS Notify Messages
at Zone Level, but you can force the notification for Master and Slave zones.

The option Force notify allows to send a notify, or also-notify, from the zone(s) you select. Keep
in mind that:
• The option uses the information of NS records named like the zone you select. Therefore, it
cannot work if the selected zone does not contain at least one NS record named after the zone
itself.
• The notify, and also-notify, can be inherited from the server or view. If the notify is disabled on
the zone, the option cannot be used.

To force master or slave zones notification

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. Tick the Master or Slave zone(s) of your choice. The notify or also-notify is sent only if the
zone contains NS records named like the zone itself.
3. In the menu, select Edit > Command > Force notify.The wizard Force zone notification
[force-notify] opens.

645
 Managing DNS Zones

4. Click on OK to complete the operation. The report opens and closes when the operation is
over. The page reloads.

Forcing DNS Zones Refresh

When the records of a Master zone are edited, the option Force refresh allows to force the related
Slave zone(s) to retrieve the new values immediately.

To also force the record addition, refer to the section Forcing DNS Zones Retransfer.

To force slave zones refresh

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. Tick the Slave zone(s) you want to refresh using the missing record information of their
Master zone.
3. In the menu, select Edit > Command > Force refresh. The wizard Force zone refresh
[force-refresh] opens.
4. Click on OK to complete the operation. The report opens and closes when the operation is
over. The page reloads.

Forcing DNS Zones Retransfer

When the records of a Master zone are edited and new records are added, you can force the
related Slave zone(s) to retrieve all the new values and records it now contains.

The option Force retransfer triggers the addition and update of the records present in the Master
zone(s), and their values, within the selected Slave zone(s). Note that:
• If your Slave zone contains more records than the Master zone, the option deletes the outdated
records.
• The option is taken into account immediately in the DNS database, but you need to synchronize
the zones to see them in the GUI.

To only update the values of the existing records of Slave zone(s), but not add new records, refer
to the section Forcing DNS Zones Refresh.

To force slave zones retransfer

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. Force the retransfer:
a. Tick the Slave zone(s) for which you want the Master zone to retransfer all record in-
formation.
b. In the menu, select Edit > Command > Force retransfer. The wizard Force zone
retransfer [force-retransfer] opens.
c. Click on OK to complete the operation. The report opens and closes when the operation
is over. The page reloads.
3. Synchronize the zone(s) to see the changes in the GUI:
a. Tick the relevant zone(s).
b. In the menu, select Edit > Status > Synchronize. The wizard Synchronization
opens.
c. Click on OK to complete the operation. The report opens and closes when the synchron-
ization is over. The page reloads.

646
 Managing DNS Zones

Disabling and Enabling DNS Zones

By default when you add a zone, it is enabled.

On smart architectures, you can disable a zone. Once disabled, a zone is no longer available
and therefore cannot be queried.

Disabling a zone allows to maintain or edit its content without impacting the physical server that
manages it, it can be helpful if you intend to move or repair its managing server(s).

To enable/disable a zone
1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. Tick the zones you want to enable or disable.
3. In the menu, select Edit > Status > Enable or Disable. The wizard opens.
4. Click on OK to complete the operation. The report opens and closes. The zone Status
changes to OK or Unmanaged.

Adding or Updating DNS Zones from the IPAM

The advanced properties allow to add or update zones when you add terminal networks in the
IPAM.
• Adding a terminal network can add a reverse zone. The Gateway of that network also adds
the PTR record in the zone.
• Adding a terminal network can also add an A record in the name zone you set as Domain.

For more details, refer to the chapter Managing Advanced Properties in the section Network
Advanced Properties.

Exporting DNS Zones

From the page All zones, you can export the data listed in a CSV, HTML, XML, XLS or PDF file.

Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.

Deleting DNS Zones

The deletion procedure is the same for every type of zones. Deleting a zone also deletes all the
resource records it contains.

To delete a zone
1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. Tick the zone(s) of your choice.
3. In the menu, click on Delete. The wizard Delete opens.
4. Click on OK to complete the operation. The report opens and closes. The zone is marked
Delayed delete until it is no longer listed.

647
 Managing DNS Zones

Defining a DNS Zone as a Group Resource

In SOLIDserver, only users of the group admin can manage and edit the items of every module.
Adding a zone as one of the resources of a specific group allows the users of that group to
manage the zone in question as long as are they are granted the relevant rights.

Granting access to a zone as a resource also makes every item it contains available. For more
details, refer to the section Adding Resources to a Group in the chapter Managing Groups.

648
Chapter 44. Configuring DNS Zones
Like EfficientIP DNS servers, smart architectures and views, zones can be configured individually
from their properties page to set a series of behaviors for the records they contain.

Any configuration set at zone level overwrites what was set at server level, on physical servers
or smart architectures, and view level.

Note that some properties can be set on RPZ zones, as detailed in the sections Configuring
Delegation at Zone Level, Configuring DNS Notify Messages at Zone Level and Managing DNS
Security.

Managing DNS Zone Delegation

DNS provides the option of dividing up the namespace into one or more zones, which can then
be stored, distributed and replicated to other DNS servers. When considering dividing your DNS
namespace to make additional zones, take into account the following reasons to use additional
zones:
• A need to delegate management of part of your DNS namespace to another location or depart-
ment within your organization.
• A need to divide one large zone into smaller zones to distribute traffic loads among multiple
servers, improve DNS name resolution performance, or add a more fault-tolerant DNS envir-
onment.
• A need to extend the namespace by adding numerous subdomains at once, to accommodate
the opening of a new branch or site for instance.

If, for any of these reasons, you could benefit from delegating zones, it might make sense to re-
structure your namespace by adding additional zones. When choosing how to structure zones,
you should use a plan that reflects the structure of your organization. When delegating zones
within your namespace, be aware that for each new zone you add, you need delegation records
(NS) in other zones that point to the authoritative DNS servers for the new zone. This is necessary
both to transfer authority and to provide correct referral to other DNS servers and clients of the
new servers being made authoritative for the new zone.

To make a server known to others outside of the new delegated zone, two RRs are needed in
the parent zone to complete delegation to the new zone. These RRs include:
• An NS record to effect the delegation. This RR is used to advertise that the server named is
an authoritative server for the delegated subdomain.
• An A record (also known as a glue record) is needed to resolve the name of the server specified
in the NS record to its IP address. The process of resolving the host name in this record to the
delegated DNS server in the NS record is sometimes referred to as glue chasing. In reality,
the A record is not required when it comes to configuring zones delegation; however, if you
add it, you save the DNS client some time as you give in one query the authoritative server of
the child zone and IP address. That way, there is no need to query twice to first get the server
and then its IP address.

Configuring Delegation at Zone Level

At zone level, setting up the delegation implies editing the properties of the zone with the appro-
priate data. You can configure delegation for DNS zone or RPZ zone.

649
 Configuring DNS Zones

To configure a name server for a zone

1. In the sidebar, go to DNS > Zones or RPZ Zones. The page All zones or All RPZ zones
opens.
2. At the end of the line of the zone of your choice, click on . The properties page opens.
3. In the panel Name Servers, click on EDIT . The wizard Authoritative DNS servers opens.
4. In the field DNS server name, specify the name of the server of your choice.
5. Click on ADD . The server is moved to the list Authoritative DNS servers. Repeat these
actions for as many servers as needed.
6. Click on NEXT . The page Delegated data opens.
7. In the field Delegation, specify the name of the record and the server you want to delegate
it following the syntax: RRname > dnsserver.name.
8. Click on ADD . Your data is moved to the list Delegated data. Repeat these actions for as
many records and servers as needed.
9. Click on OK to complete the operation. The report opens and closes. The configuration
parameters are visible in the panel.

Configuring delegation only adds the NS record. For more details regarding the A record addition,
refer to the section Configuring the Delegation at Record Level.

Using the Classless in-addr.arpa Delegation

SOLIDserver allows you to configure a classless in-addr.arpa delegation for networks containing
less than 256 IP addresses, as defined in the RFC 2317. Typically, it is used to delegate reverse
DNS lookup for part of that network to other DNS servers.

In the parent master reverse zone, the classless in-addr.arpa delegation adds CNAME resource
records for each address you want to delegate. It also adds an NS record for each delegated
server. Note that the NS record of each delegated server can be added in a domain different
from in-addr.arpa using a suffix for the CNAME records value. For the reverse lookup to function
properly, the delegated server(s) should contain the PTR records associated with each address.

To add a classless in-addr.arpa delegation

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. In the column Name, click on the master reverse zone you want to delegate a part of. It
should be composed of a maximum of three bytes (xxx.xxx.xxx.in-addr.arpa). The page All
RRs opens and displays the RRs of the zone.
3. In the menu, select Add > Classless in-addr.arpa delegation. The wizard Add a
classless in-addr.arpa delegation opens.
4. In the field Start address, specify the first address of the range you want to delegate. By
default, the first available address of the zone id displayed in this field.
5. In the field Delegation range size, specify the number of addresses you want to delegate.
6. In the field Delegated NS, specify the name of the DNS server) that should be authoritative
over the range of addresses. Use to add this server name the Delegated NS list.Repeat
these actions for as many servers as needed. Use to remove a server name from the list.
7. In the drop-down list Delegated zone format, select the concatenation format ([start]-
[end].c.b.a.in-addr.arpa, [start]-[size].c.b.a.in-addr.arpa, [start]-[prefix].c.b.a.in-addr.arpa) for
NS record name.
8. Tick the box Add a specific suffix if you want the NS record to be added in a domain different
from in-addr.arpa. The Specific suffix field appears.

650
 Configuring DNS Zones

9. In the field Specific suffix, specify the suffix of your choice. This suffix corresponds to the
domain in which you want to add the NS record. This suffix is added at the end of each of
the CNAME record you are adding.
10. Click on OK to complete the operation. The report opens and closes. There are as many
CNAME records as delegated addresses and as many a NS records as delegated servers.
In the column Value, each address is listed according to the format you chose, if you added
a suffix, it is visible in that column as well.

Configuring DNS Forwarding at Zone Level

You can set a forwarding configuration on master, slave, forward and stub zones zones from
their properties page. Note that:
• On a zone belonging to a server not managed via a smart architecture, the specific forwarding
configuration only applies to the zone on said server.
• On a zone belonging to a server managed via a smart architecture, the specific forwarding
configuration applies to the zone on all the servers managed by the smart.
• The forwarding configuration set on a smart architecture zone is automatically inherited by the
records it manages. You can override the configuration directly on the physical server zone.
• Any configuration set at zone level overrides the server or view level configuration.

To configure forwarding on a zone

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. At the end of the line of the zone of your choice, click on . The properties page opens.
3. Open the panel Forwarding using .
4. Click on EDIT . The wizard Edit a DNS zone opens.
5. Click on NEXT until the page Forwarding configuration appears.
6. In the drop down-list Forward mode, select None, Default, First or Only. By default, Default
is selected.

Table 44.1. Forward mode options at zone level

Option Description
Default The zone uses the forward configuration set at server or view level.
None The forwarding is disabled.
First The server sends the queries to the forwarder(s) configured for the zone and, if it does not
receive any answer, attempts to find an answer itself.
Only The server only forwards queries to the forwarder(s) configured for the zone.

7. Specify the forwarder(s):

a. In the field Add a forwarder, specify the address of a forwarder or its name and click
on SEARCH to retrieve its IP address.
b. Click on ADD to move it to the list Forwarders. Repeat these actions for as many for-
warders as needed.
8. Click on OK to complete the operation. The report opens and closes. The properties page
refreshes and displayed the new settings. In the panel Forwarding, your configuration is
displayed.

You can set a specific forwarding configuration for a zone belonging to a physical server
managed via a smart architecture. Keep in mind that:

651
 Configuring DNS Zones

• When a forward mode is set on a smart architecture, you cannot set the forward mode to Default
on a zone belonging to a physical server managed via a smart architecture. You can only set
a different forward mode.
• Any configuration set at zone level overrides the view or server level configuration.

To configure a specific forward mode on a physical server zone

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. Make sure the servers managed by your smart architectures are displayed. If not, on the
right-end side of the menu, click on .
3. At the end of the line of the zone of the physical server of your choice, click on . The
properties page opens.
4. Open the panel Forwarding using .
5. Click on EDIT . The wizard Edit a DNS zone opens.
6. Click on NEXT until the page Forwarding configuration appears.
7. Tick the box Overwrite the smart settings. The page refreshes and displays additional
fields.
8. In the drop down-list Forward mode, you can select None, First or Only. For more details,
refer to the table Forward mode options.
9. Specify the forwarder(s):
a. In the field Add a forwarder, specify the address of a forwarder or its name and click
on SEARCH to retrieve its IP address.
b. Click on ADD to move it to the list Forwarders. Repeat these actions for as many for-
warders as needed.
10. Click on OK to complete the operation. The report opens and closes. The properties page
refreshes and displayed the new settings. In the panel Forwarding, the Forward value is
preceded by the message Smart configuration is overwritten.

To revert the specific configuration and inherit it again, edit the Forwarding to untick the box
Overwrite the smart settings.

Configuring DNS Notify Messages at Zone Level

Configuring the Notify at zone level allows to tailor the changes notification. Once the notification
is sent to slave zones, the administrator decides if a zone transfer is relevant. For more details,
refer to the sections Limiting Zone Transfers at Server Level and Limiting Zone Transfer at View
Level.

From the properties pages of a zone, you can set the notification configuration in the panel Notify.
It contains:
• The current configuration of the zone, the field Notify is either set to Yes, Explicit or No. It can
be inherited from the server or view.
• The statement Also-notify, which slave zones receive the notify messages. It can be inherited
from the server or view.
• The statement Allow-notify of the slave zones. It can be inherited from the server or view.
Note that this statement is implicitly set when you add a slave zone, when you set the Master
IP address of the slave zone you are allowing the master zones of this server to send notify
messages to your slave zone.

652
 Configuring DNS Zones

Keep in mind that any configuration set at zone level overrides the configuration set at
server or view level.

To configure notify messages for a master zone

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. Click on the name of the server of your choice. The page All zones of the server opens.
To configure notify messages for a master RPZ zone, in the breadcrumb click on All RPZ
zones. The page opens.
3. At the end of the line of the master zone of your choice, click on . The properties page
opens.
4. Open the panel Notify using and click on EDIT . The wizard opens.
5. In the drop-down list Notify, select Inherited, No, Yes or Explicit. By default, Inherited is se-
lected.

Table 44.2. Notify configuration at zone level

Field Description
Inherited The zone uses the notify configuration set at server or view level.
No No notify message is sent when changes are performed in the master zones.
Yes The notify messages are sent to the target of the NS records of the master zone and to the
server(s) of the Also-notify list.
Explicit The notify messages are only sent to the server(s) of the Also-notify list.

6. If you selected Yes or Explicit, you can set the IP address and port of the server(s) which
slave zones should receive the messages:
a. In the field IP address, specify the IP address of another server.
b. In the field Port, you can specify which port number, on the specified server, should
receive the notify messages.
c. Click on ADD . The IP address and port number are moved to the Also-notify list as
follows: <ip-address> port: <port-number>.
Repeat these actions for as many servers as needed.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the
field(s) and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .

7. Click on OK to complete the operation. The report opens and closes. Your notify and also-
notify settings are displayed in the panel Notify.

To configure notify messages for a slave zone

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. Click on the name of the server of your choice. The page All zones of the server opens.
To configure notify messages for a master RPZ zone, in the breadcrumb click on All RPZ
zones. The page opens.
3. At the end of the line of the slave zone of your choice, click on . The properties page opens.
4. Open the panel Notify using and click on EDIT . The wizard opens.
5. In the drop-down list Notify, select Inherited, No, Yes or Explicit. By default, Inherited is se-
lected.

653
 Configuring DNS Zones

Table 44.3. Notify configuration at zone level

Field Description
Inherited The zone uses the notify configuration set at server or view level.
No No notify message is sent when changes are performed in the master zones.
Yes The notify messages are sent to the target of the NS records of the master zone and to the
server(s) of the Also-notify list.
Explicit The notify messages are only sent to the server(s) of the Also-notify list.

6. If you selected Yes or Explicit, you can set the IP address and port of the server(s) which
slave zones should receive the messages:
a. In the field IP address, specify the IP address of another server.
b. In the field Port, you can specify which port number, on the specified server, should
receive the notify messages.
c. Click on ADD . The IP address and port number are moved to the Also-notify list as
follows: <ip-address> port: <port-number>.
Repeat these actions for as many servers as needed.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the
field(s) and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .

7. Click on NEXT . The page Allow-notify opens. It allows to specify if the slave zone can receive
master zones notification messages.
Using the drop-down lists Type and Restriction, you can grant or deny access to as many
networks, IP addresses, ACLs and keys as you need. Select a Type and complete the con-
figuration as follows:

Table 44.4. Restriction and permission parameters

Type Restriction configuration
Network address A way to allow or deny access to an entire network. Specify the IPv4 or IPv6 address
of a network following the format <ip-address>/<prefix>.
IP address A way to allow or deny access to specific IP address. Specify the IPv4 or IPv6 address
of an appliance, user, host...
ACL A way to allow or deny access to an ACL defined at server level. Select admin, any,
none, localhost, localnets or any server custom ACL. For more details, refer to the
section Configuring Access Control Lists for a Server.
Note that the ACL admin is used by SOLIDserver to configure and exchange data
with DNS servers.
TSIG key A way to allow or deny access to a DNS key defined at server level. Select any TSIG
key available in the panel Keys. For more details, refer to the section Configuring DNS
Keys.

Once a restriction or permission is configured as needed, click on ADD . The entry is moved
to the list ACL values. All denied entries are preceded by an exclamation mark (!). Keep in
mind that the entries order matters, each restriction or permission listed is reviewed following
the order you set. To order the entries, select them one by one and click on the arrows to
move them up or down .
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the field(s)
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .

654
 Configuring DNS Zones

• To discard changes, click on CANCEL .

8. Click on OK to complete the operation. The report opens and closes. Your notify, also-notify
and allow-notify settings are displayed in the panel Notify.

Managing DNS Security

DNS Security can be configured at zone level through zone transfers configuration, DNS queries
restrictions configuration or dynamic update. All these methods set ACLs to allow or deny access
to your DNS zones or RPZ zones so keep in mind that the order of the elements listed in the
ACL values field is important as each restriction or permission is reviewed following the order
you set in the list.

Dynamic update is detailed in the chapter Implementing Dynamic Update.

Restricting DNS Queries for a Zone

You can specify which hosts are allowed to issue DNS queries for a specific zone. By default,
queries are allowed from the local host and the local networks.

You can configure the statement allow-query on all the zones of a specific server or view. For
more details, refer to the sections Restricting DNS Queries at Server Level and Restricting DNS
Queries at View Level.

You can configure the statement allow-query on multiple zones at once. For more details, refer
to the section Setting Authorizations.

Keep in mind that once the allow-query is configured at zone level, it overrides the config-
uration at server or view level.

To configure the statement allow-query of a zone

1. In the sidebar, go to DNS > Zones or RPZ Zones. The page All zones or All RPZ zones
opens.
2. At the end of the line of the zone of your choice, click on . The properties page opens.
3. In the panel Access Control, click on EDIT . The wizard Allow-query opens.
4. Using the drop-down lists Type and Restriction, you can grant or deny access to as many
networks, IP addresses, ACLs and keys as you need. Select a Type and complete the con-
figuration as follows:

Table 44.5. Restriction and permission parameters

Type Restriction configuration
Network address A way to allow or deny access to an entire network. Specify the IPv4 or IPv6 address
of a network following the format <ip-address>/<prefix>.
IP address A way to allow or deny access to specific IP address. Specify the IPv4 or IPv6 address
of an appliance, user, host...
ACL A way to allow or deny access to an ACL defined at server level. Select admin, any,
none, localhost, localnets or any server custom ACL. For more details, refer to the
section Configuring Access Control Lists for a Server.
Note that the ACL admin is used by SOLIDserver to configure and exchange data
with DNS servers.
TSIG key A way to allow or deny access to a DNS key defined at server level. Select any TSIG
key available in the panel Keys. For more details, refer to the section Configuring DNS
Keys.

655
 Configuring DNS Zones

Once a restriction or permission is configured as needed, click on ADD . The entry is moved
to the list ACL values. All denied entries are preceded by an exclamation mark (!). Keep in
mind that the entries order matters, each restriction or permission listed is reviewed following
the order you set. To order the entries, select them one by one and click on the arrows to
move them up or down .
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the field(s)
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
5. Click on NEXT . The page Allow-transfer opens.
6. Click on NEXT . The page Allow-update opens.
7. Click on OK to complete the operation. The report opens and closes. In the panel Access
control, your configuration is visible in the list Allow-query.

Limiting Zone Transfers for a Zone

DNS zone transfer allows to replicate and synchronize copies of a zone on all the relevant servers.
SOLIDserver denies zone transfers by default to all DNS servers.

At zone level, you can edit the statement allow-transfer to specify which hosts, networks, or TSIG
keys are granted or denied the right to do transfers for all the zones it maintains.

Keep in mind that:

• You can configure the allow-transfer authorization only for master and slave zones.
If you secured the exchanges between a DNS server and a SOLIDserver appliance, the
statement allow-transfer of its zones must allow access the same TSIG key. For more details,
refer to the section Securing the Management of DNS Servers Using a TSIG Key in the chapter
Managing DNS Servers.
• You can configure the statement allow-transfer on all the zones of a specific server or view.
For more details, refer to the sections Limiting Zone Transfers at Server Level and Limiting
Zone Transfer at View Level.
• You can configure the statement allow-transfer on multiple zones at once. For more details,
refer to the section Setting Authorizations.
• Once the allow-transfer is configured at zone level, it overrides the configuration set at
server or view level.

To configure the statement allow-transfer of a zone

1. In the sidebar, go to DNS > Zones or RPZ Zones. The page All zones or All RPZ zones
opens.
2. At the end of the line of the zone of your choice, click on . The properties page opens.
3. In the panel Access Control, click on EDIT . The wizard opens.
4. Click on NEXT to skip the page Allow-query and open the page Allow-transfer.
5. Set the allow-transfer configuration of your choice.
Using the drop-down lists Type and Restriction, you can grant or deny access to as many
networks, IP addresses, ACLs and keys as you need. Select a Type and complete the con-
figuration as follows:

656
 Configuring DNS Zones

Table 44.6. Restriction and permission parameters

Type Restriction configuration
Network address A way to allow or deny access to an entire network. Specify the IPv4 or IPv6 address
of a network following the format <ip-address>/<prefix>.
IP address A way to allow or deny access to specific IP address. Specify the IPv4 or IPv6 address
of an appliance, user, host...
ACL A way to allow or deny access to an ACL defined at server level. Select admin, any,
none, localhost, localnets or any server custom ACL. For more details, refer to the
section Configuring Access Control Lists for a Server.
Note that the ACL admin is used by SOLIDserver to configure and exchange data
with DNS servers.
TSIG key A way to allow or deny access to a DNS key defined at server level. Select any TSIG
key available in the panel Keys. For more details, refer to the section Configuring DNS
Keys.

Once a restriction or permission is configured as needed, click on ADD . The entry is moved
to the list ACL values. All denied entries are preceded by an exclamation mark (!). Keep in
mind that the entries order matters, each restriction or permission listed is reviewed following
the order you set. To order the entries, select them one by one and click on the arrows to
move them up or down .
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the field(s)
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
6. Click on NEXT . The page Allow-update opens.
7. Click on OK to complete the operation. The report opens and closes. The parameters are
visible in the panel Access control, in the list Allow-transfer.

Configuring DNS Update Authorizations on a Zone

Once you authenticated dynamic update on a server, you can complete the configuration via the
statement allow-update of the master zones. This operation must be done one zone at a time.

Dynamic update replaces or deletes records in a master server by sending it a special form of
DNS messages. The format and meaning of these messages is specified in RFC 2136 and indic-
ates which servers or clients are authorized to dynamically update the DNS master zones. By
default, all DNS update queries are rejected. Note that:
• You can only complete the master zones configuration from the GUI on EfficientIP and EfficientIP
Package servers.
• You cannot edit the statement allow-update of Generic servers from the GUI, it has to be done
locally.
• You cannot configure dynamic update on Microsoft servers as they do not support TSIG keys.
However you can configure them with secure dynamic update using GSS-TSIG keys. For more
details, refer to the section Configuring Secure Dynamic Update.
• You can configure the statement allow-update on multiple zones at once. For more details,
refer to the section Setting Authorizations.

To set up dynamic update, you must:

1. Secure the server with a unique TSIG key. For more details, refer to the section Securing the
Management of DNS Servers Using a TSIG Key.

657
 Configuring DNS Zones

2. Configure the server for dynamic update. For more details, refer to the section Authenticating
the Zones Dynamic Update from the Server.
3. Configure the statement allow-update with the same TSIG key:
• If you edited the ACL admin of the server to include the TSIG key, the configuration may be
complete. By default, the statement allow-update of a physical server managed via smart
architecture is configured with the ACL admin and inherited by master zones.
• If you added an ACL that contains the TSIG key, you must edit the statement allow-update
and include the new ACL in the permissions.
• If you do not want to rely on ACLs, you must edit the statement allow-update and include
the TSIG key in the permissions.

Keep in mind that allowing updates based on the requestor IP address is insecure, we strongly
recommend using the TSIG key protocol filtering rather than an IP address based filtering.

To configure the statement allow-update of a zone

1. In the sidebar, go to DNS > Zones or RPZ Zones. The page All zones or All RPZ zones
opens.
2. At the end of the line of the zone of your choice, click on . The properties page opens.
3. In the panel Access Control, click on EDIT . The wizard opens.
4. Click on NEXT to skip the pages Allow-query and Allow-transfer and open the page Allow-
update.
5. Set the allow-update configuration of your choice.
Using the drop-down lists Type and Restriction, you can grant or deny access to as many
networks, IP addresses, ACLs and keys as you need. Select a Type and complete the con-
figuration as follows:

Table 44.7. Restriction and permission parameters

Type Restriction configuration
Network address A way to allow or deny access to an entire network. Specify the IPv4 or IPv6 address
of a network following the format <ip-address>/<prefix>.
IP address A way to allow or deny access to specific IP address. Specify the IPv4 or IPv6 address
of an appliance, user, host...
ACL A way to allow or deny access to an ACL defined at server level. Select admin, any,
none, localhost, localnets or any server custom ACL. For more details, refer to the
section Configuring Access Control Lists for a Server.
Note that the ACL admin is used by SOLIDserver to configure and exchange data
with DNS servers.
TSIG key A way to allow or deny access to a DNS key defined at server level. Select any TSIG
key available in the panel Keys. For more details, refer to the section Configuring DNS
Keys.

Once a restriction or permission is configured as needed, click on ADD . The entry is moved
to the list ACL values. All denied entries are preceded by an exclamation mark (!). Keep in
mind that the entries order matters, each restriction or permission listed is reviewed following
the order you set. To order the entries, select them one by one and click on the arrows to
move them up or down .
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the field(s)
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .

658
 Configuring DNS Zones

6. Click on OK to complete the operation. The report opens and closes. In the panel Access
control, your configuration is visible in the list Allow-update.

To disable dynamic update, refer to the section Disabling Dynamic Update.

Configuring DNS Sources at Zone Level

The Sources configuration is only available for zones managed through an EfficientIP DNS
physical server using the SSL protocol. The notify configuration can only be set on master zones,
whereas the transfer configuration can only be set on slave zones.

At zone level, configuring DNS sources allows to set physical interfaces that should be system-
atically used for all notify operations and zone transfer. DNS sources can be inherited from the
server and views or set for a zone. The inheritance details are visible the zones properties page.

Keep in mind that once the sources are configured at zone level, they override the config-
uration set at server or view level.

Notify Configuration on Master Zones

From the Sources and Sources V6 panels, through their IP address, you can configure physical
interfaces that should be used for the notify options. When editing these panels, you can define
the following statements:
notify-source
This statement allows to define the IPv4 address of the physical interface used for all the
server outgoing notify operations. You can also specify a port for this statement. It is used
by master zones and its configuration is therefore displayed on the physical server, views
and master zones properties page.
notify-source-v6
This statement allows to define the IPv6 address of the physical interface used all the server
outgoing notify operations.You can also specify a port for this statement. It is used by master
zones and its configuration is therefore displayed on the physical server, views and master
zones properties page.

Keep in mind that once the sources are configured at zone level, they override the config-
uration set at server or view level.

To set IPv4 DNS sources on a master zone

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. In the column Type, type in Master to only display master zones.
3. At the end of the line of the zone of your choice, click on . The properties page opens.
4. Open the panel Sources using and click on EDIT . The wizard Configuration: Sources
opens.
5. Configure the notify statement. Make sure to specify the IP address of an interface already
declared on SOLIDserver, otherwise all the notify operations would fail.
a. In the field Notify-source address, specify the IPv4 address to be used for the outgoing
notify operations. Specify an interface that you already configured on the appliance.
b. In the field Notify-source port, you can specify which port on the interface should be
used.
6. Click on OK to complete the operation. The report opens and closes.

659
 Configuring DNS Zones

To set IPv6 DNS sources on a master zone

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. In the column Type, type in Master to only display master zones.
3. At the end of the line of the zone of your choice, click on . The properties page opens.
4. Open the panel Sources using and click on EDIT . The wizard Configuration: Sources
opens.
5. Configure the notify statement. Make sure to specify the IP address of an interface already
declared on SOLIDserver, otherwise all the notify operations would fail.
a. In the field Notify-source-v6 address, specify the IPv6 address to be used for the
outgoing notify operations. Specify an interface that you already configured on the ap-
pliance.
b. In the field Notify-source-v6 port, you can specify which port on the interface should
be used.
6. Click on OK to complete the operation. The report opens and closes.

Transfer Configuration on Slave Zones

From the Sources and Sources V6 panels, through their IP address, you can configure physical
interfaces that should be used for the transfer options. When editing these panels, you can define
the following statements:
transfer-source
This statement allows to determine the IPv4 address of the physical interface used to execute
the zones transfer on the server. You can also specify a port for this statement. It is only
valid for slave zones and its configuration is therefore displayed on the physical server, views
and slave zones properties page.
transfer-source-v6
This statement allows to determine the IPv6 address of the physical interface used to execute
the zones transfer on the server. You can also specify a port for this statement. It is only
valid for slave zones and its configuration is therefore displayed on the physical server, views
and slave zones properties page.
use-alt-transfer-source
This statement allows to set the use of an alternate interface IP address for the transfer if
the transfer-source or the transfer-source-v6 were to fail. This statement configuration is
displayed on the physical server, view and slave zones properties page.
This statement definition is only configurable from the panel Sources but applies to interfaces
whether they were identified through an IPv4 or an IPv6 address.
Its default value is no if the server contains views and yes if the server does not contain any
view.
alt-transfer-source
This statement allows to determine the alternate IPv4 address of the interface used to execute
the zones transfer on the server if the transfer-source fails and if the use-alt-transfer-source
is enabled. You can also specify a port for this statement. Its configuration is displayed on
the physical server, views and slave zones properties page.
alt-transfer-source-v6
This statement allows to determine the alternate IPv6 address of the interface used to execute
the zones transfer on the server if the transfer-source-v6 failed and if the use-alt-transfer-
source is enabled.You can also specify a port for this statement. Its configuration is displayed
on the physical server, views and slave zones properties page.

660
 Configuring DNS Zones

Keep in mind that once the sources are configured at zone level, they override the config-
uration set at server or view level.

To set IPv4 DNS sources on a slave zone

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. In the column Type, type in Slave to only display slave zones.
3. At the end of the line of the zone of your choice, click on . The properties page opens.
4. Open the panel Sources using and click on EDIT . The wizard Configuration: Sources
opens.
5. Configure the transfer statements. Make sure to specify the IP address of an interface already
declared on SOLIDserver, otherwise all the transfer operations would fail.
a. In the field Transfer-source address, specify the IPv4 address to be used for the zones
transfer operations. Specify an interface that you already configured on the appliance.
b. In the field Transfer-source port, you can specify which port on the interface should
be used.
c. In the drop-down list Use-alt-transfer-source, select none, no or yes. By default, none
is selected.

Table 44.8. Use-alt-transfer-source parameters

Parameter Description
none If your server contains views, it corresponds to no. If your server does not contain any
view, it corresponds to yes.
no Allows to disable the use of an alternate interface if the transfer set via transfer-source
or transfer-source-v6 fails.
yes Allows to enable the use of an alternate interface if the transfer set via transfer-source
or transfer-source-v6 fails. In this case, you need to set the alternate interface IP address
(and port if you want) through the alt-transfer-source and alt-transfer-source-v6 state-
ments in the following steps.

The statement use-alt-transfer-source applies to the alternate interfaces declared through

IPv4 address (Alt-transfer-source address) and IPv6 address (Alt-transfer-source ad-
dress-v6).
d. If you enabled the use of an alternate interface, in the field Alt-transfer-source address,
specify the IPv4 address of the alternate interface. It must also be configured on the
appliance.
e. If you enabled the use of an alternate interface, in the field Alt-transfer-source port,
you can specify which port on the interface should be used.
6. Click on OK to complete the operation. The report opens and closes.

To set IPv6 DNS sources on a slave zone

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. In the column Type, type in Slave to only display slave zones.
3. At the end of the line of the zone of your choice, click on . The properties page opens.
4. Configure the transfer statements. Make sure to specify the IP address of an interface already
declared on SOLIDserver, otherwise all the transfer operations would fail.
a. In the field Transfer-source-v6 address, specify the IPv6 address to be used for the
zones transfer operations. Specify an interface that you already configured on the appli-
ance. If you defined the use-alt-transfer-source statement in the panel Sources, it applies

661
 Configuring DNS Zones

to the alternate interfaces declared in IPv4 (Alt-transfer-source address) and IPv6 (Alt-
transfer-source address-v6).
b. In the field Transfer-source-v6 port, you can specify which port on the interface should
be used.
c. If you enabled the use-alt-transfer-source in the Sources panel, in the field Alt-transfer-
source-v6 address, specify the IPv6 address of the alternate interface. It must also be
configured on the appliance.
d. If you enabled the use-alt-transfer-source in the Sources panel, in the field Alt-transfer-
source-v6 port, you can specify which port on the interface should be used.
5. Click on OK to complete the operation. The report opens and closes.

662
Chapter 45. Managing DNS Resource
Records
The resource records belong to DNS zones. They usually belong to master zones and can be
replicated to slave zones if need be.

When you add a master zone, it automatically contains an SOA record and an NS record. This
NS is not generated until the server is synchronized.

From the page All RRs, you can manage resource records of many different types, all detailed
in the section Supported Resource Record Types.

Browsing DNS Resource Records

The resource record, RR or record, is the lowest level of the DNS hierarchy.

DNS RECORD
ZONE
SERVER VIEW
RPZ RULE
ZONE

Figure 45.1. The resource record in the DNS hierarchy

If you added RPZ zones, their records; or rules, are listed on the page All RPZ rules. For more
details, refer to the chapter DNS Firewall (RPZ).

Browsing the DNS Resource Records Database

To display the list of DNS records
1. In the sidebar, go to DNS > RRs. The page All RRs opens.
2. To display the list of DNS records of a specific zone, in the column Zone, click on the name
of your choice. The pages refreshes.

Resource records do not have a properties page, all their information is displayed in the list.

On the page All RRs, the columns allow you to know if you can edit a record or not.

663
 Managing DNS Resource Records

Figure 45.2. Resource records on the page All RRs

A record name not underlined cannot be edited. Here, the record belongs to a physical
server managed via a smart architecture.
An underlined record name can be edited. You can click on it to open the edition wizard.
Here, the record belongs to a smart architecture, if you edit it the changes are pushed to
the physical server managed via the smart.
The SOA record is never underlined because, unlike other records, it cannot be edited from
the page All RRs.
This lock indicates that the server records cannot be edited. Here, the server listed is a
physical server managed via a smart architecture.
This button, when gray, indicates that you are displaying the records of smart architectures
and the physical server(s) they manages.

Customizing the Display on the Page All RRs

Any user can change the column layout of the page via the button List template, on the right-
end side of the menu. Only users of the group admin can add or edit list templates. For more
details, refer to the section Managing List Templates.

Some columns provide dedicated information regarding the records.You can display their Partial
RR name, value details, Class, class parameter details or even the Zone Type and/or View they
belong to.

Understanding the DNS Resource Record Statuses

The column Status provides information regarding the resource records you manage.

Table 45.1. DNS resource record statuses

Status Description
OK The resource record is operational.

664
 Managing DNS Resource Records

Status Description
Delayed create The creation or update is delayed until the resource record is created on the physical
server(s) of the smart architecture. The creation is automatically done after a maximum
of 1 minute.
Delayed delete The deletion is delayed until the resource record is deleted from the physical server(s) of
the smart architecture. The deletion is automatically done after a maximum of 1 minute.

Adding Resource Records

From the page All RRs, you can add records to a master zone, Name or Reverse. All these records
are detailed in the section Supported Resource Record Types.

When you add master zones, the SOA record and an NS record are added automatically.
This NS is only generated after the server is synchronized. You can add other NS records in the
zone.

Keep in mind that:

• All records can be named, if you do not name a record, it is named after the zone it belongs
to.
• All the records supported by SOLIDserver may not be supported by all DNS server vendors:

Table 45.2. Supported record types per server

Vendor Supported records
BIND A, AAAA, AFSDB, CAA, CDS, CDNSKEY, CERT, CNAME, DHCID, DLV, DNAME,
DNSKEY, DS, HINFO, MINFO, MX, NAPTR, NS, NSAP, OPENPGPKEY, PTR,
SOA, SSHFP, SRV, TLSA, TXT, URI, WKS.
NSD A, AAAA, AFSDB, CAA, CNAME, DNAME, HINFO, MINFO, MX, NAPTR, NS,
NSAP, OPENPGPKEY, PTR, SOA, SRV, TLSA, TXT, WKS.
AWS Route-53 A, AAAA, CAA, CNAME, MX, NAPTR, NS, PTR, SOA, SPF, SRV, TXT.
Microsoft DNS servers A, AAAA, CNAME, MX, NS, PTR, SOA, SRV, TXT.
Azure A, AAAA, CNAME, MX, NS, PTR, SRV, TXT (only ASCII), CAA, SOA.

• Amazon Route 53 and Azure records have some prerequisites, specificities and limitations.
For details, refer to the sections Managing Amazon Route 53 Records and Managing Azure
Records of the chapter Managing DNS Servers.
• If you add records to a smart architecture managing server(s), the last page of the wizard returns
a warning message if any server does not support their type. You can force the addition to add
them to the server(s) that do support them.

Supported Resource Record Types

SOLIDserver supports the following resource records types; most can be added to a zone, some
are automatically added when you add a zone.

Table 45.3. Supported DNS resource records

Type Full name Description
SOA Start of Authority The zone name, an email contact and various time and
refresh values applicable to the zone. It is automatically
generated when you add a zone and cannot be added
manually.
NS Name Server The name server(s) that has authority for the domain
(defined by the SOA record) or the subdomain. When

665
 Managing DNS Resource Records

Type Full name Description

you add a zone, it is automatically generated once the
server has been synchronized
A IPv4 Address A way to map a host name to an IPv4 address.
AAAA IPv6 Address A way to map a host name to an IPv6 address.
AFSDB AFS Database The location of the AFS servers.
CAA Certificate Authority Authorization The CAs authorized to issue a certificate for the domain.
CERT Certificate record A way to store certificates in the DNS.
CNAME Canonical Name An alias name for a host.
DHCID DHCP identifier A way to store DHCP client identifier in the DNS to re-
solve DNS update conflicts.
DNAME Delegation of Reverse Names The delegation of reverse addresses primarily in IPv6.
(Deprecated, use the CNAME RR instead)
HINFO System Information The host information, specifically hardware type and
operating system description.
MINFO Mailbox mail list Information The mail administrator for a mail list and optionally a
mailbox to receive error messages relating to the mail
list.
MX Mail Exchange The mail server/exchanger that services this zone.
NAPTR Naming Authority Pointer The general purpose definition of rules to be used by
applications e.g. VoIP.
NSAP Network Service Access Point A way to map a host name to an endpoint address. It is
an equivalent to the A record.
OPENPGPKEY OpenPGP public key record A way to publish the OpenPGP public keys in the DNS.
PTR Pointer Record A way to map a host name from an IPv4 or IPv6 address,
used in reverse mapping (address resolution).
SSHFP SSH Public Key Fingerprint A way to publish the Secure Shell Fingerprint associated
with a specific hostname.
SRV Service locator The services available in the zone, e.g. LDAP, HTTP...
TLSA TLSA certificate association A way to authenticate TLS client and server entities
without a certificate authority.
TXT Text The information associated with a name.
URI Uniform Resource Identifier A way to map a domain to a URI.
WKS Well-Known Service The services and protocols supported by a host.
This record type is obsolete, you can use an SRV record
instead.
DNSSEC records
65534 65534 A private type record automatically added to the zone
once it is signed with DNSSEC. It cannot be added
manually.
CDNSKEY Child DNSKEY The public cryptographic key used to sign the zone
managing a subdomain with DNSSEC.
CDS Child DS The information used to verify the validity of the ZSK of
a zone managing a subdomain signed with DNSSEC.
DNSKEY DNS Key The public cryptographic key used to sign the zone with
DNSSEC.
DS Delegation Signer The information used to verify the validity of the ZSK of
a zone signed with DNSSEC.

666
 Managing DNS Resource Records

Adding an A Record
The IPv4 Address (A) record maps a host name to an IPv4 address. It can be added to the page
All RRs of any Master zone. A single host can be mapped toward several A records, or IP ad-
dresses, that add an RRset. In this case, the DNS server responds to queries with all the addresses
defined but the order depends on the rrset-order statement of the server configuration file.

To add an A record to a zone

1. In the sidebar, go to DNS > RRs. The page All RRs opens.
2. In the column Zone, click on the name of the master zone of your choice. The page refreshes
and only displays the records it contains.
3. In the menu, click on Add. The wizard Add a DNS RR opens.
4. If custom classes are enabled at record level, in the list DNS RR class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. In the drop-down list RR type, select A.
6. In the field RR name, you can name your RR. The field Complete name auto-completes
and displays the RR full name as follows: RRname.zonename .
7. In the field TTL, specify an expiration time of the record in seconds. The default TTL for an
RR is 1 hour *. You can edit it if need be using the field on the left or one of the values listed
in the drop-down list on the right.
8. In the field IP address, specify the IPv4 Address of the host.
9. Click on OK to complete the operation. The report opens and closes. The record is now listed
and its status is OK. The column RR name displays its Complete name, the column Value
displays the host IP address you specified.

If you do not name an A record, it takes the same name as the zone it belongs to, which allows
DNS clients to find the IPv4 address of your host using only its domain name. This way, querying
the zone name example.com would be resolved immediately and provide access to your host
through its IP address.

Adding a AAAA Record

The IPv6 Address (AAAA) record, also called Quad A record, is used to map a host name to an
IPv6 address. It can be added to the page All RRs of any Master zone. A single host can be
mapped toward several A records, or IP addresses, that add an RRset. In this case, the DNS
server responds to queries with all the addresses defined but the order depends on the rrset-order
statement of the server configuration file.

To add a AAAA record to a zone

1. In the sidebar, go to DNS > RRs. The page All RRs opens.
2. In the column Zone, click on the name of the master zone of your choice. The page refreshes
and only displays the records it contains.
3. In the menu, click on Add. The wizard Add a DNS RR opens.
4. If custom classes are enabled at record level, in the list DNS RR class select a class or
None.
Click on NEXT . The next page opens.

667
 Managing DNS Resource Records

If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. In the drop-down list RR type, select AAAA.
6. In the field RR name, you can name your RR. The field Complete name auto-completes
and displays the RR full name as follows: RRname.zonename .
7. In the field TTL, specify an expiration time of the record in seconds. The default TTL for an
RR is 1 hour *. You can edit it if need be using the field on the left or one of the values listed
in the drop-down list on the right.
8. In the field IPv6 address, specify the IPv6 Address of the host.
9. Click on OK to complete the operation. The report opens and closes. The record is now listed
and its status is OK. The RR name column displays its Complete name, the Value column
displays the host IP address you specified.

If you do not name an AAAA record, it takes the same name as the zone it belongs to, which allows
DNS clients to find the IPv6 address of your host using only its domain name. This way, querying
the zone name example.com would be resolved immediately and provide access to your host
through its IPv6 address.

Adding an AFSDB Record

The Andrew File System Database (AFSDB) record maps a domain name to an AFS database
server. Its purpose is to allow to discover the host that provides service AFS within a domain. It
is not widely used, an Adding an SRV Record record could provide the same kind of information.

To add an AFSDB record to a zone

1. In the sidebar, go to DNS > RRs. The page All RRs opens.
2. In the column Zone, click on the name of the zone of your choice. The page refreshes and
only displays the records it contains.
3. In the menu, click on Add. The wizard Add a DNS RR opens.
4. If custom classes are enabled at record level, in the list DNS RR class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. In the drop-down list RR type, select AFSDB.
6. In the field RR name, you can name your RR. The field Complete name auto-completes
and displays the RR full name as follows: RRname.zonename .
7. In the field TTL, specify an expiration time of the record in seconds. The default TTL for an
RR is 1 hour *. You can edit it if need be using the field on the left or one of the values listed
in the drop-down list on the right.
8. In the field Sub-type, specify the version of service AFS used: 1 (AFS version 3.0) or 2 (OSF
DCE/NCA version).
9. In the field AFS server, specify the AFS hostname.
10. Click on OK to complete the operation. The report opens and closes. The record is now listed
and its status is OK.

668
 Managing DNS Resource Records

Adding a CAA Record

The Certificate Authority Authorization (CAA) record allows the holder of a domain to specify
which certificate authoritie(s) are allowed to issue certificates for the domain.

To add an CAA record to a zone

1. In the sidebar, go to DNS > RRs. The page All RRs opens.
2. In the column Zone, click on the name of the zone of your choice. The page refreshes and
only displays the records it contains.
3. In the menu, click on Add. The wizard Add a DNS RR opens.
4. If custom classes are enabled at record level, in the list DNS RR class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. In the drop-down list RR type, select CAA.
6. In the field RR name, you can name your RR. The field Complete name auto-completes
and displays the RR full name as follows: RRname.zonename .
7. In the field TTL, specify an expiration time of the record in seconds. The default TTL for an
RR is 1 hour *. You can edit it if need be using the field on the left or one of the values listed
in the drop-down list on the right.
8. In the field Flags, specify the number, between 0 and 255, that influences the interpretation
of the record. 0 means that the record is not critical.
9. In the field Property identifier, specify the record tag that suits your needs: issue, issuewild,
iodef or any other value supported by your DNS engine. For more details, refer to the appendix
DNS Resource Records Configuration Fields.
10. In the field Value, specify the domain of the CA associated with the tag or a URL, depending
on the tag specified in the Property identifier.
11. Click on OK to complete the operation. The report opens and closes. The record is now listed
and its status is OK.

Adding a CERT Record

The Certificate (CERT) record allows to store certificates in the DNS.

To add an CERT record to a zone

1. In the sidebar, go to DNS > RRs. The page All RRs opens.
2. In the column Zone, click on the name of the zone of your choice. The page refreshes and
only displays the records it contains.
3. In the menu, click on Add. The wizard Add a DNS RR opens.
4. If custom classes are enabled at record level, in the list DNS RR class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. In the drop-down list RR type, select CERT.

669
 Managing DNS Resource Records

6. In the field RR name, you can name your RR. The field Complete name auto-completes
and displays the RR full name as follows: RRname.zonename .
7. In the field TTL, specify an expiration time of the record in seconds. The default TTL for an
RR is 1 hour *. You can edit it if need be using the field on the left or one of the values listed
in the drop-down list on the right.
8. In the field Type specify the number, between 0 and 65535, that specifies the type of certi-
ficate. For more details, refer to the appendix DNS Resource Records Configuration Fields.
9. In the field Key tag, specify the certificate's key tag, a 16-bit value computed for the key
embedded in the certificate.
10. In the field Algorithm, specify the public key's cryptographic algorithm.
11. In the field Certificate or CRL, specify the certificate, encoded in base-64 format.
12. Click on OK to complete the operation. The report opens and closes. The record is now listed
and its status is OK.

Adding a CNAME Record

The Canonical Name (CNAME) record maps an alias to a real name, also called canonical name.
This name may lie inside or outside your zone but it generally exists elsewhere in your DNS. The
CNAME is mostly used if a host has several possible names, the alias provides a way of saving
all the possible names in your zone to resolve more easily IP or domain name queries. The
CNAME always points to another record, usually an A record. During a query, the CNAME returns
the canonical name and IP address embedded in the A record. That's why a CNAME should not
point to another CNAME record, the DNS answer would take longer and could overload the
server: the first CNAME would point to another CNAME that would point to another CNAME and
so forth until finally getting the IP address from the A record.

Keep in mind that each CNAME RR name is unique: you cannot have several records named
www in the same zone. Their complete name would be www.example.com and as the CNAME
is an alias, it should provide a link toward a canonical name that has not been declared in the
zone yet.

To add a CNAME record to a zone

1. In the sidebar, go to DNS > RRs. The page All RRs opens.
2. In the column Zone, click on the name of the master zone of your choice. The page refreshes
and only displays the records it contains.
3. In the menu, click on Add. The wizard Add a DNS RR opens.
4. If custom classes are enabled at record level, in the list DNS RR class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. In the drop-down list RR type, select CNAME.
6. In the field RR name, name your RR. The field Complete name auto-completes and displays
the RR full name as follows: RRname.zonename .
7. In the field TTL, specify an expiration time of the record in seconds. The default TTL for an
RR is 1 hour *. You can edit it if need be using the field on the left or one of the values listed
in the drop-down list on the right.
8. In the field Hostname, specify the host of your choice canonical name.

670
 Managing DNS Resource Records

9. Click on OK to complete the operation. The report opens and closes. The record is now listed
and its status is OK.

There should be as many hostname aliases as there are CNAME records in your zone.

Adding a DHCID Record

The DHCP identifier (DHCID) record allows to store DHCP client identifier (DUID) in the DNS to
resolve DNS update conflict performed by DHCP clients.

To add an DHCID record to a zone

1. In the sidebar, go to DNS > RRs. The page All RRs opens.
2. In the column Zone, click on the name of the zone of your choice. The page refreshes and
only displays the records it contains.
3. In the menu, click on Add. The wizard Add a DNS RR opens.
4. If custom classes are enabled at record level, in the list DNS RR class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. In the drop-down list RR type, select DHCID.
6. In the field RR name, you can name your RR. The field Complete name auto-completes
and displays the RR full name as follows: RRname.zonename .
7. In the field TTL, specify an expiration time of the record in seconds. The default TTL for an
RR is 1 hour *. You can edit it if need be using the field on the left or one of the values listed
in the drop-down list on the right.
8. In the field Key, specify the encoded DUID in a binary format, encoded in base-64
9. Click on OK to complete the operation. The report opens and closes. The record is now listed
and its status is OK.

Adding a DNAME Record

The Delegation of Reverse Names (DNAME) record is used to map DNS subdomains with each
other. It does not redirect a query toward a subdomain: it rewrites the query. Technically, it rewrites
the subdomain query suffix and looks for a record within the zone matching this new name. It is
especially useful if a company has changed domain name or reorganizes its subdomains man-
agement.

Keep in mind that a DNAME record rewrites the subdomain suffix and applies to all its subdomains.
A DNAME record rewriting a query from support.company.com to support.company.corp also
applies to queries for fr.support.company.com or es.support.company.com . The DNAME config-
uration applies to any label located left of the specified domain name.

A zone configured with a DNAME has records that send back the proper information to DNS clients.
If the value of the DNAME is support.company.corp, there should be an A record, for instance,
named support.company.corp providing an IP address clients can reach.

Keep in mind that unlike a CNAME, the DNAME points a name and not to a record within the
zone.

671
 Managing DNS Resource Records

To add a DNAME record to a zone

1. In the sidebar, go to DNS > RRs. The page All RRs opens.
2. In the column Zone, click on the name of the zone of your choice. The page refreshes and
only displays the records it contains.
3. In the menu, click on Add. The wizard Add a DNS RR opens.
4. If custom classes are enabled at record level, in the list DNS RR class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. In the drop-down list RR type, select DNAME.
6. In the field RR name, you can name your RR. The field Complete name auto-completes
and displays the RR full name as follows: RRname.zonename .
7. In the field TTL, specify an expiration time of the record in seconds. The default TTL for an
RR is 1 hour *. You can edit it if need be using the field on the left or one of the values listed
in the drop-down list on the right.
8. In the field Domain, specify the domain name of a subdomain of the zone.
9. Click on OK to complete the operation. The report opens and closes. The record is now listed
and its status is OK.

Adding a DNSKEY Record

The Domain Name System KEY (DNSKEY) record is used in zones signed with DNSSEC and
contains the public cryptographic key (KSK or ZSK) used to validate signatures.

You do not need to add a DNSKEY record if you signed zones from the GUI, it is added
automatically for each zone.

If you manage from the GUI an external DNS server that contains one or more zones already
signed with DNSSEC, you can add a DNSKEY record to each concerned zone. When the zone
signature is not performed using the appliance, SOLIDserver cannot push the DNSSEC keys to
the server and displays them like any other signed zone. Therefore:
• The DNSKEY record is not listed among the records of the zones.
• The DNSSEC keys of each zone are not listed on the page All DNSSEC keys.
• The zones are not displayed as DNSSEC compliant even though they are.

Adding a DNSKEY record can therefore ease up the zone management and ensure that the
zones you signed from another platform are marked yes in the column DNSSEC. For more details,
refer to the chapter DNSSEC.

To successfully add a DNSKEY record, you need the DNSKEY flags, protocol, algorithm and
key; all of which are available in txt file generated after the zone signature.

To add a DNSKEY record to a zone

1. In the sidebar, go to DNS > RRs. The page All RRs opens.
2. In the column Zone, click on the name of the zone of your choice. The page refreshes and
only displays the records it contains.
3. In the menu, click on Add. The wizard Add a DNS RR opens.

672
 Managing DNS Resource Records

4. If custom classes are enabled at record level, in the list DNS RR class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. In the drop-down list RR type, select DNSKEY.
6. In the field RR name, you can name your RR. The field Complete name auto-completes
and displays the RR full name as follows: RRname.zonename .
7. In the field TTL, specify an expiration time of the record in seconds. The default TTL for an
RR is 1 hour *. You can edit it if need be using the field on the left or one of the values listed
in the drop-down list on the right.
8. In the field Flags, specify or paste the zone key flag.
9. In the field Protocol, specify or paste the protocol value.
10. In the field Algorithm, specify or paste the public key's cryptographic algorithm.
11. In the field Key, specify or paste the public key material.
12. Click on OK to complete the operation. The report opens and closes. The record is now listed
and its status is OK.

Adding a DS Record
The Delegation Signer (DS) record is a DNSSEC that adds the chain of trust or authority from a
signed parent to a child zone. It can be used to verify the validity of the ZSK of a subzone. It is
composed of the parent zone key tag, key algorithm, digest type and digest itself. For more details,
refer to the section Managing DNSSEC on Authoritative Servers.

To add the DS records, refer to the section Publishing the Delegation Signer in the Parent Zone.

Adding an HINFO Record

The System Information (HINFO) record allows to specify the server type of CPU and OS in use.
This record information can be used by some application protocols (like FTP). This record is
rarely used on public servers.

Keep in mind that if you name an HINFO record like an A or AAAA record, they are linked together
in the zone file and provide additional information when the domain name they share (an
identical Complete name in the GUI) is queried.

To add an HINFO record to a zone

1. In the sidebar, go to DNS > RRs. The page All RRs opens.
2. In the column Zone, click on the name of the zone of your choice. The page refreshes and
only displays the records it contains.
3. In the menu, click on Add. The wizard Add a DNS RR opens.
4. If custom classes are enabled at record level, in the list DNS RR class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. In the drop-down list RR type, select HINFO.

673
 Managing DNS Resource Records

6. In the field RR name, you can name your RR. The field Complete name auto-completes
and displays the RR full name as follows: RRname.zonename .
7. In the field TTL, specify an expiration time of the record in seconds. The default TTL for an
RR is 1 hour *. You can edit it if need be using the field on the left or one of the values listed
in the drop-down list on the right.
8. Next to the field CPU, select a CPU in the drop-down list. It is displayed in the field. If your
CPU is not listed, select Other in the drop-down list and specify your CPU in the field.
9. Next to the field OS, select an OS in the drop-down list. If your OS is not listed, select Other
in the drop-down list and specify your OS in the field.
10. Click on OK to complete the operation. The report opens and closes. The record is now listed
and its status is OK.

The HINFO can also be used as a specific TXT record and contain other information.

Adding an MINFO Record

The Mailbox mail list Information (MINFO) record defines the mailbox administrator for a mail list
or even the mailbox that should receive error messages relating to the mail list.

To add an MINFO record to a zone

1. In the sidebar, go to DNS > RRs. The page All RRs opens.
2. In the column Zone, click on the name of the zone of your choice. The page refreshes and
only displays the records it contains.
3. In the menu, click on Add. The wizard Add a DNS RR opens.
4. If custom classes are enabled at record level, in the list DNS RR class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. In the drop-down list RR type, select MINFO.
6. In the field RR name, you can name your RR. The field Complete name auto-completes
and displays the RR full name as follows: RRname.zonename .
7. In the field TTL, specify an expiration time of the record in seconds. The default TTL for an
RR is 1 hour *. You can edit it if need be using the field on the left or one of the values listed
in the drop-down list on the right.
8. In the field Responsible email, specify the email address of the administrator of the mail
list.
9. In the field Error email, specify the email address of the person that should receive the error
messages regarding the mail list.
10. Click on OK to complete the operation. The report opens and closes. The record is now listed
and its status is OK.

Adding an MX Record
The Mail Exchanger (MX) record allows to set the name and relative preference of your mail ex-
changers, in other words, mail servers for the zone. Keep in mind that:
• An MX record should not point to a CNAME record, as detailed in section 10.3 of RFC
2181. Therefore, if you have a CNAME called mail for the zone example.com (its complete
name would be mail.example.com) and if one of your mail exchangers name is mail.ex-

674
 Managing DNS Resource Records

ample.com, you need to remove the alias from the zone to be able to declare the mail exchanger
name in the MX record. To make the answer for the MX more efficient, you should also add
an A or AAAA record pointing to the IP address of the mail server.
• If the mail server stated in one of the MX records lies in the zone, you should add an A
record. This A record name becomes the mail server and its value becomes its IP address.

To add an MX record to a zone

1. In the sidebar, go to DNS > RRs. The page All RRs opens.
2. In the column Zone, click on the name of the zone of your choice. The page refreshes and
only displays the records it contains.
3. In the menu, click on Add. The wizard Add a DNS RR opens.
4. If custom classes are enabled at record level, in the list DNS RR class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. In the drop-down list RR type, select MX.
6. In the field RR name, you can name your RR. The field Complete name auto-completes
and displays the RR full name as follows: RRname.zonename .
7. In the field TTL, specify an expiration time of the record in seconds. The default TTL for an
RR is 1 hour *. You can edit it if need be using the field on the left or one of the values listed
in the drop-down list on the right.
8. In the field Preference, specify a number between 0 and 65535, which defines which server
has priority if there are several MX records in the zone. The lowest the value has the priority
over the other server(s), it can be 0.
9. In the field Mail server, specify the mail server hostname.
10. Click on OK to complete the operation. The report opens and closes. The record is now listed
and its status is OK.

You can add as many MX records as you need in your master zones, it all depends on the
number of mail exchangers you want to declare.

Adding an NAPTR Record

The Naming Authority Pointer (NAPTR) record is a Dynamic Delegation Discovery System (DDDS)
record used to define a rule that may be applied to private data owned by a client application, as
detailed in RFC 3403.

To add an NAPTR record to a zone

1. In the sidebar, go to DNS > RRs. The page All RRs opens.
2. In the column Zone, click on the name of the zone of your choice. The page refreshes and
only displays the records it contains.
3. In the menu, click on Add. The wizard Add a DNS RR opens.
4. If custom classes are enabled at record level, in the list DNS RR class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.

675
 Managing DNS Resource Records

5. In the drop-down list RR type, select NAPTR.

6. In the field RR name, you can name your RR. The field Complete name auto-completes
and displays the RR full name as follows: RRname.zonename .
7. In the field TTL, specify an expiration time of the record in seconds. The default TTL for an
RR is 1 hour *. You can edit it if need be using the field on the left or one of the values listed
in the drop-down list on the right.
8. In the field Order, specify a number between 0 and 65535 to define which RR has priority
if there are several NAPTR records in the zone. The lowest value has the priority over the
other record(s).
9. In the field Preference, specify a number between 0 and 65535 to define which RR has
priority if several NAPTR records have the same Order in the zone. The lowest value has
the priority over the other record(s).
10. In the field Flags, specify the string that corresponds to the action you want your client ap-
plication to perform.
11. In the field Service, specify the services parameters needed according to your client applic-
ation syntax.
12. In the field Regex, specify the string that contains a substitution expression to be applied to
the original string specified in the field Flags.
13. In the field Replace, specify the FQDN domain name to be queried when looking for the
potential data specified in the field Flags.
14. Click on OK to complete the operation. The report opens and closes. The record is now listed
and its status is OK.

Adding an NS Record
The Name Server (NS) record is used to list all the DNS name servers that have authority over
a zone. NS records must be declared both in the parent and the child zones. In the parent zone,
they indicate the zone authoritative server, in the child zone where they constitute the point of
delegation.

The requirement is that at least two name servers are defined for each public domain, so there
is at least two NS records in each zone. The first NS record, named after the zone is added
automatically when you add zones from the GUI to indicate the authoritative server; all other NS
records must be added manually following the procedure below.

We strongly recommend that you add an A record for each NS server to provide detailed inform-
ation to the domain name query. This process is called adding a glue record, that way once your
domain is queried, it can return its authoritative servers name and IP address.

Keep in mind that RFC 2181 stipulates that the NS record can point to other records but
never to a CNAME record as the query answer does not return an address with the NS record
and in some cases might make the query fail altogether.

To add an NS record to a zone

1. In the sidebar, go to DNS > RRs. The page All RRs opens.
2. In the column Zone, click on the name of the zone of your choice. The page refreshes and
only displays the records it contains.
3. In the menu, click on Add or, for reverse zones, Add > RR. The wizard Add a DNS
RR opens.

676
 Managing DNS Resource Records

4. If custom classes are enabled at record level, in the list DNS RR class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. In the drop-down list RR type, select NS.
6. In the field RR name, name your RR. The field Complete name auto-completes and displays
the RR full name as follows: RRname.zonename .
7. In the field TTL, specify an expiration time of the record in seconds. The default TTL for an
RR is 1 hour *. You can edit it if need be using the field on the left or one of the values listed
in the drop-down list on the right.
8. In the field DNS server, specify the DNS server hostname.
9. Click on OK to complete the operation. The report opens and closes. The record is now listed
and its status is OK.

Adding an NSAP Record

The Network Service Access Point (NSAP) record maps a hostname to an endpoint address for
the ISO's Open Systems Interconnect (OSI) system, in that sense it is the equivalent of an A re-
cord. The NSAP RR is described in the RFC 1706.

To add an NSAP record to a zone

1. In the sidebar, go to DNS > RRs. The page All RRs opens.
2. In the column Zone, click on the name of the zone of your choice. The page refreshes and
only displays the records it contains.
3. In the menu, click on Add. The wizard Add a DNS RR opens.
4. If custom classes are enabled at record level, in the list DNS RR class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. In the drop-down list RR type, select NSAP.
6. In the field RR name, you can name your RR. The field Complete name auto-completes
and displays the RR full name as follows: RRname.zonename .
7. In the field TTL, specify an expiration time of the record in seconds. The default TTL for an
RR is 1 hour *. You can edit it if need be using the field on the left or one of the values listed
in the drop-down list on the right.
8. In the field Name, specify the NSAP address of the end system. It should start with 0x and
not exceed 255 hexadecimal characters separated by dots.
9. Click on OK to complete the operation. The report opens and closes. The record is now listed
and its status is OK.

Adding an OPENPGPKEY Record

The OpenPGP public key record (OPENPGPKEY) record allows to publish OpenPGP public
keys in the DNS for a specific email address.

677
 Managing DNS Resource Records

To add an OPENPGPKEY record to a zone

1. In the sidebar, go to DNS > RRs. The page All RRs opens.
2. In the column Zone, click on the name of the zone of your choice. The page refreshes and
only displays the records it contains.
3. In the menu, click on Add. The wizard Add a DNS RR opens.
4. If custom classes are enabled at record level, in the list DNS RR class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. In the drop-down list RR type, select OPENPGPKEY.
6. In the field RR name, you can name your RR. The field Complete name auto-completes
and displays the RR full name as follows: RRname.zonename .
7. In the field TTL, specify an expiration time of the record in seconds. The default TTL for an
RR is 1 hour *. You can edit it if need be using the field on the left or one of the values listed
in the drop-down list on the right.
8. In the field Key, specify the OpenPGP public key, without the last line.
9. Click on OK to complete the operation. The report opens and closes. The record is now listed
and its status is OK.

Adding a PTR Record

The Pointer (PTR) record is used to reverse map an IP address to a host name and can be used
both in IPv4 and IPv6. These records can only be added to reverse zones, they basically provide
the exact opposite information than the A and AAAA records.

The PTR name is always displayed in the RR name column in reverse with the syntax
B4.B3.B2.B1.in-addr.arpa but it is treated like a name. Which is why it is possible to set IP ad-
dresses final section (B4) with a value that does not respect the IP protocol: a value greater than
255 in IPv4 and greater than ffff in IPv6. This lack of limitation in the interface provides an addi-
tional tool for specific configurations.

The PTR being used for reverse host name look ups, it does not make sense to name multiple
PTR records with the same name, i.e. same IP address. However, to provide reverse round-robin
configuration, you can set several IP addresses with different values. For more details, refer to
the section Load Balancing with Round-Robin.

To add a PTR record in a reverse zone

1. In the sidebar, go to DNS > RRs. The page All RRs opens.
2. In the column Zone, click on the name of the master reverse zone of your choice. The page
refreshes and only displays the records it contains.
3. In the menu, click on Add > RR. The wizard Add a DNS RR opens.
4. If custom classes are enabled at record level, in the list DNS RR class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. In the drop-down list RR type, select PTR.

678
 Managing DNS Resource Records

6. Set the IP address in reverse via the field RR name or the field IP address. You must fill in
one of the two fields:
a. If you want to use the field RR name, you can type a number corresponding to the re-
maining section of the IP address of your choice. Filling in this field empties the field IP
address as only one of the two is required. The field Complete name auto-completes
and displays the RR full name as follows: RRname.reversezonename .
b. If you want to use the field IP address, the first sections of the IP address that you set
for the reverse zone is displayed, note that is not displayed in reverse. specify the
missing dot and final section of the IP address.The field Complete name auto-completes
and displays the RR full name as follows: RRname.reversezonename .
7. In the field TTL, specify an expiration time of the record in seconds. The default TTL for an
RR is 1 hour *. You can edit it if need be using the field on the left or one of the values listed
in the drop-down list on the right.
8. In the field Hostname, specify the hostname that should be returned when the IP address
you stated above is queried.
9. Click on OK to complete the operation. The report opens and closes. The record is now listed
and its status is OK.

All the addresses used to name your PTR records provide as many entries toward the host names
of your choice in your reverse master zones.

Adding an SSHFP Record

The SSH Public Key Fingerprint (SSHFP) record allows to publish the Secure Shell (key) Finger-
print associated with a specific host. That host is specified in the RR name.

To add an SSHFP record to a zone

1. In the sidebar, go to DNS > RRs. The page All RRs opens.
2. In the column Zone, click on the name of the zone of your choice. The page refreshes and
only displays the records it contains.
3. In the menu, click on Add. The wizard Add a DNS RR opens.
4. If custom classes are enabled at record level, in the list DNS RR class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. In the drop-down list RR type, select SSHFP.
6. In the field RR name, specify the name of the host associated with the secure shell fingerprint
of the record. The field Complete name auto-completes and displays the RR full name as
follows: <host>.<domain> .
7. In the field TTL, specify an expiration time of the record in seconds. The default TTL for an
RR is 1 hour *. You can edit it if need be using the field on the left or one of the values listed
in the drop-down list on the right.
8. In the field Algorithm, specify the number matching the algorithm used by the Public Key:
1 (RSA), 2 (DSA), 3 (ECDSA) or 4 (Ed25519).
9. In the field Type, specify the number matching the type of fingerprint used: 1 (SHA-1) or 2
(SHA-256).
10. In the field Fingerprint, specify the hexadecimal string of the hash result.

679
 Managing DNS Resource Records

11. Click on OK to complete the operation. The report opens and closes. The record is now listed
and marked OK.

Adding an SRV Record

The Services (SRV) record allows to associate a service with a hostname. That way, users can
locate a service via the relevant SRV record. The answer to a successful SRV query should
provide the user with a hostname, the port providing the service and the hostname priority. If
there are several hosts in the zone, their weight defines which one should be used..

This record only allows one piece of information per field, so if for instance you want to configure
a set of ports for one service, you can add several SRV records each with the same information
in all fields except the port, priority and weight.

To add an SRV record to a zone

1. In the sidebar, go to DNS > RRs. The page All RRs opens.
2. In the column Zone, click on the name of the zone of your choice. The page refreshes and
only displays the records it contains.
3. In the menu, click on Add. The wizard Add a DNS RR opens.
4. If custom classes are enabled at record level, in the list DNS RR class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. In the drop-down list RR type, select SRV.
6. In the field RR name, name your RR. The field Complete name auto-completes and displays
the RR full name as follows: RRname.zonename .
7. In the field TTL, specify an expiration time of the record in seconds. The default TTL for an
RR is 1 hour *. You can edit it if need be using the field on the left or one of the values listed
in the drop-down list on the right.
8. In the field Priority, specify a number, between 0 and 65535, to define which server has
priority if there are several SRV RRs in the zone. The lowest the value has the priority over
the other server(s).
9. In the field Weight, specify a number, between 0 and 65535, to define the server weight. If
two SRV RRs have the same priority, the weight defines which server should be more used.
The greater the value is, the more the server is solicited. Basically, it gives priority to the
SRV RR with the greatest weight value. If you specify 0, there is no weighting.
10. In the field Port, specify the port number that delivers the service to the target.
11. In the field Target, specify the hostname of the server delivering the service.
12. Click on OK to complete the operation. The report opens and closes. The record is now listed
and its status is OK.

Adding a TLSA Record

The TLSA certificate association (TLSA) record allows to authenticate TLS client and server en-
tities without a certificate authority (CA). It is used to associate a TLS server certificate or public
key with the domain name where the record is found.

680
 Managing DNS Resource Records

To add an TLSA record to a zone

1. In the sidebar, go to DNS > RRs. The page All RRs opens.
2. In the column Zone, click on the name of the zone of your choice. The page refreshes and
only displays the records it contains.
3. In the menu, click on Add. The wizard Add a DNS RR opens.
4. If custom classes are enabled at record level, in the list DNS RR class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. In the drop-down list RR type, select TLSA.
6. In the field RR name, you can name your RR. The field Complete name auto-completes
and displays the RR full name as follows: RRname.zonename .
7. In the field TTL, specify an expiration time of the record in seconds. The default TTL for an
RR is 1 hour *. You can edit it if need be using the field on the left or one of the values listed
in the drop-down list on the right.
8. In the field Certificate Usage, specify a number, between 0 and 255, that identifies the as-
sociation data provided to match the certificate presented in the TLS handshake. For more
details, refer to the appendix DNS Resource Records Configuration Fields.
9. In the field Selector, specify the part of the TLS certificate that the server presents to compare
with the association data: 0 (the Full certificate) or 1 (the SubjectPublicKeyInfo).
10. In the field Matching Type, specify the way the association data is presented, where 0 is
the Exact match on selected content, 1 is an SHA-256 hash of selected content and 2 is an
SHA-512 hash of selected content.
11. In the field Certificate Association Date, specify the certificate association data to be
matched. The expected value in the field is a string of hexadecimal characters, it can include
spaces.
12. Click on OK to complete the operation. The report opens and closes. The record is now listed
and its status is OK.

Adding a TXT Record

The Text (TXT) record allows to associate text with a name in your zone. You can use the TXT
record value to describe a host, provide services contacts or even define the Sender Policy
Framework (SPF) information record.

Note that on Amazon Route 53 servers, any TXT containing characters considered invalid by
AWS are listed in the GUI but are never synchronized.

To add a TXT record to a zone

1. In the sidebar, go to DNS > RRs. The page All RRs opens.
2. In the column Zone, click on the name of the zone of your choice. The page refreshes and
only displays the records it contains.
3. In the menu, click on Add. The wizard Add a DNS RR opens.
4. If custom classes are enabled at record level, in the list DNS RR class select a class or
None.
Click on NEXT . The next page opens.

681
 Managing DNS Resource Records

If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. In the drop-down list RR type, select TXT.
6. In the field RR name, you can name your RR. The field Complete name auto-completes
and displays the RR full name as follows: RRname.zonename .
7. In the field TTL, specify an expiration time of the record in seconds. The default TTL for an
RR is 1 hour *. You can edit it if need be using the field on the left or one of the values listed
in the drop-down list on the right.
8. In the field Text, specify the text of your choice. This field text can contain a maximum of
2100 characters, including spaces.
9. Click on OK to complete the operation. The report opens and closes. The record is now listed
and its status is OK.

Adding a URI Record

The Uniform Resource Identifier (URI) record allows to map a domain to a URI.

To add an URI record to a zone

1. In the sidebar, go to DNS > RRs. The page All RRs opens.
2. In the column Zone, click on the name of the zone of your choice. The page refreshes and
only displays the records it contains.
3. In the menu, click on Add. The wizard Add a DNS RR opens.
4. If custom classes are enabled at record level, in the list DNS RR class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. In the drop-down list RR type, select URI.
6. In the field RR name, you can name your RR. The field Complete name auto-completes
and displays the RR full name as follows: RRname.zonename .
7. In the field TTL, specify an expiration time of the record in seconds. The default TTL for an
RR is 1 hour *. You can edit it if need be using the field on the left or one of the values listed
in the drop-down list on the right.
8. In the field Priority, specify a number, between 0 and 65535, to define which target URI has
priority if there are several URI records in the zone. The lowest value has the priority over
the other URI.
9. In the field Weight, specify a number, between 0 and 65535, to define the target URI weight.
If two URI records have the same priority, the weight defines which one is more used. The
field gives priority to the URI record with the greatest weight value: the greater the value is,
the more the URI is solicited. If you specify 0, there is no weighting.
10. In the field Target, specify targeted URI following the format described in RFC 3986.
11. Click on OK to complete the operation. The report opens and closes. The record is now listed
and its status is OK.

Adding a WKS Record

The Well-Known Services (WKS) record is used to define the services and protocols used by a
host.

682
 Managing DNS Resource Records

This record type is not obsolete, the SRV record can provide the same information.

To add a WKS record to a zone

1. In the sidebar, go to DNS > RRs. The page All RRs opens.
2. In the column Zone, click on the name of the zone of your choice. The page refreshes and
only displays the records it contains.
3. In the menu, click on Add. The wizard Add a DNS RR opens.
4. If custom classes are enabled at record level, in the list DNS RR class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. In the drop-down list RR type, select WKS.
6. In the field RR name, you can name your RR. The field Complete name auto-completes
and displays the RR full name as follows: RRname.zonename .
7. In the field TTL, specify an expiration time of the record in seconds. The default TTL for an
RR is 1 hour *. You can edit it if need be using the field on the left or one of the values listed
in the drop-down list on the right.
8. In the field IP address, specify the IPv4 Address of the host that contains the services listed
in the field Services.
9. In the drop-down list Protocol, select the protocol that suits your needs.
10. In the drop-down list Services, select the service that suits your needs.
11. Click on OK to complete the operation. The report opens and closes. The record is now listed
and its status is OK.

Editing Resource Records

You can edit all the records contained in a master zone.

From the list All RRs, you can differentiate the ones you can or cannot edit, refer to the image A
list of resource records above. For instance, the records of a physical server managed via a smart
architecture cannot be edited.

Note that SOA records cannot be edited like the other records: you can tick them to change their
TTL or value, but you cannot edit them individually from the page. For more details, refer to the
sections Editing Several Records at Once and Editing the SOA from the Zone Properties Page.

Editing One record

From the page All RRs, you can edit most records by clicking on their Name. Note that:
• You cannot edit the records of a physical server managed by a smart architecture. You need
to edit the record of the smart, all your changes are then pushed on the physical server(s)
managed by the smart architecture
• The SOA records cannot be edited that way. To edit an SOA record, refer to the sections
Editing Several Records at Once and Editing the SOA from the Zone Properties Page.

To edit a resource record

1. In the sidebar, go to DNS > RRs. The page All RRs opens.

683
 Managing DNS Resource Records

2. In the column Zone, click on the name of the zone of your choice to display the records it
contains.
3. In the column RR name, click on the name of the RR of your choice. The wizard Edit a DNS
RR opens.
4. If custom classes are enabled at record level, in the list DNS RR class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. Edit, if need be, the values and TTL of the record following the table appropriate procedure
in the Adding Resource Records section above. The default TTL of an RR is 1 hour.
Keep in mind that if several records in a zone share the same name, editing the TTL on one
also edits the TTL on the records sharing that name.
6. Click on OK to complete the operation. The report opens and closes. The changes are visible
on the page.

Editing Several Records at Once

From the page All RRs, you can tick any record, SOA included, to edit its TTL or Value. These
changes can also be performed on several records at once.

To replace the TTL of one or several resource records

1. In the sidebar, go to DNS > RRs. The page All RRs opens.
2. In the column Zone, click on the name of the zone of your choice. The page refreshes and
only displays the records it contains.
3. Tick the record(s) for which you want to replace the TTL.
4. In the menu, select Edit > Replace > The TTL of an RR. The wizard Replace the TTL
of an RR opens.
5. In the field TTL, specify the expiration time of the record in seconds or use one of the pre-
defined values in the drop-down list. The default TTL for an RR is 1 hour.
6. Click on OK to complete the operation. The report opens and closes. The page refreshes,
the new TTL is visible.

You can tick several records and edit their Value. The wizard allows to replace existing values,
you can specify whole values or part of a value, for instance a domain name stated in all the re-
cords. Note that the wizard returns an error if you specify a value that does not exist.

To replace the value of one or several resource records

1. In the sidebar, go to DNS > RRs. The page All RRs opens.
2. In the column Zone, click on the name of the zone of your choice. The page refreshes and
only displays the records it contains.
3. Tick the record(s) for which you want to replace a value.
4. In the menu, select Edit > Replace > The value of an RR. The wizard Replace the
value of an RR opens.
5. In the field Replace, specify the value you want to replace.
6. In the field By, specify the new value, it overwrites the content of Replace.
7. In the drop-down list Exact search, you can select Yes or No. By default, Yes is selected.

684
 Managing DNS Resource Records

Table 45.4. DNS resource records exact search options

Type Description
Yes The value specified in the field Replace is replaced as a whole. It is considered unique, so if any
record contains it several times in its Value, each of them has to be replaced individually.
No The value specified in the field Replace is replaced no matter how many times it appears in the
column Value of a record.

8. Click on OK to complete the operation. The report opens and closes. The page refreshes,
the changes are visible in the list.

Editing the SOA from the Zone Properties Page

As the SOA is automatically generated by SOLIDserver when you add a Master zone, you can
edit it from the properties page of the zone. Keep in mind that the SOA contains information
critical to the zone and editing it can have heavy consequences on a zone management.

The SOA contains the zone's serial number, administrator email and configuration information
(refresh, retry, expiration...) all of which you can edit. Note that:
• You cannot rename an SOA, it is automatically named like the zone when you add it.
• The SOA also contains the name of the primary server, the DNS server that has authority over
the zone, but you cannot edit it.

To edit the TTL or Value of one or several SOA records, refer to the section Editing Several Re-
cords at Once.

To edit an SOA record

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. At the end of the line of the zone of your choice, click on . The properties page opens.
3. In the panel Main properties, click on EDIT. The wizard Edit a DNS zone opens.
4. If custom classes are enabled at zone level, in the list DNS zone class select a class or
None.
Click on NEXT . The last page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. Click on NEXT until you get to the last page of the wizard.
6. Edit the SOA parameters according to your needs:

Table 45.5. DNS zone SOA parameters

Field Description
Primary server The primary Master server for the zone, i.e. the MNAME of the SOA. When you add
a zone on a smart architecture, it is automatically filled and cannot be edited.
Responsible The administrator email address for the zone.
Serial number The zone serial number. It is automatically incremented for each zone change.
Refresh The refresh period for slave server(s). When the selected period is reached, the slave
server(s) read the Master SOA record and, if their data is not up-to-date, trigger a
zone transfer to get the latest version of the zone.
Retry The retry interval if the server fails to reach the master during a refresh cycle.
Expiration The period after which the records are considered to be no longer valid/authoritative
and the server stops responding to queries for the zone.

685
 Managing DNS Resource Records

Field Description
Minimum The negative caching period of the zone, in seconds. This period is used as TTL for
every NXDOMAIN returned to clients querying unexisting records.
TTL The TTL (Time to Live) of the SOA, its duration, in seconds. The drop-down list next
to the input field allows to select durations in human-readable format.

7. Click on OK to complete the operation. The wizard closes. The page refreshes, the changes
are listed.

Configuring the Delegation at Record Level

At RR level, the delegation parameters are managed through the Start of Authority (SOA), the
Name Server (NS) and the Address (A or AAAA) records.The SOA and NS records are generated
when the zone is added.

Note that the primary NS record of a zone is generated once the server is synchronized and in-
dicates the authoritative server of the zone.

Delegating a sub-domain simply consists of adding both an NS and an A (or AAAA) RR in the
parent zone pointing to the sub-domain:
• The NS record indicates which servers are authoritative for the zone. You can also add addi-
tional NS records to delegate authority for the zone to other DNS servers.
• The A / AAAA record indicates the IP address of the server that has authority over the sub-
domain and therefore needs to be added in the RRs list of the parent zone.

Let's consider the zones efficientip.com and support.efficientip.com for the purpose of illustrating
the delegation configuration. The parent zone, efficientip.com, is managed through the server
ns1.efficientip.com and the child zone, support.efficientip.com, is managed through ns2.efficien-
tip.com . You need to add the relevant records in the parent zone. On the one hand, add the NS
record, name it support (it is then listed as support.efficientip.com as the RR name auto-completes
with the domain name at the end) and indicate the server that has authority over it in the adequate
field, in our case ns2.efficientip.com. On the other hand, add the A record named ns2 (once
again, its name auto-completes with the zone name and obtain the server actual name) and in-
dicate its IP address. That way, you should have two new records in the parent zone: an NS RR,
support.efficientip.com, pointing toward the delegated child zone and a glue A record, ns2.effi-
cientip.com.

To add an NS record to a zone

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. In the column Name, click on the name of the zone of your choice. The page All RRs of the
zone opens.
3. In the menu, click on Add. The wizard Add a DNS RR opens.
4. If custom classes are enabled at record level, in the list DNS RR class select a class or
None.
Click on NEXT . The last page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. In the field RR type, NS is displayed.
6. In the field RR name, name your RR after the sub-domain. Note that the Complete name
field auto-completes and displays the RR full name as follows: RRname.zonename .

686
 Managing DNS Resource Records

7. In the field DNS server, specify the name of the server that has authority over the sub-domain.
8. Click on OK to complete the operation. The report opens and closes. The record is now listed
and marked OK.

To add an A record to a zone

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. In the column Name, click on the name of the zone of your choice. The page All RRs of the
zone opens.
3. In the menu, click on Add. The wizard Add a DNS RR opens.
4. If custom classes are enabled at record level, in the list DNS RR class select a class or
None.
Click on NEXT . The last page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. In the field RR type, A is displayed.
6. In the field RR name, name your RR after the server that has authority over the sub-domain
(the same one as the DNS server specified when adding the NS record). Note that the field
Complete name auto-completes and displays the RR full name as follows: RRname.zone-
name and should match the server name.
7. In the field TTL, specify an expiration time of the record in seconds. The default TTL for an
RR is 1 hour *. You can edit it if need be using the field on the left or one of the values listed
in the drop-down list on the right.
8. In the field IP address, specify the IP address of the authoritative server.
9. Click on OK to complete the operation. The report opens and closes. The record is now listed
and marked OK.

Copying or Moving Records

At some point you can use the option Migrate to move or copy RR(s) from one DNS server or
view to the other.

Note that this option has nothing to do with the zones database replication of the DNS command
allow-transfer. Duplication and migration of a zone includes the records it manages.

To copy a record
1. In the sidebar, go to DNS > RRs. The page All RRs opens.
2. Tick the record(s) you want to duplicate.
3. In the menu, select Edit > Migrate. The wizard Copying/Moving RRs opens.
4. In the drop-down list Method, select Copy.
5. In the drop-down list Target server, select the server of your choice. The Target zone drop-
down list appears.
6. In the drop-down list Target zone, select the zone of your choice. If you added views in your
server, the zone is named zone (view).
7. In the drop-down list Existing records, choose if you want to overwrite RRs with the same
name. The wizard refreshes.
8. Click on OK to complete the operation. The report opens and closes. The page displays the
migrated record. Note that the complete name of the RR(s) in the column RR name is now
RRname.newzonename.

687
 Managing DNS Resource Records

To move a record
1. In the sidebar, go to DNS > RRs. The page All RRs opens.
2. Tick the record(s) you want to move.
3. In the menu, select Edit > Migrate. The wizard Copying/Moving RRs opens.
4. In the drop-down list Method, select Move.
5. In the drop-down list Target server, select the server of your choice. The Target zone drop-
down list appears.
6. In the drop-down list Target zone, select the zone of your choice. If you added views in your
server, the zone is named zone (view).
7. In the drop-down list Existing records, choose if you want to overwrite RRs with the same
name.
8. Click on OK to complete the operation. The report opens and closes. The page displays the
migrated record. Note that the complete name of the RR(s) in the column RR name is now
RRname.newzonename.

Changing the Hostname Convention

From the module Administration, you can change the RR naming convention and allow the use
of the underscore in the resource records full name. Before doing so, keep in mind that:
• Following RFC 1034, the hostname naming convention only allows alphanumeric characters
and hyphens. It does not include the underscore ("_").
• Once you allow the use of the underscore in the record names, dynamic updates from Microsoft
Active Directory controllers might not be accepted.

To change the SSH password security level

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Registry database. The page Registry database opens.
3. In the menu, select Tools > Configuration registry database.The wizard Configuration
of registry database opens.
4. Click on NEXT . The last page of the wizard opens.
5. Tick the box Activated to allow the use of the underscore in the record naming convention.
6. Click on OK to complete the operation. The report opens and closes.

Load Balancing with Round-Robin

The load balancing or Round-Robin functionality is useful if you have a number of equivalent
network resources, like mirrored FTP servers, Web servers, and would like to spread the load
among them. You establish one domain name that refers to the group of resources, configure
clients to access that domain name, and the name server inverse-multiplexes the accesses
between the IP addresses you list.

For example, if you have three www servers with network addresses of 10.0.0.1, 10.0.0.2 and
10.0.0.3, a set of A resource records means that clients connect to each machine one third of
the time. When a resolver queries for these records, BIND rotates them and respond to the query
with the records in a different order. In the example above, clients randomly receive records in
the order 1, 2, 3; 2, 3, 1; and 3, 1, 2. Once the query is answered a first time with 1, the next client
querying the same name receives a different answer: 2; and so forth. There is no configuration

688
 Managing DNS Resource Records

needed, the balancing is automatically activated if three different servers resolve to the same
domain name (to follow the example: www.yourdomain.com).

Note that if you configured the DNS advanced properties Add a PTR, a PTR record is added only
for the first A record you add.

SPF Record
Sender Policy Framework (SPF) is an email validation system designed to prevent email spam
by detecting email spoofing using the senders' IP address. SPF allows administrators to specify
which hosts are authorized, or not, to send emails from a given domain. Mail exchangers use
the DNS to verify that the host sending the email from a given domain is sanctioned by that do-
main's administrators. The SPF record is actually a single string of text found in the value of a
single TXT record.

In 2003, when SPF was first being developed, the requirements for assignment of a new DNS
RR type were considerably more stringent than they are now. In its review of the RFC 4408, the
IETF SPFbis working group concluded that its dual RR type transition model was fundamentally
flawed since it contained no common RR type that implementers were required to serve and re-
quired to check.

The Simple Mail Transfer Protocol allows any computer to send email claiming to be from any
source address. This is exploited by spammers who often use forged email addresses, making
it more difficult to trace a message back to its sender, and easy for spammers to hide their
identity in order to avoid responsibility. It is also used in phishing techniques, where users can
be duped into disclosing private information in response to an email purportedly sent by an or-
ganization such as a bank. SPF allows the owner of an Internet domain to specify which computers
are authorized to send mail with sender addresses in that domain. Receivers verifying the SPF
records may reject messages from unauthorized sources before receiving the body of the message.
The sender address is transmitted at the beginning of the SMTP dialog. If the server rejects the
sender, the unauthorized client should receive a rejection message, and if that client was a relaying
message transfer agent (MTA), a bounce message to the original sending address may be gen-
erated. If the server accepts the sender, and subsequently also accepts the recipients and the
body of the message, it should insert a field Return-Path in the message header in order to save
the sender address.While the address in the Return-Path often matches other originator addresses
in the mail header such as From or Sender, this is not necessarily the case, and SPF does not
prevent forgery of these other addresses.

Examples of SPF records

example.com. IN TXT "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.123 a -all"

example.com. 21600 IN SPF "v=spf1 +all"

IN TXT "v=spf1 mx -all"
IN TXT "v=spf1 redirect=_spf.example.com"
IN TXT "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.123 a -all"
IN TXT "v=spf1 include:example.org -all"

Adding IP Addresses and Aliases from the Page All RRs

The advanced properties allow to automatically add an IP address or an alias in the IPAM for
every new A, AAAA, PTR or CNAME record. The IP address or alias shares the same address
and name as the record.

689
 Managing DNS Resource Records

This property must be set at server, view or zone level and propagated down to the records. For
more details, refer to the chapter Managing Advanced Properties in the section Configuring DNS
Advanced Properties.

Updating DNS Records from the IPAM

The advanced properties allow to automatically add records when you add or edit IP addresses
and aliases in the IPAM.

An A, AAAA, CNAME or PTR record is added in the zone configured at network level. The new
record is named after the complete IP address name and zone name.

For more details, refer to the chapter Managing Advanced Properties in the sections Network
Advanced Properties and IP Address Advanced Properties.

Adding Records from the DHCP

The advanced properties allow to automatically add an A record for every new DHCP lease.

Note that all DHCP to DNS properties rely on the IPAM and can only be configured if you set
IPAM to DNS and IPAM to DHCP advanced properties.

For more details, refer to the chapter Managing Advanced Properties in the section Configuring
DHCP Advanced Properties.

Exporting DNS Resource Records

From the page All RRs, you can export the data listed in a CSV, HTML, XML, XLS or PDF file.

Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.

Deleting Resource Records

Except for the basic SOA and NS records generated when you add a master zone, all the resource
records that you added within a zone can be deleted.

Note that the stale records dynamically added via GSS-TSIG are automatically deleted if the
DDNS scavenging is enabled at zone level. Each deletion is logged on the page Syslog of the
module Administration. For more details, refer to the section Configuring Scavenging on DNS
Zones in the chapter Managing DNS zones.

To delete a resource record

1. In the sidebar, go to DNS > RRs. The page All RRs opens.
2. In the column Zone, click on the name of the zone of your choice. The page refreshes and
only displays the records it contains.
3. Tick the record(s) of your choice.
4. In the menu, click on Delete. The wizard Delete opens.
5. Click on OK to complete the operation. The RR is marked Delayed delete and is then no
longer listed.

690
Chapter 46. Implementing Dynamic
Update
Dynamic Domain Name Server (DDNS) is the system, detailed in RFC2136, through which IP
address assignment updates in the DHCP are immediately reflected in the DNS records for the
hosts. DDNS enables a DNS server to accept and receive an update every time a dynamic client
changes their IP address. Updating the DNS dynamically eliminates the need for an administrator
to manually set large numbers of records as authorized users can add, delete, and edit records
on the fly.

In the wrong hands, dynamic updates can open up your network to certain vulnerabilities as users
could update some or many of the records on a DNS server organization with incorrect information.
Which is why, within SOLIDserver, DDNS relies on the Transaction SIGnature (TSIG). Described
in RFC 2845, TSIG is based on the use of a symmetrical key, and we add one update key per
Efficient IP DNS server. That way, every transaction from DHCP servers to DNS servers is
automatically protected.

SOLIDserver supports both dynamic update via TSIG keys and secure dynamic update via
Generic Security Service Algorithm for Secret Key Transaction (GSS-TSIG) for DNS servers
serving Microsoft Active Directory clients.

You can configure your EfficientIP DNS server to authenticate your AD clients and grant or deny
them dynamic update rights on the master zone managing your AD server domain via the state-
ment update-policy. For more details, refer to the section Configuring Secure Dynamic Update.

Configuring Dynamic Update

To set dynamic update, you must configure your DNS server and then edit the statement allow-
update of master zones of your choice. The configuration requires to:
1. Secure the server. You must edit the server main properties and specify a TSIG key. For more
details, refer to the section Securing the Management of DNS Servers Using a TSIG Key.
2. Configure the server for dynamic update.
• Either edit the default ACL admin to include the same TSIG key to its permissions.
• Or add a new ACL that includes the TSIG key to its permissions. For more details, refer to
the section Configuring Access Control Lists for a Server.
For more details, refer to the section Authenticating the Zones Dynamic Update from the
Server.
3. Configure the statement allow-update of your master zones with the same TSIG key. For more
details, refer to the section Configuring DNS Update Authorizations on a Zone.
Note that if you edited the ACL admin of the server, the configuration is complete because,
by default, the ACL admin of the physical server is specified in the statement allow-update of
the master zones.

You can configure dynamic update on all DNS servers except Amazon Route 53 DNS servers.

Configuring Secure Dynamic Update

Secure dynamic update for AD domains can be configured thanks to GSS-TSIG keys. You can
configure an EfficientIP DNS server managing your AD domain to authenticate AD users. Once

691
 Implementing Dynamic Update

the server is set, you can configure the statement update-policy on the master zone managing
your AD domain to allow or deny dynamic update of your DNS server for AD users.

To properly set up secure dynamic update requires:

1. Meeting the prerequisites and taking into account the limitations.
2. Making Sure your Master Zone is Properly Configured, the master zone managing your AD
domain.
3. Generating and Uploading the GSS-TSIG key.
4. Configuring your DNS server for Secure Dynamic Update, i.e. configuring your server with the
GSS-TSIG key.
5. Configuring your Zone for Secure Dynamic Update, i.e. configuring the statement update-policy
on the zone managing your AD domain.

Prerequisites
• A windows Active Directory server porperly configured:
• Use an EfficientIP or EfficientIP Package DNS server, no need to rely on any Microsoft
Windows Server.
• With at least one user with sufficient DNS rights, able to generate GSS-TSIG keys. This user
must share the same name as your EfficientIP DNS server following the format my-ad-
user.my-ad-domain .
• At least one EfficientIP DNS server named after an AD user with sufficient DNS rights. The
server is named following the format my-ad-user.my-ad-domain .
The name of the DNS server can be set based on an existing user, or an AD user can be
named after the DNS server name. Either way, they must have the same name and that name
must include the full AD domain. For more details, refer to the procedure To add an EfficientIP
DNS server.
• The EfficientIP DNS server must contain a master zone managing your AD domain, so it named
with a format similar to my-ad-domain.corp . This master zone must be configured with 9 key
records (1 SOA, 2 A and 6 SRV) linking your AD server, AD domain and DNS server. For more
details, refer to the procedure To add a master zone.
• SOLIDserver and your AD server must be set at the same time.You should configure the same
NTP server on SOLIDserver and your AD server.

Limitations
• Secure dynamic update can only configured for EfficientIP or EfficientIP Package servers.
• For each physical DNS server there must be an AD user. Therefore, to configure secure dy-
namic update for a Multi-Master smart architecture, you need two AD users to generate the
GSS-TSIG key for the server named after them.

Making Sure your Master Zone is Properly Configured

As detailed in the prerequisites, the master zone managing the AD domain has to be configured
with records linking the domain, the AD server and the DNS server. Without these records, you
cannot set up the AD authentication for AD clients' dynamic update.

The zone configuration must contain the 9 records configured as detailed in the example below.
ad-domain.corp SOA TTL dns-server.ad-domain.corp X X X X X X dns-server.ad-domain.corp
A TTL IP ad-server.ad-domain.corp A TTL IP _kerberos._udp.ad-domain.corp SRV TTL 0 100
464 ad-server.ad-domain.corp _kerberos._udp.ad-domain.corp SRV TTL 0 100 88
ad-server.ad-domain.corp _kerberos._tcp.ad-domain.corp SRV TTL 0 100 464

692
 Implementing Dynamic Update

ad-server.ad-domain.corp _kerberos._tcp.ad-domain.corp SRV TTL 0 100 88

ad-server.ad-domain.corp _ldap._tcp.pdc._msdcs.ad-domain.corp SRV TTL 0 100 389
ad-server.ad-domain.corp _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ad-domain.corp
SRV TTL 0 100 389 ad-server.ad-domain.corp

Note that:
• These records can be added automatically, as detailed below.
• If you want to configure secure dynamic update on several AD domains, you must follow the
procedure for each of the relevant master zones.

To prepare the AD server and AD domain for dynamic updates

1. Configure the master zone managing your AD domain
a. Connect to SOLIDserver GUI.
b. In the sidebar, go to DNS > Zones. The page All zones opens.
c. At the end of the line of the zone managing your AD domain, click on . The properties
page opens.
d. In the panel Access Control, click on EDIT . The wizard opens: the page Allow-query
appears.
e. Click on NEXT . The page Allow-transfer appears.
f. Click on NEXT . The page Allow-update appears.
g. In the drop-down list Type, select IP address.
h. In the drop-down list Restriction, select Allow.
i. In the field IP address, specify the IP address of your AD server.
j. Click on ADD , the IP address is visible in the list ACL values. Make sure that the IP
address of the AD server was not denied in the list, denied hosts are preceded by (!).
k. Click on OK to complete the operation. The report opens and closes. The IP address is
visible in the panel Access control, in the list Allow-update.
2. Check the AD server configuration
a. Connect to your AD server.
b. Make sure the DNS resolver configured for the AD server is your EfficientIP DNS server.
If not, you must set your EfficientIP DNS server as the resolver of your AD server.
3. Complete the AD server configuration
a. Open a command prompt on the AD server.
b. Send the AD server details - an A record - to your EfficientIP DNS server using the fol-
lowing command.
ipconfig /registerdns

c. Add the missing key records to the DNS server using the command below.
nltest /server:<ad-server-name>.<full-ad-domain> /dsregdns

The missing records link your AD server, AD domain and DNS servers.
4. Make sure the configuration is complete
a. Go back to SOLIDserver GUI.
b. In the sidebar, go to DNS > Zones. The page All zones opens.
c. Tick the zone managing your domain.

693
 Implementing Dynamic Update

d. In the menu, select Edit > Status > Synchronize. The wizard Synchronization
opens.
e. Click on OK to complete the operation. The report opens and closes, the page reloads.
f. Click on the zone name, the page All RRs opens. The key records - 1 SOA, 2 A and 6
SRV - are listed and configured as expected.
5. If you want to configure secure dynamic update on several AD domains, you must follow the
steps 1 to 4 for each additional AD domain.

When the AD server, DNS server and master zone managing your AD domain are configured
properly, you can generate a GSS-TSIG key and upload it to SOLIDserver.

Generating and Uploading the GSS-TSIG Key

Once you prepared the AD server and AD domain for dynamic updates, you need to:
1. Generate a GSS-TSIG key.
2. Upload the GSS-TSIG key to SOLIDserver.

Keep in mind that the key must respect the following:

• The AD user named after the DNS server must generate the key.
• The key has the extension .keytab and is used by the DNS server to authenticate AD users.

If you want to configure secure dynamic update on several AD domains, you must follow the
procedure for each of the relevant AD domains.

To generate the GSS-TSIG key on the AD server

1. Connect to your AD server using the credentials of an AD administrator.
2. Open a command prompt.
3. Go to the directory of your choice.
4. Generate the GSS-TSIG key following the command below, on one line.
ktpass -princ DNS/<name>.<domain>@<domain> -mapuser <name>@<domain> -pass <password>
-ptype KRB5_NT_PRINCIPAL -crypto <encryption> -mapOp set -out <name>.<domain>.keytab

# <name> is the AD user sharing the same name as the DNS server. This user must be
used to generate all the GSS-TSIG you may need.
# <domain> is the full AD domain: domain.TLD .
# <password> is the password of the AD user specified.
# <encryption> is the encryption type: DES-CBC-CRC, DES-CBC-MD5, RC4-HMAC-NT,
AES256-SHA1, AES128-SHA1 or All.

5. Copy the file in the directory of your choice for the upload.
6. If you want to configure secure dynamic update on several AD domains, follow the steps 1
to 5 for each additional AD domain.
Each key must be generated using the same AD user.

Once you generated the key and saved it where you want, you must upload it to SOLIDserver.
Note that:
• SOLIDserver provides a page dedicated to All GSS-TSIG key. It details the key Name, Encryp-
tion Type and Encryption number in dedicated columns. You cannot edit the columns layout.
• If you want to configure secure dynamic update on several AD domains, you only need to
upload one GSS-TSIG key, even if you had to generate one key per AD domain. As they are

694
 Implementing Dynamic Update

all configured with a single user, once you uploaded one key all AD domains are trusted for
dynamic update.

To upload the GSS-TSIG key to SOLIDserver

1. Connect to SOLIDserver GUI.
2. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
3. In the section Authentication & Security, click on Certificates and keys. The page All
certificates opens.
4. In the breadcrumb, click on All GSS-TSIG keys. The page refreshes.
5. In the menu, click on Add. The wizard Add a GSS-TSIG Key opens.
6. Click on BROWSE to find and upload your .keytab file.
7. Double-click on the name to select it.
8. In the field File name, the file is displayed.
9. Click on OK to complete the operation. The report opens and closes. The key is listed.

In the column Name, the uploaded key is displayed following the format declared during the
generation: DNS/<name>.<domain>@<domain> .

You can delete a GSS-TSIG key if you no longer use it on any server or zone. For more details,
refer to the section Disabling Secure Dynamic Update.

Configuring your DNS server for Secure Dynamic Update

When the GSS-TSIG key is uploaded, you must configure the physical server managing your
AD domain with it.

On the page All servers, the column Multi-Status indicates if the smart architecture has GSS-
TSIG enabled but there is no GSS-TSIG key configured on the physical server(s) it manages.

If you manage your physical server via a smart architecture, you must first enable GSS-TSIG on
the smart and then specify the .keytab file on the physical server.

To configure and specify the GSS-TSIG on a physical server managed via a smart
1. Enable GSS-TSIG on the smart architecture
a. In the sidebar, go to DNS > Servers. The page All servers opens.
b. At the end of the line of the smart server, click on . The properties page opens.
c. Open the panel GSS-TSIG using and click on EDIT . The wizard Edit GSS-TSIG
properties opens.
d. Tick the box Use GSS-TSIG.
e. Click on OK to complete the operation. The report opens and closes. In the panel, the
GSS-TSIG status is now Enabled. Now you must specify the GSS-TSIG key on the
physical server.
2. Specify the GSS-TSIG key on the physical server
a. In the sidebar, go to DNS > Servers. The page All servers opens.
b. At the end of the line of the physical server managing your AD domain, click on . The
properties page opens.
c. Open the panel GSS-TSIG using and click on EDIT . The wizard Edit GSS-TSIG
properties opens

695
 Implementing Dynamic Update

d. The box Use GSS-TSIG is ticked.

e. In the drop-down list Select the key to use, select the .keytab file you uploaded.
f. Click on OK to complete the operation. The report opens and closes. In the panel, the
key details are displayed.
3. If you manage several physical servers via a Multi-Master architecture, you must repeat the
actions of the step 2 for each EfficientIP DNS server.

If you manage your physical server outside a smart server, you must enable GSS-TSIG and
specify the GSS-TSIG on the EfficientIP DNS server itself.

To configure a physical server with GSS-TSIG

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the physical server managing your AD domain, click on . The
properties page opens.
3. Open the panel GSS-TSIG using and click on EDIT . The wizard Edit GSS-TSIG properties
opens.
4. Tick the box Use GSS-TSIG. A drop-down list appears.
5. In the drop-down list Select the key to use, select the .keytab file you uploaded. If there is
only one file on the page All GSS-TSIG keys, it is automatically selected.
6. Click on OK to complete the operation. The report opens and closes. In the panel, the key
details are displayed.

Once you selected a keytab file on a physical server, the AD users can be authenticated, when
they query the AD domain. Now you need to configure the AD users permissions and restrictions
on the zone managing the AD domain.

Configuring your Zone for Secure Dynamic Update

When the physical server managing your AD domain is configured to authenticate AD users, you
can configure the statement update-policy with permissions and restrictions that suit your needs
directly on the zone managing your AD domain.

On the page All zones, the column GSS-TSIG indicates if the zones are configured with a GSS-
TSIG key. The column has three possible values:

Table 46.1. Values of the column GSS-TSIG

Value Description
N/A The zone cannot be configured with GSS-TSIG.
No The zone is not configured with GSS-TSIG: its update-policy statement has not been configured.
Yes The zone is configured with GSS-TSIG: its update-policy statement is activated and configured
with your entries and/or the default entries detailed below.

Before configuring the statement update-policy, keep in mind that:

• The first time you configure the statement, SOLIDserver automatically allows itself to edit the
zone. The panel contains the policy you configured in the wizard and the following policy:
grant "ipmadmin" wildcard "*" ANY;

If your zone is managed via a view, SOLIDserver automatically adds the following policy:
grant "<view-name>" wildcard "*" ANY;

696
 Implementing Dynamic Update

• If they suit your needs, we recommend that you configure the following update-policy entries:
1. Allow the AD server to edit the master zone managing your domain. That way the AD server
can advertise any hostname or IP address changes directly to the DNS server without con-
figuring dynamic update again. The final policy should look as follows:
grant "<server-name>$@<full-domain>" wildcard "*" ANY;
# In the GUI, this configuration is set as follows:
# Permission=grant, Identity=<server-name>$@<full-domain>,
# Matchtype=wildcard, Tname=*, RR type=Any

2. Allow Windows computers registered in the AD domain to add their A and AAAA records in
the zone.
grant "<full-ad-domain>" ms-self "<full-ad-domain>" specific A AAAA;
# In the GUI, this configuration is set as follows:
# Permission=grant, Identity=<server-name>$@<full-domain>, Matchtype=ms-self,
# Tname=<full-domain>, RR type=Specific, Selected type(s)=A, AAAA

Note that you can configure DDNS scavenging on GSS-TSIG zones to clean up the stale resource
records dynamically added via GSS-TSIG. For more details, refer to the section Configuring
Scavenging on DNS Zones in the chapter Managing DNS Zones.

To configure secure dynamic update on the zone managing your AD domain

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. At the end of the line of the master zone managing your AD domain, click on .The properties
page opens.
3. In the panel Access Control, click on EDIT .The wizard opens: the page Allow-query appears.
4. Click on NEXT . The page Allow-transfer appears.
5. Click on NEXT . The page Allow-update appears.
6. Tick the box Use GSS-TSIG/update-policy. The page reloads and is now named Update
policy. The box Enable DDNS scavenging appears.
7. You can tick the box Enable DDNS scavenging if you want to delete stale DDNS records.
This box is only taken into account if the scavenging is enabled on the appliance. For more
details, refer to the section Configuring Scavenging on DNS Zones on the chapter Managing
DNS Zones.
8. Configure the dynamic update permissions and restrictions for your zone:

Table 46.2. Update-policy configuration parameters

Option Description
Permission The access configuration to the update-policy rights, either grant or deny. This field applies to
all the following fields.
Identity The GSS-TSIG key sent by the client when they try to update the zone. It may look like <ad-
server-name>$@<full-ad-domain> . Its use depends on the Matchtype you select, it can
therefore partially depend on the Tname.
Matchtype The matchtype of your choice, either subdomain, krb5-self, krb5-subdomain, ms-self or ms-
subdomain, described below. The matchtype only applies to the record type specified in the
list Any.
subdomain Allows to define the subdomain being updated.You must specify the domain
in the field Tname following the format <domain>.<tld> , everything left of
the specified <domain> becomes a match.
wildcard Allows to define the record being updated. You must specify the record's
name in the field Tname using at least one wildcard (*). It can contain only
a wildcard, in which case any record name can match.

697
 Implementing Dynamic Update

Option Description
krb5-self Allows to define a rule based on Kerberos machine principal
(host/QDN@REALM). The record being updated matches the QDN part of
the Principal. The matching REALM must be specified exactly in the fields
Identity and Tname.
krb5-subdomain Allows to define a rule based on Kerberos machine principal
(host/QDN@REALM). The subdomain being updated matches the QDN
part of the Principal. The matching REALM is what is specified the field
Identity, or any subdomain of the specified Identity.
ms-self Allows to define a rule based on AD format principal (machine-
name$@REALM) to update machinename.realm in the DNS.The matching
REALM must be specified exactly in the fields Identity and Tname.
ms-subdomain Allows to define a rule based on AD format principal (machine-
name$@REALM) to update machinename.realm in the DNS.The matching
REALM is what is specified the field Identity, or any subdomain of the
specified Identity.
Tname A value to that applies the Matchtype subdomain, krb5-self, krb5-subdomain, ms-self or ms-
subdomain. The expected format is detailed above, with each Matchtype.
RR type The type(s) of records that the configuration applies to, either Specific or Any.
Specific The permissions of your choice for the record type A, AAAA, AFSDB,
CNAME, DNAME, HINFO, MX, NS, NSAP, PTR, SRV, TXT and/or WKS.
Select each type in the list Available types and click on . The record
type is moved to the list Selected type(s).
Repeat this action for as many record types as you need.
Any Allows to apply the configuration to all the update-policy record types, i.e.
A, AAAA, AFSDB, CNAME, DNAME, HINFO, MX, NS, NSAP, PTR, SRV,
TXT and WKS.

Once you configured the fields, click on ADD .Your update-policy entry is moved to the Update-
policy list. The page refreshes. Configure as many entries as you want.
To organize the list, use the buttons and . Each restriction or permission is reviewed
and processed following the order set in the list.
9. Click on OK to complete the operation. The report opens and closes. In the panel Access
control, the list Allow-update is now replaced by the list Update-policy.
Even if you do not configure any entry in the Update-policy list, once you click on OK ,
SOLIDserver automatically adds the entry grant "ipmadmin" wildcard "*" ANY; that allows it
to update your zone).

Each entry of the Update-policy list is listed on the page User tracking, in the column Description
as follows: DNS name: <name> Zone name: <name> Key: update-policy Value: <entry> .

Once you configured the update policy statement, all the AD users querying your DNS server
are authenticated by your AD server and only the allowed users can dynamically update the zone
managing your AD domain.

Troubleshooting Secure Dynamic Update

If your configuration is not running as expected, you should make sure that:
1. The AD server is running.
2. The DNS server and AD server are at the same time and date.
You should configure an NTP server on both SOLIDserver and the AD server. For more details
regarding NTP on SOLIDserver, refer to the section Configuring NTP Servers.
3. The .keytab file you are using is the correct one.

698
 Implementing Dynamic Update

a. Go the page All GSS-TSIG keys to make sure you uploaded the proper .keytab file. If not,
upload it following the procedure in the section Generating and Uploading the GSS-TSIG
key.
b. Go to the properties page of the physical server managing the zone dedicated to your AD
domain, in the panel GSS-TSIG the .keytab file is displayed. If the file is not the correct one,
edit it following the procedure To configure a physical server with GSS-TSIG.
4. The DNS server name is the same as the AD user declared in the .keytab file.
The AD user that generated it on the AD server and the physical DNS server managing your
AD domain have the same name. If not, you might need to generate the .keytab file again
following the section Generating and Uploading the GSS-TSIG key. Then complete the phys-
ical server and zone configuration.
5. Your update-policy statement is properly configured. The order of the entries in the Update
policy list is important: each restriction or permission is reviewed following the order you set
in the list.
For more details, refer to the recommendations and procedure in the section Configuring your
Zone for Secure Dynamic Update.

Disabling Dynamic Update and Deleting Keys

If you no longer want users to dynamically update a zone you manage, you must:
• Edit the zone to empty the statement allow-update or update-policy.
• Make sure the server configuration suits your needs after your edited the zone.

Note that you cannot delete TSIG or GSS-TSIG keys if they are used. To delete them, you
must first disable dynamic update or secure dynamic update.

Disabling Dynamic Update

To disable dynamic update, you must edit the zone to remove the relevant key from the statement
allow-update and make sure that the ACL admin configuration of the DNS server suits your needs.

To disable dynamic update on a zone

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. Edit the zone:
a. At the end of the line of the zone of your choice, click on . The properties page opens.
b. In the panel Access Control, click on EDIT . The wizard opens: the page Allow-query
appears.
c. Click on NEXT . The page Allow-transfer appears.
d. Click on NEXT . The page Allow-update appears.
e. In the list ACL values, select an entry and click on DELETE . It is no longer listed.
f. Repeat these actions for each entry in the list.
Keep in mind that if you delete all entries, the entry admin is automatically added again
at the top of the ACL list. It matches the configuration set on the server, which is why
you must make sure that the ACL admin at server level suits your needs.
g. Click on OK to complete the operation. The report opens and closes. The parameters
are visible in the panel Access control, the list Allow-update is empty.
3. Check the server configuration:
a. In the breadcrumb, click on the zone's server name. The server properties page opens.

699
 Implementing Dynamic Update

b. In the panel ACL, in the list DNS ACLs select admin.

c. Click on EDIT . The wizard ACL configuration Edit a DNS server opens.
d. Edit the ACL configuration according to your needs using the fields Type, Restriction
and ACL values.
Keep in mind that this ACL sets permissions and restrictions for all the zones of your
server. So you must make sure that its content matches your needs.
e. Click on OK to complete the operation. The report opens and closes.

Once you cleared the content of the statement allow-update and checked the ACL configuration
of the server, you can remove TSIG keys following the section Deleting TSIG and GSS-TSIG
Keys.

Disabling Secure Dynamic Update

To disable secure dynamic update you must:
1. Edit the zone managing your AD domain. Go to the zone's properties page, edit the panel
Access control, and on the page Update policy and untick the box Use GSS-TSIG/update-
policy.
2. Edit the server managing your zone, it can be either the smart architecture managing your
DNS physical server or the physical server itself if you manage it on its own.
• Go the properties page of the relevant server, in the panel GSS-TSIG click on EDIT and
disable GSS-TSIG: untick the box Use GSS-TSIG and click on OK .
• From the same properties page, in the panel ACL: select admin and click on EDIT . Make
sure the configuration suits your needs, if not make edit and click on OK to complete the
operation.

Once you disabled dynamic update, you can delete the .keytab file following the procedure To
delete a GSS-TSIG key.

Deleting TSIG and GSS-TSIG Keys

You can delete DNS keys if:
• The TSIG key you want to delete from a server is no longer used by any of its zones. For more
details, refer to the section Disabling Dynamic Update.
• The GSS-TSIG key you want to delete from the page All GSS-TSIG keys is no longer used by
any zone and GSS-TSIG is disabled on the server managing the zone. For more details, refer
to the section Disabling Secure Dynamic Update.

To delete a TSIG key

1. Make sure the key is no longer used in any statement of the server, view or zone.
2. In the sidebar, go to DNS > Servers. The page All servers opens.
3. At the end of the line of the server of your choice, click on . The properties page opens.
4. Open the panel Keys using .
5. In the list DNS keys, select the key of your choice.
6. Click on DELETE . The wizard Delete opens.
7. Click on OK to complete the operation. The report opens and closes. The key is no longer
listed.

700
 Implementing Dynamic Update

To delete a GSS-TSIG key

1. Make sure you disabled secure dynamic update following the section Disabling Secure Dy-
namic Update.
2. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
3. In the section Authentication & Security, click on Certificates and keys. The page All
certificates opens.
4. In the breadcrumb, click on All GSS-TSIG keys. The page refreshes.
5. Tick the key(s) of your choice.
6. In the menu, click on Delete. The wizard Delete opens.
7. Click on OK to complete the operation. The report opens and closes. The key is no longer
listed.

701
Chapter 47. DNS Firewall (RPZ)
A Response Policy Zone (RPZ) allows you to prevent DNS clients from accessing certain websites.
These zones allow to configure a DNS firewall on the server. When a client queries a domain,
subdomain or IP address listed in one of the RPZ zones, the server uses the configured response
policy to reply. This mechanism is similar to an email anti-spam blacklist.

An RPZ zone contains a set of resource records that associate domains, subdomains or IP ad-
dresses with specific response policies based on domain data feeds provided by an external
service or manually added by network administrators.

DNS Firewall Syslog server

Multi-vendor

Malware
data feed

Dynamic policy
update

Alert Botnet attack

Malwares
Management Viruses

Forbidden request

Figure 47.1. DNS firewall configured on a network

RPZ allows setting up a granular approach as, instead of blocking an entire domain, you can set
exceptions or add individual response rules for each subdomain.

At zone level, RPZ allows to decide which queries get a specific response and which ones are
answered normally. Each zone contains rules that identify specific domain names or IP addresses
and set up redirection, NODATA, NXDOMAIN or PASSTHRU policies.

Prerequisites
1. Managing an EfficientIP DNS server or a BIND DNS server. For more details, refer to the
sections Managing EfficientIP DNS Servers and Managing BIND DNS Servers.
2. Adding at least one RPZ zone, as detailed in the section Adding RPZ Zones.
3. Adding rules to the zone to implement specific policies based on the queries, as detailed
in the section Managing RPZ Rules.

Limitations
• You can only implement the RPZ on BIND servers.
Within the GUI, this implies remotely managing a BIND server or adding an EfficientIP DNS
server. For more details, refer to the section Managing EfficientIP DNS Servers or Managing
BIND DNS Servers.
• You cannot add more than 32 RPZ zones:

702
 DNS Firewall (RPZ)

• In one view of a BIND server.

• On a BIND server that does not contain any views.
• You cannot set the order of the rules. Therefore the order of the zones is important.
The RPZ rules are applied one after the other respecting first the order of the views, then the
order of the zones within a view and finally the rule type. Once a queried record is matched in
one zone, it is ignored in the following rules of the zone. For more details regarding the order
of the rules within a zone, refer to the section Understanding the RPZ Rules Order.

Managing RPZ Zones

Some DNS servers allow to manage RPZ zones. You can add, edit, order, convert, override and
delete RPZ zones. In each zone, you can manage rules that define the response policies of your
choice. Note that:
• You can monitor the queries answered by RPZ zones:
• In a dedicated chart of the server properties page. For more details, refer to the section
Monitoring DNS Servers from their Properties Page of the chapter Monitoring and Reporting
DNS Data.
• From the page Analytics. For more details, refer to the sectionDNS
Monitoring DNS RECORD
Servers from
the Page Analytics of the chapter Monitoring and Reporting DNS ZONEData.
• You can configureSERVER
RPZ zones from their properties
VIEW page. For more details, refer to the sections
Configuring Delegation at Zone Level, Configuring DNS NotifyRPZ Messages at Zone Level and
Managing DNS Security of the chapter Configuring DNS Zones. RULE
ZONE

Browsing RPZ Zones

Within the DNS hierarchy, the RPZ zone is the third level. It is compulsory to add an RPZ zone
to set response policies.

DNS RECORD
ZONE
SERVER VIEW
RPZ RULE
ZONE

Figure 47.2. The RPZ zone in the DNS hierarchy

RPZ zones are managed from the page All RPZ zones. Their content is managed from the page
All RPZ rules.

703
 DNS Firewall (RPZ)

Figure 47.3. The page All RPZ zones

The column Order returns the position of the RPZ zone in the checking process, 0 being
the first zone to be checked. As soon as a domain name, IP address or name server is found
in one of the zones, its policies are applied and the following zones are ignored.
The page All RPZ rules details the zones content. All records, from the SOA and NS records,
to the policies configured via the rules.

Each zone configuration depends on the rules it contains. You can monitor the Status of each
one. For more details, refer to the section Understanding the RPZ Zone Statuses.

Browsing the RPZ Zones Database

To display the list of RPZ zones
1. In the sidebar, go to DNS > RPZ Zones. The page All RPZ zones opens.
2. To display the RPZ zones of a specific server, in the column Server, click on the name of
the server of your choice. The page refreshes.

To display an RPZ zone properties page

1. In the sidebar, go to DNS > RPZ Zones. The page All RPZ zones opens.
2. At the end of the line pf the RPZ zone of your choice, click on . The properties page opens.

Customizing the Display on the Page All RPZ Zones

Any user can change the column layout of the page via the button List template, on the right-
end side of the menu. Only users of the group admin can add or edit list templates. For more
details, refer to the section Managing List Templates.

Understanding the RPZ Zone Statuses

The column Status provides information regarding the zones you manage.

Table 47.1. DNS zone statuses

Status Description
OK The zone is operational.

Busy The zone is synchronizing.

Delayed create The creation or update is delayed until the zone is created on the physical server(s)
of the smart architecture. The creation is automatically done after a maximum of 1
minute.
Delayed delete The deletion is delayed until the zone is deleted from the physical server(s) of the
smart architecture. The deletion is automatically done after a maximum of 1 minute.

704
 DNS Firewall (RPZ)

Status Description
Timeout The zone is not available.

Unknown The zone is not synchronized yet.

Not authoritative The zone configuration is incorrect, in the SOA another server was set as authoritative.

Refused The DNS server refuses the transfer between the current zone and the management
platform, check the parameter allow-transfer on the zone or server properties page.
No RR Only for forward zones. There is no RR to transfer for the zone.

Unmanaged The zone is disabled, it is not available.

N/A Only for Amazon Route 53 servers. The zone is not a Master or does not have a
TLD.

Moreover, the column Multi-status provides you with emergency, warning, critical, error or in-
formational messages regarding the compatibility with Hybrid. For more details, refer to the section
Understanding the Column Multi-Status.

Adding RPZ Zones

From the page All RPZ zones, you can add RPZ zones to EfficientIP or BIND servers.

For security reasons, we recommend that you avoid using an obvious RPZ zone name, such as
RPZ-List, which could indicate that RPZ is implemented. Keep in mind that:
• You can only configure RPZ on Name zones, it does not work on reverse zones.
• You can only configure RPZ on Master zones or Slave zones. Any other type of zone is ir-
relevant to the RPZ configuration.
• You cannot use the name of an existing zone when you add an RPZ zone, otherwise the
domain name that you use can no longer be resolved using DNS.
• The zone name is returned in the DNS answer when you set NODATA and NXDOMAIN policies.
• You cannot add more than 32 RPZ zones in one view or in one server if the server does not
contain any views.
• If you add an RPZ zone to a smart architecture managing server(s), the last page of the wizard
returns a warning message if any server does not support RPZ zones.You can force the addition
to add it to the server(s) that do support them.

To add an RPZ zone

1. In the sidebar, go to DNS > RPZ Zones. The page All RPZ zones opens.
2. In the menu, click on Add. The wizard Add an RPZ zone opens.
3. In the list DNS server, select a BIND server.
4. Click on NEXT . The next page opens.
5. If the server contains views, in the list View, select the view of your choice. If the server only
has one view, this page is not displayed and the view is selected by default.
On servers without views, this page is not displayed.
6. Click on NEXT . The next page opens.
7. If custom classes are enabled at zone level, in the list DNS zone class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.

705
 DNS Firewall (RPZ)

8. In the list DNS zone type, select Master or Slave.

9. Click on NEXT . The next page opens.
10. In the field Name, specify the name of the zone. It should strictly respect the syntax of
RFC1034.
For security reasons, we recommend that you avoid using an obvious RPZ zone name, such
as RPZ-List, which could indicate that RPZ is implemented.
11. The box DNS firewall (RPZ) is automatically ticked and displayed in gray.
12. In the drop-down list Overriding rule, select Given, Disabled, Passthru, Nxdomain, Nodata
or CNAME. By default, Given is selected. For more details, refer to the section Overriding
RPZ Rules.
13. The box Log RPZ operations is ticked by default, it allows to log all the operations triggered
by the RPZ rules of the zone. You can untick it.
14. Click on NEXT . The next page opens.
15. In the list RPZ zones order, select one by one the zones and click on the arrows to move
them up or down to order them. Their order defines how they are sorted, from the first
one to the last one.
16. If you are configuring a Master zone, go to the next step.
If you are configuring a Slave zone:
a. Click on NEXT . The last page opens.
b. Set up the list of master servers for the zone using the table below:

Table 47.2. DNS slave zone parameters

Field Description
Master IP address The master server IPv4 or IPv6 address. This field is required.
Port The number of the port dedicated to communicating with the slave zone. This
field is optional.
TSIG key The TSIG key of your choice, it was set at server level. This field is optional. For
more details, refer to the section Securing the Management of DNS Servers Using
a TSIG Key.

c. Click on ADD . The configuration is moved to the list Masters.

Repeat these actions for as many servers as needed.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the
field(s) and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .

17. Click on OK to complete the operation. The report opens and closes. The RPZ zone is listed
and marked Delayed create before being marked OK.

You can now add the rules it contains, as detailed in the section Managing RPZ Rules.

Once you added a zone, you can monitor it from:

• A dedicated chart on the properties page of the physical server. For more details, refer to the
section Monitoring DNS Servers from their Properties Page.
• The page Analytics via the RPZ data samples. For more details, refer to the sections Monitoring
DNS Servers from the Page Analytics.

706
 DNS Firewall (RPZ)

Synchronizing RPZ Zones

Synchronizing RPZ zones means updating their content. You can synchronize all RPZ zones.
Note that each zone is regularly and automatically synchronized based on the refresh parameter
of its SOA record, but you can manually update each one of them.

You can synchronize zones to force a retrieval of the latest changes and records.

To synchronize RPZ zones

1. In the sidebar, go to DNS > RPZ zones. The page All RPZ zones opens.
2. Tick the RPZ zone(s) you want to synchronize.
3. In the menu, select Edit > Status > Synchronize. The wizard Synchronization opens.
4. Click on OK to complete the operation.The report opens and closes when the synchronization
is over. The page reloads.

You can also synchronize the entire content of a zone, rather than only the latest change. The
option Force full synchronization retrieves and uploads the complete content of a zone and resets
the serial number of the SOA of the zone.

Resetting the SOA serial ensures that the entire zone data is up to date. It can be useful if you
restored a server that you used to manage, as you might have a synchronization drift between
the data that SOLIDserver stored locally and all the changes that have been performed directly
on the server since you last managed it.

To force the full synchronization of RPZ zones

1. In the sidebar, go to DNS > RPZ zones. The page All RPZ zones opens.
2. Tick the RPZ zone(s) you want to synchronize.
3. In the menu, select Tools > Expert > Force full synchronization. The wizard Synchron-
ization opens.
4. Click on OK to complete the operation.The report opens and closes when the synchronization
is over. The page reloads.

Editing RPZ Zones

Once you have added an RPZ zone:
• You cannot rename it.
• You cannot reset its configuration and use it as a regular zone.
• You can edit its content and add as many RPZ rules as you want. For more details, refer to
the section Managing RPZ Rules.
• You can edit the class of the zone: add a new one, edit or remove it. For more details, refer to
the chapter Configuring Classes.
• You can configure an overriding rule or edit an existing one.
• You can edit the order in which the zones are checked.

To edit an RPZ zone

1. In the sidebar, go to DNS > RPZ Zones. The page All RPZ zones opens.
2. Right-click over the Name of the RPZ zone you want to edit. The contextual menu opens.
3. Click on . The wizard Edit a DNS zone opens.

707
 DNS Firewall (RPZ)

4. If custom classes are enabled at zone level, in the list DNS zone class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. The field Name and the box DNS firewall (RPZ) are grayed out. You cannot edit them.
6. In the drop-down list Overriding rule, select Given, Disabled, Passthru, Nxdomain, Nodata
or CNAME. For more details, refer to the section Overriding RPZ Rules.
7. Tick or untick the box Log RPZ operations according to your needs.
8. Click on NEXT . The next page opens.
9. In the list RPZ zones order, select one by one the zones and click on the arrows to move
them up or down to order them. Their order defines how they are sorted, from the first
one to the last one.
10. If you are configuring a Master zone, go to the next step.
If you are configuring a Slave zone, click on NEXT . The last page opens.
To add a master zone, configure the Master IP address, Port and TSIG key as detailed in
the procedure To add an RPZ zone.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the field(s)
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
11. Click on OK to complete the operation. The report opens and closes.

Keep in mind that you can also edit an RPZ zone from its properties page panels:
• From Name servers, you can edit the Authoritative DNS servers. For more details, refer to
the section Configuring Delegation at Zone Level.
• From Notify, you can edit IP addresses that should be notified of any changes on the master
zone. For more details, refer to the section Configuring DNS Notify Messages at Zone Level.
• From Access control, you can set or edit allow-query, allow-transfer and allow-update options
on the zone. For more details, refer to the section Managing DNS Security.

Ordering RPZ Zones

When a user queries a server that manages several RPZ zones, SOLIDserver looks for a match
in each RPZ zone, one after the other, following the configured order. The first matching zone
and the rules it contains are used and the other zones are ignored.

You can order RPZ zones to set exceptions by placing zones configured by hand before those
automatically updated by a 3rd party provider, for instance.

In addition, rules within a same zone respect some precedence order. For more details, refer to
the section Understanding the RPZ Rules Order.

To order RPZ zones

1. In the sidebar, go to DNS > RPZ Zones. The page All RPZ zones opens.
2. Right-click over the Name of any RPZ zone. The contextual menu opens.
3. Click on . The wizard Edit a DNS zone opens.
4. Click on NEXT until you get to the page RPZ zones order.

708
 DNS Firewall (RPZ)

5. In the list RPZ zones order, the RPZ zones are sorted from the first one to be checked to
the last one.To order the zones, select them one by one and click on the arrows to move
them up or down .
6. Click on NEXT until you get to the last page of the wizard.
7. Click on OK to complete the operation. The report opens and closes. The RPZ zones position
is visible in the column Order.

Converting RPZ Zones

Like any master or slave zone, RPZ zones can be converted from slave to master and vice versa.

Note that converting a slave zone to master adds an apex NS record to the new master zone.
During the conversion, you can keep or delete all the apex NS records of the former slave zone.

To convert RPZ slave zones to master

1. In the sidebar, go to DNS > RPZ Zones. The page All RPZ zones opens.
2. Tick the slave zone(s) you want to convert.
3. In the menu, select Edit > Convert > To master. The wizard Zone conversion from
slave to master opens.
4. In the drop-down list Remove apex NS records, you can:
a. Select No to keep all the former apex NS records, if you plan on using them in the future
master zone.
b. Select Yes to delete all the apex NS record of the former slave zone.
5. Click on OK to complete the operation. The report opens and closes. The page reloads. The
converted zone is displayed on the page.

To convert RPZ master zones to slave

1. In the sidebar, go to DNS > RPZ Zones. The page All RPZ zones opens.
2. Tick the master zone(s) you want to convert.
3. In the menu, select Edit > Convert > To slave. The wizard Zone conversion from
master to slave opens.
4. In the field IP of master server, specify the IP address of the master server that now has
authority over the zone(s).
5. Click on OK to complete the operation. The report opens and closes. The page reloads. The
converted zone is displayed on the page.

Forcing the Update of RPZ Zones Content

By default, the content of RPZ zones is updated every hour. If you know changes were made
locally on the zones of the master or slave servers you manage, you can update the content of
one or several zones at a time.

You can force a notify, refresh or retransfer right away if needed.

Forcing RPZ Zones Notification

When the records of a zone are edited, slave servers have to be notified of this change to ask
for a zone transfer. Notify messages can be sent to name servers and/or IP address(es).

709
 DNS Firewall (RPZ)

SOLIDserver automatically triggers the notification when you are Configuring DNS Notify Messages
at Zone Level, but you can force the notification for RPZ Master and Slave zones.

The option Force notify allows to send a notify, or also-notify, from the RPZ zone(s) you select.
Keep in mind that:
• The option uses the information of NS records named like the zone you select. Therefore, it
cannot work if the selected zone does not contain at least one NS record named after the zone
itself.
• The notify, and also-notify, can be inherited from the server or view. If the notify is disabled on
the zone, the option cannot be used.

To force RPZ master or slave zones notification

1. In the sidebar, go to DNS > RPZ Zones. The page All RPZ zones opens.
2. Tick the Master or Slave zone(s) of your choice. The notify or also-notify is sent only if the
zone contains NS records named like the zone itself.
3. In the menu, select Edit > Command > Force notify.The wizard Force zone notification
[force-notify] opens.
4. Click on OK to complete the operation. The report opens and closes when the operation is
over. The page reloads.

Forcing RPZ Zones Refresh

When the records of an RPZ Master zone are edited, the option Force refresh allows to force the
related RPZ Slave zone(s) to retrieve the new values, or RPZ rules, immediately.

To also force the record addition, refer to the section Forcing RPZ Zones Retransfer.

To force RPZ slave zones refresh

1. In the sidebar, go to DNS > RPZ Zones. The page All RPZ zones opens.
2. Tick the Slave zone(s) you want to refresh using the missing record information of their
Master zone.
3. In the menu, select Edit > Command > Force refresh. The wizard Force zone refresh
[force-refresh] opens.
4. Click on OK to complete the operation. The report opens and closes when the operation is
over. The page reloads.

Forcing RPZ Zones Retransfer

When the records of a Master zone are edited and new records are added, you can force the
related Slave zone(s) to retrieve all the new values and records it now contains.

The option Force retransfer triggers the addition and update of the records, RPZ rules, present
in the RPZ Master zone(s), and their values, within the selected RPZ Slave zone(s). Note that:
• If your Slave zone contains more records than the Master zone, the option deletes the outdated
records.
• The option is taken into account immediately in the DNS database, but you need to synchronize
the zones to see them in the GUI.

To only update the values of the existing records of Slave zone(s), but not add new records, refer
to the section Forcing RPZ Zones Refresh.

710
 DNS Firewall (RPZ)

To force RPZ slave zones retransfer

1. In the sidebar, go to DNS > RPZ Zones. The page All RPZ zones opens.
2. Force the zone retransfer:
a. Tick the Slave zone(s) for which you want the Master zone to retransfer all record in-
formation.
b. In the menu, select Edit > Command > Force retransfer. The wizard Force zone
retransfer [force-retransfer] opens.
c. Click on OK to complete the operation. The report opens and closes when the operation
is over. The page reloads.
3. Synchronize the zone(s) to see the changes in the GUI:
a. Tick the relevant zone(s).
b. In the menu, select Edit > Status > Synchronize. The wizard Synchronization
opens.
c. Click on OK to complete the operation. The report opens and closes when the synchron-
ization is over. The page reloads.

Overriding RPZ Rules

By default, all RPZ zones are set with the Overriding rule Given, which means that each rule of
the zone sets a specific policy for the domain name and IP address it is configured with.

From the page All RPZ zones, you can edit the zone Overriding rule to disable the policy of all
the rules it contains or to make them all respond to a specific policy different from the original
RPZ: <policy> they were added with.

You can set the Overriding rule when you add or edit RPZ zones. For more details, refer to the
section Overriding RPZ Rules.

Disabling and Enabling RPZ Zones

By default when you add an RPZ zone, it is enabled.

On smart architectures, you can disable an RPZ zone. Once disabled, a zone is no longer
available and therefore its rules are longer applied.

Disabling an RPZ zone allows to maintain or edit its content without impacting the physical
server that manages it, it can be helpful if you intend to move or repair its managing server(s).

To enable/disable an RPZ zone

1. In the sidebar, go to DNS > RPZ zones. The page All RPZ zones opens.
2. Tick the zones you want to enable or disable.
3. In the menu, select Edit > Status > Enable or Disable. The wizard opens.
4. Click on OK to complete the operation. The report opens and closes. The RPZ zone Status
changes to OK or Unmanaged.

Exporting RPZ Zones

From the page All RPZ zones, you can export the data listed in a CSV, HTML, XML, XLS or PDF
file.

711
 DNS Firewall (RPZ)

Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.

Deleting RPZ Zones

From the page All RPZ zones, you can delete RPZ zones. Note that it also deletes the rules they
contain.

To delete an RPZ zone

1. In the sidebar, go to DNS > RPZ Zones. The page All RPZ zones opens.
2. Tick the RPZ zone(s) of your choice.
3. In the menu, click on Delete. The wizard Delete opens.
4. Click on OK to complete the operation. The report opens and closes. The zone is marked
Delayed delete until it is no longer listed. The rules within the zone are deleted.

Managing RPZ Rules

From the page All RPZ rules, you can add RPZ rules to set policies for a specific query through
the addition of records RPZ: <policy>. You can also import RPZ rules from an RPZ Master zone.
For more details, refer to the section Importing RPZ Rules in the chapter Importing Data from a
CSV File.

You cannot edit existing RPZ rules. You can only delete them. For more details, refer to the
section Deleting Rules.

You can add four different policies based either on the requested domain names (QNAME) or
on the requested IP addresses:
Redirection
The record RPZ: REDIRECT allows to define which domain or IP address should be redirected
toward a specific domain or IP address. You can set the following redirections:
• Domain > domain. The redirection source can be a domain name (QNAME) or a Name
Server Domain Name (NSDNAME).
• Domain > IP address.The redirection source can be a domain name (QNAME) or a Name
Server Domain Name (NSDNAME).
• IP address > domain.
• IP address > IP address.
NODATA
The record RPZ: NODATA allows to set a nodata response to a specific domain name
(QNAME), Name Server Domain Name (NSDNAME), IPv4 address, IPv6 address or Name
Server IP address (NSIP).
NXDOMAIN
The record RPZ: NXDOMAIN allows to set a denial of existence response to a specific domain
name (QNAME), Name Server Domain Name (NSDNAME), IPv4 address, IPv6 address or
Name Server IP address (NSIP).
PASSTHRU
The record RPZ: PASSTHRU allows to set an exception for a specific domain name (QNAME),
Name Server Domain Name (NSDNAME), IPv4 address, IPv6 address or Name Server IP
address (NSIP). The source you configure in the rule is identified to ensure it gets a DNS
answer that does not involve RPZ.

712
 DNS Firewall (RPZ)

Note that:
• Upon addition, each RPZ rule has a TTL of 3600 seconds. Once the policy is applied, the TTL
automatically drops to 5 seconds, following BIND behavior.
• Adding an RPZ rule edits the server it belongs to. It adds the option response-policy to declare
that the server manages RPZ zones.
• You can monitor RPZ rules from the page Analytics via the RPZ data samples. For more details,
refer to the sections Monitoring DNS Servers from the Page Analytics.

Browsing RPZ Rules

The RPZ rules are the lowest level of the RPZ hirearchy, they belong to RPZ zones.

DNS RECORD
ZONE
SERVER VIEW
RPZ RULE
ZONE

Figure 47.4. The RPZ rule in the DNS hierarchy

Browsing the RPZ Rules Database

To display the list of RPZ rules
1. In the sidebar, go to DNS > RPZ Rules. The page All RPZ rules opens.
2. To display the list of rules of a specific RPZ zone, in the column DNS zone name click on
the name of the zone of your choice. The page refreshes.

By default, the page All RPZ rules lists at least the SOA and NS record of each zone.

Customizing the Display on the Page All RPZ Rules

Any user can change the column layout of the page via the button List template, on the right-
end side of the menu. Only users of the group admin can add or edit list templates. For more
details, refer to the section Managing List Templates.

By default, the page All RPZ rules contains four columns:

Table 47.3. The default columns on the page All RPZ rules
Column Description
Partial RR name The partial name of the rule. It is defined automatically when you add it.
DNS RR type The type of the resource record.
RR value 1 The value of the resource record: either the target domain name or IP address for redirection
rules, * for NODATA responses, . for NXDOMAIN responses and rpz-passthru for passthru
exceptions.
Status The RPZ rule status, either OK, Delayed create, or Delayed delete.

713
 DNS Firewall (RPZ)

Understanding the Statuses on the Page All RPZ Rules

The column Status returns information regarding the rules you manage and their content.

Table 47.4. The statuses on the page All RPZ rules

Status Description
OK The rule is operational.

Delayed create The creation or update is delayed until the rule is created on the physical server(s)
of the smart architecture. The creation is automatically done after a maximum of 1
minute.
Delayed delete The deletion is delayed until the rule is deleted from the physical server(s) of the
smart architecture. The deletion is automatically done after a maximum of 1 minute.

Understanding the RPZ Rules Order

RPZ configurations respect a specific order that relies on the source they are configured with.
Like network firewall rules, RPZ rules are reviewed and implemented in order: once a match is
found, it stops looking for the other matches.

Within each server, all RPZ zones and rules respect the following order:
1. The RPZ zones ordering matters
When a user queries a server that manages several RPZ zones, all the zones are reviewed
one after the other in the order you set. The first matching rule is used and the other zones
and rules are ignored. For more details, refer to the section Ordering RPZ Zones.
2. Within a single RPZ zone:
a. Rules respect a specific precedence. They are checked in the following order:
• QNAME rules (i.e. domain name based rules)
• IP based rules
• NSDNAME rules (i.e. name server domain name rules)
• NSIP rules (i.e. name server IP address rules)
b. Among name based rules, rules follow a specific order: Among applicable QNAME or
NSDNAME rules, the rule with the smallest name is preferred.
c. Among IP based rules, rules follow a specific order:
• Among applicable IP or NSIP rules, the rule with the longest prefix length is preferred.
• Among IP or NSIP rules with the same prefix, the smallest IP address is preferred.

Adding Rules Based on Domain Names

You can add RPZ rules based on a domain name (QNAME) to set up redirections, NODATA re-
sponses, NXDOMAIN responses and PASSTHRU exceptions.

You can also add RPZ rules based on IP addresses or name servers. For more details, refer to
the section Adding Rules Based on IP Addresses and Adding Rules Based on Name Servers.

Adding a Redirection Based on a Domain Name

You can add RPZ rules to set redirections based on domain names.

Each domain redirection is listed as a record RPZ: REDIRECT.

714
 DNS Firewall (RPZ)

You can either use a full domain name or specify some parts as variable, to include all the sub-
domains of a particular domain.

To add a redirection rule based on a domain name

1. In the sidebar, go to DNS > RPZ Zones. The page All RPZ zones opens.
2. In the column Name, click on the name of the RPZ zone of your choice. The page All RPZ
rules opens.
3. In the menu, click on Add. The wizard Add an RPZ Rule opens.
4. In the drop-down list Source, select Domain.
5. In the field Domain, specify the domain name of your choice, it should respect the following
syntax.

Table 47.5. Domain name possible syntax when adding an RPZ rule
Value Description
domain.extension The DNS client requesting this domain is redirected toward the domain name or IP
address of your choice.
*.domain.extension The DNS client requesting any matching subdomain is redirected toward the domain
name or IP address of your choice.
Note that the * (asterisk) is called the wildcard when used in front of a domain name.
<value>.domain.ex- The DNS client requesting this specific name is redirected toward the domain name
tension or IP address of your choice.

6. In the drop-down list Policy, select Redirection.

7. If you want to set the redirection toward a domain name:
a. In the drop-down list Redirection target, select Domain. The page refreshes.
b. In the field Target domain, specify the target domain name of the redirection.
8. If you want to set the redirection toward an IP address:
a. In the drop-down list Redirection target, select IPv4 or IPv6. The page refreshes.
b. In the field Target address, specify the target IP address of the redirection, respecting
the selected protocol version syntax.
9. Click on OK to complete the operation.The report opens and closes.The record is now listed.
The column Partial RR name displays the source domain name. The column RR value 1
is the target domain name or IP address depending on your configuration.

Adding a Specific Response or Exception Rule Based on a Domain Name

You can add RPZ rules to set NODATA or NXDOMAIN response policies and PASSTHRU ex-
ceptions based on domain names.

Each domain specific response is listed as a record RPZ: NODATA or RPZ: NXDOMAIN, depend-
ing on what you chose. Each domain exception is listed as a record RPZ: PASSTHRU.

You can either use a full domain name or specify some parts as variable, to include all the sub-
domains of a particular domain.

To add a specific response or exception rule based on a domain name

1. In the sidebar, go to DNS > RPZ Zones. The page All RPZ zones opens.
2. In the column Name, click on the name of the RPZ zone of your choice. The page All RPZ
rules opens.

715
 DNS Firewall (RPZ)

3. In the menu, click on Add. The wizard Add an RPZ Rule opens.
4. In the drop-down list Source, select Domain.
5. In the field Domain, specify the domain name of your choice, it should respect the following
syntax.

Table 47.6. Domain name possible syntax when adding an RPZ rule
Value Description
domain.extension The DNS client requesting this domain gets the Policy response of your choice.
*.domain.extension The DNS client requesting any matching subdomain gets the Policy response of your
choice.
<value>.domain.ex- The DNS client requesting this specific name gets the Policy response of your choice.
tension

6. In the drop-down list Policy, select Nodata, Nxdomain or Passthru.

Note that with passthru the DNS client requesting the Domain gets a regular response.
7. Click on OK to complete the operation.The report opens and closes.The record is now listed.
The column Partial RR name displays the source domain name. The column RR value 1
displays * for Nodata, . for Nxdomain or rpz-passthru for Passthru.

Adding Rules Based on IP Addresses

You can add RPZ rules based on an IP address to set up redirections, NODATA responses,
NXDOMAIN responses and PASSTHRU exceptions.

You can also add RPZ rules based on domain names or name servers. For more details, refer
to the section Adding Rules Based on Domain Names and Adding Rules Based on Name Servers.

The details of RPZ rules based on IP addresses are managed using reverse:
IPv4 display
On the page All RPZ rules, the rules based on IPv4 addresses are displayed as follows:
<prefixlength.B4.B3.B2.B1>.
In the zone file, the rules based on IPv4 addresses respect the syntax: <pre-
fixlength.B4.B3.B2.B1.rpz-ip>.
IPv6 display
On the page All RPZ rules, the rules based on IPv6 addresses are displayed as follows:
<prefixlength.W8.W7.W6.W5.W4.W3.W2.W1>.
In the zone file, the rules based on IPv6 addresses respect the syntax: <pre-
fixlength.W8.W7.W6.W5.W4.W3.W2.W1.rpz-ip>.

On the page All RPZ rules, the column Partial RR name might contain .zz. for the rules configured
with IPv6 addresses. These letters assist the column filtering and represent the :: that you can
use when you add a rule to avoid specifying in full the omitted 0000: groups of the IPv6 addresses.

Adding a Redirection Based on an IP Address

You can add RPZ rules to set redirections based on a specific IPv4 or IPv6 address.

Each IP address redirection is listed as a record RPZ: REDIRECT.

You can set up a redirection from a specific IP address or a range of IP addresses, like a network.
However, the redirection target can only be a specific IP address or domain name.

716
 DNS Firewall (RPZ)

To add a redirection rule based on an IP address

1. In the sidebar, go to DNS > RPZ Zones. The page All RPZ zones opens.
2. In the column Name, click on the name of the RPZ zone of your choice. The page All RPZ
rules opens.
3. In the menu, click on Add. The wizard Add an RPZ Rule opens.
4. In the drop-down list Source, select IPv4 or IPv6.
5. In the field Address, specify the IP address of a device or the start address of any range of
addresses, following the appropriate syntax.
6. In the drop-down list Prefix, select a prefix in the list. Your prefix might correspond to one
IP address of a device or the start address of any range of addresses.
7. In the drop-down list Policy, select Redirection. You can set a redirection toward a domain
name (refer to step 8) or toward an IP address (refer to step 9).
8. If you want to set the redirection toward a domain name:
a. In the drop-down list Redirection target, select Domain. The page refreshes.
b. In the field Target domain, specify the target domain name of the redirection.
9. If you want to set the redirection toward an IP address:
a. In the drop-down list Redirection target, select IPv4 or IPv6. The page refreshes.
b. In the field Target address, specify the target IP address of the redirection, respecting
the selected protocol version syntax.
10. Click on OK to complete the operation.The report opens and closes.The record is now listed.
The column Partial RR name displays the source IP address and prefix displayed in reverse
followed by the suffix rpz.ip. The column RR value 1 is the target domain name or IP address
depending on your configuration.

Adding a Specific Response or Exception Rule Based on an IP Address

You can add RPZ rules to set NODATA or NXDOMAIN response policies and PASSTHRU ex-
ceptions based on a specific IPv4 or IPv6 address.

Each IP address specific response is listed as a record RPZ: NODATA or RPZ: NXDOMAIN,
depending on what you chose. Each IP address exception is listed as a record RPZ: PASSTHRU.

To add a specific response or exception rule based on an IP address

1. In the sidebar, go to DNS > RPZ Zones. The page All RPZ zones opens.
2. In the column Name, click on the name of the RPZ zone of your choice. The page All RPZ
rules opens.
3. In the menu, click on Add. The wizard Add an RPZ Rule opens.
4. In the drop-down list Source, select IPv4 or IPv6.
5. In the field Address, specify the IP address of a device or the start address of any range of
addresses.
6. In the drop-down list Prefix, select a prefix in the list. Your prefix might correspond to one
IP address or to a range of IP addresses.
7. In the drop-down list Policy, select Nodata, Nxdomain or Passthru.
8. Click on OK to complete the operation.The report opens and closes.The record is now listed.
The column Partial RR name displays the source IP address and prefix displayed in reverse.
The column RR value 1 displays * for Nodata policies, . for Nxdomain or rpz-passthru for
Passthru.

717
 DNS Firewall (RPZ)

Adding Rules Based on Name Servers

You can add RPZ rules based on the authoritative name servers.

These rules can either identify the Namer Server IP Address (NSIP) or the Name Server Domain
Name (NSDNAME). Like the other rules, they allow to configure a redirection, an NXDOMAIN
or NODATA response or a PASSTHRU exception to any query made to any zone managed by
the Name Server.

Keep in mind that the rules based on Name Servers are reviewed last within the RPZ zone
records. Therefore, if for instance your Name Server manages a domain name or IP address
used in any passthru exception, this rule is found and applied even before reviewing any existing
rule based on the Name server. For more details, refer to the section Understanding the RPZ
Rules Order.

You can also add RPZ rules based on domain names or IP addresses. For more details, refer
to the section Adding Rules Based on Domain Names and Adding Rules Based on IP Addresses.

Adding Redirection Rules Based on Name Server Details

You can add RPZ rules to set redirections based on a Name Server domain name or a Name
Server IP address.

Each Name Server redirection is listed as a record RPZ: REDIRECT.

Keep in mind that the rules based on Name Servers are reviewed last within the RPZ zone records.
For more details, refer to the section Understanding the RPZ Rules Order.

To add a redirection rule based on a Name Server domain name

1. In the sidebar, go to DNS > RPZ Zones. The page All RPZ zones opens.
2. In the column Name, click on the name of the RPZ zone of your choice. The page All RPZ
rules opens.
3. In the menu, click on Add. The wizard Add an RPZ Rule opens.
4. In the drop-down list Source, select NSDNAME (domain name).
5. In the field Domain, specify the name server domain name.
6. In the drop-down list Policy, select Redirection. You can set a redirection toward a domain
name (refer to step 7) or toward an IP address (refer to step 8).
7. If you want to set the redirection toward a domain name:
a. In the drop-down list Redirection target, select Domain. The page refreshes.
b. In the field Target domain, specify the target domain name of the redirection.
8. If you want to set the redirection toward an IP address:
a. In the drop-down list Redirection target, select IPv4 or IPv6. The page refreshes.
b. In the field Target address, specify the target IP address of the redirection, respecting
the selected protocol version syntax.
9. Click on OK to complete the operation.The report opens and closes.The record is now listed.
The column Partial RR name displays the name server domain name followed by the suffix
rpz-nsdname. The column RR value 1 is the target domain name or IP address depending
on your configuration.

718
 DNS Firewall (RPZ)

To add a redirection rule based on a Name Server IP address

1. In the sidebar, go to DNS > RPZ Zones. The page All RPZ zones opens.
2. In the column Name, click on the name of the RPZ zone of your choice. The page All RPZ
rules opens.
3. In the menu, click on Add. The wizard Add an RPZ Rule opens.
4. In the drop-down list Source, select NSIP (IPv4) or NSIP (IPv6).
5. In the field Address, specify the name server IP address following the appropriate syntax.
6. In the drop-down list Prefix, select /32 for IPv4 or /128 for IPv6.
7. In the drop-down list Policy, select Redirection. You can set a redirection toward a domain
name (refer to step 8) or toward an IP address (refer to step 9).
8. If you want to set the redirection toward a domain name:
a. In the drop-down list Redirection target, select Domain. The page refreshes.
b. In the field Target domain, specify the target domain name of the redirection.
9. If you want to set the redirection toward an IP address:
a. In the drop-down list Redirection target, select IPv4 or IPv6. The page refreshes.
b. In the field Target address, specify the target IP address of the redirection, respecting
the selected protocol version syntax.
10. Click on OK to complete the operation.The report opens and closes.The record is now listed.
The column Partial RR name displays the source IP address and prefix in reverse followed
by the suffix rpz-ip.The column RR value 1 is the target domain name or IP address depend-
ing on your configuration.

Adding Specific Responses or Exceptions Rules Based on a Name Server

Details
You can add RPZ rules to set NODATA or NXDOMAIN response policies and PASSTHRU ex-
ceptions based on a Name Server domain name or a Name server IP address.

Each Name Server specific response is listed as a record RPZ: NODATA or RPZ: NXDOMAIN,
depending on what you chose. Each Name Server exception is listed as a record RPZ:
PASSTHRU.

Keep in mind that the rules based on Name Servers are reviewed last within the RPZ zone records.
For more details, refer to the section Understanding the RPZ Rules Order.

To add a specific response or exception rule based on a Name Server domain

name
1. In the sidebar, go to DNS > RPZ Zones. The page All RPZ zones opens.
2. In the column Name, click on the name of the RPZ zone of your choice. The page All RPZ
rules opens.
3. In the menu, click on Add. The wizard Add an RPZ Rule opens.
4. In the drop-down list Source, select NSDNAME (domain name).
5. In the field Domain, specify the name server domain name.
6. In the drop-down list Policy, select Nodata, Nxdomain or Passthru.
7. Click on OK to complete the operation.The report opens and closes.The record is now listed.

719
 DNS Firewall (RPZ)

The column Partial RR name displays the name server domain name followed by the suffix
rpz-nsdname. The column RR value 1 displays * for Nodata, . for Nxdomain or rpz-passthru
for Passthru.

To add a specific response or exception rule based on a Name Server IP address

1. In the sidebar, go to DNS > RPZ Zones. The page All RPZ zones opens.
2. In the column Name, click on the name of the RPZ zone of your choice. The page All RPZ
rules opens.
3. In the menu , click on Add. The wizard Add an RPZ Rule opens.
4. In the drop-down list Source, select NSIP (IPv4) or NSIP (IPv6).
5. In the field Address, specify the name server IP address following the appropriate syntax.
6. In the drop-down list Prefix, select /32 for IPv4 or /128 for IPv6.
7. In the drop-down list Policy, select Nodata, Nxdomain or Passthru.
8. Click on OK to complete the operation.The report opens and closes.The record is now listed.
The column Partial RR name displays the source IP address and prefix in reverse followed
by the suffix rpz-ip. The column RR value 1 displays * for Nodata, . for Nxdomain or rpz-
passthru for Passthru.

Adding Rules Based on Other Sources

You can add RPZ rules with a different source than a domain name, IP address or name server
details. To answer more advanced RPZ needs, administratiors can set redirections, NODATA
responses, NXDOMAIN responses or PASSTHRU exceptions via rules based on the source
Other.

Rules based on the source Other require to specify a partial record name that is automatically
completed with the zone name upon addition. The rule full name is displayed as follows: <partial-
rr-name>.<zonename>.

Keep in mind that there is no data consistency check for the advanced rules, so make sure the
rule you add is RPZ-compliant or set with the proper syntax.

To add an RPZ rule based on a specific source

1. In the sidebar, go to DNS > RPZ Zones. The page All RPZ zones opens.
2. In the column Name, click on the name of the RPZ zone of your choice. The page All RPZ
rules opens.
3. In the menu, click on Add. The wizard Add an RPZ Rule opens.
4. In the drop-down list Source, select Other.
5. In the field Address, specify the source identification following the RPZ syntax (with the
appropriate values and suffixes).
6. In the drop-down list Policy, select the policy that suits your needs. If you select Redirection,
you need to specify a domain name or an IP address.
7. Click on OK to complete the operation.The report opens and closes.The record is now listed.
The column Partial RR name displays the information you specified in the field Address of
the wizard.

720
 DNS Firewall (RPZ)

Overriding RPZ Rules

You can override all the RPZ rules of a specific zone from the page All RPZ zones. Thanks to
the drop-down list Overriding rule, you can decide to ignore all the rules of the zone or to set
them all with a specific response or redirection, even if the rules were set with a different policy
when you added them. By default, the drop-down list is set to Given to apply the policy of each
rule of the zone.

Before overriding all rules at once, keep in mind that:

• There are six overriding rules that are named after the existing policies: Given, Disabled,
Nxdomain, Nodata, CNAME and Passthru.
• The overriding rules must be set at zone level and they apply to all the rules of the zone.
• No matter the overriding rule, the zones are reviewed in the order you set. The first zone con-
taining a rule that matches the client query is used to respond. The Overriding rule of the zone
is applied to answer them.

You can override RPZ rules when you add or edit an RPZ zone. For more details regarding the
edition of RPZ zones, refer to the section Editing RPZ Zones.

To override the RPZ rules when adding an RPZ zone

1. In the sidebar, go to DNS > RPZ Zones. The page All RPZ zones opens.
2. In the menu, click on Add. The wizard Add an RPZ zone opens.
3. In the list DNS server, select a BIND server and click on NEXT . The next page opens.
4. If the server contains views, in the list View, select the view of your choice. If the server only
has one view, this page is not displayed and the view is selected by default.
On servers without views, this page is not displayed.
5. If custom classes are enabled at zone level, in the list DNS zone class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
6. In the list DNS zone type, select Master or Slave.
7. Click on NEXT . The next page opens.
1
8. In the field Name, name your zone following the syntax given in RFC1034 .
9. The box DNS firewall (RPZ) is automatically ticked and displayed in gray.
10. In the drop-down list Overriding rule, select the value of your choice. The page refreshes.

Table 47.7. Overriding rule available options

Field Description
Given All the rules specified in the zone are applied. It is the default value.
Disabled Disables all the RPZ rules of the zone. None of the domain names and IP addresses specified
as source get an RPZ response. All queries get a DNS answer.
Passthru Applies a PASSTHRU exception to all the RPZ rules of the zone. Each rule is considered a
passthru, no matter the policy it was added with.
Nxdomain Applies an NXDOMAIN response to all the RPZ rules of the zone.
Nodata Applies a NODATA response to all the RPZ rules of the zone.

1
For more details, refer to https://tools.ietf.org/html/rfc1034, on page 7.

721
 DNS Firewall (RPZ)

Field Description
CNAME Applies a redirection to all the RPZ rules of the zone. Once selected, the field Domain appears,
specify the FQDN of your choice.

11. Click on NEXT . The page RPZ Zones order opens.

12. In the list RPZ zones order, select one by one the zones and click on the arrows to move
them up or down to order them. Their order defines how they are sorted, from the first
one to the last one.
13. If you are configuring a Master zone, go to the next step.
If you are configuring a Slave zone:
a. Click on NEXT . The last page opens.
b. Set up the list of master servers for the zone using the table below:

Table 47.8. DNS slave zone parameters

Field Description
Master IP address The master server IPv4 or IPv6 address. This field is required.
Port The number of the port dedicated to communicating with the slave zone. This
field is optional.
TSIG key The TSIG key of your choice, it was set at server level. This field is optional. For
more details, refer to the section Securing the Management of DNS Servers Using
a TSIG Key.

c. Click on ADD . The configuration is moved to the list Masters.

Repeat these actions for as many servers as needed.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the
field(s) and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .

14. Click on OK to complete the operation. The report opens and closes. The selected overriding
rule is visible in the panel Main properties of the zone properties page.

Exporting RPZ Rules

From the page All RPZ rules, you can export the data listed in a CSV, HTML, XML, XLS or PDF
file.

Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.

Deleting Rules
You can delete the RPZ rules of any zone.

To delete an RPZ rule

1. In the sidebar, go to DNS > RPZ Zones. The page All RPZ zones opens.
2. In the column Name, click on the name of the RPZ zone of your choice. The page All RPZ
rules opens.
3. Tick the RPZ rule(s) of your choice.

722
 DNS Firewall (RPZ)

4. In the menu, click on Delete. The wizard Delete opens.

5. Click on OK to complete the operation. The report opens and closes. The rule is marked
Delayed delete until it is no longer listed.

723
Chapter 48. Hybrid DNS Service
SOLIDserver provides a Hybrid DNS service that reduces corruption risks for BIND DNS engines.
Hybrid DNS incorporates an alternative DNS engine based on NLnet Labs Unbound and NSD
engines that can automatically switch from standard BIND service to Hybrid if their configuration
is compatible.

Depending on your configuration, authoritative engines switch to BIND/NSD hybrid and re-
cursive engines switch to BIND/Unbound hybrid. Note that you cannot decide to switch to
NSD or Unbound, the switch is automatic and entirely dependent on the engine configuration.

Once the switch is complete, the DNS engine footprint is more complex to analyze and less prone
to malicious attacks as the DNS mechanism is different, it avoids BIND security flaws altogether.
Therefore, in the event of an attack or important security issue, the switch to Hybrid ensures data
security and avoids its potential corruption.

Keep in mind that Hybrid engines have some limitations compared to BIND engines.

Checking the Compatibility with Hybrid

Checking the compatibility with Hybrid implies to:
1. Match the basic Hybrid requirements.
2. Check that no parameter set at server or zone level is incompatible with Hybrid.
3. Generate the incompatibility report, if need be.
4. Edit the server configuration to make sure that none of the parameters set are incompatible
with Hybrid.

Before switching, you need to understand that you cannot decide if your physical server switches
to BIND/NSD or BIND/Unbound. As a general rule, if your server is compatible with Hybrid, the
following switch occurs:
• If the smart server recursion is set to yes, a Hybrid compliant server can switch to
BIND/Unbound.
• If the smart server recursion is set to no, a Hybrid compliant server can switch to BIND/NSD.

Matching Hybrid Basic Requirements

The first step toward switching to Hybrid is to match the following Hybrid basic requirements:
• You can only convert servers to Hybrid from SOLIDserver hardware or software appliance.
• The servers you want to switch must be EfficientIP DNS servers.
• The servers you want to switch must be managed via a smart architecture. The changes are
pushed to the physical server.
• The smart architecture is compatible with Hybrid if it manages only BIND servers.
• The physical server status must be OK, you cannot switch a server in Timeout.

On the page All servers, the columns Hybrid DNS compatibility and Forced Hybrid DNS
compatibility allow to see if you can switch your BIND physical servers. If they are managed by
a smart architecture, in the edition wizard you can also see in the field Compatible with a Hybrid
DNS Engine the Hybrid compatibility of the physical servers.

724
 Hybrid DNS Service

In addition, on the pages All servers, All zones and All RRs, the column Multi-status returns all
the potential incompatibilities with Hybrid. For more details, refer to the section Understanding
the Column Multi-Status.

For more details on how to add and display customized list templates, refer to the section Managing
List Templates.

Making Sure the Server Configuration is Compatible with Hybrid

Some configurations prevent from switching to Hybrid.

You cannot switch a physical server managed from a smart architecture to Hybrid if:
• On the page All servers, the smart architecture is marked No in the column Hybrid DNS com-
patibility.

You cannot switch a physical server to Hybrid if:

• The server is not an EfficientIP or EfficientIP Package server. Any other server vendor is in-
compatible with Hybrid.
• It contains views.
• It contains zones that are not master, slave, forward or stub zones.
• It contains master and forward zones, slave and forward zones, master and stub zones or
slave and stub zones.
With Hybrid, the server is either only authoritative or only recursive. It can contain only master,
slave, forward or stub zones; only forward and stub zones; or only master and slave zones.
• One or more of its zones are RPZ compliant.
• One or more of its zones are signed with DNSSEC.
• Its configuration combines authoritative and recursive zones:
• If the DNS recursion set to yes and the server contains master and/or slave zones, the
server cannot switch to Hybrid.
• If the DNS recursion set to no and the server contains forward and stub zones, the server
cannot switch to Hybrid.
• If the DNS recursion set to yes with TSIG keys.

You must change your configuration to match Hybrid requirements if you want to switch to Hybrid.
During the switch, SOLIDserver checks once more all the parameters to make sure that your
server is compatible once more.

If you want to have a complete list of all the parameters and options that need to be edited, refer
to the section Generating the Hybrid Incompatibilities Report below.

Generating the Hybrid Incompatibilities Report

If the smart architecture managing your BIND servers is not compatible with Hybrid, you can
generate the List Hybrid DNS Engine incompatibilities report to have a detailed list of al the
parameters that do not comply with hybrid following the procedure below.

To generate the Hybrid DNS Engine incompatibilities report

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. Tick the smart architecture managing the physical server you intend to switch to Hybrid.

725
 Hybrid DNS Service

3. In the menu, select Report > Hybrid DNS Engine incompatibilities. The wizard Hybrid
incompatibilities report opens.
4. In the Report format list, select HTML or PDF.
5. Click on NEXT . The last page of the report opens.
6. In the drop-down list Action, select Generate new data, Schedule the report or a former report,
they are listed using their date and time. By default, Generate new data is selected.
a. If you leave Generate new data selected, a report of all to the incompatibilities with Hybrid
is immediately generated.
b. If you select Schedule the report, you can configure the frequency at which all the reports
are generated.

Table 48.1. Scheduled report frequency parameters

Field Description
Day(s) of the week A day, a frequency or a period of days. By default, every day is selected. This
field is optional.
Date of the month A specific day of the month or every day. By default, every day is selected. This
field is optional.
Month A specific month or every month. By default, every month is selected. This field
is optional.
Hour A specific hour, a set of hours, every hour, or every hour over a specific period.
The hour respects the UTC standard. By default, 20 is selected. This field is op-
tional.
Minute A moment of the hour, either 00, 15, 30 or 45. The minute respects the UTC
standard. By default, 00 is selected. This field is optional.
Name The name of the report on the page Scheduled reports. You can edit the default
name.
Mail to The name of the group which users should receive the export notification email.
By default, the first of your groups, in the ASCII alphabetic order, is selected. This
field is optional.
Note that no email can be sent if the users email address is not valid or if your
SMTP relay is not configured. For more details, refer to the section Configuring
the SMTP Relay in the chapter Configuring the Services.
Rights as The name of the user whose rights and limitations are applied in the report, as
follows <user> [<group>]. Only the items this user has access to are listed in the
export. By default, the first of your users, in the ASCII alphabetic order, is selected.
This field is optional.

7. Click on OK to complete the operation. The report opens and closes.

When each report is generated, it is available in the module Administration on the page
Reports.
8. If you left Generate new data selected:
a. You can click on DOWNLOAD to save the report immediately.
Otherwise, it is available on the page Reports.
b. Click on CLOSE to go back to the page.

Once you generated the report, you must review and correct all the parameters it contains that
are not compatible with Hybrid until your smart architecture is marked compatible. You can gen-
erate as many reports as you need.

726
 Hybrid DNS Service

To find the Hybrid DNS Engine incompatibilities report

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Monitoring, click on Reports. The page Reports opens.
3. In the column Name, you can look for the report DNS Hybrid Compliancy.

Once the physical server is Hybrid compliant, on the page All servers, the column Hybrid DNS
compatibility is marked Yes and, in the smart architecture edition wizard, the field Compatible
with a Hybrid DNS Engine is also marked Yes.

Switching to Hybrid DNS

Once your smart architecture is compatible with Hybrid, you can switch it. If your server is not
compatible with Hybrid, you need to change its configuration as some parameters might prevent
the switch. For more details, refer to the section Checking the Compatibility with Hybrid.

The smart architecture can contain one or several BIND servers that you can all switch. Keep in
mind that, if you only switch one server, the other servers share the same limitations that the
Hybrid servers. So, before switching to Hybrid you should probably make sure that none of its
limitations prevent you from using your server with all the parameters you usually need. For more
details, refer to the section Hybrid DNS Engines Limitations.

The switch to Hybrid actually follows this order:

1. All the Hybrid incompatibilities checks are made again.
2. If the server is actually compatible, the relevant Hybrid configuration is pushed to the physical
server.
3. Once the whole configuration is successfully pushed, BIND service is disabled and stopped
and the relevant Hybrid service (NSD or Unbound) is enabled and started.

In some rare cases, you might have a Hybrid server listed among your servers outside a smart
architecture. As you cannot manage a Hybrid server outside a smart architecture, you need to
switch it to BIND, add it to your smart architecture and then switch it again to Hybrid. For more
details, refer to the procedures To switch a physical server from Hybrid to BIND DNS and To
switch a physical server from BIND to Hybrid DNS.

To switch a physical server from BIND to Hybrid DNS

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. Make sure the BIND physical server you want to switch to Hybrid belongs to a smart archi-
tecture compatible with Hybrid.
3. Make sure the server status is OK.
4. Tick the physical server you want to switch.
5. In the menu, select Tools > Expert > Switch DNS Engine > To NSD / Unbound. The
wizard Switching the DNS Engine opens.
6. Click on OK to complete the operation. The report opens and works until the relevant DNS
service restarts. The physical server Status is OK and its Version indicates the engine
name it switched to.

Your server configuration switches to Unbound or NSD on its own, based on its configuration.
Once the switch is complete, the compatibility with Hybrid is forced: this implies that a set of
configurations can no longer be set. For more details regarding NSD or Unbound specificities
and limitations, refer to the sections The Server Switched to NSD and The Server Switched to

727
 Hybrid DNS Service

Unbound below. As for the Hybrid limitations in general, refer to the section Hybrid DNS Engines
Limitations.

To display the Hybrid engine the server switched to in the DNS module
1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. In the column Version, the engine and version are displayed.

Like any other server, you can check on a Hybrid server from the columns Status and Sync. For
instance, make sure that the smart architecture can push your configuration on the physical
server, if not the smart is marked Locked synchronization. For more details regarding this status,
refer to the section Handling the Status Locked Synchronization.

To display the Hybrid engine the server switched to in the Administration module
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Services configuration. The page Services configuration
opens.
3. Next to the DNS server, the engine that runs is indicated between brackets.

From the Services configuration page, you can enable, disable, stop and start the Hybrid DNS
server. For more details, refer to the section Handling Services.

In the same way, from this page you can download the NSD or Unbound configuration file de-
pending on which one is running. For more details, refer to the section Downloading a DNS or
DHCP Configuration File.

The Server Switched to NSD

NSD Engines are designed to manage authoritative DNS configurations. Once the switch was
successfully performed, a set of BIND options and configurations is emulated to suit NSD require-
ments.

However, you should be aware of a set of NSD engines specificities and limitations that shape
the configuration that you can or cannot set from the GUI.

NSD engines specificities

• NSD servers are exclusively authoritative: only master and slave zones are supported.
• All records handled by BIND are handled by NSD but DNSSEC records are only supported if
you use the BIND/NSD server as slave server in a Stealth or Master/Slave smart architecture.
• Each change made to the server or zones adds a new NSD configuration or zone file, copies
the former files and pushes the new configurations on the physical server.
• Every change made to the records database rebuilds the NSD database and adds a new zone
to ensure that the changes are pushed to the physical server as soon as possible.

NSD engines limitations

• You cannot add forward, stub, hint or delegation-only zones on an NSD server.
• Not all ACLs are supported:
• none, any, localhost and all the access control lists based on IP or network addresses are
supported.
• The localnets ACL is ignored.

728
 Hybrid DNS Service

• The allow-transfer and allow-notify clauses set on your BIND server are converted as follows
after a switch to NSD:
• If the allow-transfer clause is not specified at server or zone level, a default configuration is
pushed on the NSD server to allow any user to transfer master and slave zones via AXFR.
• If the allow-notify clause is not specified at server or zone level, the clause value on the NSD
server is set to respect BIND default behavior and allow proper synchronization of the master
and slave zones.
• NSD supports all the RRL settings except the Log only option. For more details, refer to the
section Limiting the Number of Responses of a Server.

The Server Switched to Unbound

Unbound Engines are designed to manage recursive DNS configurations. Once the switch was
successfully performed, a set of BIND options and configurations are emulated to suit Unbound
requirements. However, you should be aware of a set of Unbound engines specificities and lim-
itations that shape the configurations that you can or cannot set from the GUI.

Unbound Engines specificities

• Unbound servers are exclusively recursive: only forward and stub zones are supported.
• BIND statements are interpreted as follows:
• If the allow-recursion is specified on BIND, its value is used to set the allow-query statement
on Unbound.
• If the allow-recursion is not specified on BIND, the localhost is set on Unbound.
• ACLs are only supported to configure the allow-recursion statement only at server level. For
more details regarding ACLs, refer to the section Unbound Engines Limitations below.
• On forward zones, the forward parameter can only be set to first.
• If the BIND server is configured with the forward parameter (set to any value but none) and
forwarders, the switch to Hybrid DNS adds a forward zone named "." that emulates all specified
parameters. Keep in mind that if a "." forward zone already exists, the list of forwarders of both
zones are merged into one. Other parameters of the existing "." forward zone are ignored.

Unbound Engines Limitations

• You cannot add master, slave, hint or delegation-only zones on an Unbound server. Converting
master zones to slave on Unbound servers deletes all the records of the original master zone.
• Not all ACLs are supported:
• none, any, localhost and all the access control lists based on IP or network addresses are
supported.
• The localnets ACL and TSIG keys are not supported.
• Stub zones cannot be configured with:
• forward and parameter forwarders.
• stub-first and parameter stub-primes: they do not have any equivalent in BIND.
• Forward zones cannot be configured with the forward parameter set to only.
• Unbound handles the edns-udp-size option in a unique way:
• If the option was set before switching, the specified value is set on the Unbound ipv4-edns-
size and ipv6-edns-size options. Keep in mind that in this case, ipv4-edns-size has precedence
over ipv6-edns-size.
• Unbound does not support RRL. For more details regarding RRL, refer to the section Limiting
the Number of Responses of a Server.

729
 Hybrid DNS Service

• You cannot integrate Cisco Umbrella on Hybrid servers. For more details, refer to the section
Integrating Cisco Umbrella in the chapter Configuring DNS Servers.
• You cannot forward the client IP address on Hybrid DNS servers. For more details regarding
client IP address forwarding, refer to the section Forwarding the Client IP Address in the chapter
Configuring DNS Servers.

Hybrid DNS Engines Limitations

Once you switched your DNS service to Hybrid, you can configure and manage it through a smart
architecture. However, Hybrid has some limitations:
• It is impossible to import a Hybrid configuration.
• No statistics regarding Hybrid servers are retrieved, therefore the server properties page does
not contain any graph.
• You can only switch to Hybrid physical servers managed via a smart architecture
• After a fresh installation, the service default type is BIND. You need to manage the server
through a smart architecture and then switch it.
• Only the options compatible with BIND are supported: any hybrid vendor option that does not
have any counterpart in BIND cannot be set through SOLIDserver.
• The RNDC commands are not supported: you cannot perform the commands force-notify,
force-refresh, force-retransfer, querylog and flush cache on Hybrid compliant servers.
• The options inheritance is not supported per se. However, after switching to Hybrid, your
server configuration is directly set at zone level.
• SOLIDserver does not retrieve data from a Hybrid server. However, if you manage a Hybrid
server via a smart you can synchronize the architecture to push any changes made from the
GUI to the server (content or configuration file) from the smart to the physical server.
• Any change made to a Hybrid server restarts the service.
• Dynamic Update is not supported by Hybrid.
• ACL use is limited:
• All ACLs based on IP and network addresses are supported.
• The any, localhost and none ACL are supported in their IP address form.
• The localnet ACL is not supported.
• Views are not supported.
• RPZ zones are not supported.
• Signing zones with DNSSEC is only possible if the BIND/NSD Hybrid server is managed via
a smart architecture in which the BIND/NSD server is a slave which master is a BIND server.
Indeed, NSD servers cannot be signed in DNSSEC but as slave servers they can handle
DNSSEC records.

Forcing Compatibility with Hybrid

To provision a switch to Hybrid, you can force the compatibility with Hybrid on smart architectures.
This action allows you to make sure that all the parameters and configurations you set on your
server (at server and/or zone level) respect Hybrid requirements for BIND/NSD or BIND/Unbound.
That way, you wan switch your engine right away and do not need to perform any configuration
changes, whether you were planning to on a particular day or because a CVE release impacts
your BIND servers security.

Note that Hybrid DNS servers can only assume a limited number of roles within the architecture:

730
 Hybrid DNS Service

Table 48.2. Possible role of a physical server within a smart architecture per vendor
Physical server vendor
Role a
Hybrid DNS Amazon
EfficientIP Microsoft Generic Azure
NSD Unbound Route 53
Master X X X X X X X
Slave X X X X
Hidden-Master X X X
Pseudo-Master X X X X X
a
EfficientIP and EfficientIP Package servers

To force the compatibility with Hybrid

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. Make sure the BIND physical server you want to switch to Hybrid belongs to a smart archi-
tecture compatible with Hybrid.
3. Right-click over the Name of the smart architecture that manages this server. The contextual
menu opens.
4. Click on . The wizard Edit a DNS server opens.
5. If you are editing a Master/Slave, Stealth, Multi-Master or Single-Server architecture follow
the steps below:
a. Click on NEXT until you get to the page DNS servers role configuration.
b. Tick the box Expert mode.
c. Click on NEXT . The page Advanced settings opens.
d. Tick the box Force Hybrid DNS compatibility.
6. If you are editing a Farm architecture follow the steps below:
a. Click on NEXT until you get to the page Advanced settings.
b. Tick the box Force Hybrid DNS compatibility.
7. Click on OK to complete the operation. The report opens and closes. The smart architecture
is marked Yes in the Forced Hybrid DNS compatibility.

Switching Back to BIND

As Hybrid engines imply a set of limitations that might prevent you from configuring your DNS
server according to your needs, mixing authoritative and recursive zone for instance, you can
switch back to BIND. As all the NSD and Unbound options that you can set from the GUI have
an equivalent in BIND, you can switch the engine back to BIND.

To switch a physical server from Hybrid to BIND DNS

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. Make sure the BIND physical server you want to switch to Hybrid belongs to a smart archi-
tecture compatible with Hybrid.
3. Make sure the server status is OK.
4. Tick the physical server you want to switch.
5. In the menu, select Tools > Expert > Switch DNS Engine > To BIND. The wizard
Switching the DNS Engine opens.

731
 Hybrid DNS Service

6. Click on OK to complete the operation. The report opens and works until the relevant DNS
service restarts. The physical server Status is OK and its Version indicates it switched
to BIND.

Once you switched a Hybrid server engine to BIND, the option Force Hybrid DNS compatibility
is still enabled. To be able to configure the BIND server without the Hybrid limitations, you must
edit the smart architecture and untick the box.

To remove the forced compatibility with Hybrid

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. Make sure that the smart architecture you want edit does not manage any Hybrid server.
3. Right-click over the Name of the smart architecture. The contextual menu opens.
4. Click on . The wizard Edit a DNS server opens.
5. If you are editing a Master/Slave, Stealth, Multi-Master or Single-Server architecture follow
the steps below:
a. Click on NEXT until you get to the page DNS servers role configuration.
b. Tick the box Expert mode.
c. Click on NEXT . The page Advanced settings opens.
d. Untick the box Force Hybrid DNS compatibility.
6. If you are editing a Farm architecture follow the steps below:
a. Click on NEXT until you get to the page Advanced settings.
b. Untick the box Force Hybrid DNS compatibility.
7. Click on OK to complete the operation. The report opens and closes. The smart architecture
is marked No in the Forced Hybrid DNS compatibility.

Administrating the Backup and Restoration of Hybrid

Configurations
As Hybrid DNS engines differ from BIND named engine, there are a set of actions to perform
whenever you restore a backup or upgrade an appliance configured with Hybrid DNS.

Generating a Backup with Hybrid Servers

Whenever you generate an appliance backup, the Hybrid DNS configuration is automatically
retrieved. For more details regarding backups, refer to the sections Creating an Instant Backup
and Editing the Backup Settings.

Restoring a Backup Containing Hybrid Servers

When you restore an NSD or Unbound server backup, you must to tick the box "Restore the
system configuration". Otherwise, BIND service is started and the smart architecture might
push an outdated DNS configuration to your physical server instead of your Hybrid configuration.
For more details regarding the restoration of a backup, refer to the section Restoring a Backup
File.

732
Chapter 49. DNSSEC
Domain Name System Security Extensions (DNSSEC) is used to strengthen DNS protocol security.
It controls the integrity of all DNS answers and ensures that client queries are answered by the
proper zone.

By providing origin authentication, it protects the DNS information exchanged between name
servers configured with DNSSEC. Within SOLIDserver, it can only be configured on EfficientIP
servers and smart architectures managed via SSL, you cannot configure it on other DNS vendors.

DNSSEC ensures data protection from one signed zone to the other, whether the answer is
successful or not:
1. DNS data in each zone is cryptographically signed with a couple of public and private Zone
Signing Keys (ZSK) that validate the integrity of the data of each zone. As a result:
a. Every RRset of the zone is assigned a new RRSIG record that includes its own signature.
b. The public key is then provided to the resolver or application that validates the integrity of
the received RR. The integrity is provided by a chain of trust starting with the public key of
a trust anchor.
2. NSEC3 records are generated for each RRset, thus creating an organized chain of all the
RRs of the zone that provides an authenticated denial of existence. If the data is supposed to
be located in an area of the zone where another RR is located, it means that it does not exist.
3. Delegated zones are part of a chain of trust that ensures that every zone is recognized as
legitimate by its parent zone. To implement the security of that relation, each delegated zone
ZSK is signed at the parent zone level thanks to a couple of cryptographic Key Signing Keys
(KSK) and a Delegation Signer (DS).

. (root) . (root) verification against

SOA KSK DNSKEY the trust anchor
NS DS

hash
comparison
Trust Anchor
.com .com
SOA KSK DNSKEY
DNS DNSSEC
NS DS
resolver validator
hash
comparison
.domain.com .domain.com
SOA KSK DNSKEY

Figure 49.1. DNS resolution and DNSSEC validation

Keep in mind that DNSSEC does not protect whole servers, it only protects the data exchanged
between signed zones.

Once DNSSEC is configured, the DNS packages sent and received often exceed 512 bytes, so
we recommend configuring EDNS to extend the size of your DNS messages. For more details,
refer to the section Configuring EDNS Options at Server Level.

Note that even signed zones can be exported from the page All zones. For more details, refer to
the chapter Exporting Data.

733
 DNSSEC

Managing DNSSEC on Authoritative Servers

On authoritative servers, implementing DNSSEC means signing at least one of its zones. During
the zone signature, a set of signing keys and records are generated:
DNSSEC signing keys
• Two Zone Signing Keys (ZSK), to protect the zone data. Every time a signed zone is
queried, the ZSK validation process is the following:

domain.com

ZSK DNSKEY KSK Validation

The response is verified
Hash algorythm verified? The hash values match
DNSKEY of the KSK and the KSK is valid
same
hash? The response is not verified
The hash values do not match
and/or the KSK is not valid

RRSIG

Public key
of the KSK

Figure 49.2. The ZSK validation process

One ZSK is active right away and the other is added to replace the first one when it expires
or in case of problem.
• One Key Signing Key (KSK), to protect the ZSKs. It is active right away. The KSK validation
process is the following:

.com
is the DS
RRset valid?
DS
The response is verified
verified? The hash values match
and the DS RRset is valid
same
hash? The response is not verified
The hash values do not match
domain.com and/or the DS RRset is not valid

KSK DNSKEY

Figure 49.3. The KSK validation process

Once generated, you can manage these keys. For more details, refer to the section Managing
DNSSEC Signing Keys.
DNSSEC records
• The DNSKEY or Domain Name System KEY. This record contains the public key data of
the zone and is used to generate the zone public cryptographic keys, its ZSKs and KSK,
it signs and authenticates RRsets.
The DNSKEY is used by DNSSEC clients during the authentication process, it validates
the signatures. Three DNSKEY records are generated every time a zone is signed, one
for each signing key. The hash of each DNSKEY is compared with the hash of the corres-
ponding RRSIG to ensure that the RRset has not changed.
If you did not sign zones from SOLIDserver, you might need to add DNSKEY records, for
more details refer to the section Adding a DNSKEY Record.

734
 DNSSEC

In case of unexpected KSK change, you might want to manually add CDNSKEY records
to inform the parent zone of these changes. For more details, refer to the table DNSSEC
resources records configuration fields in appendix.
• The RRSIG or Resource Record SIGnature.This record stores the digital private signatures,
it signs each set of RR of a zone. It does not sign individual records.
The RRSIG guarantees secure DNS operations, its hash is compared with the hash of the
DNSKEY to ensure that the RRset has not been changed.
• The NSEC, NSEC3 and NSEC3PARAM records. These records significantly extend zone
files.
NSEC or Next SECure. This record provides authenticated denial of existence for the re-
cords as it points to the next valid host name in the zone for each record. If the requested
name is not returned, it does not exist.
NSEC3 or NSEC version 3. This record was designed because NSEC records can help
map out the content of the zone. It hashes each label to prevent enumeration.
NSEC3PARAM or Next Secure 3 Parameter. This record assists the authoritative server
handling client requests. Thanks to it, they can calculate hashed owner names and choose
which set of NSEC3 records are included in the negative responses.
• The DS, or Delegation Signer. This record is used to secure delegations between a zone
and a subzone. In a parent zone, the DS stores the key tag, algorithm number and a digest
of the DNSKEY of its child zone. Both records allow DNSSEC resolvers to authenticate
the validity of a subzone. Therefore, once you signed a subzone, you must publish the DS
information in the parent zone to make sure it is integrated to the Chain of trust. For more
details, refer to the section Publishing the Delegation Signer in the Parent Zone.
In case of unexpected KSK change, you might want to manually add CDS records to inform
the parent zone of these changes. For more details, refer to the table DNSSEC resources
records configuration fields in appendix.

Once a zone is signed, querying it means validating its content.

domain.com

RR (A, ...) ZSK Validation

The response is verified
Hash algorythm verified? The hash values match
DNSKEY of the ZSK and the ZSK is valid
same
hash? The response is not verified
The hash values do not match
and/or the ZSK is not valid

RRSIG

Public key
of the ZSK

Figure 49.4. RRset validation of a signed zone

Once DNSSEC is configured, the DNS packages sent and received often exceed 512 bytes, so
we recommend configuring EDNS to extend the size of your DNS messages. For more details,
refer to the section Configuring EDNS Options at Server Level.

Signing a Zone
You can sign zones from the page All zones. It automatically generates the relevant signing keys
and records.

735
 DNSSEC

Private
ZSK

domain.com domain.com (signed)

Hashing Encoding

RR A RR A
RRSIG

ZSK DNSKEY
ZSK DNSKEY KSK DNSKEY
KSK DNSKEY
Hashing Encoding RRSIG

Private
KSK

Figure 49.5. The process of signing a zone

Keep in mind that:

• You can only sign Master zones managed by smart architectures or EfficientIP DNS servers.
• The first time you sign a zone, 3 signing keys are automatically generated, one KSK and two
ZSKs. During the zone signature you can configure their life span, a crucial element of the key
rollover. For more details, refer to the section Managing DNSSEC Signing Keys.
• When you sign a zone:
• DNSSEC records are automatically generated once the zone is DNSSEC-compliant. The
zone automatically orders these records. They are listed on the page All RRs, you cannot
edit them.
• We strongly recommend setting up notifications as any problem within a zone can invalidate
an entire server.
• Once you signed a zone, its signing keys are listed on the page All DNSSEC keys. You can
use these keys to sign the zone again if you unsigned it or if you want to sign that same zone
in a different view of the server or smart architecture.
• The hashing algorithm RSASHA1 is no longer recommended to generate the ZSKs and KSKs,
therefore it is no longer available in the GUI. If you upgraded your appliance to this version,
you can still use the algorithm if you set the registry database entry module.dns.en-
able_rsasha1_signing to 1.
• If you want to sign zones on a server but also associate it with one or more applications, you
must make sure that the A or AAAA record matching the FQDN of each application belongs
to a zone that is not signed.
Once you sign a zone that contains records matching any application FQDN, the zone can no
longer properly answer signed queries. For more details, refer to the part Application.

736
 DNSSEC

To sign a zone
1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. Tick the zone(s) you want to sign.
3. In the menu, select Tools > DNSSEC > Sign zones. The wizard Signing zones opens.
4. Configure the ZSK, either use existing keys or generate a new one.
a. To use existing keys, tick the box Use existing ZSK(s). Two lists appear.

Table 49.1. Existing ZSK selection fields

Field Description
Available ZSK(s) The ZSK of your choice, select it and click on . The key is moved to the list
Selected ZSK(s).
The list contains Enabled ZSKs generated for the zone. You can move as many
keys as you need to list Selected ZSK(s).
Selected ZSK(s) The ZSK(s) used to sign the zone. This field is required.
To remove a key from the list, select it and click on . The key is moved back to
the list Available ZSK(s).

b. To generate a new ZSK, configure the fields according to your needs.

Table 49.2. New ZSK configuration fields

Field Description
ZSK - Algorithm The hashing algorithm of the ZSK, either ECDSAP256SHA256, ECD-
SAP384SHA384, ED25519, ED448, RSASHA256 or RSASHA512. By default,
ECDSAP256SHA256 is selected. This field is required.
ZSK Validity unit The unit of the ZSK - Validity, either Day, Month, Year or Infinite. By default, Month
is selected. This field is required.
Keep in mind that we recommend setting a validity of 3 months for each ZSK.
ZSK - Validity The number of days, months or years of the ZSK. By default, it is set to 3. This
field is required, it is not displayed if you selected Infinite as ZSK Validity unit.
Keep in mind that we recommend setting a validity of 3 months for each ZSK.

5. Configure the KSK, either use existing keys or generate a new one.
a. To use existing keys, tick the box Use existing KSK(s). Two lists appear.

Table 49.3. Existing KSK selection fields

Field Description
Available KSK(s) The KSK of your choice, select it and click on . The key is moved to the list
Selected KSK(s).
The list contains Enabled KSKs generated for the zone. You can move as many
keys as you need to list Selected KSK(s).
Selected KSK(s) The KSKs used to sign the zone. This field is required.
To remove a key from the list, select it and click on . The key is moved back to
the list Available KSK(s).

b. To generate a new KSK, configure the fields according to your needs. Keep in mind
that your KSK value is probably set by your parent zone.

737
 DNSSEC

Table 49.4. New KSK configuration fields

Field Description
KSK - Algorithm The hashing algorithm of the KSK, either ECDSAP256SHA256, ECD-
SAP384SHA384, ED25519, ED448, RSASHA256 or RSASHA512. By default,
ECDSAP256SHA256 is selected. This field is required.
KSK Validity unit The unit of the KSK - Validity, either Day, Month, Year or Infinite. By default, Month
is selected. This field is required.
Keep in mind that we recommend setting a validity of 12 months for each KSK.
KSK - Validity The number of days, months or years of the KSK. By default, is set to 12. This
field is required, it is not displayed if you selected Infinite as KSK Validity unit.
Keep in mind that we recommend setting a validity of 12 months for each KSK.

6. Click on NEXT . The last page opens.

7. Configure the alert notifications, via mail or SNMP trap. You must configure at least one,
you can set them both. Make sure the SNMP service is properly configured, for more details
refer to the section Configuring the SNMP Server.
a. To set up email alert configuration, make sure the box Send mail is ticked. The related
fields are displayed.

Table 49.5. Send mail alert configuration parameters

Parameters Description
Mailing lists The group of users notified via email. Make sure that you configured an email
address for the users of the group you select, otherwise no one in the group will
receive the alert.
Additional Mail Another email address that should receive the alert. Specify an email address
and click on ADD , the address is moved to the field Additional Mail List. You can
add as many addresses as you want.
Additional Mail List The list of addresses that receive the alert, they all receive it at the same time no
matter the list order.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit
the field(s) and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .

b. To set up an SNMP Trap, tick the box. The related fields appear. All the fields are
compulsory, except the last one.

Table 49.6. SNMP alert configuration parameters

Parameters Description
SNMP version The version of SNMP. Select v2c or v3.
SNMP Destination The IP address of the network management platform. You must type it in.
SNMP Community The community string that would act as a password to access the SNMP
agent. You must type it in.
Raised alert SNMP OID The custom OID to be sent when the alert is raised. You must type it in. You
can use and extend the default OID 1.3.6.1.4.1.2440.1.6.1.2.0.1.
Released alert SNMP The custom OID to be sent when the alert is released, this field is optional.
OID If this field is empty, no trap is sent when the alert is released.

8. Click on OK to complete the operation. The report wizard opens and closes.
On the page All zones, in the column DNSSEC, the zone is marked yes.

738
 DNSSEC

On the page All DNSSEC keys, in the column Status, the keys generated for the zone(s)
are marked Enabled. In the column Life span you can see which keys are active.

When the zone is signed, it contains DNSSEC records that hold the information of the Trust anchor
of the root zone ".". Therefore, your zone can be included in the chain of trust.

If you signed a subzone, you need to publish the DS record as detailed in the section below.

Publishing the Delegation Signer in the Parent Zone

The Delegation Signer (DS) allows to hold the information of a subzone in a parent zone and
ensure DNSSEC authentication at all levels of the chain of trust. Every time you sign a zone, a
DS is generated.

Without the DS pointing to the right subzone, DNSSEC resolvers cannot authenticate the subzone
as part of the chain of trust and clients cannot access it.

. IN DNSKEY sv0LR4loi...4rew89ctb (root KSK)

. IN DNSKEY du4tf3...4ss32DDS (root ZSK)
. IN ...
.com. IN DS <digest of the child zone KSK>
.com. IN ...

zone "." root

.com. IN DNSKEY r5e4d...7785dd5 (KSK)

.com. IN DNSKEY t457uc7...4ss362552 (ZSK)
.com. IN ...
.domain.com. IN DS <digest of the child zone KSK>
.domain.com. IN ...

zone .com
security point of entry

domain.com. IN DNSKEY sd6zf8q...8ze5d (KSK)

domain.com. IN DNSKEY 8c5dx...d45shc78 (ZSK)
domain.com. IN ...
support.domain.com. IN DS <digest of the child zone KSK>
support.domain.com. IN ...

zone domain.com

Figure 49.6. The DS record within authoritative zones

All the zones signed with SOLIDserver use the information of the trust anchor of the zone root
".". Therefore, you need to publish the DS of a subzone if its parent zone was signed, and
only in this case.

Note that if you added a trust anchor for a delegation of private zones, you also need to publish
your DS in the signed parent zone. For more details, refer to the section Adding a Trust Anchor.

To publish the DS in the parent zone you must:

1. Retrieve the DS information from the child zone, i.e. copy the DS information on the subzone
properties page. Note that you can also export the column DS of a zone in a CSV file, for more
details refer to the chapter Exporting Data.

739
 DNSSEC

2. If you manage the parent zone, add a DS with that information in the parent zone.
If you do not manage the parent zone of the subzone you signed, copy the entire line of the
DS record that suits your needs, paste it in the appropriate file and send it.

Note that:
• You cannot add a DS record in a parent zone if the subzone you are delegating does not
contain a DS and a NS record named like the subzone. For more details, refer to the section
Adding an NS Record.
• If your parent zone supports it, you can also add a CDS record to let the parent zone retrieve
information and be informed of any changes. For more details, refer to the table DNSSEC re-
sources records configuration fields in appendix.

To publish the DS information of a subzone in its parent zone

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. Retrieve the DS information
a. At the end of the line of the signed zone of your choice, click on . The properties page
opens.
b. In the panel DS Keys, click on to expand it. It contains all the DS records of the zone.

Figure 49.7. Example of a panel DS Keys

For each DS record, you will find:

• On the first line: a key, a Start date and time and an Expire date and time.
• On the next two lines, the DS details. They are displayed twice, in two different digest
types. Both lines contain the same zone name and RR type (DS), followed by its
complete value.
c. Identify the DS you need via its key. In the image above, we want the details of the key
62946.
d. Copy the DS details encrypted with the digest type 2 on the second line. You need all
the values displayed right of DS, they are separated by a space.
In the image above, the values needed for the zone mycorp.com are the Key Tag
(62946), the Key Algorithm (7), the Digest Type (2) and the Digest
(3A23EE213657A556A98137DC2EC011C33882FDA715D50FF6FF7F1740CC084604).
3. Publish the DS information of the subzone in a signed parent zone
If you do not manage the parent zone of the subzone you signed, copy the entire line of the
DS record that suits your needs, paste it in the appropriate file and send it.
If you manage the parent zone of the subzone you signed, you need to add a DS record in
the parent zone using the child zone DS information:
a. In the sidebar, go to DNS > Zones. The page All zones opens.
b. Click on the Name of the signed parent zone of your choice. The page All RRs opens.
c. In the menu, click on Add. The wizard Add a DNS RR opens.

740
 DNSSEC

d. In the drop-down list RR type, select DS.

e. In the field RR name, name the record like the subzone.
f. In the field or drop-down list TTL, you can edit the default value. The field displays the
TTL in seconds. Editing the value of the field automatically edits the drop-down list, and
vice versa. By default, the TTL is set to 3600 seconds (1 hour).
g. In the field Key Tag, paste the child zone key tag.
h. In the field Key Algorithm, paste the child zone key algorithm.
i. In the field Digest Type, paste the child zone digest type.
j. In the field Digest, paste the child zone digest.
k. Click on OK to complete the operation. The report opens and closes. The record is listed
on the page All RRs, its Value contains the Key Tag, Algorithm Key, Digest Type and
Digest separated by a comma.

Once the parent zone contains a DS record for each child zone, the chain of trust includes both
the zone and all its delegated subzones.

Managing DNSSEC Signing Keys

From the page All DNSSEC keys, you can manage the ZSKs and KSKs.To manage trust anchors,
refer to the section Managing Trust Anchors.

Two Zone Signing Keys (ZSK) are generated every time you sign a zone to protect it, one is
active right away and the other is ready to replace the first one. You can use existing ZSKs to
sign other zones. You can revoke, disable, enable, delete and clean expired ZSKs.

One Key Signing Key (KSK) is generated every time you sign a zone to protect the ZSKs. You
can use existing KSKs to sign other zones. You can generate, revoke, disable, enable, delete
and clean expired KSKs.

For both key types, you must monitor and execute the key rollover whenever necessary. It
ensures the security of your DNSSEC zones.
• The ZSK rollover is automatic and relies on the two keys generated when you sign a zone.
If you suspect a ZSK is compromised you can force an earlier check and generate a new key
if relevant. For more details, refer to the section Executing a ZSK Rollover.
• The KSK rollover is manual. Only one key is generated when you sign a zone, so you must
generate a new one to replace the one protecting the ZSKs of a zone when it expires or if you
suspect it is compromised. For more details, refer to the section Executing a KSK Rollover.

Browsing DNSSEC Signing Keys

All the ZSKs, KSKs and trust anchors are listed on the page All DNSSEC keys.

To display the list of DNSSEC keys

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. In the breadcrumb on the right of All zones, click on to display additional pages.
3. Click on All DNSSEC keys. The page opens.

By default, all columns are displayed on the page. They return the keys Name, Type, Encryption
type and Key tag.

741
 DNSSEC

Any user can change the column layout of the page via the button List template, on the right-
end side of the menu. Only users of the group admin can add or edit list templates. For more
details, refer to the section Managing List Templates.

To display the properties of a DNSSEC key

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. In the breadcrumb on the right of All zones, click on to display additional pages.
3. Click on All DNSSEC keys. The page opens.
4. At the end of the line of the key of your choice, click on . The properties page opens.

Executing a ZSK Rollover

The key rollover ensures the security of your DNSSEC system as it makes sure that signed zones
are protected by valid keys. The rollover option refreshes the key and generates a new one ready
to replace the current one if necessary.

The ZSK rollover is automatic within SOLIDserver for each zone:

• When you sign a zone, two ZSKs are generated and configured with the same parameters.
The first one is published in the zone and immediately active, the second one is published but
inactive until the active ZSK expires.
• When the active ZSK expires, the second one is activated and a third key is published and in-
active until the second ZSK expires, and so forth. All ZSKs share the parameters of the signed
zone.

The whole set of active keys is checked daily.

Zone signing

ZSK 0
published and active inactive key deletion
It is deleted The inactive ZSK is deleted from the
from the GUI DNS after one third of its lifespan
but remains
in the DNS

Future ZSK 1 ZSK 1

published key deletion
It is inactive until the
current ZSK expires
Future ZSK 2 ZSK 2
key deletion

Future ZSK 3 ZSK 3

key deletion
t0 t1 t2 t3 t4

Figure 49.8. ZSK rollover

All keys are listed on the page All DNSSEC keys. Inactive ZSKs are automatically deleted from
the GUI, but remain in the DNS for one third of their lifespan before being deleted from the DNS
as well. These inactive keys are kept in the DNS because that information has been cached by
other servers. Therefore, the information of the inactive ZSK is still used to secure the records,
unless you edited them after the activation of the new ZSK. Once the ZSK is deleted from the
DNS, all the records are automatically signed again using the currently active ZSK.

742
 DNSSEC

Even if the ZSK rollover is automatic on signed zones, you can force an earlier check if you
suspect they are compromised.

The option Force automatic ZSK rollover allows to make sure that the selected ZSK is not com-
promised or soon to expire. If it is the case, a new one is generated to replace it.

If a key is compromised you must revoke it, for more details refer to the section Revoking a ZSK.

To execute the ZSK rollover

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. In the breadcrumb on the right of All zones, click on to display additional pages.
3. Click on All DNSSEC keys. The page opens.
4. In the menu, select Tools > Force automatic ZSK rollover. The wizard Forcing the
refresh of all the ZSKs opens.
5. Click on OK to complete the operation.The report opens and closes. A new ZSK is generated
only if necessary.

Executing a KSK Rollover

The key rollover ensures the security of your DNSSEC system as it makes sure that signed zones
are protected by valid keys. The rollover option refreshes the key and generates a new one ready
to replace the current one if necessary.

The KSK rollover is manual, so the option KSK rollover is all the more useful.

Ideally the KSK has to be replaced once a year.

KSK

KSK t+1

1 2 3 4 5 6 7 8 9 10 11 12 13 14

months

Figure 49.9. KSK rollover

If a KSK is compromised, you must revoke it. For more details, refer to the section Revoking a
KSK.

To execute the KSK rollover

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. In the breadcrumb on the right of All zones, click on to display additional pages.
3. Click on All DNSSEC keys. The page opens.
4. Tick the KSK of your choice.
5. In the menu, select Edit > KSK rollover. The wizard Performing a KSK rollover opens.
6. Click on OK to complete the operation.The report opens and closes. A new KSK is generated
only if necessary.

743
 DNSSEC

Generating a New KSK

Some time before the KSK expires, you are notified via email alert and/or an SNMP trap depending
on what you configured when you signed the zone.You may also need a new KSK to safely revoke
or disable the current one.

To properly enable the rollover of the KSK and protect the ZSKs of your zone you must:
1. Generate a new KSK.
2. Publish the Delegation Signer (DS) that signs the new KSK in your parent zone.

We strongly recommend setting an alert to be notified when the KSK you generate is about to
expire, using the column Time left for instance. For more details, refer to the section Managing
Alerts.

If you manage the zone on several servers, you may need to sign the zone on these servers
using the generated KSK. For more details, refer to the section Signing a Zone With an Additional
KSK.

To generate a new KSK

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. Generate the KSK
a. Tick the signed zone(s) of your choice.
b. In the menu, select Tools > DNSSEC > Generate new KSK.The wizard Generating
a new KSK opens.
c. Configure the KSK according to your needs:

Table 49.7. New KSK configuration fields

Field Description
KSK - Algorithm The hashing algorithm of the KSK, either ECDSAP256SHA256, ECD-
SAP384SHA384, ED25519, ED448, RSASHA256 or RSASHA512. By default,
ECDSAP256SHA256 is selected. This field is required.
KSK Validity unit The unit of the KSK - Validity, either Day, Month, Year or Infinite. By default, Month
is selected. This field is required.
Keep in mind that we recommend setting a validity of 12 months for each KSK.
KSK - Validity The number of days, months or years of the KSK. By default, is set to 12. This
field is required, it is not displayed if you selected Infinite as KSK Validity unit.
Keep in mind that we recommend setting a validity of 12 months for each KSK.

d. Click on OK to complete the operation. The report wizard opens and closes.
3. Publish the DS of the new KSK in the parent zone
a. In the breadcrumb on the right of All zones, click on to display additional pages.
b. Click on All DNSSEC keys. The page opens.
c. At the end of the line of the new KSK, click on . The properties page opens.
d. In the panel DS, copy the content of the list DS.
e. Transmit the DS to the parent zone. For more details, refer to the precedure To publish
the DS information of a subzone in its parent zone.
Some parent zones may also require the DNSKEY record of the new KSK.

744
 DNSSEC

Revoking a KSK
If a KSK is compromised you should revoke it. Revoking a KSK invalidates its corresponding
DNSKEY record for the zone and can protect it from attacks.

To properly revoke a KSK you must:

1. Generate a new KSK and notify the parent zone to make sure you do not invalidate the whole
zone by revoking the compromised key. For more details, refer to the section Generating a
New KSK.
2. Revoke the compromised KSK.

Note that you cannot revoke a KSK if it is the only one protecting the ZSKs of a zone, it
would break the chain of trust and prevent from successfully querying your zone records, the
zone would be invalidated.

To revoke a KSK
1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. In the breadcrumb on the right of All zones, click on to display additional pages.
3. Click on All DNSSEC keys. The page opens.
4. Generate a new KSK
a. Make sure that you have another KSK, a valid one, protecting the zone and that you
notified the parent zone.
b. If you do not have two KSKs attached to the zone listed on the page or if you have not
notified the parent zone of the new KSK generation, refer to section Generating a New
KSK.
5. Revoke the compromised KSK
a. Tick the KSK of your choice.
b. In the menu, select Edit > Revoke KSK Keys. The wizard Revoking Key Signing
Keys opens.
c. Click on OK to complete the operation. In the column Type, the KSK is now marked
KSK (invalidated) but its Status is still Enabled.
The KSK that now protects the zone is edited:
• Its Start date now matches the time and date of the revocation.
• Its Validity and Time left evolve to protect the zone until the intended End time and
date of the KSK you revoked.

Revoking a ZSK
If a ZSK is compromised, you must revoke it. As there are two ZSKs protecting a signed zone,
revoking a ZSK triggers the following behaviors:
• If the active ZSK is revoked
1. The revoked ZSK is deleted from the GUI and the DNS database.
2. The published ZSK is activated to replace it. The new ZSK lasts longer that the initial time
configured when you signed the zone: it lasts for the remaining time of the revoked key plus
it own lifespan.
3. Another ZSK is generated and published. It lasts as long as the active ZSK. When the active
ZSK expires, it replaces it, this time it lasts for the initial period configured when you signed
the zone.

745
 DNSSEC

ZSK revocation

ZSK n
published Immediate deletion
and active The ZSK is deleted from
the GUI and the DNS

ZSK n+1
published active key deletion
The published ZSK is activated. It stays
active for the remaining lifetime of
the revoked ZSK and its own lifespan.

ZSK n+2 ZSK n+2

published key deletion
Another ZSK is published Once active, its lifespan
and remains inactive until matches the one configured
the active ZSK expires. when the zone was signed

Figure 49.10. The mechanism when you revoke the active ZSK

• If the published ZSK is revoked

1. The revoked ZSK is deleted from the GUI and the DNS database.
2. Another ZSK is generated and published, matches the active ZSK configuration. It is activated
when the active ZSK expires.

ZSK n
published and active key deletion
ZSK revocation

ZSK n+1
published Immediate deletion
The ZSK is deleted from
the GUI and the DNS

ZSK n+1 ZSK n+1

published key deletion
Another ZSK is published
and remains inactive until
the active ZSK expires.

Figure 49.11. The mechanism when you revoke the published ZSK

To revoke a ZSK
1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. In the breadcrumb on the right of All zones, click on to display additional pages.
3. Click on All DNSSEC keys. The page opens.
4. Tick the ZSK(s) of your choice.
5. In the menu, select Edit > Revoke ZSKs. The wizard Revoking ZSKs opens.
6. Click on OK to complete the operation. The wizard closes and the page refreshes.
If your revoked an inactive key, it is replaced by a new key with a different Key tag and the
same Start and End dates.
If you revoked an active key, it is replaced by the inactive key and a new one is generated
to replace it when it expires.

746
 DNSSEC

Disabling Signing Keys

You can disable ZSKs and KSKs, this may be useful if you need to complete your DNSSEC
configuration and then push it again on the server.

By default the generated ZSKs and KSKs are enabled, this does not mean that they are currently
used to protect the zone. In the column Life span, you can see that the KSK and one ZSK is
active, inactive keys are marked Not started yet.

Keep in mind that:

• Disabling a key does not delete it. To delete a key, refer to the section Deleting Signing Keys.
• You can disable keys whether they are currently active or not.
• Disabling a key deletes the corresponding DNSKEY and RRSIG records in the relevant zone.
• The active ZSK and the KSK both protect the zone. If you disable the KSK of a zone but not
its ZSKs, or vice versa, the zone appears Broken on the page All zones, in the column DNSSEC.
• When you disable a ZSK:
• If the ZSK is active, the zone is no longer protected. The inactive ZSK does not take over to
protect the zone, disabling an active key cancels the rollover. The zone is no longer protected
and marked Broken until you enable the key again.
• If the ZSK is inactive, the zone is protected until the active ZSK expires. The disabled ZSK
does not take over when the active ZSK expires, the zone is Broken.
• When you disable a KSK:
• If the KSK is active and no other KSK is configured for the zone, it breaks the chain of trust
and can affect a zone and its subzones.
• If the KSK is active and another KSK is configured for the zone, both keys are protecting
your ZSKs. If you disable one, the other KSK is still protecting your zone.
• If the KSK is inactive but the zone is still protected by the active one, the zone is protected
until the active KSK expires. The zone is Broken until you replace the KSK.
• Disabling a key prevents from using it to sign a zone. Disabled keys are not listed in the fields
Available ZSK(s) and Available KSK(s) of the wizard Signing a zone.
• It is possible to select all the keys of a zone and disable them but it is not recommended. Indeed,
disabling all keys at once partially unsigns the zone(s) as the DNSKEY and RRSIG records
are deleted but it does not properly purges all the DNSSEC records. To properly unsign zones,
refer to the section Unsigning a Zone.

To avoid breaking the chain of trust before disabling a KSK or ZSK you should:
• Make sure the key is inactive, and not currently used to sign any zone.
• Make sure another key is ready to protect the zone. Two ZSKs are generated when you
sign a zone, however you might need to generate a new KSK for the zone(s), before disabling
a KSK. For more details, refer to the section Generating a New KSK.

To disable a DNSSEC key

This operation should only be performed by administrators with good knowledge of DNSSEC
mechanisms.
1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. In the breadcrumb on the right of All zones, click on to display additional pages.
3. Click on All DNSSEC keys. The page opens.
4. From the column Status, you can filter the list to only display Enabled or Disabled keys.

747
 DNSSEC

5. Filter the list to only list enabled keys.

6. Tick the ZSK(s) or KSK(s) of your choice.
7. In the menu, click on Edit > Enable. The wizard opens.
8. Click on OK to complete the operation. In the column Status, the selected key(s) is marked
Disabled.

Enabling Signing Keys

You can enable again a disabled ZSK or KSK. Keep in mind that:
• Enabling a key adds again the corresponding DNSKEY and RRSIG records in the relevant
zone.
• Enabling a key again is not instantaneous. Until the cache of all the servers that queried the
zone expires, the new key information, including its life span, is not up-to-date and the change
is not taken into account.
• If the key you disabled was active, enabling it again allows to use it to protect the zone. Inactive
keys enabled again only change status, they are used when the active key expires.
• If the zone was Broken, enabling again the proper keys changes its DNSSEC status to yes on
the page All zones.
• Enabled keys are available again in the list of existing keys of the zone signature wizard.

To enable DNSSEC keys

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. In the breadcrumb on the right of All zones, click on to display additional pages.
3. Click on All DNSSEC keys. The page opens.
4. From the column Status, you can filter the list to only display Enabled or Disabled keys.
5. Filter the list to only list disabled keys.
6. Tick the ZSK(s) or KSK(s) of your choice.
7. In the menu, click on Edit > Enable. The wizard opens.
8. Click on OK to complete the operation. In the column Status, the selected key(s) is marked
Enabled.

Deleting Signing Keys

You can only delete a KSK or ZSK if it has expired (Unused), is Disabled or was generated for
a zone that was unsigned.

To delete a signing key

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. In the breadcrumb on the right of All zones, click on to display additional pages.
3. Click on All DNSSEC keys. The page opens.
4. Tick the key(s) of your choice.
5. In the menu, click on Delete. The wizard Delete opens.
6. Click on OK to complete the operation. The key is no longer listed.

748
 DNSSEC

Cleaning Expired Signing Keys

By default, all expired ZSKs and KSKs are automatically deleted from the page All DNSSEC keys
every night. However, at any point you can look for expired signing keys in all relevant zone and
delete them if need be.

To clean expired signing keys

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. In the breadcrumb on the right of All zones, click on to display additional pages.
3. Click on All DNSSEC keys. The page opens.
4. In the menu, select Tools > Clean expired keys. The wizard Remove expired DNSSEC
keys opens.
5. Click on OK to complete the operation. The report opens and closes. The relevant keys are
deleted.

Signing a Zone With an Additional KSK

You can manage a zone on several servers, sign it on one server and then use the generated
ZSKs and KSKs to sign this zone on every other server.

After generating a KSK for a zone, the additional KSK automatically signs the zone.You can sign
the zone on all other servers with this additional KSK. Keep in mind that:
• You can only protect a signed zone with a KSK generated for a zone with the same name.
• You can select several zones if they have the same name.

To sign a zone with an additional KSK

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. Tick the zone(s) you want to sign with an additional KSK.
3. In the menu, select Tools > DNSSEC > Sign zone with additional KSK. The wizard
DNSSEC - Sign zone with additional KSK opens.
4. In the field Available KSK(s) select the newly generated KSK and click on . The key is
moved to the list Selected KSK(s). You can repeat this operation for as many keys as you
need.
To remove a key from the list Selected KSK(s), select it and click on . The key is moved
back to the list Available KSK(s).
5. Click on OK to complete the operation. The report wizard opens and closes.
On the page All DNSSEC keys, in the column Status, the keys generated for the zone(s)
are marked Enabled. In the column Life span you can see which keys are active.

Unsigning a Zone
You can unsign zones to stop using DNSSEC to secure your DNS organization.

Unsigning a zone disables DNSSEC for a zone. Note that disabling DNSSEC on a zone is different
than disabling the signing keys of a zone. For more details, refer to the section Disabling Signing
Keys.

749
 DNSSEC

Before unsigning a zone, keep in mind that:

• Unsigning a zone disables its signing keys and purges all the DNSSEC records generated
during the signature. The zone is no longer considered secure by other signed zones.
• Unsigning a parent zone breaks the chain of trust set with its child zone(s). As only the records
generated automatically are purged, the DS record you published for any child zone is still part
of the parent zone.
You must delete the DS record published in the parent zone for each child zone to ensure it
cannot compromise it. Once the parent zone is unsigned, its DS records are no longer authen-
ticated or secure.

Once a zone is unsigned, its signing keys are still listed on the page All DNSSEC keys and can
be used to sign the zone again.

To unsign DNSSEC zones

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. Tick the zone(s) of your choice.
3. In the menu, select Tools > DNSSEC > Unsign zones. The wizard Unsigning zones
opens.
4. Click on OK to complete the operation. The report wizard opens and closes.
On the page All zones, in the column DNSSEC, the zone is marked no.
On the page All DNSSEC keys, in the column Status, the keys are marked Unused, if they
were only used with the zone you unsigned.
5. If you unsigned a parent zone, you must delete the DS record of each of its signed zones
as it is no longer signed, secure and authenticated. For more details, refer to the section
Deleting Resource Records.

Managing DNSSEC on Recursive Servers

On recursive servers, DNSSEC relies on resolvers that you include to a chain of trust using trust
anchors.

Within SOLIDserver, you can enable DNSSEC validation, manage the trust anchors and disable
the validation.

Enabling DNSSEC Validation

Just like the DNS, DNSSEC validation relies on resolvers. They must be part of a chain of trust.

You can set Efficient DNS servers and smart architectures as DNSSEC resolvers and as-
sociate them with a trust anchor.

The chain of trust ensures that clients are directed to valid zones. All queries and answers are
signed and compared at every DNS lookup node to authenticate the exchange and make sure
that both sides can be trusted. That way, at all relevant levels, a verified encrypted signature
provides validating resolvers with the correct path to secured zones and prevents directing clients
toward bogus IP addresses. This validation can be set all the way up to the TLD.

The starting point of the chain of trust is the trust anchor. Once configured on a validating resolver,
it allows the resolver to validate the integrity of the records sent by DNS clients and ensure the
chain of trust between a zone and its parent. Therefore, a zone or subzone has to be secured

750
 DNSSEC

before being linked to the secured zone it is a delegated from. The trusted anchor of the parent
zone then covers the secured child zones that are delegated from it.

. IN DNSKEY sv0LR4loi...4rew89ctb (root KSK)

. IN DNSKEY ws4kz5...8ss3y6gD (root ZSK)...
.com IN DS KSK fg9gj7j...9tdr6
com IN RRSIG DS ... ZSK .com

"." root zone

.com IN DNSKEY sv0LR4loi...4rew89ctb (KSK)

DNSKEY du4tf3...4sh32qDS (ZSK)
RRSIG DNSKEY KSK .com ...
RRSIG DNSKEY ZSK .com ...
.domain.com IN DS KSK s8ez7ht...9zj1s
.domain.com IN RRSIG DS ... ZSK .domain.com ...

.com zone
security point of entry

.domain.com IN DNSKEY r5e4d...7T85dd5 (KSK)

.domain.com IN DNSKEY t457uc7...4s03oF5l2 (ZSK)
.domain.com IN RRSIG DNSKEY KSK .domain.com ...
.domain.com IN RRSIG DNSKEY ZSK .domain.com ...
.www.domain.com IN A 187.65.3.71
.www.domain.com IN RRSIG A ... ZSK .www.domain.com ...

.domain.com zone

Figure 49.12. The DNSSEC chain of trust from root to subzones

Keep in mind that:

• On smart architectures, enabling DNSSEC validation makes all the physical servers they
contain DNSSEC compliant.
• Maintaining a valid chain of trust is paramount because broken chains of trust would result in
data being marked as bogus and may cause entire zones or subzones to become invisible to
verifying clients. To verifying clients, a secure zone is either part of a chain or trust or insecure.
• By default, ICANN trust anchors are available on the page All DNSSEC keys. If you want to
add another trust anchor, refer to the section Adding a Trust Anchor.
• DNSSEC validation is all the more efficient if your chain of trust is complete before setting a
server as resolver. Indeed, when a DNSSEC resolver receives a response from an unsigned
zone that has a signed parent:
• It confirms with the parent that the zone was intentionally left unsigned. It verifies, via signed
and validated NSEC/NSEC3 records, that the parent zone contains no DS records for the
child.
• If the DNSSEC resolver can prove that the zone is secure, it accepts the response.
• If the DNSSEC resolver cannot prove that the zone is secure, it assumes that the response
is insecure and probably a forgery, rejects the response and logs an error.
• You can enable a server as DNSSEC resolver without signing the zones that the server man-
ages. This ensures that the information sent out to its DNS clients is valid and protected.
• A DNS servers used as DNSSEC resolver cannot validate records matching nodes in the
module Application. Once an application is deployed on a GSLB enabled physical server, all
its nodes replace DNS answers and do not update RRSIG records. For more details regarding
nodes, refer to the part Application.

751
 DNSSEC

. (root) verification against

KSK DNSKEY the trust anchor
DS

hash
Trust Anchor
comparison
.com
KSK DNSKEY
DNSSEC
validator DS
DNS client hash
comparison
.domain.com
KSK DNSKEY

Figure 49.13. DNSSEC validation

To enable DNSSEC validation

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the server of your choice, click on . The properties page opens.
3. In the panel DNSSEC, click on EDIT . The wizard Edit DNSSEC properties opens.
The box is not available for servers managed via a smart architecture, in this case to tick
the box you must edit the smart architecture.
4. Tick the box Use DNS as DNSSEC resolver. The wizard refreshes.
5. In the list Available Trust Anchor, select a trust anchor and click on . The trust anchor is
moved to the list Configured Trust Anchors.
To remove a trust anchor from the list, select it and click on . It is moved back to the list
Available Trust Anchor.
6. Click on OK to complete the operation.The wizard closes. In the panel DNSSEC, the DNSSEC
resolution is now Enabled and the list Trust Anchors contains the chosen trust anchor(s).
On the page All servers, in the column DNSSEC the server is now marked Yes.
On the properties page of the trust anchor, in the panel DNS servers using this trust anchor,
the server is listed.

Once DNSSEC is configured, the DNS packages sent and received often exceed 512 bytes, so
we recommend configuring EDNS to extend the size of your DNS messages. For more details,
refer to the section Configuring EDNS Options at Server Level.

Managing Trust Anchors

From the page All DNSSEC keys, you can manage the trust anchors used to configure resolvers
for DNSSEC validation.

You can add trust anchors, use one trust anchor on several resolvers and delete them.

Browsing the Trust Anchor Database

To display the list of trust anchors
1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. In the breadcrumb on the right of All zones, click on to display additional pages.

752
 DNSSEC

3. Click on All DNSSEC keys. The page opens.

4. At the end of the line of the key of your choice, click on . The properties page opens.

All trust anchors have a unique Name on the page All DNSSEC keys. By default, ICANN trust
anchors are available on the page.

Adding a Trust Anchor

If you want to set up your own chain of trust from one of your signed zones, you can add a trust
anchor.

If a local trust anchor is available, it is used to verify the zone without comparing the KSK protecting
the zone against all its signed parent zone.

Trust Anchor verified?

is the DS
RRset valid?
DS
verified?

same
hash?

KSK DNSKEY

Figure 49.14. The KSK is verified if a local trust anchor is available

To successfully set up your chain of trust you must:

1. Sign the zone used at the top of the chain of trust.
2. Retrieve the trust anchor information on the properties page of the KSK of that zone.
3. Add the new trust anchor to the page All DNSSEC keys.
4. Use the trust anchor on the relevant DNSSEC resolver.

To add a DNSSEC trust anchor

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. In the breadcrumb on the right of All zones, click on to display additional pages.
3. Click on All DNSSEC keys. The page opens.
4. Retrieve the trust anchor information
a. At the end of the line of the KSK of the zone of your choice, click on . The properties
page opens.
b. In the panel Trust anchor, copy the content of the list Key.
c. In the breadcrumb, click on DNSSEC Key to go back to the page All DNSSEC keys.
5. Add the trust anchor
a. In the menu, click on Add. The wizard Add trust anchor opens.

753
 DNSSEC

b. In the field Key, paste the trust anchor information you just retrieved.
c. Click on OK to complete the operation. The trust anchor is now listed on the page All
DNSSEC keys. In the column Zone, the name of the zone it was retrieved from is listed.
6. Now you must add the trust anchor to the resolver managing your zones as detailed in the
procedure To enable DNSSEC validation.

Using One Trust Anchor On Several Resolvers

You can use one trust anchor on several resolvers, provided that they support it.

To use one trust anchor on several resolvers

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. In the breadcrumb on the right of All zones, click on to display additional pages.
3. Click on All DNSSEC keys. The page opens.
4. At the end of the line of the trust anchor of your choice, click on . The properties page
opens.
5. In the panel DNS servers using this Trust Anchor, click on EDIT . The wizard DNSSEC
chain of trust configuration opens.
6. In the DNS server list, select a server and click on . The server is moved in the list Selec-
ted. Repeat this action for as many servers as needed.
To stop using a trust anchor on a particular server, select it in the list Selected and click on
. It is moved back to the DNS server list.
7. Click on OK to complete the operation. The servers are now listed in the panel DNS servers
using this Trust Anchor.

Deleting a Trust Anchor

You can only delete a trust anchor no longer used by any DNSSEC resolver.

To delete a DNSSEC trust anchor

1. In the sidebar, go to DNS > Zones. The page All zones opens.
2. In the breadcrumb on the right of All zones, click on to display additional pages.
3. Click on All DNSSEC keys. The page opens.
4. Tick the trust anchor(s) of your choice.
5. In the menu, click on Delete. The wizard Delete opens.
6. Click on OK to complete the operation. The key is no longer listed.

Disabling DNSSEC Validation

You can disable DNSSEC validation on a resolver, you must edit it and untick the relevant box.

Once the validation is disabled, the server is no longer part of the chain of trust of the trust anchor.
Both the server and the trust anchor information are updated.

To disable DNSSEC validation

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the server of your choice, click on . The properties page opens.

754
 DNSSEC

3. In the panel DNSSEC, click on EDIT . The wizard Edit DNSSEC properties opens.
4. Untick the box Use DNS as DNSSEC resolver. The wizard refreshes and no longer displays
the lists Available Trust Anchor and Configured Trust Anchors.
The box is not available for servers managed via a smart architecture, in this case to untick
the box you must edit the smart architecture.
5. Click on OK to complete the operation.The wizard closes. In the panel DNSSEC, the DNSSEC
resolution is now Disabled and the list Trust Anchors is empty.
On the page All servers, in the column DNSSEC the server is now marked No.
On the properties page of the trust anchor, in the panel DNS servers using this trust anchor
no longer lists the server.

755
Chapter 50. Monitoring and Reporting
DNS Data
SOLIDserver provides a set of tools to monitor DNS servers and generate reports.
• The alerts that you can set on the DNS pages allow to customize your monitoring. For more
details, refer to the chapter Managing Alerts.
• A set of statistics are available in dedicated panels of the properties page of DNS servers, as
detailed in the section Monitoring DNS Servers from their Properties Page.
• A set of data sampling analytics are available on the page Analytics, as detailed in the section
Monitoring DNS Servers from the Page Analytics.
• A couple of tools allow to monitor a DNS server querylog and answerlog, as detailed in the
section Monitoring DNS Queries and Answers.
• A number of reports on servers, views and zones are available, as detailed in the section
Generating DNS Reports.

Monitoring DNS Servers from their Properties Page

On the properties page of a physical or smart DNS server, some panels are dedicated to monit-
oring queries and changes.
DNS - Successful queries - <server-name>
A chart returning the number of answers found in the cache (Success) and the number of
answers that were not cached (Recursion), in queries per second.
DNS - Failed queries - <server-name>
A chart returning all failed queries answers (Failure, NXRRSET, NXDOMAIN, Referral, Du-
plicate or Dropped), in queries per second.
DNS - Authoritative vs recursive queries - <server-name>
A chart returning all Authoritative and Recursive answers, in queries per second.
DNS - RPZ queries - <server-name>
A chart returning answers matching an RPZ rule configured on the server, in queries per
second. For more details regarding Response Policy Zone, refer to the chapter DNS Firewall
(RPZ).
State log
The server logs.
Audit
All the latest changes performed on the server by the user logged in.

Note that you might have additional panels called Guardian - <data> on the properties page, if
you have enabled DNS Guardian on your appliance. For more details, refer to the part Guardian.

Keep in mind that:

• The chart data is retrieved using SNMP, therefore, the graphs are empty if the SNMP is not
configured properly. To edit the SNMP parameters of an EfficientIP DNS server, refer to the
section Editing the SNMP Monitoring Parameters of an EfficientIP DNS Server.
• You can zoom in and out or decide the period and data to display in the charts. For more details,
refer to the section Charts.

756
 Monitoring and Reporting DNS Data

• The panels can be displayed on any dashboard, like the other gadgets. For more details, refer
to the section Assigning a Chart on a Properties Page as Gadget.

To display the query statistics of a DNS server

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the server or smart architecture of your choice, click on . The
properties page open.
3. Click on to display the content of the panel DNS - <server statistics> of your choice.

By default, on a smart architecture properties page, statistics panels are displayed for maximum
ten physical servers. For more details, refer to the section Setting the number of DNS server
statistics panels to display.

To display a DNS server state log

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the server or smart architecture of your choice, click on . The
properties page open.
3. To open the panel State log, click on . The panel content retrieves the server state in the
logs: OK , KO, Invalid settings... and the time and date for each.

To display a DNS server audit

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the server or smart architecture of your choice, click on . The
properties page open.
3. To open the panel Audit, click on . The panel displays the latest changes in the database.
The Date and time it occurred, the Service used, the user and the User performing the oper-
ation and the server basic information: DNS name, DNS type and Architecture if relevant.
By default, it lists the changes carried out by the user logged in, but if they belong to a group
with access to the changes from all users, the panel displays all the operations ever per-
formed. For more details, refer to the section Allowing Users to Display All the Operations
Performed.

Setting the Number of DNS Server Statistics Panels to Display

You can set the number of panels dedicated to DNS server statistics that are displayed on the
properties page of a smart architecture. By default, the value is set to 10.

Keep in mind that:

• If you display a large number of charts, it will take more time for the page to load when you
open the panels.
• The number of panels you set applies to the properties page of DHCP and DNS smart archi-
tectures.

To set the number of server statistics panels to display on the properties page of
a smart
Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Registry database. The page Registry database opens.

757
 Monitoring and Reporting DNS Data

3. Filter the column Name with www.display.properties_page.stats.max_servers.

4. Hit Enter. Only this key is listed.
5. In the column Value, click on the value. The wizard Registry database edit a value opens.
6. In the field Value, specify the number of seconds of your choice. By default, it is set to 10.
7. Click on OK to complete the operation. The report opens and closes. The page refreshes
and the new key value is displayed.

Monitoring DNS Servers from the Page Analytics

The page Analytics provides data sampling lists dedicated to DNS queries and RPZ responses
for EfficientIP and Hybrid DNS servers. Keep in mind that:
• There are some limitations.
• The analytics functionality is enabled by default and samples the DNS traffic over specific
periods of time. By default, it offers 5-minute samples. If you want to set a shorter or bigger
periodicity, refer to the section Configuring the Analytics Retrieval.
• You can set up an alert on the entries displayed. For more details, refer to the chapter Managing
Alerts.

Limitations
• The analytics are only available for EfficientIP DNS physical servers and Hybrid DNS servers.
• The analytics data is only retrieved based on UDP traffic.
• Only the first 50 entries matching the selected metrics are listed. Therefore, if on the selected
period of time, 100 pieces of information are identical, the GUI only displays the first 50.
• You might slow your appliance down if you edit the purge mechanism to include more lines or
keep data longer than the default 30 days.

Accessing the Page Analytics

The page Analytics offers dedicated DNSTOP and RPZ data samples based on the DNS queries
of the physical servers.

Each sample compares data retrieved over a specific periodicity, a limited period of time, that is
set by default to a sample time of 5 minutes. You can edit the sampling period following the pro-
cedure in the section Configuring the Periodicity.

Note that the page might display DNSTOP, RPZ and Guardian analytics. If you display the ana-
lytics of a specific server, either DNS and RPZ data or Guardian data is displayed. For more
details on DNS Guardian data, refer to the section Monitoring Guardian Statistics.

To display the page Analytics

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. In the breadcrumb on the right of All servers, click on to display additional pages.
3. Click on Analytics. The page opens.
4. To only display the analytics of a specific physical server, in the column Server, click on the
name of your choice. The server name is displayed in the breadcrumb and only its data is
returned.

All the columns displayed on the page depend on the DNSTOP or RPZ data selected. Keep in
mind that each column provides and compares data over the specified sample time.

758
 Monitoring and Reporting DNS Data

Table 50.1. DNSTOP columns on the page Analytics

Column name Description
Server The name of the physical server. This column is displayed for all analytics if no server is
displayed in the breadcrumb.
Start date The time and date when the data retrieval started. This column is displayed for all analytics.
You can filter it with the keyword last to display the data retrieved in the last X minutes,
where X is the number of minutes set for the Period of the server. If no data is retrieved
in that period, the list is empty.
End date The time and date when the data retrieval stopped. The end date respects the number of
minutes set for the Period. This column is displayed for all analytics. By default the column
is filtered with the keyword last to only display the data retrieved in the last X minutes set
for the Period of the server.
Period The periodicity set for the sample of queries, 1, 5, 10 or 15 minutes. This column is dis-
played for all analytics. The periodicity is set on the physical server properties page, for
more details refer to the section Configuring the Periodicity.
Domain The name of the domain queried by the client. This column is displayed for DNSTOP -
Top 50 Domains and DNSTOP - Top 50 Domains / Source IPs.
TLD The TLD of the domain queried by the client. This column is displayed for DNSTOP - Top
50 TLDs and DNSTOP - TLDs / Source IP.
Source IP The IP address of the client querying the information. This column is displayed for DNSTOP
- Top 50 Domains / Source IPs, DNSTOP - Top 50 Source IP and DNSTOP - Top 50 TLDs
/ Source IP.
Destination IP The IP address of the client receiving the information. This column is only displayed for
DNSTOP - Top 50 Destination IPs.
OpCode The operation codes returned for each query during the selected period: Query, Status,
Notify, Update... This column is only displayed for DNSTOP - Opcodes.
RCode The return code sent with each query response during the selected period: Noerror, Servfail,
Nxdomain... This column is only displayed for DNSTOP - Rcodes.
Query type The type of DNS resource record returned to provide the answer to the client: SOA, NS,
A, AAAA, PTR, MX... This column is only displayed for DNSTOP - Query types.
Total queries The total number of messages on the DNS traffic during the selected period, it includes
the queries and the codes returned. This column is displayed for all analytics.
Number of hits The exact number of times any domain, TLD, IP address, record type and/or code was
identified in the inbound or outbound DNS traffic during the selected period. This column
is displayed for all analytics.
For the DNSTOP - Top 50 Domains / source IP and DNSTOP - Top 50 TLDs / source IP,
the number of hits is based on the value of the columns Source IP and End date. For in-
stance, the number of times an A record was queried by the IP address <1.2.3.4> during
a 5-minute period.
Ratio The percentage of Number of hits compared with the Total queries for the selected period.
This column is displayed for all analytics.
For instance, the percentage that represents the A records queried to find the IP address
of <example.com> compared with all the messages on the traffic for a period of 5 minutes.

Table 50.2. RPZ columns on the page Analytics

Column name Description
Server The name of the physical server. This column is displayed for all analytics if no server is
displayed in the breadcrumb.
Start date The time and date when the data retrieval started. This column is displayed for all analytics.
You can filter it with the keyword last to display the data retrieved in the last X minutes,
where X is the number of minutes set for the Period of the server. If no data is retrieved
in that period, the list is empty.
End date The time and date when the data retrieval stopped. The end date respects the number of
minutes set for the Period. This column is displayed for all analytics. By default the column

759
 Monitoring and Reporting DNS Data

Column name Description

is filtered with the keyword last to only display the data retrieved in the last X minutes set
for the Period of the server.
Period The periodicity set for the sample of queries, 1, 5, 10 or 15 minutes. This column is dis-
played for all analytics. The periodicity is set on the physical server properties page, for
more details refer to the section Configuring the Periodicity.
Query The received DNS query that matched an RPZ rule. This column is only displayed for RPZ
- Top 50 queries.
Client The source IP address of the client performing the DNS query that matched an RPZ rule.
This column is only displayed for RPZ - Top 50 clients.
Domain The name of the domain queried by the client that matched an RPZ rule. This column is
only displayed for RPZ - Top 50 domains.
Rule Source The Source configured on the matched RPZ rules: QNAME, IP, NSDNAME, NS-IP... This
column is only displayed for RPZ - Rules source.
Rule Policy The Policy configured on the matched RPZ rules: NXDOMAIN, PASSTHRU, DROP, Re-
direct... This column is only displayed for RPZ - Rules policy.
Total queries The total number of messages on the DNS traffic that were rewritten by RPZ rules during
the selected period. This column is displayed for all analytics.
Number of hits The exact number of times any domain, query, client IP address, source or policy was
identified in the inbound or outbound DNS traffic and rewritten by RPZ rules during the
selected period. This column is displayed for all analytics.
Ratio The percentage of Number of hits compared with the Total queries for the selected period.
This column is displayed for all analytics.
For instance, the percentage that represents the A records queried to find the IP address
of <example.com> compared with all the messages on the traffic for a period of 5 minutes.

Displaying the DNS and RPZ Analytics

From the page Analytics, you can display the physical server DNS and RPZ data samples retrieved
from the messages. It focuses by default on a sample period of 5 minutes to draw Top 50 com-
parisons.

To display specific DNS analytics data

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. In the column Name, click on the server or smart architecture of your choice to display the
zones it contains.
3. In the breadcrumb on the right of the server name, click on to display additional pages.
4. Click on Analytics. The page opens.
5. Under the menu, in the drop-down list Display, select a DNSTOP - <data> or RPZ - <data>.
The page data and columns refresh. All available analytics are detailed in the tables below.
If the drop-down list only contains data named Guardian - <sample>, refer to the section
Displaying Guardian Analytics Tops.
6. Under the drop-down list, you can tick the box Automatic refresh to automatically refresh
the data listed every minute. To edit the page refresh frequency, refer to the section Editing
the Automatic Refresh Frequency.

You can edit the sample time following the procedure in the section Configuring the Periodicity.

760
 Monitoring and Reporting DNS Data

Table 50.3. DNSTOP analytics

Statistic Description
Top 50 Domains The top 50 queried domains on the DNS traffic during the configured Period.
Selecting it displays the column Domain.
Top 50 Domains / source IP The top 50 domains queried by specific IP addresses on the DNS traffic during
the configured Period. Selecting it displays the columns Domain and Source
IP.
Top 50 Destination IPs The top 50 answered clients on the DNS traffic during the configured Period.
Selecting it displays the column Destination IP.
Top 50 Source IPs The top 50 querying clients on the DNS traffic during the configured Period.
Selecting it displays the column Source IP.
Top 50 TLDs The top 50 TLDs queried on the DNS traffic during the configured Period. Se-
lecting it displays the column TLD.
Top 50 TLDs / source IP The top 50 TLDs queried by specific IP addresses on the DNS traffic during
the configured Period. Selecting it displays the columns Domain and TLD.
Opcodes All the operation codes on the DNS traffic during the configured Period. Select-
ing it displays the column Opcode.
Rcodes All the return codes on the DNS traffic during the configured Period. Selecting
it displays the column Rcode.
Query types All the RR types of the queries answered on the DNS traffic during the con-
figured Period. Selecting it displays the column Query type.

In the following table, RPZ rule refers to a combination of source, pattern and policy configured
in rules that matched DNS client queries.

Table 50.4. RPZ analytics

Statistic Description
Top 50 Queries The top 50 queries that matched an RPZ rule during the configured Period.
Selecting it displays the column Query.
Top 50 Clients The top 50 clients whose query matched an RPZ rule during the configured
Period. Selecting it displays the column Client.
Top 50 Domains The top 50 queried domains that matched RPZ rules during the configured
Period. Selecting it displays the column Domain.
a
This top relies on the public suffix list to ensure that only registrable domains
are taken into account, even the ones that include a country code top-level
domain (ccSLD), like co.uk. For private domains, only TLDs are taken into ac-
count.
Rules source The distribution of the sources configured for the matched RPZ rules during
the configured Period. Selecting it displays the column Rule Source.
Rules policy The distribution of the policies configured for the matched RPZ rules during
the configured Period. Selecting it displays the column Rule Policy.
a
For more information, visit https://publicsuffix.org/.

Configuring the Analytics Retrieval

You can configure the DNS analytics retrieval according to your needs.You can edit the sampling
period, or periodicity, the page automatic refresh frequency, the data retrieval frequency and
even its purge frequency.

All DNS retrieval settings affect both DNS and RPZ analytics.

761
 Monitoring and Reporting DNS Data

Editing the Automatic Refresh Frequency

On the page Analytics, the box Automatic refresh allows to automatically refresh the page
display every 60 seconds. You can edit this frequency via a registry database key.

To edit the analytics automatic refresh frequency

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Registry database. The page Registry database opens.
3. Filter the column Name with www.dns.stat.refresh.
4. Hit Enter. Only this key is listed.
5. In the column Value, click on the value. The wizard registry database edit a value opens.
6. In the field Value, specify the number of seconds of your choice. By default, it is set to 60.
7. Click on OK to complete the operation. The report opens and closes. The page refreshes
and the new key value is visible.

Configuring the Periodicity

By default, the data sampling compare the DNS traffic over a sample periodicity of 5 minutes.
On the page Analytics, the sample time is specified in the column Period.

You can configure a shorter or larger periodicity on each physical server individually.

Note that no matter the periodicity, the data is available on the page at a frequency specified
through the rule 380. To edit that rule, refer to the section Configuring the DNS Analytics Retrieval
Frequency.

To edit the DNS analytics periodicity of a physical server

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the physical server of your choice, click on . The properties page
opens.
3. Open the panel DNS analytics. It indicates if the retrieval is enabled and the periodicity.
4. Click on EDIT . The wizard Configure DNS analytics opens.
5. Make sure the box Enable analytics collection is ticked.
6. In the drop-down list Periodicity (min.), select 1, 5, 10 or 15. By default, 5 is selected.
7. Click on OK to complete the operation.

Configuring the DNS Analytics Retrieval Frequency

The frequency to which the analytics are displayed in the GUI is set by the rule 380, DNS Analytics.
By default, every 5 minutes it displays the data comparison results for messages sampled during
1, 5, 10 or 15 minutes, depending on the configured periodicity.

No matter the periodicity you set on the physical server, the data is available in the GUI depending
on the rule configuration.

To edit the rule 380 that sets the DNS analytics data retrieval
Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.

762
 Monitoring and Reporting DNS Data

2. In the section Expert, click on Rules. The page Rules opens.

3. In the column Rule #, type in 380 and hit Enter. The rule is the only one listed.
4. At the end of the line, click on . The properties page opens.
5. In the panel Main properties, click on EDIT . The wizard Edit a rule opens.
6. In the field Rule name, you can rename the rule. This field is required.
7. In the field Comment, you can insert, edit or delete the rule comment. This field is optional.
8. Click on NEXT . The page Rule filters opens.
9. Edit the rule frequency according to your needs.

Table 50.5. Frequency filters of the rule 380

Column Default value
Day(s) of the week A day, a frequency or a period of days. By default, every day is selected. This field is
optional.
Date of the month A specific day of the month or every day. By default, every day is selected. This field
is optional.
Month A specific month or every month. By default, every month is selected. This field is
optional.
Hour A specific hour, a set of hours, every hour, or every hour over a specific period. The
hour respects the UTC standard. By default, every hour is selected. This field is op-
tional.
Minute A moment of the hour (00, 15, 30 or 45) or a frequency. The minute respects the UTC
standard. By default, every 5 minutes is selected. This field is optional.

10. Click on OK to complete the operation.

Configuring the DNS Analytics Purge Frequency

You can configure the purge mechanism of the analytics retrieval. By default, it is based on:
• The data age. The rule 382, Purge DNS Analytics, deletes data older than 30 days. You can
set it to delete data earlier or later.
• A lines count. A registry key deletes data if the analytics database exceeds 100,000 lines, each
analytic can reach that many lines. You can set a lower or higher threshold.

As both thresholds work together, once the number of days or the number of lines is met, the
unwanted data the deleted.

No matter the way you want to purge your database, keep in mind that if you set very high
thresholds, you may slow down your appliance because the database contains too much
information.

To edit the rule 382 that purges the DNS analytics

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Rules. The page Rules opens.
3. In the column Rule #, type in 382 and hit Enter. The rule is the only one listed.
4. At the end of the line, click on . The properties page opens.
5. In the panel Main properties, click on EDIT . The wizard Edit a rule opens.
6. In the field Rule name, you can rename the rule. This field is required.
7. In the field Comment, you can insert, edit or delete the rule comment. This field is optional.

763
 Monitoring and Reporting DNS Data

8. Click on NEXT . The page Rule filters opens

9. Edit the rule frequency according to your needs.

Table 50.6. Frequency filters of the rule 382

Column Default value
Day(s) of the week A day, a frequency or a period of days. By default, every day is selected. This field is
optional.
Date of the month A specific day of the month or every day. By default, every day is selected. This field
is optional.
Month A specific month or every month. By default, every month is selected. This field is
optional.
Hour A specific hour, a set of hours, every hour, or every hour over a specific period. The
hour respects the UTC standard. By default, 23 is selected. This field is optional.
Minute A moment of the hour (00, 15, 30 or 45) or a frequency. The minute respects the UTC
standard. By default, 30 is selected. This field is optional.

10. Click on NEXT . The page Rule parameters opens.

11. In the field Number of days, specify the number of days above which you want the logs
database to be purged. By default, it is set to 30, logs older than thirty days are automatically
deleted.
12. Click on OK to complete the operation.

To add a threshold to purge DNS analytics

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Registry database. The page Registry database opens.
3. In the menu, click on Add. The wizard Registry database Add an item opens.
4. In the field Name, type in dns.stats.limit.
5. In the field Value, specify the number of lines of your choice, above that value the data is
purged. By default, it is set to 100000.
6. Click on OK to complete the operation. The report opens and closes. The page refreshes
and the key is listed.

Exporting the Analytics

From the page Analytics, you can export the data listed in a CSV, HTML, XML, XLS or PDF file.

Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.

Disabling the Analytics

You can disable analytics and stop retrieving the data of any physical server.

To disable the analytics retrieval on a DNS physical server

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the server of your choice, click on . The properties page opens.
3. Open the panel DNS analytics. It indicates if the retrieval is enabled and the periodicity.
4. Click on EDIT . The wizard Configure DNS analytics opens.

764
 Monitoring and Reporting DNS Data

5. Untick the box Enable analytics collection.The page refreshes, the drop-down list Periodicity
(min.) is no longer visible.
6. Click on OK to complete the operation. In the panel, the field Enable analytics collection
is marked no.

Monitoring DNS Queries and Answers

You can toggle the logs and monitor DNS physical servers queries and answers.

Monitoring DNS Queries

You can display all the DNS queries of an EfficientIP or a BIND DNS server. You can execute
the command querylog from the page All servers and then display the whole list of logs on the
page Syslog in the Administration module.

Querylog is a toggle command that provides an overview of all the DNS queries in IPv4 and IPv6.
The logs structure is as follows:
a. The requesting client IP address and port number, the query name, class and type.
b. The recursion detailed, + or -. The Recursion Desired flag: + is set (the query was recursive),
- is not set (the query was iterative).
c. DNS options details if relevant: whether the query is signed (S), whether EDNS was used (E),
whether TCP was used (T), whether DO - DNSSEC OK - was set (D), whether CD - Checking
Disabled - was used (C).
d. The IP address the information was sent to.

Keep in mind that all the logs can be displayed in the page Syslog in real time. They can slow
this page down consistently as the querylog command can generate a substantial volume of data
very quickly.

To toggle on the DNS querylog command

1. Enabling the querylog
a. In the sidebar, go to DNS > Servers. The page All servers opens.
b. Tick the server of your choice.
c. In the menu, select Edit > Command > Querylog. The wizard Toggle the querylog
command opens.
d. Click on OK to complete the operation. The report opens and closes. The server is
marked Enabled in the column Querylog.
2. Displaying the DNS query and answer logs
a. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
b. In the section Monitoring, click on Syslog. The page Syslog opens.
c. Under the menu, in the drop-down list SOLIDserver, make sure the hostname of the
appliance managing the DNS server for which you toggled on the querylog is selected.
d. In the drop-down list Services, select named.
e. You can tick the box Automatic refresh if you want the page Syslog to refresh the log
display every 10 seconds.
f. Filter the list via the column Time with the current date, and the time if you want.
g. In the column Log, all the query and answer logs of your server are displayed.

765
 Monitoring and Reporting DNS Data

The first logs are received control channel command 'querylog' and query logging is
now on; all the logs are listed below.

To toggle off the DNS querylog command

1. Disabling the querylog
a. In the sidebar, go to DNS > Servers. The page All servers opens.
b. Tick the server of your choice. It is marked Enabled in the column Querylog.
c. In the menu, select Edit > Command > Querylog. The wizard Toggle the querylog
command opens.
d. Click on OK to complete the operation. The report opens and closes. The server is
marked Disabled in the column Querylog.
2. Making sure the querylog is off
a. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
b. In the section Monitoring, click on Syslog. The page Syslog opens.
c. Under the menu, in the drop-down list SOLIDserver, make sure the hostname of the
appliance managing the DNS server for which you toggled on the querylog is selected.
d. In the drop-down list Services, select named.
e. You can tick the box Automatic refresh if you want the page Syslog to refresh the log
display every 10 seconds.
f. Filter the list via the column Time with the current date, and the time if you want.
g. In the column Log, two lines indicate the querylog is toggled off: received control
channel command 'querylog' and query logging is now off.

Monitoring DNS Answers

You can display all the DNS answers of an EfficientIP or a BIND DNS server from the CLI.

Answerlog is a toggle command that provides an overview of all the DNS answers in IPv4 and
IPv6. It uses the same information structure as querylog, each log contains: client information,
recursion details, DNS options when relevant... For more details, refer to the log structure in the
section Monitoring DNS Queries.

When answerlog is on, it displays two lines: first the initial query, second the answer received by
the client followed by the return code of the answer: NOERROR, SERVFAIL, NXDOMAIN...

To toggle on the DNS answerlog command

1. Connect to your appliance via a shell session.
2. Use the following command:
/usr/local/nessy2/bin/rndc answerlog

The logs look as follows:

# Line 1: the initial client query.
# Line 2: the answer sent to the client followed by the return code of the answer.

Nov 18 18:05:08 my-appliance-hostname named[1552]: client 127.0.0.1#31070

(www.google.com): view vue3: query: www.google.com IN A +E (127.0.0.1)
Nov 18 18:05:08 my-appliance-hostname named[1552]: client 127.0.0.1#31070
(www.google.com): view vue3: answer: www.google.com IN A +E (127.0.0.1) -> NOERROR

766
 Monitoring and Reporting DNS Data

www.google.com. 95 A 74.125.71.99 A 74.125.71.103 A 74.125.71.104 A 74.125.71.105

A 74.125.71.106 A 74.125.71.147

To toggle off the DNS answerlog command

1. Connect to your appliance via a shell session.
2. Use the following command:
/usr/local/nessy2/bin/rndc answerlog

Generating DNS Reports

EfficientIP provides dedicated DNS reports at server and zone level.The reports on inconsistencies
or misconfiguration details might be empty if the server or zone configuration is correct.

Table 50.7. Available DNS reports

Page Report
All servers Smart architecture incompatibilities
Route 53 incompatibilities
Zones NS and IP addresses
A records without an IPv4 address or alias
AAAA records without an IPv6 address or alias
CNAME records without an alias
PTR records without an IPv4 address
PTR records without an IPv6 address
Servers configuration
Hybrid DNS Engine incompatibilities
Server peak hour
Servers configuration comparison
Query rate per server
Server reply to queries charts
Server usage charts
All views View statistics
All zones Zones NS and IP addresses
Zones missing RRs
Zone statistics
Zones configuration comparison

For more details regarding the reports and their generation, refer to the section Managing Reports.

767
 Part VIII. Global Policies
Global policies are options that allow to set specific behaviors within a module or between modules. They
are available in the modules IPAM, DHCP, DNS and Device Manager.
• Inheritance and Propagation allows to use meta-data, advanced properties and class parameters across
the hierarchy of most modules. You can set, inherit, propagate or restrict an object's property from one
level to the other.
• Managing Advanced Properties allows to configure advanced properties that define interactions between
and/or within the modules IPAM, DHCP, DNS, Device Manager and VLAN Manager.
Table of Contents
51. Inheritance and Propagation ..................................................................................... 770
Prerequisites ........................................................................................................ 771
Limitations ............................................................................................................ 772
Configuring the Inheritance of a Parameter Value .................................................... 772
Configuring the Propagation of a Parameter Value ................................................... 774
Setting Class Parameters ...................................................................................... 775
Reconciling Class Parameters ............................................................................... 776
52. Managing Advanced Properties ................................................................................ 778
Prerequisites ........................................................................................................ 779
Browsing Advanced Properties .............................................................................. 779
Configuring IPAM Advanced Properties .................................................................. 780
Configuring DHCP Advanced Properties ................................................................. 806
Configuring DNS Advanced Properties ................................................................... 810
Setting Advanced Properties .................................................................................. 812

769
Chapter 51. Inheritance and Propagation
Within all modules, you can propagate parameter values throughout the internal hierarchy.

For each meta-data, advanced property and class parameter, you can configure the Inherit-
ance property to Set or Inherit and/or the Propagation property to Propagate or Restrict in a
dedicated window.

By default, each parameter value is automatically propagated from one level to the next. The
Propagation property at parent level is configured to Propagate, while the Inheritance property
at child levels is configured to Inherit.

SPACE DNS server: ns1.mycorp.com

NETWORK Default domain: lab.mycorp.com

BLOCK

NETWORK Gateway: 10.6.22.255

SUBNET

POOL

ADDRESS
DNS server: ns1.mycorp.com
Default domain: lab.mycorp.com
Gateway: 10.6.22.255

Figure 51.1. Example of the inheritance and propagation of some advanced properties in the IPAM

In the example above, advanced properties are automatically propagated and inherited within
the IPAM. Therefore, the IP addresses are configured with a DNS server set at space level, a
Default domain set at block-type network level and a Gateway set at subnet-type network level.

When you add or edit a resource, right of each meta-data, advanced property and class parameter,
an icon displays the current inheritance and propagation property configuration:

Table 51.1. Inheritance and Propagation property possible configurations

Icon Configuration
Inheritance: Set. Propagation: Propagate. The default value of both properties.
Inheritance: Set. Propagation: Restrict.
Inheritance: Inherit. Propagation: Propagate.
Inheritance: Inherit. Propagation: Restrict.

770
 Inheritance and Propagation

You can tailor the propagation and inheritance of each parameter within the hierarchy of a module.

SPACE DNS server: ns1.mycorp.com

NETWORK
BLOCK

NETWORK DNS server: ns8.mycorp.com

SUBNET

POOL

ADDRESS

DNS server: ns8.mycorp.com

Figure 51.2. Example of an advanced property changed at subnet-type network level

In the example above, the advanced property DNS server has one value from space down to
block-type network level, and a different value from subnet-type network down to IP address
level.

Prerequisites
The Inheritance property and/or the Propagation property can be configured on:
• Advanced Properties within the IPAM, the DNS and/or the DHCP at all levels. For more details
regarding advanced properties, refer to the chapter Managing Advanced Properties.
• Meta-data throughout SOLIDserver. By default, all resources include meta-data in the class
global. For more details regarding meta-data, refer to the chapter Configuring Classes.
In addition, note that the meta-data Description is available by default when you add or edit
IPAM networks and Device Manager devices. You can define its inheritance and propagation
without editing the class global.
• Class Parameters throughout SOLIDserver. When you apply a custom class added from the
page Class Studio, all the class objects it contains become the class parameters of the resource.
For more details regarding custom classes, refer to the chapter Configuring Classes.

771
 Inheritance and Propagation

Limitations
• The Inheritance property cannot be configured at some levels:
• At the top level of any module, you cannot switch the property to Inherit, it is forced to Set.
• The top level objects cannot inherit parameters, this includes IPAM spaces outside VLSM
organizations, DHCP servers, DNS servers, DNS RRs, NetChange devices, Workflow re-
quests, Device Manager devices, VLAN domains and groups of users, in the module Admin-
istration.
Note that within space-based VLSM organizations, this limitation only applies to the top level
space, all the spaces it contains can inherit parameters.
• The Propagation property cannot be configured at some levels:
• At the lowest level of any module, you cannot set the property to Propagate, it is forced to
Restrict.
• The lowest objects cannot propagate parameters, this includes IPAM IP addresses; DHCP
groups, ranges and statics; DNS zones and RRs; Device Manager interfaces and ports;
NetChange ports and VLAN Manager VLANs.
• Changing the inheritance/propagation of a parent object cannot trigger additions at
lower levels.
If parent objects already contain objects, changing the inheritance and propagation of advanced
properties that trigger additions does not automatically trigger additions at lower levels. For
instance, if you set and propagate the advanced property Add a DHCP static on a terminal
network, the assigned IP addresses it already contains are not added in the DHCP.
To trigger the addition behavior, you must tick all existing objects at lower levels and in the
menu select Tools > Expert > Initialize rules.
• Some operations are impossible, you cannot:
• Configure the Inheritance property and Propagation property to Inherit/Restrict in template
mode in the IPAM. An inherited parameter value must be propagated.
• Delete a class parameter from a parent object if its Inheritance property is Inherit.
• Restrict the propagation of a parameter that has already been propagated.
• Edit the inheritance or propagation property of an advanced property that is not displayed
by Default. Only users of the group admin can display All the available advanced properties
in the addition/edition wizard and configure them.
• Reconciling class parameter must follow a specific order.
If you plan on reconciling the meta-data, advanced properties and/or class parameters of all
the objects of a module, you must start from the lowest level of the hierarchy up to the highest
one.

Configuring the Inheritance of a Parameter Value

Before configuring the Inheritance property, keep in mind that:
• The Inheritance property can be configured to Inherit or Set.
• The Inheritance property default value is Inherit if on the parent object the Propagation property
is Propagate.
• The Inheritance property is forced to Set if on the parent object the parameter is not configured.
• The Inheritance property is forced to Set if on the parent object the parameter is configured
with the Propagation property to Restrict.

772
 Inheritance and Propagation

SPACE Default domain: lab.mycorp.com

NETWORK
BLOCK

NETWORK
SUBNET

POOL Default domain: priv.mycorp.com

ADDRESS

No inherited Domain

Figure 51.3. Example of an advanced property changed and restricted at pool level

Once configured on a parent object, the value is used on all the objects it contains if their
inheritance property is configured to Inherit. In the example above, all objects from space
down to pool level have the property Default domain, but not the IP addresses. At space level,
a domain is configured to Set/Propagate. At network level, the same domain is configured to In-
herit/Propagate. At pool level, the domain has a different value configured to Set/Restrict, it ignores
the configuration of higher levels, therefore the IP addresses of the pool are not configured with
the property Domain.

In the following procedure, is only used to illustrate the inheritance and propagation properties
icon, it may not match your current configuration.

The inheritance property has to be configured directly in the addition/edition wizard of an object.
In this section, configuring includes defining the inheritance property for the first time or editing
its value.

To configure the inheritance of an advanced property or class parameter

1. Take into account the inheritance prerequisites and limitations.
2. Go to the module and page of your choice.
3. Add or edit a resource. The corresponding wizard opens.
4. If custom classes are enabled, in the list <object> class select a class or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. Right of the field of your choice, click on . The configuration window opens.
6. In the drop-down list Inheritance property, click on Set or Inherit.
Keep in mind that you cannot configure the inheritance property at the highest level of a
module.
7. Click on OK to complete the operation. The report opens and closes.
The inheritance/propagation property icon details the object configuration on its properties
page.

773
 Inheritance and Propagation

Note that deleting some objects of the IPAM and DNS hierarchy triggers the automatic
inheritance:
• When you delete a non-terminal subnet-type network, an IPAM pool or a DNS view that contains
other objects at lower levels, the child objects are automatically moved higher in the hierarchy.
• If the child objects inherited class parameters from the deleted container, for each class para-
meter:
• The Inheritance property is forced to Inherit or Set to match the configuration of the deleted
parent object. This way, the value and the source of the value remain the same.
• The Propagation property remains the same.

Configuring the Propagation of a Parameter Value

Before configuring the Propagation property, keep in mind that:
• The Propagation property can be configured to Propagate or Restrict.
• The Propagation property default value is Propagate. A parent object propagates the parameter
value to its child objects, if they are not yet configured with this parameter. On said child objects,
the new parameter Inheritance property is automatically configured to Inherit.
Note that you cannot propagate a parameter to child objects if they are already configured with
a different value of this parameter, whether the parameter was set or inherited.
• The Propagation property is forced to Restrict if it is impossible to propagate parameters on
the child objects.

SPACE DHCP failover channel: dhcp-clust1.mycorp.com

NETWORK
BLOCK

NETWORK
SUBNET

POOL

ADDRESS

No DHCP failover channel

Figure 51.4. Example of an advanced property inherited and restricted at network level

Once configured on a parent object, the value is used on all the objects it contains if their
propagation property is configured to Inherit. In the example above, all objects from the space
level down to subnet-type network level have the property DHCP failover channel, but not the
pools and IP addresses. At space level, a failover channel is configured to Set/Propagate. At
block-type networks level, the same failover channel is configured to Inherit/Propagate. At subnet-
type network level, it is configured to Inherit/Restrict, so the pools and IP addresses do not inherit
the property.

In the following procedure, is only used to illustrate the inheritance and propagation properties
icon, it may not match your current configuration.

774
 Inheritance and Propagation

The propagation property has to be configured directly in the addition/edition wizard of an object.
In this section, configuring includes defining the propagation property for the first time or editing
its value.

To configure the propagation of an advanced property or class parameter

1. Take into account the propagation prerequisites and limitations.
2. Go to the module and page of your choice.
3. Add or edit a resource. The corresponding wizard opens.
4. If custom classes are enabled, in the list <object> class select a class or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. Right of the field of your choice, click on . The configuration window opens.
6. In the drop-down list Propagation property, click on Propagate or Restrict depending on
your needs.
Keep in mind that you cannot configure the propagation property at the lowest level of a
module.
7. Click on OK to complete the operation. The report opens and closes.
The inheritance/propagation property icon details the object configuration on its properties
page.

Setting Class Parameters

You can set class parameters for several objects at once using the option Set class parameters.
This option also allows to edit or define the inheritance and propagation configuration of the
parameters of an object. This operation is quite advanced and should not be delegated lightly to
users that do not belong the group admin.

If you only want to set advanced properties on several objects at once, we recommend that you
use the option Set advanced properties because the wizard already contains all the available
values and allows to choose them in dedicated drop-down lists rather than specifying them in
fields. For more details, refer to the section Setting Advanced Properties.

Using the option Set class parameters allows, as long as you are aware of the limitations, to:
• Set any parameter on an object: either a class parameter or meta-data.
• Overwrite any parameter configured or not.
• Overwrite the value of the Inheritance property and/or Propagation property of a parameter.
• Propagate a configured parameter to child objects if their Inheritance property is Inherit.
• Restrict a parameter at the level of your choice.

Note that, in the wizard, the drop-down lists Inheritance property and Propagation property are
only displayed if they are relevant to the object you selected.

To set parameters inheritance and/or propagation property on several objects

1. Go to the module and page of your choice.
2. Tick the object(s) for which you want to set the inheritance and/or propagation property on
one or more parameter.
3. In the menu, select Tools > Expert > Set class parameters. The wizard Set class
parameters opens.

775
 Inheritance and Propagation

4. In the drop-down list Parameter, select the class parameter or meta-data of your choice.
The page refreshes.
5. In the drop-down list Inheritance property, select Set or Inherit. By default, Set is selected.
If you select Set, you can either configure a value for the parameter or overwrite its current
value.
If you select Inherit, you configure the parameter with the value of its parent object. The field
Value is no longer displayed.
6. If you selected Set, in the field Value specify the parameter value.
7. In the drop-down list Propagation property, select Propagate or Restrict. By default,
Propagate is selected.
If you select Propagate, you propagate the current parameter value to all child objects. The
propagation is only possible if the child objects have their Inheritance property configured
to Inherit.
If you select Restrict, you only configure the current parameter value to the object(s) you
ticked, it prevents the propagation to the child objects.
8. Click on ADD to move your parameter configuration to the Parameters list.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the field(s)
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
9. Repeat the steps 5 to 8 for as many parameters as you need.
10. Click on OK to complete the operation. The report opens and closes. Any parameter value
and configuration previously set for the selected object(s) is overwritten.

Reconciling Class Parameters

The option Reconcile class parameters allows to adjust the inheritance property of your meta-
data, advanced properties and class parameters on several objects at once.

For instance, after a migration of your database, from a version prior to 6.0.0, with parameters
configured that are all Set with the same value at all levels, you can use the option to make sure
they respect the internal module hierarchy and make the lower levels Inherit the top level para-
meter value. If you configured or edited classes, your objects are configured at each level but
the inheritance between each level is not implemented yet. Running this option allows comparing
all the properties and parameters set on the parent, for the selected child objects. If they are
configured on both levels and their values match, the inheritance property of the child objects is
forced to Inherit to set up the inheritance.

The option allows to force the Inheritance property of a parameter based on the value of the
parameter in the parent object. Therefore:
• The parameter value is forced to Set if it is not configured on the parent object.
• The parameter value is forced to Set if it is configured on the parent object with the Propagation
property configured to Restrict.
• The parameter value is forced to Set if it has a different value on the parent object.
• The parameter value is forced to Inherit if on the parent object: the parameter is configured,
has the same value and has the Propagation property configured to Propagate.

Keep in mind that the option is only available on pages managing objects that can inherit data.
Some class parameters might not be reconciled, for more details refer to the section limitations.

776
 Inheritance and Propagation

To reconcile a parameter inheritance property

1. Go to the module and page of your choice.
If you plan on reconciling meta-data, advanced properties and class parameters on all the
objects of a module, you must start from the lowest level and execute the option on all levels
up to the highest one.
2. Tick the object(s) for which you want to reconcile the class parameters inheritance property
with their parent object.
3. In the menu, select Tools > Expert > Reconcile the class parameters. The wizard
Reconcile the class parameters opens.
4. Click on OK to complete the operation. The report opens and works for a while. The report
opens.

777
Chapter 52. Managing Advanced
Properties
Advanced properties are specific class parameters that allow to set up replication behaviors
between the modules IPAM, DHCP, DNS, Device Manager and VLAN Manager.
DNS server: ns1.mycorp.com
SPACE
Update DNS: yes
America

NETWORK Default domain: lab.mycorp.com

BLOCK
USA
10.6.0.0/15

NETWORK
SUBNET
New York
10.6.0.0/24

POOL
Manhattan
10.6.0.1-10.6.0.50

NEW NEW IP NEW

LEASE ADDRESS RECORD

DHCP IPAM DNS

IP Address: 10.6.0.42
MAC address: be:ef:12:34:be:ef
Name: client.mycorp.com
IPAM advanced properties
Push leases to IPAM: yes
Use client name (FQDN): yes
IP Address: 10.6.0.42 Type: A
MAC address: be:ef:12:34:be:ef RR name: client.mycorp.com
Name: client.mycorp.com IP address: 10.6.0.42
DNS advanced properties
DNS server: ns1.mycorp.com
Update DNS: yes
Default domain: mycorp.com

Figure 52.1. Replication from the DHCP to the DNS via the IPAM

These properties can edit interactions and behaviors:

• Within the IPAM:
• You can define the gateway addition behavior for terminal networks.
• You can add pools when you add terminal networks.
• You can set up a semi-automated way to transition from IPv4 to IPv6 when adding IPv4
objects.
• Between the IPAM and the DHCP:
• From the IPAM, adding or editing networks, pools or IP addresses can update the DHCP.
• From the DHCP, adding or editing leases can update the IPAM.
• Between the IPAM and the DNS:
• From the IPAM, adding networks or IP addresses can update the DNS.
• From the DNS, adding resource records can update the IPAM.
• Within the DNS: you can add a PTR resource record every time you add an A resource record.
• From the IPAM to Device Manager: you can link IP addresses with existing interfaces, add
devices and link them using their ports and interfaces.
• From the IPAM to VLAN Manager: you can link IPAM subnet-type networks with Virtual
Local Area Networks (VLANs).

All the advanced properties are represented in the appendix Advanced Properties.

778
 Managing Advanced Properties

Configuring advanced properties involves two operations:

1. Selecting at each level the advanced properties fields to display or enable in the addition and
edition wizards. This selection defines the wizard Default display.
2. In the addition or edition wizard, configuring the property. The configuration of the properties
implies that the end user has sufficient rights and resources.

The advanced properties value is inherited by all the objects at lower levels, unless you configure
them otherwise. Therefore, you can configure spaces with properties that apply to IP addresses,
or servers with properties that apply to leases or records.

You can edit the advanced properties inheritance and propagation of several objects at a time.
For more details, refer to the section Setting Advanced Properties.

Prerequisites
• Defining the Internal module setup to select the modules IPAM, DNS and DHCP.
It is accessible from the pages Main dashboard and Admin Home. For more details, refer to
the section Defining the Internal Module Setup.
• Configuring or being granted access to the proper rights and resources.
• Any user can configure the advanced properties that are part of the Default display of the
addition/edition wizard, as long as the group they belong to is granted rights and resources
over the relevant modules and objects.
They can display All the advanced properties, if some are not part of the Default display,
however, only users of the group admin can configure these remaining properties.
• Users can define which properties are part of the Default display of the addition/edition wizards
if they belong to a group granted the right Edit: the wizard Advanced properties customization.

Browsing Advanced Properties

All the objects that can be configured with advanced properties have a dedicated panel on their
properties page. It displays which properties are configured and, when relevant, it indicates
between brackets from which level they are inherited.

Figure 52.2. The panel Advanced properties

779
 Managing Advanced Properties

To display the panel Advanced properties

1. Go to the properties page of the object of your choice using .
2. If the panel Advanced properties is closed, click on to open it. The panel displays the
advanced properties configuration of the object.

Configuring IPAM Advanced Properties

You can configure IPAM spaces, networks, pools and IP addresses with IPAM properties,
DHCP replication properties, DNS replication properties, Device Manager interaction properties
and VLAN Manager interaction properties.

The IPAM can be the reference point of all addressing decisions involving DHCP and DNS. Indeed,
the IPAM can update the DHCP and the DNS, and vice versa. However, the DHCP can only
update the DNS if the information is sent to the IPAM first. To have an overview of all the advanced
properties that can originate from the IPAM, refer to the appendix Advanced Properties.

In addition, from the IPAM you can impact Device Manager and VLAN Manager. Indeed, you
can add devices or link existing ones through ports and interfaces at IP address level, or allow
two subnet-type networks to communicate by associating them with the same VLAN.

Within the IPAM, you can configure dedicated properties. To set up the transition from IPv4 to
IPv6, refer to the section Configuring the Transition from IPv4 to IPv6.

Space Advanced Properties

At space level, you can configure IPAM, DHCP and DNS properties.

Each property can be inherited at lower levels to automate the replication from the IPAM.

IPAM DHCP
DHCP failover channel: DHCP
SPACE SERVER
failover-dhcp1.mycorp.com
America dhcp1.mycorp.com

NETWORK
BLOCK
USA
10.6.0.0/15
NEW NEW
NETWORK SCOPE
SUBNET

Name: New York Name: New York

Start address: 10.6.0.0 Start address: 10.6.0.0
End address: 10.6.0.255 End address: 10.6.0.255
DHCP advanced properties
DHCP failover channel: failover-dhcp1.mycorp.com

Figure 52.3. IPAM to DHCP replication at network level inherited from the space

780
 Managing Advanced Properties

You must first select the advanced properties to display and then configure them.

To select the advanced properties to display at space level

1. Make sure the internal module setup is configured, as detailed in the prerequisites.
2. In the sidebar, go to IPAM > Spaces. The page All spaces opens.
3. In the menu, select Extra options > Wizard customization. The wizard Advanced
properties customization opens.
Ancienne taille de la page

4. Tick the properties you want to display or enable in the addition/edition wizard.
a. To configure properties Within the IPAM, you can tick the following box.
By default, the box is not ticked.
• Display the IPv4 to IPv6 transition fields. For more details, refer to the section Config-
uring the Transition from IPv4 to IPv6.
b. To configure IPAM to DNS replication properties, you can tick the following boxes.
By default, all boxes are ticked.
• Display the selection field "DNS server".
• Display the selection field "DNS view".
• Display the selection fields "Domains list".
• Display the selection field "Default domain".
• Add a DNS reverse zone for every terminal network added.
The zone is added in the specified DNS server for reverse zone and DNS view for
reverse zone. This field is not displayed in the addition/edition wizard.
• Display the selection field "DNS sever for reverse zone".
• Display the selection field "DNS view for reverse zone".
• Display the box "Update DNS".
You must tick this box to be able to save any DNS replication configuration in the
addition/edition wizard.
c. To configure IPAM to DHCP replication properties, you can tick the following boxes.
By default, all boxes are ticked.
• Display the selection field "DHCP failover channel".
• Display the box "Add a DHCP static".

5. Click on OK to complete the operation. The report opens and closes.

In the addition/edition wizard, all the properties you ticked are now configurable, they are
part of the Default display.

To configure advanced properties at space level

1. In the sidebar, go to IPAM > Spaces. The page All spaces opens.
2. Add or edit a space. The corresponding wizard opens.
For more details, refer to the chapter Managing Spaces.
3. On the last page of the wizard, configure the advanced properties of your choice.
Note that:
• The advanced properties are distributed in dedicated sections, the available fields depend
on the Wizard customization.
• Right of each property, you can click on to define its inheritance and/or propagation
property. For more details, refer to the chapter Inheritance and Propagation.

781
 Managing Advanced Properties

• Some fields may not be visible, if they are not part of the wizard Default display.
In the drop-down list Advanced properties at the bottom of the page, you can select All.
The remaining fields appear in the sections, they are grayed out and not in the default
order. Only users of the group admin can configure or edit properties that are not displayed
by Default.
• All the advanced properties are described in the following tables:
• Available properties in the section Within the IPAM at space level.
• Available properties in the section IPAM to DNS replication at space level.
• Available properties in the section IPAM to DHCP replication at space level.
4. Click on OK to complete the operation. The report opens and closes.
Your configuration details are displayed on the space properties page, in the panel Advanced
properties.

Table 52.1. Available properties in the section Within the IPAM at space level
Activate the IPv4 to IPv6 transition
Default value Unticked
Description Tick this box to configure the IPv4 to IPv6 transition. For more details, refer to the section Con-
figuring the Transition from IPv4 to IPv6.

Table 52.2. Available properties in the section IPAM to DNS replication at space level
DNS server
Default value None
Description The server(s) of your choice, either All, None or a specific one. It defines the views and zones
to display in the next fields and allows to define which zone is updated when you add or edit IP
addresses.
You must tick the box Update DNS to take this parameter into account.
Once you select All or a server name, the lists DNS view, Domains list, Selected domains list
and Default domain appear if they were ticked during the Wizard customization.
All: allows to display all the views and zones in the next fields.
None: prevents the IPAM to DNS replication.
<server-name>: allows to display only the views and zones of the selected server in the next
fields.
DNS view
Default value All
Description The view(s) of your choice, either All or a specific one. It defines the zones to display in the next
fields.
You must tick the box Update DNS to take this parameter into account.
All: allows to display the zones of all existing views in the next fields.
<view-name>: allows to display only the zones of the selected view in the next fields.
Domains list and Selected domains list
Default value /
Description A domain, i.e. Master zone. Select it and click on to move it to the Selected domains list.
You can select several zones to make them all available in the drop-down list Default domain.
You must tick the box Update DNS to take this parameter into account.
Default domain
Default value None
Description The Master zone used by default, either None or a specific one. The list content depends on
the Selected domains list.
You must tick the box Update DNS to take this parameter into account.

782
 Managing Advanced Properties

None: allows to provide a list of all the Master zones when you add or edit an IP address, you
can choose the zone to update in the drop-down list Domain.
<zone-name>: allows to select the Master zone to update when you add or edit an IP address,
the selected zone name is displayed in the grayed out field Domain.
DNS server for reverse zones
Default value None
Applies to Terminal networks only
Description The server(s) of your choice, either All, None or a specific one. This defines where are added
the PTR records matching the IP addresses you add or edit in the terminal network. If you select
All or a server name, the field DNS view for reverse zones appears, its content depends on your
selection.
If the box Add a DNS reverse zone for every terminal network added was ticked during the
Wizard customization, a reverse zone matching the terminal network you are adding or editing
is also added in the selected server.
You must tick the box Update DNS to take this parameter into account.
Keep in mind that deleting a network configured with this option also deletes the corres-
ponding reverse zone from the DNS, if it only contains the default records (SOA and NS).
DNS view for reverse zones
Default value All
Applies to Terminal networks only
Description The view(s) of your choice, either All or a specific one. This defines where are added the PTR
records matching the IP addresses you add or edit in the terminal network.
If the box Add a DNS reverse zone for every terminal network added was ticked during the
Wizard customization, a reverse zone matching the terminal network you are adding/editing is
also added in the selected view.
You must tick the box Update DNS to take this parameter into account.
Keep in mind that deleting a network configured with this option also deletes the corres-
ponding reverse zone from the DNS, if it only contains the default records (SOA and NS).
Update DNS
Default value Unticked
Description Tick this box to update the relevant zone(s) with A, AAAA and/or PTR records matching the IP
addresses you add or edit in the terminal network(s). The terminal network Gateway address
does not add any A or AAAA record in the DNS.
If an address is configured with aliases, it can also update the relevant zone(s) with CNAME
records.
Keep in mind that leaving this box unticked can delete any matching records, whether
they were added from the IPAM or directly within the DNS.

Table 52.3. Available properties in the section IPAM to DHCP replication at space level
DHCP failover channel
Default value None
Description The failover channel of your choice, to define in which servers is added the scope matching the
terminal network you add. The box Add a shared network using the Address and Prefix appears.
The scope name and addresses match the ones of the terminal network. In IPv4, the new scope
is automatically set with the option routers, its value is the network gateway address.
If an existing scope already manages the same addresses as the terminal network, its name is
overwritten. In IPv4, the option routers of the scope is set or updated.
In IPv6, the DHCP failover channel set at space level is not inherited, you must set it at network
level.
Add a DHCP static
Default value Unticked
Description Tick this box to add a DHCP static whenever you add an IP address. The box Use IPAM name
instead of DHCP client name appears.
Note that you can only add statics if you selected a DHCP failover channel.

783
 Managing Advanced Properties

Use IPAM name instead of DHCP client name

Default value Unticked
Description Tick this box to name each static you add like its corresponding IP address. Each new static is
automatically configured with the IP address Shortname as value of its option host-name. If you
selected a Default domain, the static is also set with the selected domain as value of its option
domain-name.
If you do not tick the box, a nameless static is added. The static is named when the next DHCP
client connects to the network, it is named after the client.

Network Advanced Properties

At network level, you can configure IPAM, DHCP, DNS and VLAN Manager properties. You can
configure properties for block-type networks and/or subnet-type networks.

Adding networks in the IPAM can automatically add zones in the DNS.

IPAM DNS
SPACE Update DNS: yes DNS
SERVER
America ns1.mycorp.com
Add a DNS reverse zone for every
terminal network added: yes
NETWORK
BLOCK DNS server for reverse zone: VIEW
USA ns1.mycorp.com intranet
10.6.0.0/15 DNS view for reverse zone: intranet

NEW NEW
NETWORK REVERSE
SUBNET ZONE

Name: New York Name: 0.6.10.in-addr.arpa

Start address: 10.6.0.0
End address: 10.6.0.255
DNS advanced properties
Update DNS: yes
Add a DNS reverse zone for every terminal network added: yes
DNS server for reverse zone: ns1.mycorp.com
DNS view for reverse zone: intranet

Figure 52.4. IPAM to DNS replication at network level

784
 Managing Advanced Properties

In the same way, adding a terminal network can automatically add a scope in the DHCP failover
channel of your choice. As the properties are inherited, the Gateway address of the terminal
network configures the option routers of that scope.

IPAM DHCP
DHCP failover channel: DHCP
SPACE SERVER
failover-dhcp1.mycorp.com
America dhcp1.mycorp.com

NETWORK
BLOCK
USA
10.6.0.0/15
NEW NEW
NETWORK Gateway offset: -1 SCOPE
SUBNET
Name: New York
Name: New York Address: 10.6.0.0/24
Address: 10.6.0.0/24
NEW IP NEW DHCP OPTION
ADDRESS routers: 10.6.0.254
Name: Gateway
Address: 10.6.0.254
DHCP advanced properties
DHCP failover channel: failover-dhcp1.mycorp.com
IPAM advanced properties
Gateway offset: -1

Figure 52.5. IPAM to DHCP replication at IP address level

You can also link terminal or non-terminal subnet-type networks to a common VLAN to make
them communicate. From that point on, no matter what network they belong to or IP addresses
they manage, they can send and receive each other's packets.

IPAM VLAN Manager

SPACE DOMAIN
America sales

NETWORK
BLOCK
USA
12.3.0.0/16
Add a VLAN: yes
NEW VLAN domain: sales
NETWORK NEW VLAN
SUBNET VLAN ID: 1
VLAN name: domestic ID: 1
New York Name: domestic
12.3.0.0/24 The VLAN is associated
with New York
NEW VLAN domain: sales EDITED
NETWORK VLAN ID: 1 (domestic - #) VLAN
SUBNET
ID: 1
Los Angeles Name: domestic
12.3.15.0/24 The VLAN is now
VLAN Manager advanced properties associated with
Add a VLAN: yes New York
VLAN domain: sales and Los Angeles
VLAN ID: 1

Figure 52.6. Enabling the communication between networks via a VLAN

785
 Managing Advanced Properties

Note that editing an existing non-terminal subnet-type network that contains terminal networks
to link it to a VLAN does not link the networks it contains to the VLAN.

You must first select the advanced properties to display and then configure them.

To select the advanced properties to display at network level

1. Make sure the internal module setup is configured, as detailed in the prerequisites.
2. In the sidebar, go to IPAM > Networks. The page All networks opens.
3. In the menu, select Extra options > Wizard customization. The wizard Advanced
properties customization opens.
Ancienne taille de la page

4. Tick the properties you want to display or enable in the addition/edition wizard.
a. To configure properties Within the IPAM, you can fill in and/or tick the following field
and boxes.
By default, the box Display the IPv4 to IPv6 transition fields is not ticked.
• Gateway offset allows to automatically calculate and add a gateway when adding
terminal networks.
By default, it is set to -1, the penultimate address of the network is used as gateway.
You can specify a positive value to calculate the gateway from the start address of
the network, or a negative value to calculate it from the end address of the network.
To disable the addition, and add terminal networks without gateway, you need to
leave the field empty.
• Display the field "Gateway".
If your Gateway offset disables the gateway addition, the field Gateway is never dis-
played in the addition/edition wizard even if this box is ticked.
• Display the selection field "Number of pools".
This property is only available when you add terminal networks.
• Display the IPv4 to IPv6 transition fields.
For more details, refer to the section Configuring the Transition from IPv4 to IPv6.
b. To configure IPAM to DNS replication properties, you can tick the following boxes.
By default, only the box Add a DNS reverse zone for every terminal network added is
ticked.
• Display the selection field "DNS server".
• Display the selection field "DNS view".
• Display the selection fields "Domains list".
• Display the selection field "Default domain".
• Add a DNS reverse zone for every terminal network added.
The zone is added in the specified DNS server for reverse zone and DNS view for
reverse zone. This field is not displayed in the addition/edition wizard.
• Display the selection field "DNS sever for reverse zone".
• Display the selection field "DNS view for reverse zone".
• Display the box "Update DNS".
You must tick this box to be able to save any DNS replication configuration in the
addition/edition wizard.
c. To configure IPAM to DHCP replication properties, you can tick the following boxes.
By default, no box is ticked.
• Display the selection field "DHCP failover channel".

786
 Managing Advanced Properties

• Display the box "Add a shared network using the Address and Prefix".
This box is only displayed if the box Display the selection field "DHCP failover channel"
is ticked.
• Display the box "Add a DHCP static".
d. To configure the IPAM / VLAN Manager interaction properties, you can tick the following
boxes.
By default, no box is ticked.
• Display the VLAN association fields.
• Display the field "Add a VLAN".
This box is only displayed if the box Display the VLAN association fields is ticked.

5. Click on OK to complete the operation. The report opens and closes.

In the addition/edition wizard, all the properties you ticked are now configurable, they are
part of the Default display.

In the procedure below, all properties are detailed but most fields are already filled with the value
set at higher level and inherited. For more details, refer to the chapter Inheritance and Propagation.

To configure advanced properties at network level

1. In the sidebar, go to IPAM > Networks. The page All networks opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. Add or edit a network. The corresponding wizard opens.
For more details, refer to the chapter Managing Networks.
4. On the last page of the wizard, configure the advanced properties of your choice.
Note that:
• The advanced properties are distributed in dedicated sections, the available fields depend
on the Wizard customization.
• Right of each property, you can click on to define its inheritance and/or propagation
property. For more details, refer to the chapter Inheritance and Propagation.
• Some fields may not be visible, if they are not part of the wizard Default display.
In the drop-down list Advanced properties at the bottom of the page, you can select All.
The remaining fields appear in the sections, they are grayed out and not in the default
order. Only users of the group admin can configure or edit properties that are not displayed
by Default.
• All the advanced properties are described in the following tables:
• Available properties in the section Within the IPAM at network level.
• Available properties in the section IPAM to DNS replication at network level.
• Available properties in the section IPAM to DHCP replication at network level.
• Available properties in the section IPAM / VLAN interaction at network level.
5. Click on OK to complete the operation. The report opens and closes.
Your configuration details, whether set or inherited, are displayed on the network properties
page, in the panel Advanced properties.

The existing networks are not impacted, to configure them like their container refer to the section
Setting Advanced Properties. You cannot use this option on VLAN Manager properties.

787
 Managing Advanced Properties

Table 52.4. Available properties in the section Within the IPAM at network level
Activate the IPv4 to IPv6 transition
Default value Unticked
Applies to All networks
Description Tick this box to configure the IPv4 to IPv6 transition. For more details, refer to the section Con-
figuring the Transition from IPv4 to IPv6.
Gateway
Default value Matches the offset
Applies to Terminal networks only
Description The IP address displayed in the field is calculated from the Gateway offset, you can edit it.
The field is only displayed if, during the Wizard customization, the box Display the field "Gateway"
was ticked and a Gateway offset was specified.
Number of pools
Default value 0
Applies to Terminal networks, only during additions
Description The number of pool(s), between 1 and 5, to add within the terminal network you are adding.
The fields Size and Name or Size and Type appear for each pool.
If you select 0, no pool is added. This drop-down list is only available when you add terminal
networks.
Size
Default value /
Applies to Pools
Description If you selected a Number of pools of 1 or more, specify the number of IP addresses of each
pool.
Name
Default value /
Applies to Pools
Description If you selected a Number of pools of 1 or more, specify the name of each pool. This field is only
displayed if no custom class is enabled at pool level.
Type
Default value /
Applies to Pools
Description If you selected a Number of pools of 1 or more and custom classes are enabled at pool level,
select the class to apply to each pool. The class name is used as pool name.

Table 52.5. Available properties in the section IPAM to DNS replication at network level
DNS server
Default value None
Applies to Terminal networks only
Description The server(s) of your choice, either All, None or a specific one. It defines the views and zones
to display in the next fields and allows to define which zone is updated when you add or edit IP
addresses.
You must tick the box Update DNS to take this parameter into account.
Once you select All or a server name, the lists DNS view, Domains list, Selected domains list
and Default domain appear if they were ticked during the Wizard customization.
All: allows to display all the views and zones in the next fields.
None: prevents the IPAM to DNS replication.
<server-name>: allows to display only the views and zones of the selected server in the next
fields.

788
 Managing Advanced Properties

DNS view
Default value All
Applies to Terminal networks only
Description The view(s) of your choice, either All or a specific one. It defines the zones to display in the next
fields.
You must tick the box Update DNS to take this parameter into account.
All: allows to display the zones of all existing views in the next fields.
<view-name>: allows to display only the zones of the selected view in the next fields.
Domains list and Selected domains list
Default value /
Applies to Terminal networks only
Description A domain, i.e. Master zone. Select it and click on to move it to the Selected domains list.
You can select several zones to make them all available in the drop-down list Default domain.
You must tick the box Update DNS to take this parameter into account.
Default domain
Default value None
Applies to Terminal networks only
Description The Master zone used by default, either None or a specific one. The list content depends on
the Selected domains list.
You must tick the box Update DNS to take this parameter into account.
None: allows to provide a list of all the Master zones when you add or edit an IP address, you
can choose the zone to update in the drop-down list Domain.
<zone-name>: allows to select the Master zone to update when you add or edit an IP address,
the selected zone name is displayed in the grayed out field Domain.
DNS server for reverse zones
Default value None
Applies to Terminal networks only
Description The server(s) of your choice, either All, None or a specific one. This defines where are added
the PTR records matching the IP addresses you add or edit in the terminal network. If you select
All or a server name, the field DNS view for reverse zones appears, its content depends on your
selection.
If the box Add a DNS reverse zone for every terminal network added was ticked during the
Wizard customization, a reverse zone matching the terminal network you are adding or editing
is also added in the selected server.
You must tick the box Update DNS to take this parameter into account.
Keep in mind that deleting a network configured with this option also deletes the corres-
ponding reverse zone from the DNS, if it only contains the default records (SOA and NS).
DNS view for reverse zones
Default value All
Applies to Terminal networks only
Description The view(s) of your choice, either All or a specific one. This defines where are added the PTR
records matching the IP addresses you add or edit in the terminal network.
If the box Add a DNS reverse zone for every terminal network added was ticked during the
Wizard customization, a reverse zone matching the terminal network you are adding/editing is
also added in the selected view.
You must tick the box Update DNS to take this parameter into account.
Keep in mind that deleting a network configured with this option also deletes the corres-
ponding reverse zone from the DNS, if it only contains the default records (SOA and NS).
Update DNS
Default value Unticked
Applies to Terminal networks only

789
 Managing Advanced Properties

Description Tick this box to update the relevant zone(s) with A, AAAA and/or PTR records matching the IP
addresses you add or edit in the terminal network(s). The terminal network Gateway address
does not add any A or AAAA record in the DNS.
If an address is configured with aliases, it can also update the relevant zone(s) with CNAME
records.
Keep in mind that leaving this box unticked can delete any matching records, whether
they were added from the IPAM or directly within the DNS.

Table 52.6. Available properties in the section IPAM to DHCP replication at network level
DHCP failover channel
Default value None
Applies to Terminal networks only
Description The failover channel of your choice, to define in which servers is added the scope matching the
terminal network you add. The box Add a shared network using the Address and Prefix appears.
The scope name and addresses match the ones of the terminal network. In IPv4, the new scope
is automatically set with the option routers, its value is the network gateway address.
If an existing scope already manages the same addresses as the terminal network, its name is
overwritten. In IPv4, the option routers of the scope is set or updated.
Note that, on the properties page of the terminal network, the panel DHCP options details the
options set on the scope.
Add a shared network using the Address and Prefix
Default value Ticked
Applies to Terminal networks only
Description Tick this box to use the Address and Prefix of the IPv4 network you are adding as a shared
network.
This box is only visible when the DHCP failover channel is Set and has a value. It adds a new
scope in the DHCP servers of the selected failover channel.
Add a DHCP static
Default value Unticked
Applies to All networks
Description Tick this box to add a DHCP static whenever you add an IP address. The box Use IPAM name
instead of DHCP client name appears.
Note that you can only add statics if you selected a DHCP failover channel.
Use IPAM name instead of DHCP client name
Default value Unticked
Applies to All networks
Description Tick this box to name each static you add like its corresponding IP address. Each new static is
automatically configured with the IP address Shortname as value of its option host-name. If you
selected a Default domain, the static is also set with the selected domain as value of its option
domain-name.
If you do not tick the box, a nameless static is added. The static is named when the next DHCP
client connects to the network, it is named after the client.

Table 52.7. Available properties in the section IPAM / VLAN Manager interaction at network level
VLAN domain
Default value None
Applies to Terminal networks only
Description The domain containing the VLAN you want to associate with your subnet-type network, whether
you add it or not. The fields VLAN range, Add a VLAN and VLAN ID appear.
If you select None, the IPAM / VLAN interaction is removed.
VLAN range
Default value All

790
 Managing Advanced Properties

Applies to Terminal networks only

Description The range of your choice, either All, None or a specific one.
If you are associating your terminal network with an existing VLAN, your selection impacts the
auto-completion results in the field VLAN ID.
All: allows to take into account all the Used VLANs of the VLAN domain, no matter which range
they belong to.
None: allows to associate a VLAN or to Add a VLAN not belonging to any range. Select this
value if the VLAN domain does not contain any range.
<range-name>: allows to narrow down the search for Used VLANs within a specific range.
Add a VLAN
Default value Unticked
Applies to Terminal networks only
Description Tick this box to add a VLAN in the specified VLAN domain, or even VLAN range. The field VLAN
name appears at the end of the section.
Note that this property is not available in Template Mode, for more details refer to the chapter
Managing IPAM Templates.
VLAN ID
Default value /
Applies to Terminal networks only
Description The ID of the VLAN you want to associate with the terminal network.
It is displayed as follows: <VLAN_ID> (<VLAN_name> - <range_name>). Note that the VLAN
name can be empty and the range name can be # if the VLAN does not belong to any range.
The field provides auto-completion.
For a Used VLAN, you can specify the first digit(s) of its ID or letter(s) of its name. It either displays
the matching VLAN or a list of partial matches to choose from, the available value(s) depend
on the selected VLAN range.
For a new VLAN, specify its ID and fill in the field VLAN name. If you selected a VLAN range,
the ID must belong to the relevant range or to None of them.
VLAN name
Default value /
Applies to Terminal networks only
Description If you ticked the box Add a VLAN, specify the name of the VLAN you are adding.

791
 Managing Advanced Properties

Pool Advanced Properties

At pool level, you can configure DHCP properties.

Adding pools in the IPAM can automatically add ranges in the DHCP.

IPAM DHCP
DHCP failover channel: DHCP
SPACE SERVER
failover-dhcp1.mycorp.com
America dhcp1.mycorp.com

NETWORK
BLOCK
USA
10.6.0.0/15 SCOPE

NETWORK New York

SUBNET 10.6.0.0/24
New York
10.6.0.0/24
NEW Add a DHCP range: yes NEW
POOL RANGE

Name: Manhattan Name: 10.6.0.1-10.6.0.50

Start address: 10.6.0.1
End address: 10.6.0.50
DHCP advanced properties
DHCP failover channel: failover-dhcp1.mycorp.com
Add a DHCP range: yes

Figure 52.7. IPAM to DHCP replication at pool level

You must first select the advanced properties to display and then configure them.

To select the advanced properties to display at pool level

1. Make sure the internal module setup is configured, as detailed in the prerequisites.
2. In the sidebar, go to IPAM > Pools. The page All pools opens.
3. In the menu, select Extra options > Wizard customization. The wizard Advanced
properties customization opens.
Ancienne taille de la page

4. Tick the properties you want to display in the addition/edition wizard.

To configure IPAM to DHCP replication properties, you can tick the following boxes.
By default, no box is ticked.
• Display the field "Add a DHCP range".
• Display the field "Add a DHCP static". This field is only available in IPv4.
5. Click on OK to complete the operation. The report opens and closes.
In the addition/edition wizard, all the properties you ticked are now configurable, they are
part of the Default display.

In the procedure below, all properties are detailed but most fields are already filled with the value
set at higher level and inherited. For more details, refer to the chapter Inheritance and Propagation.

To configure advanced properties at pool level

1. In the sidebar, go to IPAM > Pools. The page All pools opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.

792
 Managing Advanced Properties

3. Add or edit a pool. The corresponding wizard opens.

For more details, refer to the chapter Managing Pools.
4. Select the properties you want to display or enable in the addition/edition wizard.
On the last page of the wizard, configure the advanced properties of your choice.
Note that:
• The advanced properties are distributed in dedicated sections, the available fields depend
on the Wizard customization.
• Right of each property, you can click on to define its inheritance and/or propagation
property. For more details, refer to the chapter Inheritance and Propagation.
• Some fields may not be visible, if they are not part of the wizard Default display.
In the drop-down list Advanced properties at the bottom of the page, you can select All.
The remaining fields appear in the sections, they are grayed out and not in the default
order. Only users of the group admin can configure or edit properties that are not displayed
by Default.
• All the advanced properties are described in the following tables:
• Available properties in the section IPAM to DHCP replication at pool level
5. Click on OK to complete the operation. The report opens and closes.
Your configuration details, whether set or inherited, are displayed on the pool properties
page, in the panel Advanced properties.

The existing pools are not impacted, to configure them like their container refer to the section
Setting Advanced Properties.

Table 52.8. Available properties in the section IPAM to DHCP replication at pool level
Add a DHCP range
Default value Unticked
Description Tick this box to add a DHCP range matching the start and end address of the pool you are
adding. The range is added in the scope matching the terminal network the pool belongs to.
Add a DHCP static
Default value Unticked
Description Tick this box to add a DHCP static whenever you add an IP address. The box Use IPAM name
instead of DHCP client name appears.
Note that you can only add statics if you selected a DHCP failover channel.
Use IPAM name instead of DHCP client name
Default value Unticked
Description Tick this box to name each static you add like its corresponding IP address. Each new static is
automatically configured with the IP address Shortname as value of its option host-name. If you
selected a Default domain, the static is also set with the selected domain as value of its option
domain-name.
If you do not tick the box, a nameless static is added. The static is named when the next DHCP
client connects to the network, it is named after the client.

793
 Managing Advanced Properties

IP Address Advanced Properties

At IP address level, you can configure IPAM, DHCP, DNS and Device Manager properties.

Enabling the advanced properties allows to automatically add a DHCP static when you add an
IP address.

IPAM DHCP
DHCP failover channel: DHCP
SPACE
failover-dhcp1.mycorp.com SERVER
America dhcp1.mycorp.com

NETWORK
BLOCK
USA
10.6.0.0/15 SCOPE
NETWORK
SUBNET New York
10.6.0.0/24
New York
10.6.0.0/24

NEW IP NEW
ADDRESS Add a DHCP static: yes STATIC

IP Address: 10.6.0.100 IP Address: 10.6.0.100

MAC address: ba:ba:00:00:ba:ba MAC address: ba:ba:00:00:ba:ba
DHCP advanced properties
DHCP failover channel: failover-dhcp1.mycorp.com
Add a DHCP static: yes

Figure 52.8. IPAM to DHCP replication at IP address level

You can automatically add a DNS record when you add an IP address.

IPAM DNS
DNS server: ns1.mycorp.com DNS
SPACE SERVER
Update DNS: yes
America ns1.mycorp.com

NETWORK Default domain: lab.mycorp.com

BLOCK
USA
10.6.0.0/15 ZONE
NETWORK lab.mycorp.com
SUBNET
New York
10.6.0.0/24
Enable the automatic
NEW IP construction of the IP address NEW
ADDRESS RECORD
hostname: shortname.domain

Shortname: pc1 Type: A

IP address name: pc1.mycorp.com RR name: pc1.mycorp.com
Address: 10.6.0.1 IP address: 10.6.0.1
DNS advanced properties
DNS server: ns1.mycorp.com
Update DNS: yes
Default domain: mycorp.com
Enable the automatic construction of the IP address hostname: yes

Figure 52.9. IPAM to DNS replication at IP address level

794
 Managing Advanced Properties

You can link IP addresses with existing interfaces as illustrated below. Note that this link can also
be set without the advanced properties, for more details refer to the chapter Managing IP Ad-
dresses.

IPAM Device Manager

SPACE DEVICE
America device1

NETWORK
BLOCK
USA
12.3.0.0/16
NETWORK
SUBNET
Texas
12.3.1.0/24

NEW IP Device name: device1 INTERFACE

ADDRESS Interface name: interface1
Name: interface1
Name: Dallas IP address: 12.3.1.24
IP address: 12.3.1.24 MAC address: be:ef:be:ef:be:ef
MAC address: be:ef:be:ef:be:ef The IP address is linked
Device Manager advanced properties with interface1
Display the device topology fields: yes
Device name: device1
Interface name: interface1

Figure 52.10. Association of an IP address with an interface

You can also link an IP address with a port even if it is already linked with an interface, this
changes the device topology.

IPAM Device Manager

SPACE DEVICE
America device2

NETWORK
BLOCK
USA
12.3.0.0/16
NETWORK
SUBNET
Texas
12.3.1.0/24

EDIT IP Link with device: device2

ADDRESS Link with port: port1 PORT
Name: port1 (device2)
Name: San Antonio Edited topology
IP address: 12.3.1.24 The port port1 (device2) is now
MAC address: be:ef:be:ef:be:ef linked with interface1 (device1)
Already linked with the interface interface1 in the device device1
Device Manager advanced properties
Enable to edit the devices topology from the IPAM: yes
Link with device: device2
Link with port: port1

Figure 52.11. Associating an interface and a port using an IP address

795
 Managing Advanced Properties

Finally, you can add a device and an interface when adding or editing an IP address.

IPAM Device Manager

SPACE
America

NETWORK
BLOCK
USA
12.3.0.0/16

NETWORK
SUBNET
Texas
12.3.1.0/24
Add a device: yes
NEW IP Device name: device3 NEW
ADDRESS DEVICE
Interface name: interface3
Name: device3
Name: Houston
IP address: 12.3.1.23
MAC address: be:ef:12:34:be:ef NEW
Device Manager advanced properties INTERFACE
Add a device: yes Name: interface3
Device name: device3 IP address: 12.3.1.23
Interface name: interface3 MAC address: be:ef:12:34:be:ef

Figure 52.12. Device addition at IP address level

You must first select the advanced properties to display and then configure them.

To select the advanced properties to display at IP address level

1. Make sure the internal module setup is configured, as detailed in the prerequisites.
2. In the sidebar, go to IPAM > Addresses. The page All addresses opens.
3. In the menu, select Extra options > Wizard customization. The wizard Advanced
properties customization opens.
Ancienne taille de la page

4. Tick the properties you want to display or enable in the addition/edition wizard.
a. To configure properties Within the IPAM, you can select the following:
• IPv4 to IPv6 transition policy. This field is a drop-down list. For more details, refer to
the procedure Configuring the Transition at IP address Level.
b. To configure IPAM to DNS replication properties, you can tick the following boxes.
By default, only the first box is ticked.
• Enable the automatic construction of the IP address hostname: shortname.domain.
This box allows to display the field Shortname and automate the IP address name to
include a specific domain.
• Make the Domain selection mandatory in the hostname of the IP address and its ali-
ases.
This box is only displayed if the box Enable the automatic construction is ticked.
• Display the selection field "DNS server".
• Display the selection field "DNS view".
• Display the field "Domain".
• Display the box "Update DNS".
You must tick this box to be able to save any DNS replication configuration in the
addition/edition wizard.
c. To configure IPAM to DHCP replication properties, you can tick the following box.

796
 Managing Advanced Properties

By default, the box is ticked.

• Display the box "Add a DHCP static".
d. To configure the IPAM / Device Manager interaction properties, you can tick the fol-
lowing boxes.
By default, no box is ticked.
• Display the box "Add a device".
This box allows to link an IP address with an interface and parent device, that you
both add from the IPAM.
• Display the device topology fields.
This box allows to link an IP address with an existing device or interface.
• Enable to edit the devices topology from the IPAM. It displays the fields Link with
device, and Link with port in the addition/edition wizard.
This box allows to link an IP address with an existing device or port.

5. Click on OK to complete the operation. The report opens and closes.

In the addition/edition wizard, all the properties you ticked are now configurable, they are
part of the Default display.

In the procedure below, all properties are detailed but most fields are already filled with the value
set at higher level and inherited. For more details, refer to the chapter Inheritance and Propagation.

To configure advanced properties at IP address level

1. In the sidebar, go to IPAM > Addresses. The page All addresses opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. Add or edit an IP address. The corresponding wizard opens.
For more details, refer to the chapter Managing IP Addresses.
4. On the last page of the wizard, configure the advanced properties of your choice.
Note that:
• The advanced properties are distributed in dedicated sections, the available fields depend
on the Wizard customization.
• Right of each property, you can click on to define its inheritance and/or propagation
property. For more details, refer to the chapter Inheritance and Propagation.
• Some fields may not be visible, if they are not part of the wizard Default display.
In the drop-down list Advanced properties at the bottom of the page, you can select All.
The remaining fields appear in the sections, they are grayed out and not in the default
order. Only users of the group admin can configure or edit properties that are not displayed
by Default.
• All the advanced properties are described in the following tables:
• Available properties in the section Within the IPAM at IP address level.
• Available properties in the section IPAM to DNS replication at IP address level.
• Available properties in the section IPAM to DHCP replication at IP address level.
• Available properties in the section IPAM / Device Manager interaction at IP address
level.
5. Click on OK to complete the operation. The report opens and closes.
Your configuration details, whether set or inherited, are displayed on the IP address properties
page, in the panel Advanced properties.

797
 Managing Advanced Properties

The existing addresses are not impacted, to configure them like their container refer to the section
Setting Advanced Properties. You cannot use this option on Device Manager properties.

Table 52.9. Available properties in the section Within the IPAM at IP address level
Corresponding IPv6 address
Default value IP address
Description The field is read-only and matches the transition configuration. For more details, refer to the
section Configuring the Transition from IPv4 to IPv6.

Table 52.10. Available properties in the section IPAM to DNS replication at IP address level
DNS server
Default value None
Description The server(s) of your choice, either All, None or a specific one. It defines the views and zones
to display in the next fields and allows to define which zone is updated when you add or edit IP
addresses.
You must tick the box Update DNS to take this parameter into account.
Once you select All or a server name, the lists DNS view, Domains list, Selected domains list
and Default domain appear if they were ticked during the Wizard customization.
<server-name>: allows to display only the views and zones of the selected server in the next
fields.
All: allows to display all the views and zones in the next fields.
None: prevents the IPAM to DNS replication.
DNS view
Default value All
Applies to Terminal networks only
Description The view(s) of your choice, either All or a specific one. It defines the zones to display in the next
fields.
You must tick the box Update DNS to take this parameter into account.
All: allows to display the zones of all existing views in the next fields.
<view-name>: allows to display only the zones of the selected view in the next fields.
Shortname
Default value /
Description The name of the IP address. The value updates the field IP address name as follows: <short-
name>.<domain_name>.
The full address name indicates in which zone, i.e. the selected Domain, the corresponding A
record is added.
This field is only displayed if the box Enable the automatic construction of the IP address host-
name: shortname.domain was ticked during the Wizard customization. Otherwise, you can directly
fill in the field IP address name.
Domain
Default value None
Description The domain, i.e. Master zone, updated when you add or edit the IP address. It completes the
IP address name.
It can be a field displaying the name of the domain inherited from a higher level, or a drop-down
list containing domains to choose from.
This field is required if the box Make the Domain selection mandatory in the hostname of the
IP address and its aliases is ticked during the Wizard customization.
Update DNS
Default value Unticked

798
 Managing Advanced Properties

Description Tick this box to update the relevant zone(s) with A, AAAA and/or PTR records matching the IP
addresses you add or edit in the terminal network(s). The terminal network Gateway address
does not add any A or AAAA record in the DNS.
If an address is configured with aliases, it can also update the relevant zone(s) with CNAME
records.
Keep in mind that leaving this box unticked can delete any matching records, whether
they were added from the IPAM or directly within the DNS.

Table 52.11. Available properties in the section IPAM to DHCP replication at IP address level
Add a DHCP static
Default value Unticked
Description Tick this box to add a DHCP static whenever you add an IP address. The box Use IPAM name
instead of DHCP client name appears.
Note that you can only add statics if you selected a DHCP failover channel.
Use IPAM name instead of DHCP client name
Default value Unticked
Description Tick this box to name each static you add like its corresponding IP address. Each new static is
automatically configured with the IP address Shortname as value of its option host-name. If you
selected a Default domain, the static is also set with the selected domain as value of its option
domain-name.
If you do not tick the box, a nameless static is added. The static is named when the next DHCP
client connects to the network, it is named after the client.

Table 52.12. Available properties in the section IPAM / Device Manager interaction at IP address level
Add a device
Default value Unticked
Description Tick this box to link the IP address you add or edit with an interface and a device you add from
the IPAM. The fields Device name and Interface name are now required.
Device name
Default value /
Description The name of a device managing the interface to link with the IP address you are adding or
editing.
If you are adding a device, name the device.
If you are linking the IP address with existing objects, specify the name of a device. The field
provides auto-completion, you can specify the first letter(s) of a device name, the matching
device or a list of partial matches to choose from are displayed.
Interface name
Default value /
Description The interface linked with the IP address you are adding or editing. It is displayed as follows:
<interface name> (<device name> - <number of addresses linked with the interface>).
If you are adding a device and an interface, specify the name of the interface.
If you are linking the IP address with existing objects, you can specify an interface name or
leave the field empty to only link the IP address with the device. The field provides auto-comple-
tion, you can specify the first letter(s) of an interface name, the matching interface or a list of
partial matches to choose from are displayed.
Link with device
Default value /
Description The name of an existing device to link with the IP address you are adding or editing. You can
leave the field empty if you fill in the Link with port instead.
The field provides auto-completion, you can specify the first letter(s) of a device name, the
matching device or a list of partial matches to choose from are displayed.
Link with port
Default value /

799
 Managing Advanced Properties

Description The name of an existing port. It is displayed as follows: <port name> (<device name>).
The field provides auto-completion, you can specify the first letter(s) of a port name, the
matching port or a list of partial matches to choose from are displayed.
You can leave the field empty if you only want to link the IP address with a device.

On the page All addresses, the columns Device manager name and Device manager interface
allow to display the interactions. For more details on how to add or display customized list tem-
plates, refer to the section Managing List Templates.

On the page Ports & Interfaces, any changes made from the IPAM change the content of the
column Manually linked to. For more details, refer to the section Tracking Changes on the Page
All ports & interfaces.

Configuring the Transition from IPv4 to IPv6

You can set up a semi-automated way to transition from IPv4 to IPv6 when adding IPv4 objects.
You can link the IPv4 networks or addresses you add with existing IPv6 networks or addresses
as long as they belong to the same space. If you ever stop using IPv4, your addressing plan is
already configured with IPv6.

IPv4 IPv6
SPACE
America

NETWORK Activate the IPv4 to IPv6 transition: yes NETWORK

BLOCK IPv6 network (block): beef:beef BLOCK
USA USA
12.3.0.0/16 beef:beef::/32

NEW IPv6 network (subnet): NEW

NETWORK beef:beef:0c03:0000::/64 NETWORK
SUBNET SUBNET
New York New York
12.3.0.0/24 beef:beef:c03::/64
Transition policy: Offset
NEW IP Corresponding IPv6 address: NEW IP
ADDRESS beef:beef:c03:0:ffff:ffff:f3fd:0
ADDRESS
Name: New York City
Name: New York City Address:
Address: 12.3.0.25 beef:beef:c03:0:ffff:ffff:f3fd:0
IPAM Advanced properties
Activate the IPv4 to IPv6 transition: yes
IPv6 network (block): beef:beef
IPv6 network (subnet): beef:beef:0c03:0000::/64
IPv4 to IPv6 transition policy: Offset
Corresponding IPv6 address: beef:beef:c03:0:ffff:ffff:f3fd:0

Figure 52.13. Transition from IPv4 to IPv6 of a terminal network and an IP address

Transition Specificities
The transition options are configured at space or network level and inherited at lower levels where
you can apply them.
• For block-type networks, if the transition options are configured:
• The transition to IPv6 can be set when adding or editing IPv4 networks.
• The transition can only be set with existing IPv6 block-type networks.

800
 Managing Advanced Properties

• For subnet-type networks, if the transition options are configured:

• The transition to IPv6 requires the address of an existing block-type network, you either
specify it or inherit it from a configured parent network.
• The transition to IPv6 automatically adds the appropriate IPv6 subnet-type network within
the specified block-type network when you add or edit an IPv4 subnet-type network.
• The IPv6 subnet-type network added is named after its IPv4 counterpart.
• For IP addresses, if the transition options are configured:
• The transition is only possible if it was set at network level.
• You can choose the IPv6 address addition behavior.
• Adding or editing an IPv4 address adds the corresponding IPv6. The IPv6 address is named
after the IPv4 address, has the same MAC address, device and class parameters.

If you edit an IPv4 subnet-type network already configured with a VLAN to set the transition to
IPv6, the IPv6 corresponding network inherits the IPAM/VLAN interaction properties, both networks
then belong to the VLAN.

Limitations
• The transition can only be set within one space: you cannot add IPv4 subnet-type networks in
one space and expect to link them with IPv6 subnet-type networks in another space.
• If you set the transition parameters on an existing organization, they are not inherited and have
to be set one object at a time. For more details, refer to the section Setting Advanced Properties.
• For block-type networks, the transition can only be configured and activated with existing IPv6
block-type networks. The transition options do not add block-type networks in IPv6 but only
link IPv4 blocks with existing IPv6 blocks.
• The advanced properties set in IPv4 are not inherited by the corresponding IPv6 objects.
• At pool level, the transition options are not available.
• If you add an object in IPv4 and their IPv6 counterpart overlaps existing objects, only the IPv4
object is added.
• Deleting an IPv4 object linked to an IPv6 object does not delete the corresponding IPv6 object.

1. Configuring the Transition at Space Level

We recommend configuring the transition options at space level to propagate them down to the
IP addresses.

You must first select the advanced properties to display and then configure them.

To select the transition advanced properties to display at space level

1. Make sure the internal module setup is configured, as detailed in the prerequisites.
2. In the sidebar, go to IPAM > Spaces. The page All spaces opens.
3. In the menu, select Extra options > Wizard customization. The wizard Advanced
properties customization opens.
Ancienne taille de la page

4. Tick the box Display the IPv4 to IPv6 transition fields. It displays the fields Activate the
IPv4 to IPv6 transition and IPv6 network (block) in the addition/edition wizard.
5. Click on OK to complete the operation. The report opens and closes.
In the addition/edition wizard, all the properties you ticked are now configurable, they are
part of the Default display.

801
 Managing Advanced Properties

To configure the transition advanced properties at space level

1. In the sidebar, go to IPAM > Spaces. The page All spaces opens.
2. Add or edit a space. The corresponding wizard opens.
For more details, refer to the chapter Managing Spaces.
3. In the section Within the IPAM, tick the box Activate the IPv4 to IPv6 transition. The field
IPv6 network (block) appears.
4. In the field IPv6 network (block), specify the beginning of the address of an existing block-
type network of the space.
The value specified must look as 1234 or 1234:4678. It cannot exceed the first 2 bytes of
the IPv6 address of the block-type network and it cannot include two consecutive semi-colons
(::).
The network you specify becomes the container of the IPv6 terminal subnet-type networks
and addresses you add later on.
5. In the drop-down list Advanced properties at the bottom of the page, Default is selected.
If some fields are not visible, you can select All. The remaining fields appear in the sections,
they are grayed out and not in the default order. Only users of the group admin can configure
or edit properties that are not displayed by Default.
Right of each property, you can click on to define its inheritance and/or propagation
property. For more details, refer to the chapter Inheritance and Propagation.
6. Click on OK to complete the operation. The report opens and closes.
Your transition details are displayed on the space properties page, in the panel Advanced
properties.

The options you set at this level are inherited by the IPv4 blocks you add in your space. The
property can be inherited at lower levels.

Once the options are configured, the IPv4 networks it contains inherit them. You can untick the
box Activate the IPv4 to IPv6 transition if you do not want to set a transition for the objects at
lower levels.

2. Configuring the Transition at Network Level

Now that you have a space set with transition options, the block-type network and subnet-type
networks it contains inherit the properties.

You must first select the advanced properties to display and then configure them.

To select the transition advanced properties to display at network level

1. Make sure the internal module setup is configured, as detailed in the prerequisites.
2. In the sidebar, go to IPAM > Networks. The page All networks opens.
3. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
4. In the menu, select Extra options > Wizard customization. The wizard Advanced
properties customization opens.
Ancienne taille de la page

5. Tick the box Display the IPv4 to IPv6 transition fields. It displays the fields Activate the
IPv4 to IPv6 transition, IPv6 network (block) and IPv6 network (subnet) in the addition/edition
wizard.
6. Click on OK to complete the operation. The report opens and closes.

802
 Managing Advanced Properties

In the addition/edition wizard, all the properties you ticked are now configurable, they are
part of the Default display.

To configure the transition advanced properties at block-type network level

1. In the sidebar, go to IPAM > Spaces. The page All spaces opens.
2. Click on the name of the space you applied the transition options to. The page All networks
of the space opens.
3. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
4. Add or edit a block-type network. The corresponding wizard opens.
For more details, refer to the chapter Managing Networks.
5. On the last page of the wizard, in the section Within the IPAM, the box Activate the IPv4 to
IPv6 transition is ticked.
6. The field IPv6 network (block) displays the value set at space level. It is grayed out.
If you have sufficient rights, you can edit the inherited value displayed. Click on to Set the
Inheritance property, the field is no longer grayed out. The bytes entered must correspond
to an existing IPv6 block-type network and look as 1234 or 1234:4678 without consecutive
semi-colons.
7. In the drop-down list Advanced properties at the bottom of the page, Default is selected.
If some fields are not visible, you can select All. The remaining fields appear in the sections,
they are grayed out and not in the default order. Only users of the group admin can configure
or edit properties that are not displayed by Default.
Right of each property, you can click on to define its inheritance and/or propagation
property. For more details, refer to the chapter Inheritance and Propagation.
8. Click on OK to complete the operation. The report opens and closes.
Your transition details are displayed on the network properties page, in the panel Advanced
properties.

Once the option is configured, the IPv4 networks you add within the block-type network inherit
it. You can untick the box Activate the IPv4 to IPv6 transition if you do not want to set a
transition for some of the objects at lower levels.

Once you have added the block-type network, you can add a subnet-type network.

To configure the transition advanced properties at subnet-type network level

1. In the sidebar, go to IPAM > Networks. The page All networks opens.
2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. Click on the name of the block-type network you applied the transition options to. The page
All networks of that network opens.
4. Add or edit a subnet-type network. The corresponding wizard opens.
For more details, refer to the chapter Managing Networks.
5. On the last page of the wizard, in the section Within the IPAM, the box Activate the IPv4 to
IPv6 transition is ticked.
6. The field IPv6 network (block) displays the value set at space or block-type network level.
It is grayed out.
If you have sufficient rights, you can edit the inherited value displayed. Click on to Set the
Inheritance property, the field is no longer grayed out. The bytes entered must correspond

803
 Managing Advanced Properties

to an existing IPv6 block-type network and look as 1234 or 1234:4678 without consecutive
semi-colons.
7. The field IPv6 network (subnet) displays the start address and prefix of the IPv6 subnet-
type network added for the IPv4 network you are adding. It is automatically filled using the
value of IPv6 network (block) and cannot be edited.
8. In the drop-down list Advanced properties at the bottom of the page, Default is selected.
If some fields are not visible, you can select All. The remaining fields appear in the sections,
they are grayed out and not in the default order. Only users of the group admin can configure
or edit properties that are not displayed by Default.
Right of each property, you can click on to define its inheritance and/or propagation
property. For more details, refer to the chapter Inheritance and Propagation.
9. Click on OK to complete the operation. The report opens and closes.
Your transition details are displayed on the network properties page, in the panel Advanced
properties.

The existing networks are not impacted, to configure them like their container refer to the section
Setting Advanced Properties.

Once the options are configured, the IPv4 terminal networks and addresses you add within your
subnet-type network inherit them. You can untick the box Activate the IPv4 to IPv6 transition
if you do not want to set a transition for some of the objects at lower levels.

3. Configuring the Transition at IP address Level

At IP address level, all the configurations set at higher levels are inherited. Therefore, within a
terminal network configured with the transition options, the IP address addition wizard automat-
ically displays the transition dedicated field.

You must first select the transition policy and then configure it.

To select the transition advanced properties to display at IP address level

1. Make sure the internal module setup is configured, as detailed in the prerequisites.
2. In the sidebar, go to IPAM > Addresses. The page All addresses opens.
3. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
4. In the menu, select Extra options > Wizard customization. The wizard Advanced
properties customization opens.
Ancienne taille de la page

5. In the drop-down list IPv4 to IPv6 transition policy, select the IP address addition policy
to implement in the networks configured with the transition:
• Offset allows to take into account the position of the address you are adding within the
IPv4 terminal network and reuse it when adding the corresponding IPv6 address. The
100th address of the IPv4 subnet-type network adds the 100th address of the related IPv6
subnet-type network.
• Injection allows to convert in hexadecimal the IPv4 address you are adding and use the
whole address in its hexadecimal from as the last two bytes of the corresponding IPv6
address.
• First IP address available allows to add the first available IP address in the IPv6 terminal
network when you add an address in the IPv4 terminal network.
6. Click on OK to complete the operation. The report opens and closes.
In the addition/edition wizard, the selected policy is now part of the Default display.

804
 Managing Advanced Properties

To configure the transition advanced properties at IP address level

1. In the sidebar, go to IPAM > Networks. The page All networks opens.
2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
The page refreshes and the button turns black.
3. Click on the Name of a terminal subnet-type network you applied the transition options to.
The page All addresses of the network opens.
4. Add or edit an IP address. The corresponding wizard opens.
For more details, refer to the chapter Managing IP Addresses.
5. In the section Within the IPAM, the field Corresponding IPv6 address displays the IPv6
address. It is grayed out.
This calculated IPv6 address depends on the transition you chose during the Wizard custom-
ization, in the previous procedure.
6. In the field Shortname, name the IP address. The IPv6 address is named the same. The
IP address name field displays the shortname you specified.
7. In the drop-down list Advanced properties at the bottom of the page, Default is selected.
If some fields are not visible, you can select All. The remaining fields appear in the sections,
they are grayed out and not in the default order. Only users of the group admin can configure
or edit properties that are not displayed by Default.
Right of each property, you can click on to define its inheritance and/or propagation
property. For more details, refer to the chapter Inheritance and Propagation.
8. Click on NEXT . The last page opens.
9. Click on OK to complete the operation. The report opens and closes. The corresponding
IPv6 address is added, it has the same name and MAC address.
Your transition details are displayed on the properties page of both IP addresses, in the
panel Advanced properties.

The existing addresses are not impacted, to configure them like their container refer to the section
Setting Advanced Properties.

805
 Managing Advanced Properties

Configuring DHCP Advanced Properties

You can configure DHCP servers, scopes and ranges with IPAM properties and DNS properties.

For instance, you could add an IP address every time you allocate a DHCP lease.

DHCP IPAM
DHCP Push leases to IPAM: yes SPACE
SERVER
dhcp1.mycorp.com America

NETWORK
Use client name BLOCK
SCOPE USA
(FQDN): yes 10.6.0.0/15
New York
10.6.0.0/24 NETWORK
SUBNET
New York
10.6.0.0/24
RANGE
10.6.0.1 POOL
-10.6.0.50
Manhattan
10.6.0.1-10.6.0.50
NEW NEW IP
LEASE ADDRESS
IP Address: 10.6.0.42 IP Address: 10.6.0.42
MAC address: be:ef:12:34:be:ef MAC address: be:ef:12:34:be:ef
Name: client.mycorp.com Name: client.mycorp.com
IPAM advanced properties
Push leases to IPAM: yes
Use client name (FQDN): yes

Figure 52.14. DHCP to IPAM replication at lease level

Keep in mind that:

• On servers managed via a smart architecture, the advanced properties must be configured on
the smart architecture itself. The addition/edition wizard of the physical server and the scopes
and ranges it contains do not display the advanced properties fields.
• All configured DHCP to IPAM advanced properties directly update the IPAM database.
• All configured DHCP to DNS advanced properties only update the DNS database if they are
sent to the IPAM first. Therefore, you must configure IPAM to DHCP advanced properties to
update the DNS with DHCP data.
On EfficientIP DHCP servers, the static reservations cannot update the DNS until the client
connects to the network and is allocated a lease. For more details, refer to the image The
replication of DHCP statics in the DNS for EfficientIP DHCP servers.
• You can protect the name of your DHCP objects.
As updating the DNS database relies on names, you can protect DHCP names. If you add an
IP address in a network configured with IPAM to DNS properties but without IPAM to DHCP
properties, the new IP address and its name are sent to the DNS. From that point on, the record
is used as reference. Therefore, even if any lease matches said name, that name is not sent
to the IPAM and does not update the DNS. The name you configured directly in the IPAM is,
and remains, only referenced in the IPAM.

You must first select the advanced properties to display and then configure them.

806
 Managing Advanced Properties

To select the advanced properties to display at server, scope or range level

1. Make sure the internal module setup is configured, as detailed in the prerequisites.
2. In the sidebar, go to DHCP > Servers, Scopes or Ranges. The page opens.
3. In the menu, select Extra options > Wizard customization. The wizard Advanced
properties customization opens.
Ancienne taille de la page

4. Tick the properties you want to display or enable in the addition/edition wizard.
a. To configure DHCP to IPAM replication properties, you can tick the following boxes.
By default, only the box Push leases to IPAM is ticked at server and range level.
• Display the box "Push leases to IPAM".
You must tick this box to be able to display the box Update DNS in the addition/edition
wizard.
• Display the drop-down list "Lease name".
In the addition/edition wizard, you can only display this box if the box "Push leases
to IPAM" is ticked.
• Display the box "Use client name (FQDN)".
In the addition/edition wizard, you can only display this box if the box "Push leases
to IPAM" is ticked.
b. To configure DHCP to DNS replication properties, you can tick the following box.
By default, the box is ticked at server and range level.
• Display the box "Update DNS".
You must tick this box to be able to save the DNS replication configuration in the ad-
dition/edition wizard.
In the addition/edition wizard, you can only display this box if the box Push leases to
IPAM is ticked.

5. Click on OK to complete the operation. The report opens and closes.

In the addition/edition wizard, all the properties you ticked are now configurable, they are
part of the Default display.

In the procedure below, all properties are detailed. You must configure them at server level, if
you propagate them, most fields can already be filled at lower levels. For more details, refer to
the chapter Inheritance and Propagation.

To configure advanced properties at server, scope or range level

1. In the sidebar, go to DHCP > Servers, Scopes or Ranges. The page opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. Add or edit the server, scope or range of your choice. The corresponding wizard opens.
For more details, refer to the part DHCP.
4. On the last page of the wizard, configure the advanced properties of your choice.
Note that:
• The advanced properties are distributed in dedicated sections, the available fields depend
on the Wizard customization.
• Right of each property, you can click on to define its inheritance and/or propagation
property. For more details, refer to the chapter Inheritance and Propagation.
• Some fields may not be visible, if they are not part of the wizard Default display.

807
 Managing Advanced Properties

In the drop-down list Advanced properties at the bottom of the page, you can select All.
The remaining fields appear in the sections, they are grayed out and not in the default
order. Only users of the group admin can configure or edit properties that are not displayed
by Default.
• All the advanced properties are described in the following tables:
• Available properties in the section DHCP to IPAM replication at server, scope and range
level.
• Available properties in the section DHCP to DNS replication at server, scope and range
level.
5. Click on OK to complete the operation. The report opens and closes.
Your configuration details, whether set or inherited, are displayed on the object properties
page, in the panel Advanced properties.

The existing scopes and ranges are not impacted, to configure them like their container refer to
the section Setting Advanced Properties.

Table 52.13. Available properties in the section DHCP to IPAM replication at server, scope and range
level
Push leases to IPAM
Default value Unticked
Description Tick this box to add an IP address in the IPAM matching the client name and MAC address of
each allocated lease. The fields Lease name, Use client name (FQDN) and Update DNS appear
in the relevant sections.
If you set a space for the scope, the IP address is added or edited in that space. If you did not
set any space for the scope, the IPAM update applies to any matching IP address in the smallest
terminal network possible.
Lease name
Default value Only one client can update the IPAM
Description Allows to decide which name to send to the IPAM, either Only the first client updates the IPAM,
Only one client can update the IPAM or Clients always update the IPAM.
This box is useful in case of hostname conflict between the DHCP and the IPAM.
Keep in mind that, if the IPAM to DNS properties are set, what you chose to send from the DHCP
also affects the DNS as only the information of the IPAM updates the DNS.
Only the first client updates the IPAM: select this value if multiple clients with the same name
obtain a lease, only the first client sends their name to the IPAM. The following clients with the
same name, only send their IP and MAC addresses to the IPAM.
If the IPAM to DNS properties are set, only the first client updates the DNS.
Only one client can update the IPAM: select this value if you have mobile clients. If multiple
clients with the same name and different MAC addresses obtain a lease, the first client sends
their name to the IPAM, the next client only sends their IP and MAC addresses. That way, if the
IPAM to DNS properties are set, only one client updates the DNS, the first who obtained the
lease.
Note that if a client with a known name and known MAC address obtains a lease, their name,
MAC address and IP address are sent to the IPAM, and therefore may update the DNS.
Clients always update the IPAM: select this value to send the lease name to the IPAM no
matter what it already contains. This is the most permissive mode, every DHCP client sends their
lease information to the IPAM, no matter their name, IP or MAC address. The information of each
lease is sent to the IPAM even if it already contains entries of the same name.
If the IPAM to DNS properties are set, the latest lease information sent to the IPAM updates the
DNS, any existing record with same name, previously added from a lease, is deleted.
Use client name (FQDN)
Default value Unticked
Description Tick this box to push the lease client name in the IPAM, instead of the lease name.

808
 Managing Advanced Properties

If you tick the box Update DNS as well, the zone matching the FQDN of the client name is updated.

Table 52.14. Available properties in the section DHCP to DNS replication at server, scope and range level
Update DNS
Default value Unticked
Description Tick this box to update the relevant records with the lease information. It is only displayed if the
box Push leases to IPAM is ticked.
Keep in mind that DHCP data can only update the DNS if it is sent to the IPAM first. For this
reason, the DNS server(s) configured for the IPAM to DNS replication are the ones updated by
the changes in the DHCP.

809
 Managing Advanced Properties

Configuring DNS Advanced Properties

You can configure DNS servers, views and zones with IPAM properties and DNS properties.

Adding a record in the DNS can automatically add an IP address in the IPAM.

DNS IPAM
DNS Update IPAM: yes SPACE
SERVER
ns1.mycorp.com America

NETWORK
BLOCK
USA
ZONE 10.6.0.0/15
mycorp.com NETWORK
SUBNET
New York
10.6.0.0/24

NEW NEW IP
RECORD ADDRESS
Type: A Name: pc.mycorp.com
RR name: pc IP address: 10.6.0.142
Complete name: pc.mycorp.com
IP address: 10.6.0.142
IPAM advanced properties
Update IPAM: yes

Figure 52.15. DNS to IPAM replication at record level

Keep in mind that on servers managed via a smart architecture, the advanced properties must
be configured on the smart architecture itself. The addition/edition wizard of the physical server
and the scopes and ranges it contains do not display the advanced properties fields.

You must first select the advanced properties to display and then configure them.

To select the advanced properties to display at server, view or zone level

1. Make sure the internal module setup is configured, as detailed in the prerequisites.
2. In the sidebar, go to DNS > Servers, Views or Zones. The page opens.
3. In the menu, select Extra options > Wizard customization. The wizard Advanced
properties customization opens.
Ancienne taille de la page

4. Tick the properties you want to display in the addition/edition wizard.

a. To configure DNS to IPAM replication properties, you can tick the following box.
By default, the box is ticked at all levels.
• Display the box "Update IPAM".
b. To configure properties Within the DNS, you can tick the following box.
By default, the box is only ticked at zone level.
• Display the box "Add a PTR".

5. Click on OK to complete the operation. The report opens and closes.

810
 Managing Advanced Properties

In the addition/edition wizard, all the properties you ticked are now configurable, they are
part of the Default display.

In the procedure below, all properties are detailed. You must configure them at server level, if
you propagate them, most fields can already be filled at lower levels. For more details, refer to
the chapter Inheritance and Propagation.

To configure advanced properties at server, view or zone level

1. Go to DNS > Servers, Views or Zones. The page opens.
2. Add or edit the server, view or zone of your choice. The corresponding wizard opens.
For more details, refer to the part DNS.
3. On the last page of the wizard, configure the advanced properties of your choice.
Note that:
• The advanced properties are distributed in dedicated sections, the available fields depend
on the Wizard customization.
• Right of each property, you can click on to define its inheritance and/or propagation
property. For more details, refer to the chapter Inheritance and Propagation.
• Some fields may not be visible, if they are not part of the wizard Default display.
In the drop-down list Advanced properties at the bottom of the page, you can select All.
The remaining fields appear in the sections, they are grayed out and not in the default
order. Only users of the group admin can configure or edit properties that are not displayed
by Default.
• All the advanced properties are described in the following tables:
• Available properties in the section DNS to IPAM replication at server, view and zone
level.
• Available properties in the section Within the DNS at server, view and zone level.
4. Click on OK to complete the operation. The report opens and closes.
Your configuration details, whether set or inherited, are displayed on the object properties
page, in the panel Advanced properties.

The existing views and zones are not impacted, to configure them like their container refer to the
section Setting Advanced Properties.

Table 52.15. Available properties in the section DNS to IPAM replication at server, view and zone level
Update IPAM
Default value Unticked
Applies to Master and Hint zones
Description Tick this box to update the IPAM when you add A, AAAA or CNAME resource records.
If you set a space for the zone, the IP address and alias are added or edited in that space. If you
did not set any space for the zone, the IPAM update applies to any matching IP address in the
smallest terminal network possible.

Table 52.16. Available properties in the section Within the DNS at server, view and zone level
Add a PTR
Default value Unticked
Applies to Master zones
Description Tick this box to add a PTR record for each A or AAAA resource record added in the DNS.
Note that if you add several A records with one IP address pointing to several names, only the
first PTR record is added.

811
 Managing Advanced Properties

Setting Advanced Properties

Advanced properties can be set on or several regardless of any preexisting configuration. This
operation is quite advanced and should not be delegated lightly to users that do not belong the
group admin. Standard users can view but not edit the advanced properties configuration of an
object. They appear in gray in the addition and edition wizards.

You cannot use this option on VLAN and Device Manager advanced properties.

Using the option Set advanced properties allows to:

• Set a property on an object.
• Overwrite any advanced property already configured.
• Overwrite the value of the Inheritance property and/or Propagation property of an advanced
property.
• Propagate a configured advanced property to child objects if their Inheritance property is con-
figured to Inherit.
• Restrict an advanced property at the level of your choice.

Note that, in the wizard, the drop-down lists Inheritance property and Propagation property are
only displayed if they are relevant to the object you selected.

To set advanced properties on several objects

This operation should only be performed by users of the group admin.
1. Depending on your needs, in the sidebar:
a. Go to IPAM > Spaces, Networks, Pools or Addresses. The page opens.
b. Go to DHCP > Servers, Scopes or Ranges. The page opens.
c. Go to DNS > Servers, Views or Zones. The page opens.
2. Tick the object(s) for which you want to set advanced properties.
3. In the menu, select Tools > Expert > Set advanced properties. The wizard Set ad-
vanced properties opens.
4. In the drop-down list Property, select the advanced property of your choice. The page re-
freshes and the drop-down list Value appears.
5. In the drop-down list Inheritance property, configure the advanced property inheritance
behavior:
a. Select Set to set the advanced property or overwrite the value of the advanced property
if it is already set on the object. This value is selected by default.
b. Select Inherit to inherit the advanced property from a parent object. Selecting this value
hides the drop-down list Value.
6. If you selected Set, in the drop-down list Value select the parameter value.
7. In the drop-down list Propagation property, configure the advanced property propagation
behavior:
a. Select Propagate to propagate the advanced property value on the child objects. The
propagation is only possible if the child objects Inheritance property is Inherit. This value
is selected by default.
b. Select Restrict to only configure the advanced property on the object(s) selected and
prevent its propagation to the child objects.

812
 Managing Advanced Properties

8. Click on ADD to move your advanced property configuration to the Advanced properties
list.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the field(s)
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
9. Repeat the steps 5 to 9 for as many advanced properties as you need.
10. Click on OK to complete the operation. The report opens and closes. Any property value and
configuration previously set for the selected object(s) is overwritten.

813
 Part IX. Application
The module Application allows to maintain an application inventory, tailor application traffic on your network
and optimize user experience.

Every application you add is registered with a Fully Qualified Domain Name (FQDN) and configured with a
set of pools and nodes that define its infrastructure. The application infrastructure allows to define a traffic
policy.

Each traffic policy can be enforced on your network thanks to an existing DNS infrastructure. After enabling
Global Server Load Balancing (GSLB) on compatible SOLIDserver appliances, you can associate application
traffic policies with one or more GSLB servers and deploy the traffic policy on your network.

The way you configure your traffic policies can therefore maximize application availability and optimize the
way users access your applications.

Once an application is deployed, your application traffic policy takes over the DNS resolution if and only if
the query matches the FQDN of the application. If it does, the query is routed to the appropriate pool, the
load balancing configuration of that pool determines which node is the most suited to answer the query and
the node IP address is sent out to the querying client if its last health check was successful. Even if an ex-
isting record could have answered the query it does not, whether the server cached it or has authority over
it, the standard DNS answer is ignored.

When traffic policy deployments are complete, the GSLB server only handles queries if they match a registered
FQDN and if at least one application node is operational. In any other case, the DNS server answers the
queries.

domain
www.mydomain.com GSLB server FQDN: www.domain.com

mydomain
FQDN: www.mydomain.com
pool-v4
192.168.2.2 associated with the applications 192.168.2.1
mydomain and domain 192.168.2.2

192.168.2.3

Figure 212. How a deployed application takes over the DNS resolution

The Application hierarchy includes 3 levels:

• Applications: The highest level of the hierarchy. It contains pools and nodes. An application is configured
with a unique FQDN and once associated with one or more GSLB enabled server(s), it can deploy its
configuration on your network. For more details, refer to the chapter Managing Applications.
• Pools: The second level of the hierarchy. They contain nodes. A pool can manage IPv4 or IPv6 addressing,
its load balancing configuration determines how the traffic is directed toward the nodes it manages. For
more details, refer to the chapter Managing Pools.
• Nodes: The last level of the hierarchy. They belong to a pool. They have a unique IPv4 or IPv6 address
and can be configured with a health check that ensures they are responsive. For more details, refer to
the chapter Managing Nodes.

Before managing the Application objects you must configure the module as detailed in the chapter
Configuring Application.

Note that from the module Dashboards, you can monitor the module data or set up custom shortcuts and
search engines using gadgets. For more details, refer to the part Dashboards.
Table of Contents
53. Configuring Application ............................................................................................ 816
Prerequisites ........................................................................................................ 816
Limitations ............................................................................................................ 816
Configuring and Enabling the Service GSLB Server ................................................ 817
54. Managing Applications ............................................................................................. 819
Browsing Applications ........................................................................................... 819
Adding and Deploying Applications ......................................................................... 820
Adding and Deploying Applications and Traffic Policies ............................................ 821
Editing Applications ............................................................................................... 823
Deleting Applications ............................................................................................. 824
55. Managing Pools ....................................................................................................... 825
Browsing Pools ..................................................................................................... 825
Adding Pools ........................................................................................................ 826
Editing Pools ......................................................................................................... 827
Deleting Pools ....................................................................................................... 828
56. Managing Nodes ..................................................................................................... 829
Browsing Nodes .................................................................................................... 829
Adding Nodes ....................................................................................................... 831
Editing Nodes ....................................................................................................... 834
Managing or Unmanaging Nodes ........................................................................... 834
Deleting Nodes ..................................................................................................... 835

815
Chapter 53. Configuring Application
To configure the module Application and use it to the fullest you must:
• Meet the prerequisites.
• Take into account the limitations.
• Configure and enable the service GSLB Server.

Prerequisites
• A SOLIDserver appliance in version 7.1 or higher.
• An appliance with at least 8 GB of RAM:
• Either one of our hardware appliance models, except SOLIDserver-260 and SOLIDserver-
3300.
• Or a virtual appliances must be configured with an intel network card (em*, ig*, igb*, ix*, ixg*,
ixv* or ixl*) or a VMware VMXNET network card (vmx*).
• The license DNS GSLB:
• Without it you cannot associate applications with GSLB servers, and therefore you cannot
deploy traffic policies on your network.
• It must be activated on every SOLIDserver appliance meant to load balance application
traffic.
• An appliance properly configured:
• The communication between a GSLB enabled SOLIDserver and its clients has to be over
UDP and/or TCP.
• Both DNS and GSLB dedicated services must be running to ensure service continuity. Make
sure that either the services GSLB Server and DNS server (named) or the services GSLB
Server and DNS server (unbound) are both enabled and started.
• Any FQDN registered for an application must be resolvable to be properly deployed. Either
the GSLB server manages an A or AAAA record matching the FQDN or it can cache the
initial FQDN answer.
• Make sure traffic policies can actually take over the resolution. You must adapt the TTL of
the resource records matching the FQDNs you register for any application. The new TTL
must take into account your traffic policy details, the pool session duration you may configure
and the configuration of your nodes health check.
• The appropriate rights and resources configured for end users.
• To be able to see the module Application and its content, users must belong to a group
granted the right Display: applications list, allowed by default.
• To be able to manage all objects, users must belong to a group granted access to all the
module Application rights.
• To be able to configure an application with a GSLB server, users must belong to a group
that is granted the right Display: DNS servers list and has the server among its resources.

Limitations
• One DNS server cannot be used for DNSSEC and GSLB.
If you associate an application with a GSLB server used as DNSSEC resolver and/or that has
signed zones, its resolution and/or answers are no longer DNSSEC compliant.
• DNS round-robin is not supported by the Application nodes.

816
 Configuring Application

If a node does not answer, the server associated with the application answers the query.
However, any round-robin configuration in the DNS is ignored, only one record is used to answer
the query, the rest of the records configured are ignored.
• When you deploy an application on a GSLB server from the GUI, a comparison between the
GSLB objects in the GUI and the ones already on the GSLB server is done. The objects that
are on the GSLB server and also in the GUI are kept. The objects that are only present on the
GSLB server are deleted and the objects only in the GUI are added on the GSLB server.
When restoring a backup, whether you added, edited or deleted objects since the backup was
saved, all changes are lost and may not even be visible in the GUI. Before restoring a backup,
make sure you saved it when the Application database was up-to-date.
• You can only configure and apply classes at application level. For more details regarding
classes, refer to the chapter Configuring Classes.

Configuring and Enabling the Service GSLB Server

Once you have met the prerequisites and have taken into account the limitations, you must
configure the listening interfaces of all GSLB enabled servers and enable the service. Without
this configuration, the traffic policies are listed in the module but never deployed on your network.

The DNS must be running as well. Make sure the services GSLB server and DNS server
(named / nsd / unbound) are both enabled and started.

Note that if your license includes both DNS Guardian and DNS GSLB, you must configure the
line DNS Guardian / GSLB server as both features rely on the same service.

To configure the listening interfaces of GSLB server and enable the service
Only users of the group admin can perform this operation.
1. Configure the listening interfaces of GSLB server
a. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
b. In the section System, click on Services configuration. The page Services configur-
ation opens.
c. In the column Name, click on GSLB server or DNS Guardian / GSLB server. The
wizard GSLB server configuration or DNS Guardian & GSLB server configuration
opens.
d. In the list Available interfaces, select the interface of your choice and click on . The
interface is moved to the list Selected interfaces.
Each interface is listed <interface-name> (<MAC-address>), whether it is active or not.
Only Intel network interfaces are listed as no other interface card can be configured for
the service.
e. Repeat this action for as many interfaces as you need.
To remove an interface from the list Selected interfaces, select it and click on . The
interface is moved back to the list Available interfaces.
f. Click on OK to complete the operation. The report opens and closes.
2. Enable the service GSLB server
a. In the column Name, look for GSLB server or DNS Guardian / GSLB server.
b. In the column Enabled, click on the link Disabled to enable the service. The wizard
opens.
c. Click on OK to complete the operation. The wizard closes.

817
 Configuring Application

3. Apply your configuration

a. Right now your configuration is pending. In the menu, select Tools > Apply config-
uration to save your changes. The wizard Commit the system configuration changes
opens.
b. Click on OK to complete the operation. The page refreshes.
If the service is marked ! Warning, it might mean that the system has not enough
memory installed, that a configuration file is corrupt or that the license is not valid.
Once the service is enabled, on the page All servers all compatible DNS servers are marked
Enabled in the column Guardian/GSLB.

To stop or disable the service GSLB server, refer to the section Handling Services in the chapter
Configuring the Services.

818
Chapter 54. Managing Applications
From the page All applications you can manage applications and set up entire traffic policies.

Each application must be configured with a Fully Qualified Domain Name (FQDN) that can be
resolved.

To deploy an application or traffic policy on your network you must associate it with one or more
GSLB enabled servers able to resolve the application FQDN:
• On recursive servers, the initial query of the FQDN is cached in order to answer all the following
queries.
• On authoritative server, the FQDN must be declared as A or AAAA record in one of its zones.

Once an application is deployed on at least one GSLB server, when a client queries a domain:
1. The application handles the query if it is configured with the relevant FQDN.
2. It directs the query to the relevant pool and node.

You can either add an application and then add the pools and nodes it contains, or you can add
the application and its traffic policy from the page All applications. For more details, refer to the
section Adding and Deploying Applications and Traffic Policies.

Browsing Applications
The application is the highest level of the Application hierarchy.

NODE

APPLICATION POOL

NODE

Figure 54.1. The application in the Application hierarchy

Browsing the Application Database

To display the list of applications
1. In the sidebar, go to Application > Applications. The page All applications opens.
2. To display or hide deployed applications, on the right-end side of the menu, click on . The
page refreshes.
In the column Name, the icon precedes every application.
If there are deployed applications, they are preceded by the icon and listed under the
parent application name as many times as there are GSLB servers associated with the ap-
plication.

To display an application properties page

1. In the sidebar, go to Application > Applications. The page All applications opens.

819
 Managing Applications

2. At the end of the line of the application of your choice, deployed or not, click on . The ap-
plication properties page opens.

Customizing the Display on the Page All Applications

Any user can change the column layout of the page via the button List template, on the right-
end side of the menu. Only users of the group admin can add or edit list templates. For more
details, refer to the section Managing List Templates.

All the columns are displayed by default.

Table 54.1. The columns on the page All applications

Column Description
Name The name of the application.
FQDN The FQDN of the application.
GSLB server The name of the physical server associated with a deployed application, it answers the
queries made to the application FQDN.
Class The class applied to the application, the column is empty for the deployed application and
traffic policies. For more details, refer to chapter Configuring Classes.
Multi-status The message(s) regarding deployed nodes of the application. For more details, refer to
the section Understanding the Column Multi-Status or Multi-Status Messages.
The column is always empty for applications not associated with any server.
Status The status of the application or the service GSLB server. For more details, refer to the
section Understanding the Statuses on the Page All Applications.

Understanding the Statuses on the Page All Applications

The column Status returns information regarding the applications, their content and the service
GSLB server.

Table 54.2. The statuses on the page All applications

Status Description
OK The application and its content are configured and running.

! Warning The Operational status of at least one of the nodes of the application is Inactive.

Down The Operational status of all the nodes of the application is Inactive.

Delayed delete The content of the application is being deleted from the physical servers it is
deployed on.
GSLB Timeout The service GSLB server is unreachable.

GSLB Invalid credentials The SSL credentials of the GSLB server associated with the application are
invalid or this server is already managed by another appliance and you need
to specify your credentials again. For more details, refer to the section Editing
DNS Servers.
GSLB Stopped The service GSLB server is not running.

Adding and Deploying Applications

From the page All applications you can add applications, they are the entry point to managing
pools and nodes. To add an application and its content in a single wizard, refer to the section
Adding and Deploying Applications and Traffic Policies.

820
 Managing Applications

Before adding an application, keep in mind that:

• An application must have a unique name and FQDN.
Several applications can share the same name if they manage different FQDNs. In the same
way, several applications can manage the same FQDN if they have different names.
• The FQDN of an application must be resolvable.
• To deploy an application and its content on your network, you must associate it with at least
one GSLB server.
• A GSLB server can only be associated once with one FQDN.
Once associated with an application, a GSLB server cannot be associated with another applic-
ation managing the same FQDN.
• Any FQDN registered for an application must be resolvable to be properly deployed. Either the
GSLB server manages an A or AAAA record matching the FQDN or it can cache the initial
FQDN answer.

You can add as many applications as you need.

To add an application and deploy it

1. In the sidebar, go to Application > Applications. The page All applications opens.
2. In the menu, select Add > Application. The wizard Add an application opens.
3. If custom classes are enabled at application level, in the list Application class select a class
or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
4. In the field Name, specify the name of the application.
5. In the field FQDN, specify the Fully Qualified Domain Name of the application.
6. In the list Available GSLB servers, you can select a server and click on . The server is
moved to the list Selected GSLB servers.
Only GSLB enabled physical servers are listed, whether they are managed by a smart archi-
tecture or not.
To remove a server from the Selected GSLB servers, select it and click on . The server
is moved back to the list Available GSLB servers.
7. Repeat the operation for as many as servers as needed.
8. Click on OK to complete the operation. The report opens and closes. The application is listed.
If you associated the application with one or more GSLB servers, click on on the right-
end side of the menu. Several lines appear under the application itself, there is a line for
each of the server(s) the application is deployed on.

Once added, you can edit the GSLB server association of an application. For more details, refer
to the section Editing Applications.

Adding and Deploying Applications and Traffic Policies

From the page All applications you can add applications and their traffic policies, that is to say a
pool and its nodes, in one wizard.

Before adding an application and its traffic policy keep in mind that:
• An application must have a unique name and FQDN.

821
 Managing Applications

Several applications can share the same name if they manage different FQDNs. In the same
way, several applications can manage the same FQDN if they have different names.
• To deploy an application and its traffic policy on your network, you must associate it with at
least one GSLB server.
• Any FQDN registered for an application must be resolvable to be properly deployed. Either the
GSLB server manages an A or AAAA record matching the FQDN or it can cache the initial
FQDN answer.
• A GSLB server can only be associated once with one FQDN.
Once associated with an application, a GSLB server cannot be associated with another applic-
ation managing the same FQDN.
• After adding an application and traffic policies, the application, pool and node(s) it contains are
managed individually. To edit any, you must refer to the edition section of each object.

To add an application and deploy it with traffic policies

1. In the sidebar, go to Application > Applications. The page All applications opens.
2. In the menu, select Add > Application and traffic policy. The wizard opens.
3. If custom classes are enabled at application level, in the list Application class select a class
or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
4. In the field Name, specify the name of the application.
5. In the field FQDN, specify the Fully Qualified Domain Name of the application.
6. In the list Available GSLB servers, you can select a server and click on . The server is
moved to the list Selected GSLB servers.
Only GSLB enabled physical servers are listed, whether they are managed by a smart archi-
tecture or not.
To remove a server from the Selected GSLB servers, select it and click on . The server
is moved back to the list Available GSLB servers.
7. Repeat the operation for as many as servers as needed.
8. Click on NEXT . The page Add a pool opens.
9. Configure the pool:

Field Description
Name The name of the pool. This field is required.
Protocol The IP protocol version of the pool and its nodes, either IPv4 or IPv6. This field is required.
Load balancing The mode of the pool, either Round-robin, Latency or Weighted. By default, Round-robin
mode is selected. This field is required.
Round-robin The traffic is evenly directed to all active nodes.
Latency The traffic is directed to the active nodes with the best latency. If you select
this mode, the field Max. preferred nodes appears.
Max. preferred The number of active nodes with the best latency that must
nodes answer queries.
Weighted The traffic is directed to the active nodes depending on their weight.
Enable session Allows to set a period of time during which all traffic is directed to the nodes. If you tick the
affinity box, the field Session duration appears.
Session The period of your choice, in seconds. By default, it is set to 300. This field
duration is required.

822
 Managing Applications

10. Click on NEXT . The page Add a node opens.

11. Add at least one node.
a. Configure the node:

Field Description
Name The name of the node. Each node name must be unique.
IP address The IPv4 or IPv6 address of the node, depending on the selected Pool protocol.
Each node IP address must be unique.
Mode The mode of the node, either Active or Backup. If the pool is configured with the
load balancing mode Latency, the field is in read-only and the node is Active by
default.
Health Check type The type of node health check, either None, HTTP(S), Ok, Ping or TCP. None is
selected by default.
None There is no health check configured for the node, whether the
node is answering queries or not, its Status is always OK.
HTTP(S) The health check of the node is performed via HTTPS.
Ok The health check of the node always marks the node Operational
status as OK.
Ping The health check of the node is performed using ping commands.
TCP The health check of the node is performed via TCP.

b. Click on ADD . The node is moved to the Node list and listed as follows: <node-name>
- <IP-address> - <health-check-type> (<mode>).
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the
field(s) and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
Repeat the operation for as many nodes as needed
12. Click on OK to complete the operation. The report opens and closes. The application is listed.
If you associated the application with one or more GSLB servers, click on on the right-
end side of the menu. Several lines appear under the application itself, there is a line for
each of the server(s) the application is deployed on.

If you associated the application with a GSLB server and configured it with a resolvable FQDN,
the application and the traffic policies are deployed right away.

Once added, you cannot edit a traffic policy. However you can individually edit the application,
pool and node(s) that compose it. For more details, refer to the sections Editing Applications,
Editing Pools and Editing Nodes.

Editing Applications
You can edit applications, whether they were added via the addition menu Application or Applic-
ation and traffic policy.

Before editing an application, note that:

• You cannot edit the name or FQDN of an application.
• You cannot edit a deployed application. You must edit the application itself.
• The application edition consists of:

823
 Managing Applications

• Associating it with extra GSLB servers or different ones.

• Dissociating it from one or more GSLB servers.

To edit an application
1. In the sidebar, go to Application > Applications. The page All applications opens.
2. At the end of the line of the application of your choice, deployed or not, click on . The ap-
plication properties page opens.
3. In the panel Main properties, click on EDIT . The wizard Edit an application opens.
4. If custom classes are enabled at application level, in the list Application class select a class
or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. The Name and FQDN are displayed in a read-only gray field. You cannot edit them.
6. Edit the list Selected GSLB servers according to your needs. Only GSLB enabled physical
servers are listed, whether they are managed by a smart architecture or not.
Select a server in the list Available GSLB servers and click on to add it the list Selected
GSLB servers. Select a server in the list Selected GSLB servers and click on to remove
it move it back to the list Available GSLB servers.
7. Repeat the operation for as many as servers as needed.
8. Click on OK to complete the operation. The report opens and closes. The application prop-
erties are updated.

Deleting Applications
You can delete an application. Note that:
• Deleting an application also deletes the pools and nodes it contains.
• You cannot delete a deployed application.
You must either delete the application itself or dissociate the relevant GSLB server from the
application, the dedicated deployment line is no longer listed. For more details, refer to the
section Editing Applications.

To delete an application
1. In the sidebar, go to Application > Applications. The page All applications opens.
2. Tick the application(s) of your choice.
3. In the menu, click on . The wizard Delete opens.
4. Click on OK to complete the operation. The report opens and closes. The application is no
longer listed, the deployed application lines are deleted as well.

824
Chapter 55. Managing Pools
From the page All pools you can manage IPv4 and IPv6 pools. Pools belong to applications and
manage nodes.

If the application they belong to is associated with a GSLB enabled server, the pools are deployed
on your network.

When an application is deployed on at least one GSLB server, when a client queries a domain:
1. The application handles the query if it is configured with the relevant FQDN.
2. It directs the query to the appropriate pool.
3. The pool load balancing configuration determines towards which node the query is directed.

Browsing Pools
The pool is the second level of the Application hierarchy.

NODE

APPLICATION POOL

NODE

Figure 55.1. The pool in the Application hierarchy

Browsing the Pool Database

To display the list of pools
1. In the sidebar, go to Application > Pools. The page All pools opens.
2. If need be, filter the column Protocol to display only IPv4 or IPv6 pools.
3. To display or hide the pools of deployed applications, on the right-end side of the menu, click
on . The page refreshes.
The same node name can be listed multiple times. In the column Application name, each
application is listed once, preceded by and, if it is deployed, its name is preceded by
and is listed as many times as their are GSLB servers associated with it.
4. To display the pools of a specific application, in the column Application Name, click on the
name of the application of your choice. The page refreshes.

To display a pool properties page

1. In the sidebar, go to Application > Pools. The page All pools opens.
2. At the end of the line of the pool of your choice, whether it belongs to a deployed application
or not, click on . The pool properties page opens.

825
 Managing Pools

Customizing the Display on the Page All Pools

Any user can change the column layout of the page via the button List template, on the right-
end side of the menu. Only users of the group admin can add or edit list templates. For more
details, refer to the section Managing List Templates.

All the columns are displayed by default.

Table 55.1. Available columns on the page All applications

Column Description
Name The name of the pool.
Protocol The protocol version of the pool, either IPv4 or IPv6.
Mode The load balancing mode of the pool, either Round-robin, Latency or Weighed.
Nodes (max.) The maximum number of active nodes with the lowest latency of the pool that answer
the queries made to the application FQDN. It only contains data for pools configured
with the load balancing mode Latency.
Application name The name of the application the pool belongs to.
Application FQDN The FQDN of the application the pool belongs to.
Application GSLB The name of the physical server associated with the deployed application the pool
belongs to.
Affinity state The pool session affinity state, either Enabled or Disabled.
Session duration (sec.) The affinity state session duration, in seconds.
Multi-status The message(s) regarding deployed nodes of the pool. For more details, refer to the
section Understanding the Column Multi-Status or Multi-Status Messages.
The column is always empty for applications not associated with any server.
Status The status of the pool, either Delayed create, Delayed delete, Warning, Down or
OK.

Understanding the Statuses on the Page All Pools

The column Status returns information regarding the pools you manage and their content.

Table 55.2. The statuses on the page All pools

Status Description
Delayed create The content of the pool is being deployed on the physical servers associated with
the application it belongs to.
Delayed delete The content of the pool is being deleted from the physical servers associated with
the application it belongs to.
! Warning The Operational status of at least one of the nodes of the pool is Inactive.

Down The Operational status of all the nodes of the pool is Inactive.

OK The nodes of the pool are configured and running.

Adding Pools
From the page All pools you can add IPv4 and IPv6 pools in your applications, they allow to
manage nodes.

The page may list pools added from the page All applications via the menu Application and traffic
policy. For more details, refer to the section Adding and Deploying Applications and Traffic
Policies.

826
 Managing Pools

Before adding a pool, keep in mind that:

• A pool must belong to an application.
• Each pool must have a unique name in one application.
• You cannot add more than two pools in one application.
• You cannot manage more than one IPv4 pool and one IPv6 pool in one application.

To add a pool
1. In the sidebar, go to Application > Pools. The page All pools opens.
2. In the menu, select Add. The wizard Add a pool opens.
3. In the list Application name, select the application of your choice. If some application classes
are enabled, only the applications matching the selected Application class are displayed.
Click on NEXT . The last page opens.
4. In the field Name, specify the name of the pool.
5. In the drop-down list Protocol, select IPv4 or IPv6. The page refreshes. By default, IPv4 is
selected.
6. In the drop-down list Load balancing mode, select Round-robin, Latency or Weighted. By
default, Round-robin is selected.

Mode Description
Round-robin The traffic is evenly directed to all active nodes. Within the pool, all active nodes weight
1 and backup nodes weight 0.
Latency The traffic is directed to the active nodes with the best latency. If you select this mode,
the field Max. preferred nodes appears.
Max. preferred The maximum number of nodes with the lowest latency that must
nodes answer the queries made to the application FQDN. Only the active
nodes of the pool answer the queries. By default, it is set to 1.
Weighed The redirection of traffic depends on the weight you set for the active nodes, the nodes
set with the greater weight answer first. All backup nodes weight 0 .

7. You can tick the box Enable session affinity to set a period of time during which the pool
sends out the same answer to a given client, no matter how many times they query the same
information. If you tick the box, the field Session duration appears.
8. In the field Session duration, specify the duration of the session affinity, in seconds. By
default, it is set to 300.
9. Click on OK to complete the operation. The report opens and closes. The pool is listed.
If the application it belongs to is associated with one or more GSLB servers, click on on
the right-end side of the menu. Several lines appear under the pool itself, there is a line for
each of the server(s) the application is deployed on.

Editing Pools
You can edit pools, whether they were added from the page All pools or the page All applications
via the menu Application and traffic policy.

Before editing a pool, note that:

• You cannot edit a pool protocol.
• You cannot edit a deployed pool. You must edit the corresponding pool.
In the column Application name, a deployed pool belongs to a deployed application.

827
 Managing Pools

To edit a pool
1. In the sidebar, go to Application > Pools. The page All pools opens.
2. At the end of the line of the pool of your choice, whether it belongs to a deployed application
or not, click on . The pool properties page opens.
3. In the panel Main properties, click on EDIT . The wizard Edit a pool opens.
4. Edit the pool Name, Load balancing mode and/or Enable session affinity configuration
according to your needs.
5. Click on OK to complete the operation. The report opens and closes. The pool properties
are updated.

Deleting Pools
You can delete a pool. Note that:
• Deleting a pool also deletes the nodes it contains.
• You cannot delete a deployed pool. In the column Application name, a deployed pool belongs
to a deployed application.
You must either delete the pool itself or dissociate the relevant GSLB server from the parent
application. Once the GSLB server is dissociated from the application, the dedicated pool de-
ployment line is no longer listed. For more details, refer to the section Editing Applications.

To delete a pool
1. In the sidebar, go to Application > Pools. The page All pools opens.
2. Tick the pool(s) of your choice.
3. In the menu, click on . The wizard Delete opens.
4. Click on OK to complete the operation. The report opens and closes. The pool is no longer
listed, the deployed pool lines are deleted as well.

828
Chapter 56. Managing Nodes
From the page All nodes you can manage IPv4 and IPv6 nodes. As nodes belong to pools they
are configured with either an IPv4 or IPv6 address.

If the application they belong to is associated with a GSLB enabled server, the nodes are deployed
on your network.

A node is the endpoint of a query. Each node must be configured with a unique IP address and
can be configured with a heath check that verifies its status and allows it to answer queries.

When a traffic policy is set and deployed on at least one GSLB server, when a client queries a
domain:
1. The application handles the query if it is configured with the relevant FQDN.
2. It directs the query to the appropriate pool.
3. All the node health checks are executed within the pool. If the health checks succeed and the
node status is cleared, the IP address of one or all the nodes can be sent out to the client.
4. Depending on the pool load balancing mode and configuration, it determines which node is
best suited to answer the query.

You can monitor initial health check failures and node status changes on the page Syslog. For
more details, refer to the section Managing the Logs.

Browsing Nodes
The node is the lowest level of the Application hierarchy.

NODE

APPLICATION POOL

NODE

Figure 56.1. The node in the Application hierarchy

Browsing the Node Database

To display the list of nodes
1. In the sidebar, go to Application > Nodes. The page All nodes opens.
2. You can filter the columns IPv4 address and IPv6 address to only display IPv4 or IPv6
nodes.
3. To display or hide the nodes of deployed applications, on the right-end side of the menu,
click on . The page refreshes.
The same node name can be listed multiple times. In the column Application name, each
application is listed once, preceded by and, if it is deployed, its name is preceded by
and is listed as many times as their are GSLB servers associated with it.

829
 Managing Nodes

4. To display the nodes of a specific application, in the column Application Name, click on the
name of the application of your choice. The page refreshes.
5. To display the nodes of a specific pool, in the column Pool Name, click on the name of the
pool of your choice. The page refreshes.

Note that for IPv6 addresses, you can compress or uncompress the display via the button or
display IPv6 labels above parts of the addresses listed via the button . For more details, refer
to the chapter Managing IPv6 Labels.

To display a node properties page

1. In the sidebar, go to Application > Pools. The page All pools opens.
2. At the end of the line of the node of your choice, whether it belongs to a deployed application
or not, click on . The node properties page opens.

Customizing the Display on the Page All Nodes

Any user can change the column layout of the page via the button List template, on the right-
end side of the menu. Only users of the group admin can add or edit list templates. For more
details, refer to the section Managing List Templates.

The following columns are displayed by default.

Table 56.1. Default columns on the page All nodes

Column Description
Name The name of the node.
IPv4 address The IP address of the node if it belongs to an IPv4 pool. The column displays N/A if the
pool belongs to an IPv6 pool.
IPv6 address The IP address of the node if it belongs to an IPv6 pool. The column displays N/A if the
pool belongs to an IPv4 pool.
Pool name The name of the pool the node belongs to.
Application name The name of the application the node belongs to.
Application FQDN The FQDN of the application the node belongs to.
Application GSLB The name of the physical server associated with the deployed application the node belongs
to.
Mode The load balancing mode of the pool the node belongs to, either Round-robin, Latency or
Weighed.
Weight The weight of the node, backup nodes are set to 0, any other weight means that the node
is active.
Health check (HC) The selected health check of the node, either None, Custom, HTTP(S), Ok, Ping or TCP.
Operational status The operating status of a deployed node. For more details, refer to the table node operating
statuses.
Status The management status of each node. For more details, refer to the table node statuses.

Extra columns, dedicated to health checks are available. They display the Expert mode configur-
ation details or N/A.

Table 56.2. Available columns on the page All nodes

Column Description
HC Parameters Any extra parameter you configured for the health check.

830
 Managing Nodes

Column Description
HC Failback threshold The number of times, between 1 and 10, the health check should return the same result
before setting the node Operational status to Active.
HC Failover threshold The number of times, between 1 and 10, the health check should return the same result
before setting the node Operational status to Inactive.
HC Frequency The number of seconds between health checks, either 10, 30, 60 or 500. The total number
of health checks performed depend on the HC Failback threshold and HC Failover
threshold.
HC Timeout The health check timeout, between 1 and 10 seconds. Beyond this period, the health check
times out if the node is not responding.

Understanding the Statuses on the Page All Nodes

The column Operational status provides status information on deployed nodes. The health
check results determine this status.

Table 56.3. The node operational statuses

Status Description
Inactive The health check configured for the node determined that the node is down.

Active The health check configured for the node determined that the node is up.

Unknown The operating status of the node at first, it changes after the initial health check.

N/A The operating status is not applicable. The column only displays values for deployed
nodes.

The column Status provides management status information on all nodes.

Table 56.4. The node statuses

Status Description
Delayed create The content of the node is being deployed on the physical servers associated with the
application it belongs to.
Delayed delete The content of the node is being deleted from the physical servers associated with the
application it belongs to.
Unmanaged The node is unmanaged.

OK The node is managed, configured and running.

Adding Nodes
From the page All nodes you can add nodes to IPv4 and IPv6 pools.

The page may list nodes added from the page All applications via the menu Application and traffic
policy. For more details, refer to the section Adding and Deploying Applications and Traffic
Policies.

Before adding a node, keep in mind that:

• A node must belong to a pool.
• Each node must have a unique name in one pool.
• Each node must have a unique IP address in one pool.
• Each node can be configured with a health check.

831
 Managing Nodes

• The health checks can only be performed if the GSLB server(s) associated with the application
the node belongs to and the node itself can communicate. You can monitor initial health check
failures on the page Syslog. For more details, refer to the section Managing the Logs.
• Within a pool configured with the load balancing mode Latency:
• All nodes must be configured with the same health check type to guaranty a fair comparison
of the latency of each node and ensure an appropriate traffic redirection.
• You must not configure nodes with the health check None because any node configured
without health check is directed traffic, in addition to the configured Maximum number of
preferred nodes.
• Each node status change is detailed in the logs. For more details, refer to the section Managing
the Logs.

Note that you can display labels on IPV6 nodes, for more details refer to the chapter Managing
IPv6 Labels.

To add a node
1. In the sidebar, go to Application > Nodes. The page All nodes opens.
2. In the menu, select Add. The wizard Add a node opens.
3. In the list Application name, select the application of your choice, each application is followed
by its FQDN. If application classes are enabled, only the application(s) matching the selected
Application class are displayed.
Click on NEXT . The next page opens.
4. In the list Pool name, select the pool of your choice, each pool is listed as follows: <pool-
name> [protocol-version].
Click on NEXT . The last page opens.
5. In the field Name, specify the name of the node.
6. In the field IP address, specify the IPv4 or IPv6 address of the node, depending on the se-
lected Pool protocol.
7. In the drop-down list Mode, select Active or Backup.
This field is not displayed if you selected a pool with the load balancing mode Latency, as
all nodes are active by default.
8. In the field Weight, specify the value of your choice. It must be an integer between 0 and
255. Within the pool, the active nodes with the greater weight are queried first.
This field is only displayed for Active nodes belonging to a pool set with the load balancing
mode Weighted. All Backup nodes have a weight of 0.
9. In the drop-down list Health Check type, select None, Custom, HTTP(S), Ok, Ping or TCP.
By default, None is selected. For all types, except None, one or more fields appear.

Health Check type Description

None No health check is executed on the node, no further configuration is needed, you can
go straight to the last step. You should not select this type if the node belongs to a
pool with the load balancing mode Latency.
Custom The health check is performed by the script of your choice.
HTTP(S) The health check is performed via HTTP or HTTPS.
Ok The health check always returns its Operational status as OK.
Ping The health check ensures that the node IP address answers a ping command.
TCP The health check ensures that the TCP port is listening.

832
 Managing Nodes

10. Configure the health check following the table below.

11. Click on OK to complete the operation. The report opens and closes. The node is listed.
If the application it belongs to is associated with one or more GSLB servers, click on on
the right-end side of the menu. Several lines appear under the node itself, there is a line for
each of the server(s) the application is deployed on.

Table 56.5. The health check configuration and expert parameters

Field Description and available extra field(s)
Common fields for all Health Check types
Expert Tick this box to configure the health check details. The fields Health check frequency, Health check
mode failover threshold, Health check failback threshold and/or Health check timeout in seconds appear.
This field is optional.
Health check The frequency of the node health check, either every 10 seconds, every 30
frequency seconds, every minute or every 5 minutes. By default, it is set to every 30 seconds.
This field is optional.
If you selected the Health Check type Ok, this is the only field available.
Health check The number of times before the node Operational status is set to Inactive due to
failover threshold the health check result, a value between 1 and 10. By default, it is set to 3. This
field is required.
Health check The number of times before the node Operational status is set to Active due to
failback threshold the health check result, a value between 1 and 10. By default, it is set to 3. This
field is required.
Health check The number of seconds before the health check times out if the node is not re-
timeout in seconds sponding, a value between 1 and 10. This field is required.
Extra fields for the Health Check type Custom
Script The name of the script performing the health check of the node. Only the name of the file is accepted,
name do not specify its extension fct_ prefix. The file must be located in the directory /data1/gslb/script of
the appliance. This field is required.
Expert Tick this box to configure the Custom health check details. The field Script parameters appears. This
mode field is optional.
Script parameters The parameters of your script. This field is optional.
Extra fields for the Health Check type HTTP(S)
Expert Tick this box to configure the HTTP(S) health check conditions. The fields HTTP host, HTTP port, URL
mode to retrieve, Use HTTPS, Check HTTPS certificate, Expected HTTP status, Response string to match
and HTTP authentication credentials appear. This field is optional.
HTTP host The name of the virtual host providing the Server Name Indication (SNI) during
the HTTP checks. The virtual host must be associated with application. This field
is optional.
If you leave the field empty, the IP address is used during the check.
HTTP port The port to use during the health check, an integer greater than 0. This field is
optional.
If you do not specify any port, the port 80 is used for a health check via HTTP
and the port 443 is used for a health check via HTTPS.
URL to retrieve The end of the URL that the node should respond to. The full URL to retrieve and
check is composed of the specified HTTP host, HTTP port and URL to retrieved
as follows: <http-or-https>://<http-host>:<http-port>/<URL-to-retrieve>. This field
is optional.
If you leave the field empty, / is used to complete the URL.
Use HTTPS The protocol preceding the full URL of the health check, either HTTPS (Yes) or
HTTPS (No). By default, Yes is selected. This field is required.
If you leave Yes selected, the field Check HTTPS certificate is displayed.
Check HTTPS A way to check the validity the SSL certificate of the specified
certificate HTTP host, either Yes or No. By default, No is selected. If you

833
 Managing Nodes

Field Description and available extra field(s)

select Yes and the SSL certificate is not valid, the health check
fail. This field is required.
Expected HTTP The HTTP status code(s) of your choice to match in answer. If any other code is
status returned the health check fails. The field accepts an integer composed of up to
3 digits between 1 and 999, or a range of codes using x, e.g. 3xx matches any
code between 300 and 399. This field is optional.
If you leave the field empty, the HTTP code returned is ignored during the health
check.
Response string to A string to match in the body of the answer. If the string specified is not matched
match at least partially in the body of the answer, the health check fails. This field is
optional.
If you leave the field empty, the body of the answer is ignored during the health
check.
HTTP authentication The authentication credentials used to perform the health check following the
credentials format <login>:<password> . This field is optional.
Extra field for the Health Check type TCP
Expert Tick this box to configure the TCP health check details. The field TCP port appears. This field is optional.
mode TCP port The port to use during the health check, an integer greater than 0. This field is
optional.
If you do not specify any port, the port 80 is used.

Editing Nodes
You can edit nodes, whether they were added from the page All nodes or the page All applications
via the menu Application and traffic policy.

Before editing a node, note that:

• You cannot edit the IP address of a node.
• You cannot edit a deployed node. You must edit the corresponding node.
In the column Application name, a deployed node belongs to a deployed application.

To edit a node
1. In the sidebar, go to Application > Nodes. The page All nodes opens.
2. At the end of the line of the node of your choice, whether it belongs to a deployed application
or not, click on . The node properties page opens.
3. In the panel Main properties, click on EDIT . The wizard Edit a node opens.
4. Edit the node Name, Mode, Health Check type and/or Expert mode configuration according
to your needs. For more details regarding the types and expert configuration, refer to the
table above.
5. Click on OK to complete the operation. The report opens and closes. The pool properties
are updated.

Managing or Unmanaging Nodes

You can stop managing nodes, or manage them again.

By default, all nodes are managed when you add them. Unmanaging a node allows to make sure
that queries are never redirected toward the node you chose.

834
 Managing Nodes

Keep in mind that you cannot unmanage a deployed node. In the column Application name, a
deployed node belongs to a deployed application.

To manage/unmanage a node
1. In the sidebar, go to Application > Nodes. The page All nodes opens.
2. Tick the node(s) of your choice.
3. In the menu, select Edit > Manage > Yes or No. The wizard opens.
4. Click on OK to complete the operation. The report opens and closes. In the column Status,
the selected nodes are marked OK or Unmanaged.

Deleting Nodes
You can delete a node. Note that:
• Instead of deleting a node, you may need to unmanage it. For more details, refer to the section
Managing or Unmanaging Nodes.
• You cannot delete a deployed node. In the column Application name, a deployed node belongs
to a deployed application.
You must either delete the node itself, delete the pool it belongs to, or dissociate the relevant
GSLB server from the parent application. Once the GSLB server is dissociated from the applic-
ation, the dedicated node deployment line is no longer listed. For more details, refer to the
section Editing Applications.

To delete a node
1. In the sidebar, go to Application > Nodes. The page All nodes opens.
2. Tick the node(s) of your choice.
3. In the menu, click on . The wizard Delete opens.
4. Click on OK to complete the operation. The report opens and closes. The node is no longer
listed, the deployed node lines are deleted as well.

835
 Part X. Guardian
Guardian offers adaptive security to DNS cache and recursive services by detecting threats and activating
adapted counter measures to ensure DNS services continuity and attack mitigation.

Guardian operates in a secured framework, with the cache separated from the recursive DNS engines. It
performs a continuous real-time analysis of the inbound and outbound traffic and therefore offers complete
DNS Transactions Inspection (DTI).

This analysis is especially reliable if a large number of queries is cached. By default, Guardian caches all
the answers to client queries. The answers not cached yet, are sent to the DNS resolver and transmitted to
Guardian, that caches them and sends them back to the client. That way, Guardian has an ever-growing
number of queries to refine its analysis of the network and avoid potential threats.

cached answers missing

answers from the cache

Figure 216. Guardian default behavior

Guardian is managed from the graphical user interface and via command-line interface:
1. From the GUI, you can configure the module, monitor the server, set Guardian parameters, flush clients
and cache, manage and configure policies and triggers.
2. Via CLI, you can connect to Guardian using SSH to display its configuration, monitor and manage its
cache and client statistics, configure lists.

This part contains the following:

• Configuring Guardian details how to configure the module and get started.
• Setting Guardian Parameters details the available parameters and how to edit or configure them.
• Monitoring Guardian describes the statistics and analytics available to monitor the server from the GUI.
• Managing Guardian Statistics describes how to monitor and manage server and client statistics via CLI.
• Managing Guardian Cache describes how to monitor and manage the server and client cache via CLI.
• Managing Policies describes how to configure and deploy policies on a Guardian server.
• Managing Triggers describes how to customize Guardian policies with specific triggers.
• Managing Guardian Views describes how to configure specific traffic restrictions using the views of a
Guardian server.
• Managing Lists describes how to configure and use lists to set up traffic exceptions for specific domains
and clients on a Guardian server.
• Managing the Rescue Mode describes the default rescue mode configuration and how to customize, force
or disable it on a Guardian server.

Note that from the module Dashboards, you can monitor the module data or set up custom shortcuts and
search engines using gadgets. For more details, refer to the part Dashboards.
Table of Contents
57. Configuring Guardian ............................................................................................... 839
Prerequisites ........................................................................................................ 839
Limitations ............................................................................................................ 839
Enabling the Service DNS Guardian ....................................................................... 840
Getting Started With Guardian ............................................................................... 841
58. Setting Guardian Parameters .................................................................................... 844
Browsing Guardian Configuration ........................................................................... 844
Available Guardian Parameters .............................................................................. 845
Editing Guardian Configuration .............................................................................. 848
Configuring the Action Quarantine Redirect ............................................................ 849
Enabling or Disabling Guardian Cache ................................................................... 850
Capturing Guardian Traffic ..................................................................................... 852
59. Monitoring Guardian ................................................................................................ 853
Monitoring Guardian Statistics ............................................................................... 853
Monitoring Guardian Analytics ............................................................................... 857
60. Managing Guardian Statistics ................................................................................... 864
Managing Guardian Server Statistics ...................................................................... 864
Managing Guardian Client Statistics ....................................................................... 874
61. Managing Guardian Cache ....................................................................................... 884
Displaying Guardian Cache Content ....................................................................... 884
Resetting Guardian Cache ..................................................................................... 889
Saving Guardian Cache ......................................................................................... 890
Restoring Guardian Cache .................................................................................... 890
Forcing Cache Entries as Expired .......................................................................... 890
Clearing Guardian Cache Manually ........................................................................ 891
Clearing Guardian Cache Automatically .................................................................. 893
Sharing the Cache Between Several Guardian Servers ........................................... 895
62. Managing Policies .................................................................................................... 898
Browsing Policies .................................................................................................. 898
Adding and Deploying Policies ............................................................................... 899
Duplicating Policies ............................................................................................... 900
Editing Policies ...................................................................................................... 900
Deleting Policies ................................................................................................... 901
63. Managing Triggers ................................................................................................... 902
Prerequisites ........................................................................................................ 902
Limitations ............................................................................................................ 903
Browsing Triggers .................................................................................................. 903
Adding Triggers ..................................................................................................... 904
Enabling Querylog and Answerlog on Triggers ........................................................ 918
Editing Triggers ..................................................................................................... 920
Managing or Unmanaging Triggers ......................................................................... 921
Deleting Triggers ................................................................................................... 921
64. Managing Guardian Views ........................................................................................ 922
Displaying the Views Configuration ......................................................................... 922
Enabling or Disabling Views ................................................................................... 923
Identifying the Clients Querying the Views .............................................................. 924
Using Lists to Filter Guardian Views ....................................................................... 927
Logging List Filters Client Activity ........................................................................... 932
Setting a Transparent DNS Proxy for Guardian Views .............................................. 933
65. Managing Lists ........................................................................................................ 934
Displaying the Lists Content ................................................................................... 935

837
 Guardian

Renaming a List .................................................................................................... 937

Defining the Type of a List ...................................................................................... 937
Configuring the Content of a List ............................................................................ 938
Identifying Clients via a List .................................................................................... 942
Setting a List Saving Mechanism ............................................................................ 944
Resetting the Counter of a List ............................................................................... 945
Clearing a List ....................................................................................................... 945
66. Managing the Rescue Mode ..................................................................................... 946
Prerequisites ........................................................................................................ 946
Configuring the Rescue Mode ................................................................................ 947
Forcing the Rescue Mode ...................................................................................... 949
Disabling the Rescue Detection .............................................................................. 950

838
Chapter 57. Configuring Guardian
To configure the module Guardian and use it to its fullest, you must:
• Meet the prerequisites.
• Take into account the limitations.
• Configure and enabling the service DNS Guardian.

Once the module is configured, we recommend that your make the first configurations detailed
in the section Getting Started.

Prerequisites
• An appliance with at least 8 GB of RAM:
• Either a Blast-series hardware appliance, or any hardware model, except SOLIDserver-260
and SOLIDserver-3300, with a license including the option Guardian.
• Or a virtual appliance with a license including the option Guardian. It must be configured
with an intel network card (em*, ig*, igb*, ix*, ixg*, ixv* or ixl*) or a VMware VMXNET network
card (vmx*).
SOLIDserver-4000 Blast and SOLIDserver-Blast-4070 virtual appliances require a PCI Pass-
1
through to a physical Intel X520 NIC in virtual environments .
• A license key on every appliance where DNS Guardian is enabled.
• An appliance properly configured:
• The communication between the server and its clients has to be over UDP and/or TCP.
• Both DNS and Guardian dedicated services must be running to ensure Guardian is used at
its full potential. Make sure that either the services DNS Guardian and DNS server (named)
or the services DNS Guardian and DNS server (unbound) are both enabled and started.
• The appropriate rights and resources configured for end users:
• To see the module Guardian and its content, users must belong to a group that is granted
the right Display: policies list. This right is allowed by default.
• To manage the objects in the module Guardian, users must belong to a group that is granted
access to the policies and triggers Guardian rights.
• To deploy a policy on a Guardian server, users must belong to a group that is granted the
right Display: DNS servers list and has the server among its resources.
• To manage Guardian parameters in the module DNS, users must belong to a group that is
also granted the rights Add: Guardian parameters.

Note that Guardian is designed to express its full potential when combined with SOLIDserver
Blast series hardware appliances, whose recursive service can manage up to 17 million QPS.

Limitations
• Guardian servers in version lower than 7.1 can only be configured and managed through CLI.
If the server is in a lower version, you cannot manage it from the GUI.
• Guardian servers cannot be configured with more than 16 views.
• Guardian servers do not allow capturing the network traffic answered by the service.

1
As in VMware environments: https://kb.vmware.com/s/article/1010789

839
 Configuring Guardian

Enabling the Service DNS Guardian

To enable DNS Guardian properly you need to:
1. Configure the listening interfaces, as detailed in the procedure below.
2. Enable the service DNS Guardian.
3. Apply the configuration.

Note that if your license includes both DNS Guardian and DNS GSLB, you must configure the
line DNS Guardian / GSLB server as both features rely on the same service.

To configure listening interfaces and enable DNS Guardian

Only users of the group admin can perform this operation.
1. Configure DNS Guardian listening interface
a. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
b. In the section System, click on Services configuration. The page Services configur-
ation opens.
c. In the column Name, click on DNS Guardian or DNS Guardian / GSLB server. The
wizard DNS Guardian configuration or DNS Guardian & GSLB server configuration
opens.
d. In the list Available interfaces, select the interface of your choice and click on . The
interface is moved to the list Selected interfaces.
Each interface is listed <interface-name> (<MAC-address>), whether it is active or not.
Only Intel network interfaces are listed as no other interface card can be configured for
the service.
e. Repeat this action for as many interfaces as you need.
To remove an interface from the list Selected interfaces, select it and click on . The
interface is moved back to the list Available interfaces.
f. Click on OK to complete the operation. The report opens and closes.
2. Enable the service DNS Guardian
a. In the column Name, look for DNS Guardian or DNS Guardian / GSLB server.
b. In the column Enabled, click on the link Disabled to enable the service. The wizard
opens.
c. Click on OK to complete the operation. The wizard closes.
3. Apply your configuration
a. Right now your configuration is pending. In the menu, select Tools > Apply config-
uration to save your changes. The wizard Commit the system configuration changes
opens.
b. Click on OK to complete the operation. The page refreshes.
If the service is marked ! Warning, it might mean that the system has not enough
memory installed, that a configuration file is corrupt or that the license is not valid.
Once the service is enabled, on the page All servers, your local EfficientIP DNS server is
marked Enabled in the column Guardian/GSLB.

When the configuration is set:

• All the cached queries are saved in the file /data1/dnsblast_cache.dump. It is used to answer
clients queries and matches the server configuration, it contains:

840
 Configuring Guardian

• Each cached query.

• All the ACLs configured on the server, they are listed as a set of IP addresses/network ad-
dresses that are granted or denied access.
• The views match-clients and match-destinations configurations of the server.
• Guardian server is recursive and authoritative.
The parameter recursive is by default set to 2, the server is recursive and authoritative.
This configuration allows to always give an accurate answer. The authoritative queries are al-
ways sent to the resolver even if an answer to this query was cached previously. If the answer
is cached, Guardian answers. If it is not cached, the resolver answers the client. Guardian
servers do not answer queries on authoritative records.
For this reason:
• You can configure Response Rate Limiting (RRL) to mitigate amplification attacks on a re-
cursive and authoritative Guardian server. For more details, refer to the section Limiting the
Number of Responses of a Server in the chapter Configuring DNS servers.
• The server analytics, statistics and triggers detection may be impacted, because each au-
thoritative query results in a cache miss.
To lower this impact on the trigger executions, you can add a list containing the domain
names that the server has authority over and update the relevant trigger(s). For more details,
refer to the section Configuring the Content of a List in the chapter Managing Lists and to
the section Adding Triggers Relying on Lists Metrics in the chapter Managing Triggers.

You can manage the service DNS Guardian, like any other service. For more details, refer to the
section Enabling or Disabling a Service in the chapter Configuring the services. Note that:
• Disabling DNS Guardian:
• Stops the service and automatically saves Guardian cache.
• In the GUI, the server statistics and analytics are no longer available, on Guardian properties
page and on the page Analytics.
• Enabling DNS Guardian again, starts the service and restores the latest saved version of the
cache.
• Stopping DNS Guardian does not disable it, all the server statistics and analytics data is still
available but the information is outdated and therefore no longer reliable.

Getting Started With Guardian

Once you have configured the service DNS Guardian and your server has received some traffic
and cached information, you can get started with Guardian. We advise you to:
1. Duplicate and deploy the policy default
The page All policies provides by default the read-only policy default that contains 5 triggers.
As you cannot edit a read-only policy, you must:
a. Duplicate the policy default following the procedure in the section Duplicating Policies in
the chapter Managing Policies.
Once duplicated, your new policy contains the 5 triggers of the policy default, you need to
edit them to suit your needs.
b. Deploy the policy on your Guardian server to ensure that its triggers are taken into account
and can actually be executed. You must edit it and associate it with your server following
the procedure in the section Editing Policies in the chapter Managing Policies.
2. Edit the new policy triggers
Being a duplicated policy, your new policy contains the same 5 triggers as the policy default.

841
 Configuring Guardian

You can edit or delete any of these triggers according to your needs. Note that configuring a
trigger with the action quarantine provides service continuity to your clients, as all cached
queries would get answered. For more details, refer to the sections Editing Triggers and De-
leting Guardian Triggers in the chapter Managing Triggers.
Your changes are applied to the trigger deployment.
3. Analyze the statistics and analytics
When your triggers match your needs, you should monitor them to analyze which of their
metric(s) and threshold(s) armed and disarmed the triggers:
• The GUI provides cache, client and request data statistics on the server properties page,
and analytics on a dedicated page. For more details, refer to the chapter Monitoring
Guardian.
• Via CLI, you can also display and manage client and server statistics. For more details,
refer to the chapter Managing Guardian Statistics.
4. Update your triggers
After analyzing the statistics and analytics, you have an overview of your network traffic and
actions triggered.
You can now update your triggers. You may need to prevent executing some triggers on
trusted clients, configure new thresholds on existing triggers or even add new triggers for un-
wanted clients. For more details, refer to the sections Editing Triggers and Adding Triggers in
the chapter Managing Triggers.
5. Use the client information in your triggers
The statistics and analytics analysis allowed to highlight specific client data, like who regularly
queried your server. Thanks to Guardian lists, you can gather this client information and use
it in your trigger configurations.
There are two client dedicated list types, client and specific client-id, that you can take into
account in your triggers, to avoid false positive on trusted clients or to execute specific actions
on untrusted ones.
For more details on how to configure lists, refer to the section Configuring the Content of a
List in the chapter Managing Lists.
For more details on list use, refer to the section Adding Triggers Relying on Lists Metrics in
the chapter Managing Triggers or to the section Identifying Clients via a List in the chapter
Managing Lists.
6. Manage Guardian cache
The statistics and analytics analysis also gave you an overview of cached answered.
You can display the server cache, reset it, save it, restore it, clear it and share it with other
Guardian servers. For more details, refer to the chapter Managing Guardian Cache.
7. Customize the Rescue mode
By default, Guardian is configured with a Rescue mode that can take over answering clients
if the server is saturated to ensure service continuity.
Its default values are set high enough to avoid unintentionally switching the server to Rescue
mode.
You can customize the Rescue mode settings or to force the Rescue mode. For more details,
refer to the chapter Managing the Rescue Mode.

You can configure further the server with up to 16 views. By default, only view0 is enabled and
used. The views configuration relies on a set of dedicated parameters, that can take into account
your lists, and allow for instance to redirect traffic or even identify clients in the statistics. For
more details, refer to the chapter Managing Guardian Views.

842
 Configuring Guardian

In addition, as your Guardian server can be both recursive and authoritative, you may need to
manage the zones it has authority over, and the records they contain. For more details, refer to
the chapters Managing DNS Zones and Managing DNS Resource Records of the part DNS.

843
Chapter 58. Setting Guardian Parameters
Once you configured the module and started the service DNS Guardian, you can manage your
Guardian server parameters.

You can display, set or edit and save Guardian configuration from the GUI or via CLI.

Browsing Guardian Configuration

Guardian configuration can be displayed and managed from the GUI.

To display the Guardian parameters you configured in the GUI

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. In the column Guardian/GSLB, look for the server marked Yes.
3. At the end of the line of the Guardian server, click on . The properties page opens.
4. Open the panel Options:
• The section Advanced options contains all the Guardian parameters set with a value
different from the default value. For more details, refer to the section Available Guardian
Parameters.
• Each parameter listed has its own status. For more details, refer to the section Understand-
ing Guardian Parameter Statuses.
To display all the available parameters, refer to the section Editing Guardian Configuration.

A command allows to display all parameters via CLI.

To display all Guardian parameters via CLI

1. Open a shell session and connect to your appliance as the default admin user, the default
password is admin, or using the credentials of a user with sudo permissions.
2. Connect to your local DNS Guardian using the command:
sudo blastcli

3. Display Guardian current configuration, all its parameters and values, use the command:
show config

Understanding Guardian Parameter Statuses

On the properties page of a Guardian server, the section Advanced options of the panel Options
provides the status of all parameters set with a customized value.

Table 58.1. Guardian Parameter Statuses

Status Description
<No status> The parameter has already been pushed onto the server.
from smart The parameter value was set at smart level and is different from the default value.
Delayed create The parameter is being pushed onto the server.

Note that if a parameter is configured with its default value, it is not displayed in the panel is only
available in the configuration wizard, accessible if you click on EDIT.

844
 Setting Guardian Parameters

Available Guardian Parameters

All Guardian parameters can be displayed and configured from the GUI and via CLI. To configure
them, refer to the section Editing Guardian Configuration.

Table 58.2. Guardian configuration parameters

Configuration parameter Description
Additional time keep in cache = <sec> An additional period of time, in seconds, added to the cached re-
additional_time_keep_in_cache cords before letting a record expire. By default, it is set to 1.
Answerlog = <0|1|2> The answerlog activation status, either disabled (0), enabled (1)
answerlog or enabled only for client log (2). It is disabled (0) by default. If you
enable it, the service Guardian logs the answers sent to clients.
Note that if you set it to 2, you can configure it on triggers or on
views, as detailed in the sections Enabling Querylog and Answerlog
on Triggers and Logging List Filters Client Activity.
Blast=<0|1> DNS Guardian cache activation status, either enabled (1) or dis-
blast abled (0). Depending on your license, it can be enabled (1) by
default. If you disable it, the cache is no longer updated and stat-
istics are no longer retrieved. For more details, refer to the section
Enabling or Disabling Guardian Cache.
Clean cache#.cmd=<filter> The ten automatic cache clearing commands, named Clean
clean_cache#.cmd cache0.cmd to Clean cache9.cmd. They are executed in order and
meant to clear cache entries only if you configured clearing filters
via the parameters Max cache entries, Max clean cache percent
and Min clean cache percent. For more details, refer to the section
Clearing Guardian Cache Automatically.
Clean client#.cmd=<filter> The ten automatic client clearing commands, named Clean cli-
clean_client#.cmd ent0.cmd to Clean client9.cmd. They are executed in order and
meant to clear client related cache entries only if you configured
clearing filters via the parameters Max client entries, Max clean
client percent and Min clean client percent. For more details, refer
to the section Clearing Guardian Client Statistics Automatically.
Client ipv6 prefix=<prefix> A way to decide which prefix-length, for IPv6 addresses allocated
client_ipv6_prefix to clients, must be taken into account in all client metrics (statistics,
rate limit, etc). By default, it is set to 128.
Client stats=<0|1> The client statistics retrieval status, either disabled (0) or enabled
client_stats (1). It is enabled (1) by default. These statistics are based on the
client identifier sent with the queries, for more details refer to the
chapter Monitoring Guardian and to the section Managing Guardian
Client Statistics. If you disable it, statistics are no longer retrieved.
Doh nat=<0|1> The DNS over HTTPS (DoH) activation status, either yes (1) or no
doh_nat (0). It is disabled (0) by default. Note that DoH relies on the same
SSL certificate as the appliance and required to enable the TCP
port 443. For more details, refer to Guardian matrices of network
flows and to the section Adding a Firewall Rule.
Doh passthru destination=<ip-address> If Doh nat is enabled, a way to define a list of the destination IP
doh_passthru_destination addresses of DoH queries that Guardian will not have any impact
on. It is set to any by default, you can specify IPv4 and/or IPv6
addresses separated by semi-colons. As DoH relies on the port
443, configuring an ACL pass-through allows to prevent all HTTPS
queries from being sent to your Guardian server.
Dscp=<number> A way to edit the quality of service (TOS/DSCP) of DNS answers.
dscp By default, it is set to 0.
Gslb=<0|1> GSLB server activation status, either enabled (1) or disabled (0).
gslb It is enabled (1) by default. For more details, refer to the section
service GSLB Server.

845
 Setting Guardian Parameters
Configuration parameter
List#.name=<list-name>
list#.name
List#.refresh period=<seconds>
list#.refresh_period
List#.request xfer=<dig-parameters>
list#.request_xfer
List#.save=<0|1>
list#.save
List#.type=<0|1|2>
list#.type
List#.zone name=<zone-name>
list#.zone_name
List log=<0|1|2>
list_log
List redirect aaaa=<ipv6-address>
list_redirect_aaaa
List redirect a=<ipv4-address>
list_redirect_a
List redirect ttl=<seconds>
list_redirect_ttl
Max cache entries=<number>
max_cache_entries
Max clean cache percent=<percent>
max_clean_cache_percent
Max clean client percent=<percent>
max_clean_client_percent
Max client entries=<number>
max_client_entries
Min clean cache percent=<percent>
min_clean_cache_percent
Min clean client percent=<percent>
min_clean_client_percent
Min ttl cache=<seconds>
min_ttl_cache
Description
The configuration parameters of Guardian lists. Using lists is op-
tional, they allow to gather specific domain and client information
and use it on views and triggers. By default, all lists are domain
lists, or type 0.
Guardian provides 8 empty lists that you can configure. Each
parameter includes the list ID, a number between 0 and 7, all
parameters are ordered from list0 to list7. For more details, refer
to the chapter Managing Lists.
The list log activation status, either disabled (0), enabled (1) or
enabled only for client log (2). It is disabled (0) by default. If you
enable it, the queries and the name of the list that matched the
queries are logged. Note that you can configure it individually on
the lists that filter views, as detailed in the section Logging List
Filters Client Activity.
The redirection IPv6 address for clients queries associated with
the view action Redirect. It is set by default to ::1 . To change its
value, refer to the section Configuring the Action Redirect.
The redirection IPv4 address for clients queries associated with
the view action Redirect. It is set by default to 127.0.0.1 . To
change its value, refer to the section Configuring the Action Redir-
ect.
The TTL of both List redirect aaaa and List redirect a. It is set by
default to 300 . To change its value, refer to the section Configur-
ing the Action Redirect.
The maximum number of cache entries stored. Depending on the
appliance memory, setting a large number might prevent it from
running smoothly. For more details, refer to the section Clearing
Guardian Cache Automatically.
The percentage of Max cache entries that defines when the
cleaning cache commands Clean cache#.cmd are launched. Its
default value is 95%. For more details, refer to the section Clearing
Guardian Cache Automatically.
The percentage of Max client entries that defines when the cleaning
cache commands Clean client#.cmd are launched. Its default value
is 95%. For more details, refer to the section Clearing Guardian
Cache Automatically.
The maximum number of client entries stored. Depending on the
appliance memory, setting a large number might prevent it from
running smoothly. For more details, refer to the section Clearing
Guardian Client Statistics Automatically.
The percentage of Max cache entries that you want to keep in the
cache. Its default value is 5%. For more details, refer to the section
Clearing Guardian Cache Automatically.
The percentage of Max client entries that you want to keep in the
cache. Its default value is 5%. For more details, refer to the section
Clearing Guardian Client Statistics Automatically.
A way to enforce a minimum TTL for all the records that Guardian
receives from the local recursive server before sending them to
the DNS clients. The minimum only applies to records that have
a TTL lower than the one you set for the parameter. By default,
846
 Setting Guardian Parameters
Configuration parameter
Pcap=<0|1>
pcap
Quarantine redirect aaaa=<ipv6-address>
quarantine_redirect_aaaa
Quarantine redirect a=<ipv4-address>
quarantine_redirect_a
Quarantine redirect ttl=<seconds>
quarantine_redirect_ttl
Querylog=<0|1|2>
querylog
Recursive=<0|1|2>
recursive
Rescue detection=<0|1|2>
rescue_detection
Rescue high rec packet=<number>
rescue_high_rec_packet
Rescue min rec packet=<number>
rescue_min_rec_packet
Rescue ratio servfail=<number>
rescue_ratio_servfail
Rescue servfail qps=<number>
rescue_servfail_qps
Rescue time=<seconds>
rescue_time
Rescue ttl=<seconds>
rescue_ttl
Rescue unanswered rate=<number>
rescue_unanswered_rate
Servfail diff=<0|1>
servfail_diff
Description
the parameter is disabled (0). The maximum value accepted is 4
294 967 295 seconds.
The activation status of the interface dedicated to capturing
Guardian traffic, either disabled (0) or enabled (1). Once enabled,
you can perform the capture via CLI. For more details, refer to the
section Capturing Guardian Traffic.
The redirection IPv6 address for client queries associated with the
trigger or view action Quarantine redirect. It is set by default to
::1 . To change its value, refer to the section Configuring the Action
Quarantine Redirect.
The redirection IPv4 address for client queries associated with the
trigger or view action Quarantine redirect. It is set by default to
127.0.0.1 . To change its value, refer to the section Configuring
the Action Quarantine Redirect.
The TTL of both the Quarantine redirect aaaa and Quarantine re-
direct a records. It is set by default to 30 . To change its value,
refer to the section Configuring the Action Quarantine Redirect.
The querylog activation status, either disabled (0), enabled (1) or
enabled only for client log (2). It is disabled (0) by default. If you
enable it, the service Guardian logs the client queries. Note that if
you set it to 2, you can configure it on triggers or on views, as de-
tailed in the sections Enabling Querylog and Answerlog on Triggers
and Logging List Filters Client Activity.
The Guardian server recursion configuration, disabled (0), recursive
(1) or both recursive and authoritative (2). It is set to 2 by default.
Setting this parameter to 0 is not recommended.
The Guardian rescue mode detection configuration, either disabled
(0), enabled (1) or forced (2). It is enabled (1) by default. For
more details, refer to the chapter Managing the Rescue Mode.
The configuration parameters of the Rescue mode. It can only be
triggered if the parameters blast and Rescue detection are enabled.
Note that Guardian is by default ready to automatically switch to
the Rescue mode. However, the default values of the Rescue mode
parameters are set high enough to prevent an unexpected switch.
For more details, refer to the chapter Managing the Rescue Mode.
A way to identify and differentiate cached records based on the
rcode they return the first time they are queried. If enabled, this
parameter force DNS Guardian to answer clients querying cached
records even if the local recursive server sent out a SERVFAIL. In
this case, the records are returned with a TTL 30 seconds. This
parameter only applies to records that previously sent out any
other rcode than a SERVFAIL, and is enabled (1) by default. You
can disable this parameter, for more details refer to the section
Ignoring the SERVFAIL Error Message Differences.
847
 Setting Guardian Parameters

Configuration parameter Description

Shared cache key=<key> The cache sharing configuration parameters of the server. For
shared_cache_key more details, refer to the section Sharing the Cache Between
Several Guardian Servers.
Shared cache mcast addr=<ip-address>
shared_cache_mcast_addr
Shared cache mcast port=<port-number>
shared_cache_mcast_port
Shared cache mcast source addr=<ip-ad-
dress>
shared_cache_mcast_source_addr
Shared cache mcast source port=<port-num-
ber>
shared_cache_mcast_source_port
Shared cache mcast ttl=<0|1>
shared_cache_mcast_ttl
Shared cache=<0|1>
shared_cache
Tcp passthru clients=<ip-address> If the TCP protocol is used, a way to define the list of the IP address
tcp_passthru_clients of appliances that Guardian will not have any impact on, separated
by semi-colons. For instance, it can be useful to prevent the DNS
Guardian to have an impact on secondary DNS servers and man-
agers.
Tls nat=<0|1> The DNS over TLS (DoT) activation status, either yes (1) or no (0).
tls_nat It is enabled (1) by default. Note that DoT relies on the same
SSL certificate as the appliance and required to enable the TCP
port 853. For more details, refer to Guardian matrices of network
flows and to the section Adding a Firewall Rule.
View#.enabled=<0|1> The configuration parameters of Guardian views.You can configure
View#.enabled up to 16 views on a server. By default, only view0 is enabled
(1).
View#.client identifiers=<all|default> <identifi-
Each parameter includes the view ID, a number between 0 and
er>
15, all parameters are ordered from view0 to view15. For more
view#.client_identifiers
details, refer to the chapter Managing Guardian Views.
View#.list id filter=<any|all|none|default>
<space-separated-list-ids> <action>
view#.list_id_filter
View#.nat destination=<none|network-ad-
dress/prefix>
view#.nat_destination

Editing Guardian Configuration

You can edit Guardian parameters to set the configuration of your choice from the GUI and via
CLI.

Note that you can define Guardian parameters on a smart architecture so that the servers in the
smart inherit them. At server level, you can override the inherited values.

If you set a parameter via CLI, after a couple of minutes, it appears in the GUI.

To edit Guardian configuration

1. In the sidebar, go to DNS > Servers. The page All servers opens.

848
 Setting Guardian Parameters

2. At the end of the line of the Guardian server of your choice, click on . The properties page
opens.
3. In the panel Options, click on EDIT . The wizard Options configuration opens.
4. Click on NEXT until you reach the last page of the wizard. The list of all Guardian parameters
is displayed.
5. In the drop-down list Display options(s), select which parameters to display: all, using non-
default values, using default values or different from smart.
6. For the parameters of your choice, select or specify a value. For more details, refer to the
table Guardian configuration parameters.
Note that if you change the filter in the drop-down list Display option(s), and if you have
changed the value of a parameter that is not displayed anymore, it is not saved.
7. Click on OK . The report works for a while and closes.
In the panel Options, the parameters with a value different from the default one are displayed.

To edit Guardian configuration via CLI

1. Open a shell session and connect to your appliance as the default admin user, the default
password is admin, or using the credentials of a user with sudo permissions.
2. Connect to your local DNS Guardian using the command:
sudo blastcli

3. To display Guardian current configuration, use the command:

show config

4. Configure the parameter of your choice using the command:

set <parameter>=<value>

where the expected parameter and value are detailed in the table Guardian configuration
parameters. Note that hitting the tabulation key on your keyboard returns help information.

Configuring the Action Quarantine Redirect

The action Quarantine redirect is set at server level, it can be configured on triggers and views.

By default the action is disabled, as it redirects clients to the localhost.You must set the redirection
to the IP address of your choice.

Before configuring the quarantine redirect, keep in mind that it relies on:
1. A target IP address, where clients are redirected when the trigger is armed or when their
query matches a list configuration on a view.
• In IPv4, the target IP is defined by the parameter Quarantine redirect a. By default, it is
set to 127.0.0.1
• In IPv6, the target IP is defined by the parameter Quarantine redirect aaaa. By default, it
is set to ::1
2. A duration defined by the parameter Quarantine redirect ttl. By default, it is set to 30 seconds,
it applies to the IPv4 and IPv6 redirections.

To configure the quarantine redirect parameters of a server from the GUI

1. In the sidebar, go to DNS > Servers. The page All servers opens.

849
 Setting Guardian Parameters

2. At the end of the line of the Guardian server of your choice, click on . The properties page
opens.
3. In the panel Options, click on EDIT . The wizard Options configuration opens.
4. Click on NEXT until you reach the last page of the wizard. The list of all Guardian parameters
is displayed.
5. In the drop-down list Display options(s), all is selected.
6. Scroll down until you get to the parameters, they are listed in alphabetical order:
a. In the field Quarantine redirect a, specify the IPv4 address of your choice. By default,
it is set to 127.0.0.1.
b. In the field Quarantine redirect aaaa, specify the IPv6 address of your choice. By default,
it is set to ::1.
c. In the field Quarantine redirect ttl, specify the number of seconds of your choice. By
default, it is set to 30.
7. Click on OK . The report works for a while and closes.
In the panel Options, the values you changed are displayed.

To configure the quarantine redirect parameters of a server via CLI

1. Open a shell session and connect to your appliance as the default admin user, the default
password is admin, or using the credentials of a user with sudo permissions.
2. Connect to your local DNS Guardian using the command:
sudo blastcli

3. Specify the IPv4 address of your choice in the parameter quarantine_redirect_a using
the command:
set quarantine_redirect_a=<IPv4-address>

By default, it is set to 127.0.0.1 .

4. Specify the IPv6 address of your choice in the parameter quarantine_redirect_aaaa
using the command:
set quarantine_redirect_aaaa=<IPv6-address>

By default, it is set to ::1 .

5. Specify the TTL of your choice for the redirection in the parameter quarantine_redir-
ect_ttl using the command:
set quarantine_redirect_ttl=<seconds>

By default, it is set to 30.

Once your configuration is complete, it applies to all the triggers and views configured with the
action Quarantine redirect. For more details, refer to the sections Adding Triggers and Using
Lists to Filter Guardian Views.

Enabling or Disabling Guardian Cache

Guardian servers are by design intended to cache entries that you can monitor and use to protect
the server or provide service continuity to your clients.

The parameter blast allows to enable or disable the server cache. Disabling the cache allows
to stop answering clients while updating its content.

850
 Setting Guardian Parameters

Note that the cache must be enabled to manage triggers or the Rescue mode.

Enabling Guardian Cache

By default, caching is enabled when the service is started. For more details, refer to the section
Enabling the Service DNS Guardian.

However it can be disabled to stop using Guardian cache to answer client queries directly but
still update its content. For more details, refer to the section Disabling Guardian Protection.

To enable Guardian protection

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the Guardian server of your choice, click on . The properties page
opens.
3. In the panel Options, click on EDIT . The wizard Options configuration opens.
4. Click on NEXT until you reach the last page of the wizard.
5. In the drop-down list Display option(s), select all. The list of all Guardian parameters is
displayed.
6. To enable DNS Guardian protection, in the field Blast, select yes (1).
7. Click on OK to complete the operation. The wizard closes.

Disabling Guardian Cache

Disabling Guardian cache allows to stop using the cache to answer client queries while still up-
dating its content:
• Guardian still caches the local recursive server queries/answers but does not send any inform-
ation to DNS clients. This can be useful to fill in the cache.
• The server receives and sends new entries to the other Guardian servers if you configured
cache sharing. For more details, refer to the section Sharing the Cache Between Several
Guardian Servers.
• Guardian server ignores the Rescue mode configuration and can never switch to that mode.
For more details, refer to the section Managing the Rescue Mode.
• Guardian server ignores the triggers configured, they are never armed. For more details, refer
to the section Managing Triggers.

To disable Guardian protection

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the Guardian server of your choice, click on . The properties page
opens.
3. In the panel Options, click on EDIT . The wizard Options configuration opens.
4. Click on NEXT until you reach the last page of the wizard.
5. In the drop-down list Display options(s), select which parameters to display: all, using non-
default values, using default values or different from smart.
6. To disable DNS Guardian protection, in the field Blast, select no (0).
7. Click on OK to complete the operation. The wizard closes.

851
 Setting Guardian Parameters

Capturing Guardian Traffic

You can capture Guardian inbound and outbound traffic via CLI, through the dedicated interface
tap99. To capture the traffic of a Guardian server you must:
1. Enable the parameter pcap.
2. Execute the command tcpdump.

When the capture is done, you can disable the parameter pcap. Note that you can also enable
and disable this parameter from the GUI, for more details refer to the section Editing Guardian
Configuration.

To capture Guardian traffic

1. Open a shell session and connect to your appliance as the default admin user, the default
password is admin, or using the credentials of a user with sudo permissions.
2. Connect to your local DNS Guardian using the command:
sudo blastcli

3. Enable the parameter pcap using the command:

set pcap=1

4. Capture Guardian traffic using the command:

tcpdump -ni tap99

You can complete the command and specify the UDP port number of your choice.
5. You can disable the parameter pcap using the command:
set pcap=0

852
Chapter 59. Monitoring Guardian
Once you configured the module, the GUI allows to monitor the cache, client and request data
of the local DNS EfficientIP Guardian thanks to:
Statistics
Guardian cache is monitored in dedicated charts on the server properties page. For more
details, refer to the section Monitoring Guardian Statistics.
Analytics
Guardian client and request data is analyzed in dedicated tops on the page Analytics. For
more details, refer to the section Monitoring Guardian Analytics.

Malicious operations on the DNS infrastructure, such as DDoS, DNS tunneling or data exfiltration
attacks, usually result in overloaded servers and service loss for legitimate clients. You can use
the information provided by the Guardian client statistics to identify the different types of threats.

Note that:
• You can also display and manage statistics via CLI. For more details, refer to the chapter
Managing Guardian Statistics.
• By default, Guardian servers are both authoritative and recursive, the parameter recursive is
set to 2. This configuration may impact your statistics and analytics data as each authoritative
query results in a cache miss.
To lower this impact on the trigger executions, you can add a list containing the domain names
that the server has authority over and take it into account in your trigger(s). For more details,
refer to the section Configuring the Content of a List in the chapter Managing Lists and to the
sections Adding Triggers Relying on Lists Metrics in the chapter Managing Triggers.

Monitoring Guardian Statistics

From the properties page of the local EfficientIP DNS server, you can monitor a set of Guardian
cache statistics in dedicated panels.

Note that:
• All the information returned is based on server statistics available via CLI. Each panel
chart relies on statistics described in the table Guardian Server statistics of the chapter Managing
Guardian Statistics, where you can find more server statistics, client statistics and options via
CLI.
• All the panels contain at least one chart. The y-axis of these charts indicates the unit, the axis
scale and unit prefix depend on the period selected and maximum value displayed. Following
the standard ISO 80000-1, all the y-axis units can have no prefix or any SI prefix such as: m
(milli), k (kilo) or M (mega).
• Each panel can be used as a gadget and displayed on any dashboard. For more details, refer
to the section Assigning a Chart on a Properties Page as Gadget in the chapter Managing
Gadgets.

To display Guardian statistics

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. In the column DNS Guardian, the server is marked Enabled.
3. At the end of the line of the server of your choice, click on . The server properties pages
opens.

853
 Monitoring Guardian

All Guardian statistics panel are named Guardian - <data>.

4. Click on to open the panel of your choice and display its chart. You can zoom in and out
of all charts or decide the period and data to display. For more details, refer to the section
Charts in the chapter Understanding the GUI.

The available Guardian statistics are the following:

Guardian - Cache Size (Bytes)
A chart displaying Guardian cache size evolution over time, in bytes. For more details, refer
to the chapter Managing Guardian Cache.
Based on: Cache size.
Guardian - Cache Hits/Misses
A chart displaying the ratio, in percent, of Guardian answered and unanswered queries. For
more details, refer to the chapter Managing Guardian Cache.
Based on: Cache hit rate and Cache miss rate.
Guardian - Hits in Quarantine
A chart displaying the number of queries per seconds that Guardian answered to clients im-
pacted by the trigger or view action Quarantine or Quarantine redirect. For more details, refer
to the chapter Managing Triggers and to the section Using Lists to Filter Guardian Views in
the chapter Managing Views.
Based on: Cache hit in quarantine mode.
Guardian - Cache Statistics
A chart displaying Guardian cache statistics, in queries per second, for all DNS traffic. The
results include traffic in quarantine and rescue mode. For more details, refer to the chapter
Managing Guardian Cache.
Based on: Cache hit, Cache missed, Cache missed but exists (expired) and Cache missed,
never queried.
Guardian - Quarantine statistics
A chart displaying Guardian cache statistics, in queries per second, for clients impacted by
the trigger or view action Quarantine or Quarantine redirect. For more details, refer to the
chapter Managing Triggers and to the section Using Lists to Filter Guardian Views in the
chapter Managing Views.
Based on: Cache hit in quarantine mode, Cache missed in quarantine mode, Cache missed
but exists (expired) in quarantine mode and Cache missed, never queried in quarantine
mode.
Guardian - Rescue mode statistics
A chart displaying Guardian cache hit statistics, in queries per second, for clients in rescue
mode. For more details regarding the rescue mode, refer to the chapter Managing the Rescue
Mode.
Based on: Cache hit in rescue mode, Cache missed in rescue mode, Cache missed but exists
(expired) in rescue mode and Cache missed, never queried in rescue mode.
Guardian - Blocked traffic (Queries)
A chart displaying the cumulated number of queries, per second, generated by all the clients
impacted by the trigger action Block. For more details, refer to the chapter Managing Triggers.
Based on: Blocked queries.
Guardian - Tracked clients
A chart displaying the number of client IP addresses impacted by the trigger or view action
Quarantine or Quarantine redirect. For more details, refer to the chapter Managing Triggers
and to the section Using Lists to Filter Guardian Views in the chapter Managing Views.
Based on: Client size.

854
 Monitoring Guardian

Guardian - Sent/Received traffic (Queries)

A chart displaying the number of queries, per second, sent and received by Guardian. For
more details, refer to the section Sending the Cache Content to Another Guardian Server in
the chapter Managing Guardian Cache.
Based on: Sent DNS answers and Received DNS queries.
Guardian - Sent/Received traffic (Bytes)
A chart displaying the overall traffic, in bytes per second, generated by the queries sent and
received by Guardian. For more details, refer to the section Sending the Cache Content to
Another Guardian Server in the chapter Managing Guardian Cache.
Based on: Sent DNS answers (bytes) and Received DNS queries (bytes).
Guardian - Answers in Quarantine/Rescue Mode (Queries)
A chart displaying the number of queries, per second, answered by Guardian for clients im-
pacted by the trigger or view action Quarantine or Quarantine redirect or clients in rescue
mode. For more details, refer to the chapter Managing Triggers, to the section Using Lists
to Filter Guardian Views in the chapter Managing Views and to the chapter Managing the
Rescue Mode.
Based on: Sent DNS answers in quarantine mode and Sent DNS answers in rescue mode.
Guardian - Answers in Quarantine/Rescue Mode (Bytes)
A chart displaying the overall traffic generated by the queries answered by Guardian for clients
impacted by the trigger or view action Quarantine or Quarantine redirect and clients in rescue
mode, in bytes per second. For more details, refer to the chapter Managing Triggers, to the
section Using Lists to Filter Guardian Views in the chapter Managing Views and to the chapter
Managing the Rescue Mode.
Based on: Sent DNS answers in quarantine mode (bytes) and Sent DNS answers in rescue
mode (bytes).
Guardian - Invalid traffic (Queries)
A chart displaying the total number of invalid queries that were dropped by Guardian. For
more details, refer to the chapter Managing Guardian Cache.
Based on: Received Invalid DNS queries.
Guardian - Invalid traffic (Bytes)
A chart displaying the traffic generated by all the invalid queries that were dropped by
Guardian, in bytes. For more details, refer to the chapter Managing Guardian Cache.
Based on: Received Invalid DNS queries (bytes).
Guardian - Cache sharing statistics
A chart displaying the number of entries sent and received via shared Guardian cache, in
queries per second. For more details, refer to the section Sharing the Cache Between Sev-
eral Guardian Servers in the chapter Managing Guardian Cache.
Based on: DNS entries received via shared cache and DNS entries sent via shared cache.
Guardian - Cache sharing statistics (Bytes)
A chart displaying the traffic generated by all the entries sent and received via shared
Guardian cache, in bytes. For more details, refer to the section Sharing the Cache Between
Several Guardian Servers in the chapter Managing Guardian Cache.
Based on: DNS entries received via shared cache (bytes) and DNS entries sent via shared
cache (bytes)
Guardian - Return codes statistics
A chart displaying the number of return codes sent by Guardian, in queries per second. For
more details, refer to the chapter Managing Guardian Cache.
Based on: Sent NOERROR rcode, Sent FORMERR rcode, Sent SERVFAIL rcode, Sent
NXDOMAIN rcode, Sent NOTIMP rcode, Sent REFUSED rcode, Sent YXDOMAIN rcode,

855
 Monitoring Guardian

Sent YXRRSET rcode, Sent NXRRSET rcode, Sent NOTAUTH rcode and Sent NOTZONE
rcode.
Guardian - Triggers
A chart displaying the number of times each of the first 8 available triggers were armed. The
chart is generated using the position of each trigger, therefore even if you edit the trigger
name, action, period and/or threshold, the graph keeps evolving but might not always have
the same meaning, especially if you duplicate a policy as it resets the trigger positions. For
more details, refer to the chapters Managing Policies and Managing Triggers.
Based on: Number of time trigger #0 was armed, Number of time trigger #1 was armed,
Number of time trigger #2 was armed, Number of time trigger #3 was armed, Number of time
trigger #4 was armed, Number of time trigger #5 was armed, Number of time trigger #6 was
armed and Number of time trigger #7 was armed.
Guardian - Recursive queries latency
A chart displaying the recursive query latency distribution of Guardian, in queries per second.
The latency is divided into 6 periods and ranges from less than 10 milliseconds to more than
1600 milliseconds. Clients traffic rate can be limited to 100 queries per second using the
trigger action Ratelimit. For more details, refer to the chapter Managing Triggers.
Based on: Recursive queries with latency < 10ms, Recursive queries with latency >= 10ms
and < 100ms, Recursive queries with latency >= 100ms and < 500ms, Recursive queries
with latency >= 500ms and < 800ms, Recursive queries with latency >= 800ms and < 1600ms
and Recursive queries with latency >= 1600ms.
Guardian - Rate limited traffic (Queries)
A chart displaying the number of queries dropped by Guardian because source clients reached
the configured query limit rate (of 100 QPS), in queries per second. Clients traffic rate can
be limited to 100 queries per second using the trigger action Ratelimit. For more details, refer
to the chapter Managing Triggers.
Based on: Ratelimited queries.

856
 Monitoring Guardian

Monitoring Guardian Analytics

From the page Analytics, a set of tops are dedicated to monitoring Guardian client or request
data.

All Guardian tops allow to monitor metrics measured via 5-minute samples over a specific time
window. As illustrated below, a dedicated chart allows to set the time widow and filter the data
to display.

Figure 59.1. The page Analytics displaying Guardian - Top queries

The drop-down list Display allows to select the top of your choice. If you are displaying the
page Analytics of a Guardian server, only Guardian - Top <data> are listed.
Three view displays are available, Overview, Detailed view and Consolidated view. The
number of entries they return depend on the time window you set.
The time window displayed. The two buttons allow to open the calendar where you set
the start and end date and time.
The calendar displays in light gray the selected date. All the dates when data is available
are underlined, you can click on any one to set it as start or end. At the bottom, you can
select the hour and minute of your choice. If you click on NOW you can use the current date
and time as start or end.
A chart representation of the data returned by the top. It allows to zoom in and out to narrow
down the data returned and filter the list.
The timeline provides an overview of the chart. It also allows, like in the image, to select a
specific period to display in the chart and return in the list. For more details, refer to the
section Charts in the chapter Understanding the GUI.
The data matching the selected top, view and time window. Some columns are always empty
in Overview and Consolidated view.

To monitor Guardian tops, you must:

1. Meet the prerequisites.
2. Go to the module DNS, on the page Analytics, and select a top and define a time window and
view.

857
 Monitoring Guardian

Note that with Guardian analytics enabled:

• On the page Analytics, standard DNSTOP and RPZ analytics may no longer be available. For
more details, refer to the section Displaying the DNS and RPZ Analytics in the chapter Monit-
oring and Reporting DNS Data.
• On the properties page of the Guardian server, the panel DNS Analytics and its edition wizard
no longer provides the Periodicity (min.) as it is not configurable.

Prerequisites
• Making sure that client statistics are enabled on the Guardian server. They are enabled by
default.
If on the server properties page, in the panel Options, the parameter Client stats is listed, it
means that it is not set with the default value and you need to enable it. For more details, refer
to the section Making Sure Guardian Client Statistics Are Enabled.
• Making sure the analytics are collected, as detailed below.

To make sure Guardian Analytics are collected

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. Filter the column Guardian/GSLB to only display Enabled servers.
3. In the column Name, right-click over the server of your choice. The contextual menu opens.
4. Click on Properties. The server properties page opens.
5. In the panel DNS Analytics, click on EDIT . The wizard Configure DNS Analytics opens.
6. Tick the box Enable analytics collection.
7. Click on OK to complete the operation. The report opens and closes. In the panel Analytics,
the option Enable analytics collection is set to yes.

Accessing the Page Analytics

In the module DNS, once you meet the prerequisites, the page Analytics offers dedicated
Guardian tops to monitor client or request data.

Note that until you display the analytics of a specific server, the page might display DNSTOP,
RPZ and Guardian analytics. For more details on DNS and RPZ data, refer to the section Monit-
oring DNS Servers from the Page Analytics in the chapter Monitoring and Reporting DNS Data.

To display the page Analytics

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. In the breadcrumb on the right of All servers, click on to display additional pages.
3. Click on Analytics. The page opens. It displays the data of all the servers you manage.
4. In the drop-down list Display, all DNSTOP, RPZ and Guardian tops are available.

To display the page Analytics of a specific server

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. In the column Name, click on the Guardian server of your choice. The page All zones of the
server opens.
3. In the breadcrumb on the right of the server name, click on to display additional pages.
4. Click on Analytics. The page opens and only displays the data of the Guardian server.
Next to the drop-down list Display, another drop-down list allows to select a view.

858
 Monitoring Guardian

Under these lists, a chart allows to set a time window and narrow down the data to return in
the columns. If no data is available for the selected top, the chart is empty.

Guardian analytics provide dedicated columns., depending on the top and view selected some
of them may be empty or not displayed.

You can filter and sort data through all columns, except Start date and Period that you can only
sort.

Table 59.1. Guardian analytics columns

Column Description
Server The name of the Guardian server. This column is displayed for all analytics if no server is
displayed in the breadcrumb.
Start date If you display the Overview, the start date and time of the 5-minute sample Period. This
column is always displayed.
If you display the Consolidated view, the start date and time of the first sample Period
during which the metric has been measured, within the analytics time window. This column
is always displayed.
If you display the Detailed view, the start date and time of the 5-minute sample Period.
This column is always displayed.
Period The sample period, either detailed (5 minutes) or consolidated (multiple of 5 minutes),
during which metrics have been measured. This column is always displayed.
Client's IP address The IP address of the client querying Guardian.This column is displayed for all client-related
Guardian tops. Depending on the view selected, it may be empty.
Domain The name of the domain queried. This column is displayed for all query-related Guardian
tops. Depending on the view selected, it may be empty.
RR type The record returned when the domain was queried: A, AAAA, PTR... This column is dis-
played for all query-related Guardian tops. Depending on the view selected, it may be
empty.
Queries The number of queries received by the server on the sample period, either from a Client's
IP address or for a specific Domain and RR Type. This column is displayed for all Guard-
ian tops, except the traffic related ones. Depending on the view selected, it may be empty.
Time (ms) The recursion time, in milliseconds, of the queries received by the server on the sample
period, either from a Client's IP address or for a specific Domain and RR Type. This column
is only displayed for Guardian - Top recursion time by client and Guardian - Top recursion
times by FQDN. Depending on the view selected, it may be empty.
Size (bytes) The size, in bytes, of the queries received by the server on the sample period, either from
a Client's IP address or for a specific Domain and RR Type. This column is only displayed
for Guardian - Top clients generating recursive incoming traffic and Guardian - Top clients
generating recursive outgoing traffic. Depending on the view selected, it may be empty.
Trigger hits The number of times, in the sample period, a Client's IP address armed a trigger. This
column is only displayed for Guardian - Top clients triggering policies. Depending on the
view selected, it may be empty.
Total The value of all the metrics measured during the same sample period, regardless of the
Client's IP address, Domain or RR Type. This column is always displayed.
Ratio The proportion of the metric value compared to the total value within the same period, in
percent. This column is always displayed.

Displaying Guardian Analytics Tops

On the page Analytics, Guardian tops allow to monitor specific client or request data for all
Guardian servers.

859
 Monitoring Guardian

All tops return detailed 5-minute samples of data measurements of the server traffic, in number
of queries, size or recursion time. These metrics either return information based on the IP address
of a client or queried domain/record.

The information returned by each Guardian top depends on the selected view and on the
time window set.

All Guardian tops provide three different views for the chosen time window:
1. Overview returns a simplified display of the data for each 5-minute sample within the selected
time window. With the column Total, you can identify peaks in the traffic and get more inform-
ation with the consolidated or detailed view. These peaks are also displayed in the chart.

Figure 59.2. Overview of Guardian Analytics

2. Consolidated view focuses on the client or query data, depending on the selected Top. When
a client IP address or a queried domain/record is repeatedly identified over the different 5-
minute samples within the selected time window, these sampling periods add up in the column
Period.

Figure 59.3. Consolidated view of Guardian Analytics

3. Detailed view focuses on a sampling period. For each 5-minute sampling period, this view
lists the number of times one IP address or a domain and RR type has been identified within
the selected time window.

Figure 59.4. Detailed view of Guardian Analytics

In addition, a chart allows to set the time window. Note that:

• By default, the timeline of the analytics chart displays a maximum of 365 days. You can edit
the timeline duration of this chart and all time-based charts, refer to the section Editing the
Number of Days Available on the Timeline in the chapter Understanding the GUI.
• The chart is essentially a filter, the time window you set filters and refreshes the data on the
page. Therefore, the chart cannot be used as gadget and displayed on Dashboards.
• If no data is available for the selected top, the chart is empty and you cannot set any time
window or display data.
• Even if you display the analytics of several Guardian server, the chart only contains one line.

860
 Monitoring Guardian

All tops are based on some of the server statistics available via CLI. The data used is indicated
after each description. For more details, refer to the tables Guardian client statistics and Guardian
analytics columns.

To display Guardian Analytics data

1. Make sure you meet Guardian analytics prerequisites.
2. In the sidebar, go to DNS > Servers. The page All servers opens.
3. In the column Name, click on the Guardian server of your choice. The page All zones of the
server opens.
4. In the breadcrumb on the right of the server name, click on to display additional pages.
5. Click on Analytics. The page opens.
6. Under the menu, in the drop-down list Display, select a Guardian - Top <data>. The chart
and columns refresh. All tops are described below.
7. In the next drop-down list, select Overview, Consolidated view or Detailed view according
to your needs. The page refreshes. Depending on the view you chose, some columns on
the page may be empty. The columns are described in the table Guardian analytics columns.
8. To set the time window using the chart calendars:
a. Set the start date and time. At the top of the chart, click on the left . The calendar
opens.
b. Click on and to select a month and click on the date of your choice. You can only
click on light gray dates.
c. At the bottom of the calendar, in the drop-down lists, select the hour and minute of your
choice.
d. Click on OK . The page refreshes and the selected date is displayed next to .
e. Set the end date and time. At the top of the chart, click on the right . The calendar
opens.
f. Repeat the same operations.
Note that you can click on NOW at the bottom of the calendar window to use the current date
and time as start or end.
9. To set the time window directly from the chart:
a. You can zoom in or out of the chart. The page refreshes.
b. You can select the period of your choice in the timeline. The page refreshes
For more details on charts, refer to the section Charts in the chapter Understanding the GUI.

The available Guardian analytics are the following:

Guardian - Top clients generating dropped queries (BLOCK)
The clients, whose query was received and dropped because a trigger with the action Block
was armed. For more details, refer to the section Managing Triggers.
Metrics: Queries by Client's IP address.
Based on: blocked-Q.
Guardian - Top clients querying records missing from the cache
The clients querying records not in the cache. For more details, refer to the chapter Managing
Guardian Statistics.
Metrics: Queries by Client's IP address.
Based on: C-miss.

861
 Monitoring Guardian

Guardian - Top clients querying records present in the cache

The clients querying records in the cache. For more details, refer to the chapter Managing
Guardian Statistics.
Metrics: Queries by Client's IP address.
Based on: C-hit.
Guardian - Top clients generating recursive incoming traffic
The total size of the answers queried by clients that were not in the cache and were received
from the local recursive server. For more details, refer to the section Managing Guardian
Client Statistics in the chapter Managing Guardian Statistics.
Metrics: Size (bytes) by Client's IP address.
Based on: miss-A-sz.
Guardian - Top clients generating recursive outgoing traffic
The total size of the queries whose answer was not in the cache and that were sent to the
local recursive server. For more details, refer to the section Managing Guardian Client Stat-
istics in the chapter Managing Guardian Statistics.
Metrics: Size (bytes) by Client's IP address.
Based on: miss-Q-sz.
Guardian - Top clients
The clients querying Guardian. For more details, refer to the section Managing Guardian
Client Statistics in the chapter Managing Guardian Statistics.
Metrics: Queries by Client's IP address.
Based on: Query.
Guardian - Top clients receiving NOERROR rcodes
The clients whose queries were answered with the rcode NOERROR. For more details, refer
to the section Managing Guardian Client Statistics in the chapter Managing Guardian Statistics.
Metrics: Queries by Client's IP address.
Based on: NOERROR.
Guardian - Top clients receiving NXDOMAIN rcodes
The clients whose queries were answered with the rcode NXDOMAIN. For more details, refer
to the section Managing Guardian Client Statistics in the chapter Managing Guardian Statistics.
Metrics: Queries by Client's IP address.
Based on: NXDOMAIN.
Guardian - Top recursion time by client
The clients for whom the cumulative queries took the longest time to be answered by the
local recursive server, in milliseconds. For more details, refer to the section Managing
Guardian Client Statistics in the chapter Managing Guardian Statistics.
Metrics: Time (ms) by Client's IP address.
Based on: recurs-time.
Guardian - Top clients receiving SERVFAIL rcodes
The clients whose queries were answered with the rcode SERVFAIL. For more details, refer
to the sections Managing Guardian Client Statistics and Ignoring the SERVFAIL Error Message
Differences in the chapter Managing Guardian Statistics.
Metrics: Queries by Client's IP address.
Based on: SERVFAIL.

862
 Monitoring Guardian

Guardian - Top clients triggering policies

The number of times a client query armed a trigger and, therefore, triggered an action. For
more details, refer to the section Managing Guardian Client Statistics in the chapter Managing
Guardian Statistics and to the chapter Managing Triggers.
Metrics: Trigger Hits by Client's IP address.
Guardian - Top queries of records missing from the cache
The queries sent to Guardian for records not in the cache. For more details, refer to the
section Managing Guardian Server Statistics in the chapter Managing Guardian Statistics.
Metrics: Queries.
Based on: C-miss.
Guardian - Top queries
The queries sent to Guardian. For more details, refer to the section Managing Guardian
Server Statistics in the chapter Managing Guardian Statistics.
Metrics: Queries.
Based on: Used.
Guardian - Top SLD creating new cache entries
The queries for a sub-level domain name that has not been queried before. For more details,
refer to the section Managing Guardian Server Statistics in the chapter Managing Guardian
Statistics.
Metrics: Queries by Domain and RR Type.
Based on: Query and first-used.
Guardian - Top queries returning NXDOMAIN rcodes
The queries returned with the rcode NXDOMAIN. For more details, refer to the section
Managing Guardian Server Statistics in the chapter Managing Guardian Statistics.
Metrics: Queries.
Based on: RCODE.
Guardian - Top recursion time by FQDN
The recursion of all queries, one fully qualified domain name at a time. For more details, refer
to the section Managing Guardian Server Statistics in the chapter Managing Guardian Stat-
istics.
Metrics: Time (ms) by Domain and RR Type.
Based on: R-time.
Guardian - Top queries returning SERVFAIL rcodes
The queries returned with the rcode SERVFAIL. For more details, refer to the sections
Managing Guardian Server Statistics and Ignoring the SERVFAIL Error Message Differences
in the chapter Managing Guardian Statistics.
Metrics: Queries.
Based on: RCODE.

863
Chapter 60. Managing Guardian
Statistics
Once you configured the module, you can fully manage Guardian statistics via CLI.

Malicious operations on the DNS infrastructure, such as DDoS, DNS tunneling or data exfiltration
attacks, usually result in overloaded servers and service loss for legitimate clients. You can use
the information provided by the Guardian client statistics to identify the different types of threats.

DNS Guardian statistics gather all the metrics related to the client-server interactions in:
Server statistics
You can display, monitor or reset all server statistics, as detailed in the section Managing
Guardian Server Statistics.
Client statistics
You can display, reset and clear client statistics, as detailed in the section Managing
Guardian Client Statistics.

Note that:
• From the GUI, you can monitor Guardian cache, client and request data through statistics and
analytics. For more details, refer to the chapter Monitoring Guardian.
• By default, Guardian servers are both authoritative and recursive, the parameter recursive is
set to 2. This configuration may impact your server statistics data as each authoritative query
results in a cache miss.
To lower this impact on the trigger executions, you can add a list containing the domain names
that the server has authority over and take it into account in your trigger(s). For more details,
refer to the section Configuring the Content of a List in the chapter Managing Lists and to the
section Adding Triggers Relying on Lists Metrics in the chapter Managing Triggers.
• You can also monitor Guardian data yourself via SNMP. For more details, refer to the section
Monitoring Using SNMP in the chapter Monitoring.

Managing Guardian Server Statistics

The server statistics allow you to have a detailed overview of the traffic processed by Guardian
server. They are based on the analysis of Guardian cache and clients data to display the type,
number, size and recursion time of all queries and answers. For more details, refer to the chapter
Managing Guardian Cache and to the section Managing Guardian Client Statistics.

The management of Guardian server statistics includes:

• Displaying Guardian Server Statistics.
• Monitoring Guardian Server Statistics in Real-Time.
• Resetting Guardian Server Statistics.
• Ignoring the SERVFAIL Error Message Differences when you display and monitor statistics.

Displaying Guardian Server Statistics

A command allows to display your Guardian server statistics:
DNS Blast> show stats

864
 Managing Guardian Statistics

2010M Cache hit

17311k Cache missed
17311k Cache missed but exists (expired)
0 Cache missed, never queried
0 Cache hit in quarantine mode
0 Cache missed in quarantine mode
0 Cache missed but exists (expired) in quarantine mode
0 Cache missed, never queried in quarantine mode
0 Cache missed in quarantine_redirect mode
0 Cache hit in rescue mode
0 Cache missed in rescue mode
0 Cache missed but exists (expired) in rescue mode
0 Cache missed, never queried in rescue mode
0 Blocked queries
0 Ratelimited queries
63021 Cache size
0 Client size
0 Client added
0 Client deleted
0 Server size
2027M Sent DNS answers
172GB Sent DNS answers (bytes)
0 Sent TCP DNS answers
0 Sent TLS DNS answers
0 Sent DOH DNS answers
2027M Received DNS queries
141GB Received DNS queries (bytes)
17311k Queries sent to the local recursive server
1172MB Queries sent to the local recursive server (bytes)
17072k Answers sent by the local recursive server
1405MB Answers sent by the local recursive server (bytes)
0 Sent DNS answers in quarantine mode
0B Sent DNS answers in quarantine mode (bytes)
0 Sent DNS answers in quarantine_redirect mode
0B Sent DNS answers in quarantine_redirect mode (bytes)
0 Sent DNS answers in rescue mode
0B Sent DNS answers in rescue mode (bytes)
0 Received Invalid DNS queries
0B Received Invalid DNS queries (bytes)
743661 Received SERVFAIL from local recursive server (rcode changed)
0 List matched queries
0 Discarded outgoing DNS packets
0 Discarded outgoing DNS packets (received by local recursive server)
0 Discarded incoming packets
0 Discarded DNS queries (sent to local recursive server)
15782k Recursive queries with latency < 10ms
1026k Recursive queries with latency >= 10ms and < 100ms
67408 Recursive queries with latency >= 100ms and < 500ms
393 Recursive queries with latency >= 500ms and < 800ms
16177 Recursive queries with latency >= 800ms and < 1600ms
180065 Recursive queries with latency >= 1600ms
2026M Sent NOERROR rcode
0 Sent FORMERR rcode
743661 Sent SERVFAIL rcode
0 Sent NXDOMAIN rcode
0 Sent NOTIMP rcode
0 Sent REFUSED rcode
0 Sent YXDOMAIN rcode
0 Sent YXRRSET rcode
0 Sent NXRRSET rcode
0 Sent NOTAUTH rcode
0 Sent NOTZONE rcode
0 Received NOERROR rcode from local recursive server
0 Received FORMERR rcode from local recursive server
0 Received SERVFAIL rcode from local recursive server
0 Received NXDOMAIN rcode from local recursive server
0 Received NOTIMP rcode from local recursive server

865
 Managing Guardian Statistics

0 Received REFUSED rcode from local recursive server

0 Received YXDOMAIN rcode from local recursive server
0 Received YXRRSET rcode from local recursive server
0 Received NXRRSET rcode from local recursive server
0 Received NOTAUTH rcode from local recursive server
0 Received NOTZONE rcode from local recursive server

The command returns the following data:

Table 60.1. Guardian server statistics

Metrics Description
Cache hit The number of queries answered by the cache, they match a cached
entry.
Cache missed The number of queries that cannot be answered by the cache.
Cache missed but exists (expired) The number of queries that cannot be answered by the cache be-
cause they match a cached entry that expired.
Cache missed, never queried The number of queries that cannot be answered by the cache be-
cause the entry queried does not exist.
Cache hit in quarantine mode The number of queries answered by the cache to quarantined cli-
ents, the matching entry is never sent to the local recursive server.
Cache missed in quarantine mode The number of queries that cannot be answered by the cache to
quarantined clients.
Cache missed but exists (expired) in quarant- The number of queries that cannot be answered by the cache to
ine mode quarantined clients because they match a cached entry that expired.
Cache missed, never queried in quarantine The number of queries that cannot be answered by the cache to
mode quarantined clients because the entry queried does not exist.
Cache missed in quarantine_redirect mode The number of queries that cannot be answered by the cache be-
cause a trigger or view executed the action Quarantine redirect and
specific clients were redirected to the configured IP address. For
more details, refer to the section Configuring the Action Quarantine
Redirect.
Cache hit in rescue mode The number of queries answered by the cache if the server switched
to Rescue mode.
Cache missed in rescue mode The number of queries that cannot be answered by the cache in
rescue mode.
Cache missed but exists (expired) in rescue The number of queries that cannot be answered by the cache in
mode rescue mode because the records expired.
Cache missed, never queried in rescue mode The number of queries that cannot be answered by the cache in
rescue mode because the entry queried does not exist.
Blocked queries The number of blocked clients, or queries that are blocked because
a trigger executed the action Block for specific clients. For more
details, refer to the section Adding Triggers.
Ratelimited queries The number of queries that dropped because source clients reached
the configured query limit rate of 100 queries per second.
Cache size The total number of entries in the cache.
Client size The total number of clients for which statistics are maintained. Each
client has a unique IP addresses or identifier. For more details, refer
to the section Managing Guardian Client Statistics.
Client added The number of clients newly detected, a new IP address or any
other client identifier queried the server.
Client deleted The number of clients that have not recently queried the server, a
clearing operation deleted them.
Sent DNS answers The number of answers sent out by Guardian.
Sent DNS answers (bytes) The total size of the packets sent out by Guardian.

866
 Managing Guardian Statistics

Metrics Description
Sent TCP DNS answers The number of answers sent out by Guardian via TCP.
Sent TLS DNS answers The number of answers to DoT queries (DNS over TLS) sent out
by Guardian.
Sent DOH DNS answers The number of answers to DoH queries (DNS over HTTPS) sent
out by Guardian.
Received DNS queries The number of queries received by Guardian.
Received DNS queries (bytes) The total size of the packets received by Guardian.
Queries sent to the local recursive server The number of queries not already cached by Guardian that were
sent to the local DNS recursive server.
Queries sent to the local recursive server The total size of the packets not already cached by Guardian that
(bytes) were sent to the local DNS recursive server.
Answers sent by the local recursive server The number of queries not already cached by Guardian that were
answered by the local DNS recursive server.
Answers sent by the local recursive server The total size of the packets not already cached by Guardian that
(bytes) were answered by the local DNS recursive server.
Sent DNS answers in quarantine mode The number of answers sent out by Guardian to quarantined clients.
Sent DNS answers in quarantine mode The total size of the packets sent to quarantined clients.
(bytes)
Sent DNS answers in quarantine_redirect The number of answers redirected to an IP address because a
mode trigger or view executed the action Quarantine redirect. For more
details, refer to the section Configuring the Action Quarantine Re-
direct.
Sent DNS answers in quarantine_redirect The total size of the packets redirected to an IP address because
mode (bytes) a trigger or view executed the action Quarantine redirect. For more
details, refer to the section Configuring the Action Quarantine Re-
direct.
Sent DNS answers in rescue mode The number of queries sent by Guardian once it switched to rescue
mode.
Sent DNS answers in rescue mode (bytes) The total size of the packets sent by Guardian once it switched to
rescue mode.
Received Invalid DNS queries The number of invalid queries received by Guardian.
Received Invalid DNS queries (bytes) The total size of the invalid queries packets received by Guardian.
Received SERVFAIL from local recursive The number of SERVFAIL error messages received by Guardian
server (rcode changed) from the local recursive server that previously returned a different
rcode for the same query. To stop taking into account these results,
refer to the section Ignoring the SERVFAIL Error Message Differ-
ences.
List matched queries The number of queries that match a Guardian list entry. For more
details, refer to the chapter Managing Lists.
Discarded outgoing DNS packets The number of DNS packets received and discarded by Guardian.
Discarded outgoing DNS packets (received The number of DNS packets sent to the local DNS recursive server
by local recursive server) and transmitted to the client.
Discarded incoming packets The number of incoming packets that were discarded.
Discarded DNS queries (sent to local recurs- The number of packets sent to the local DNS recursive server that
ive server) were discarded.
Recursive queries with latency < 10ms The number of recursive queries which answering time is lower than
10 milliseconds.
Recursive queries with latency >= 10ms and The number of recursive queries which answering time is equal to
< 100ms 10 or lower than 100 milliseconds.
Recursive queries with latency >= 100ms The number of recursive queries which answering time is equal to
and < 500ms 100 or lower than 500 milliseconds.

867
 Managing Guardian Statistics

Metrics Description
Recursive queries with latency >= 500ms The number of recursive queries which answering time is equal to
and < 800ms 500 or lower than 800 milliseconds.
Recursive queries with latency >= 800ms The number of recursive queries which answering time is equal to
and < 1600ms 800 or lower than 1600 milliseconds.
Recursive queries with latency >= 1600ms The number of recursive queries which answering time is equal to
or higher than 1600 milliseconds.
Sent NOERROR rcode The number of NOERROR error messages sent by Guardian.
Sent FORMERR rcode The number of FORMERR error messages sent by Guardian.
Sent SERVFAIL rcode The number of SERVFAIL error messages sent by Guardian.
Sent NXDOMAIN rcode The number of NXDOMAIN error messages sent by Guardian.
Sent NOTIMP rcode The number of NOTIMP error messages sent by Guardian.
Sent REFUSED rcode The number of REFUSED error messages sent by Guardian.
Sent YXDOMAIN rcode The number of YXDOMAIN error messages sent by Guardian.
Sent YXRRSET rcode The number of YXRRSET error messages sent by Guardian.
Sent NXRRSET rcode The number of NXRRSET error messages sent by Guardian.
Sent NOTAUTH rcode The number of NOTAUTH error messages sent by Guardian.
Sent NOTZONE rcode The number of NOTZONE error messages sent by Guardian.
Received NOERROR rcode from local recurs- The number of NOERROR error messages received by Guardian
ive server from the local recursive server.
Received FORMERR rcode from local recurs- The number of FORMERR error messages received by Guardian
ive server from the local recursive server.
Received SERVFAIL rcode from local recurs- The number of SERVFAIL error messages received by Guardian
ive server from the local recursive server.
Received NXDOMAIN rcode from local re- The number of NXDOMAIN error messages received by Guardian
cursive server from the local recursive server.
Received NOTIMP rcode from local recursive The number of NOTIMP error messages received by Guardian from
server the local recursive server.
Received REFUSED rcode from local recurs- The number of REFUSED error messages received by Guardian
ive server from the local recursive server.
Received YXDOMAIN rcode from local re- The number of YXDOMAIN error messages received by Guardian
cursive server from the local recursive server.
Received YXRRSET rcode from local recurs- The number of YXRRSET error messages received by Guardian
ive server from the local recursive server.
Received NXRRSET rcode from local recurs- The number of NXRRSET error messages received by Guardian
ive server from the local recursive server.
Received NOTAUTH rcode from local recurs- The number of NOTAUTH error messages received by Guardian
ive server from the local recursive server.
Received NOTZONE rcode from local recurs- The number of NOTZONE error messages received by Guardian
ive server from the local recursive server.

Note that:
• You can filter the server statistics by view.
• Some of the server statistics are used to generate charts available in the GUI, for more details
refer to the section Monitoring Guardian Statistics.
• By default, Guardian servers are both authoritative and recursive, the parameter recursive is
set to 2. This configuration may impact your server statistics data as each authoritative query
results in a cache miss.
To lower this impact on the trigger executions, you can add a list containing the domain names
that the server has authority over and take it into account in your trigger(s). For more details,

868
 Managing Guardian Statistics

refer to the section Configuring the Content of a List in the chapter Managing Lists and to the
section Adding Triggers Relying on Lists Metrics in the chapter Managing Triggers.
• You can also monitor the server or view statistics to display more information, refreshed every
second. For more details, refer to the section Monitoring Guardian Server Statistics in Real-
Time.

To display Guardian server statistics

1. Open a shell session and connect to your appliance as the default admin user, the default
password is admin, or using the credentials of a user with sudo permissions.
2. Connect to your local DNS Guardian using the command:
sudo blastcli

3. To display Guardian server statistics, use the command:

show stats

4. To display the Guardian server statistics of a specific view, use the command:
show stats view=#

where # is an integer between 0 and 15 that corresponds to the order you set for the local
recursive server views. For more details, refer to the chapter Managing Guardian Views.

Monitoring Guardian Server Statistics in Real-Time

You can monitor in real-time all the server statistics of your Guardian server, or only some inform-
ation.

The monitoring command returns Guardian data statistics as follows, the column Avg /s is updated
every second, while the column Cumulative displays the values collected since the last reset.
DNS Blast> monitor

DNS BLAST monitoring:

-----------------------------------------------------------------------------
Cumulative ( Avg /s ) Name
-----------------------------------------------------------------------------
99.99% ( 100.00% ) Cache hit rate
0.00% ( 0.00% ) Cache miss rate
0.00% ( 0.00% ) Block query rate
15690M ( 17080k ) Cache hit
2 ( 0 ) Cache missed
2 ( 0 ) Cache missed but exists (expired)
0 ( 0 ) Cache missed, never queried
0 ( 0 ) Cache hit in quarantine mode
0 ( 0 ) Cache missed in quarantine mode
0 ( 0 ) Cache missed but exists (expired) in quarantine mode
0 ( 0 ) Cache missed, never queried in quarantine mode
0 ( 0 ) Cache missed in quarantine_redirect mode
0 ( 0 ) Cache hit in rescue mode
0 ( 0 ) Cache missed in rescue mode
0 ( 0 ) Cache missed but exists (expired) in rescue mode
0 ( 0 ) Cache missed, never queried in rescue mode
0 ( 0 ) Blocked queries
0 ( 0 ) Ratelimited queries
1003 ( 0 ) Cache size
0 ( 0 ) Client size
0 ( 0 ) Client added
0 ( 0 ) Client deleted
0 ( 0 ) Server size

869
 Managing Guardian Statistics

15690M ( 17080k ) Sent DNS answers

1403GB ( 1564MB ) Sent DNS answers (bytes)
0 ( 0 ) Sent TCP DNS answers
0 ( 0 ) Sent TLS DNS answers
0 ( 0 ) Sent DOH DNS answers
15690M ( 17080k ) Received DNS queries
1169GB ( 1303MB ) Received DNS queries (bytes)
2 ( 0 ) Queries sent to the local recursive server
166B ( 0B ) Queries sent to the local recursive server (bytes)
2 ( 0 ) Answers sent by the local recursive server
284B ( 0B ) Answers sent by the local recursive server (bytes)
0 ( 0 ) Sent DNS answers in quarantine mode
0B ( 0B ) Sent DNS answers in quarantine mode (bytes)
0 ( 0 ) Sent DNS answers in quarantine_redirect mode
0B ( 0B ) Sent DNS answers in quarantine_redirect mode (bytes)
0 ( 0 ) Sent DNS answers in rescue mode
0B ( 0B ) Sent DNS answers in rescue mode (bytes)
0 ( 0 ) Received Invalid DNS queries
0B ( 0B ) Received Invalid DNS queries (bytes)
0 ( 0 ) Received SERVFAIL from local recursive server (rcode changed)
0 ( 0 ) List matched queries
0 ( 0 ) Discarded outgoing DNS packets
0 ( 0 ) Discarded outgoing DNS packets (received by local recursive
server)
0 ( 0 ) Discarded incoming packets
0 ( 0 ) Discarded DNS queries (sent to local recursive server)
2 ( 0 ) Recursive queries with latency < 10ms
0 ( 0 ) Recursive queries with latency >= 10ms and < 100ms
0 ( 0 ) Recursive queries with latency >= 100ms and < 500ms
0 ( 0 ) Recursive queries with latency >= 500ms and < 800ms
0 ( 0 ) Recursive queries with latency >= 800ms and < 1600ms
0 ( 0 ) Recursive queries with latency >= 1600ms
15690M ( 17080k ) Sent NOERROR rcode
0 ( 0 ) Sent FORMERR rcode
0 ( 0 ) Sent SERVFAIL rcode
4 ( 0 ) Sent NXDOMAIN rcode
0 ( 0 ) Sent NOTIMP rcode
0 ( 0 ) Sent REFUSED rcode
0 ( 0 ) Sent YXDOMAIN rcode
0 ( 0 ) Sent YXRRSET rcode
0 ( 0 ) Sent NXRRSET rcode
0 ( 0 ) Sent NOTAUTH rcode
0 ( 0 ) Sent NOTZONE rcode
15 ( 0 ) Received NOERROR rcode from local recursive server
0 ( 0 ) Received FORMERR rcode from local recursive server
4 ( 0 ) Received SERVFAIL rcode from local recursive server
3 ( 0 ) Received NXDOMAIN rcode from local recursive server
0 ( 0 ) Received NOTIMP rcode from local recursive server
0 ( 0 ) Received REFUSED rcode from local recursive server
0 ( 0 ) Received YXDOMAIN rcode from local recursive server
0 ( 0 ) Received YXRRSET rcode from local recursive server
0 ( 0 ) Received NXRRSET rcode from local recursive server
0 ( 0 ) Received NOTAUTH rcode from local recursive server
0 ( 0 ) Received NOTZONE rcode from local recursive server

The command returns the following data, it includes all the statistics described in the table
Guardian Server statistics, and are preceded by the current measurement rates:

Table 60.2. Guardian monitoring rate statistics

Metrics Description
Cache hit rate The percentage of queries answered by the cache, all modes taken together
(normal, quarantine and rescue mode). This line is only returned if you
monitor the statistics. For more details, refer to the section Monitoring
Guardian Server Statistics in Real-Time.

870
 Managing Guardian Statistics

Metrics Description
Cache miss rate The percentage of queries that cannot be answered by the cache, all modes
taken together. This line is only returned if you monitor the statistics. For
more details, refer to the section Monitoring Guardian Server Statistics in
Real-Time.
Block query rate The percentage of queries that are blocked. This line is only returned if you
monitor the statistics. For more details, refer to the section Monitoring
Guardian Server Statistics in Real-Time.

Note that:
• A set of filters allow to monitor more specific data.
• You can reset the data of the column Cumulative. For more details, refer to the section Resetting
Guardian Server Statistics.

To monitor Guardian server statistics in real-time

1. Open a shell session and connect to your appliance as the default admin user, the default
password is admin, or using the credentials of a user with sudo permissions.
2. Connect to your local DNS Guardian using the command:
sudo blastcli

3. To monitor all the statistics at once, use the command:

monitor

4. To monitor specific statistics, use the command:

monitor <filter>

where filter is one of the following:

Table 60.3. Available filters for Guardian servers real-time monitoring

Filter Description
view = # Only the statistics of a specific view, where # identifies the view using
an integer, between 0 and 15, that corresponds to the order you set for
the local recursive server views. For more details, refer to the chapter
Managing Guardian Views.
show-qps Only the statistics returning queries per second data, a number or size
in bytes.
show-trigger Only trigger related statistics, the information returned is detailed in the
section Monitoring Trigger Statistics in Real-Time.
show-rcode Only the RCODE statistics, named Sent * rcode.
show-rtt Only the round-trip time or recursion time based statistics, named Re-
cursive queries with latency *.
show-cache-sharing Only the statistics regarding cache data shared between Guardian
servers, the information returned is detailed in the section Monitoring
Guardian Cache Sharing Statistics in Real-Time.
show-debug Only the statistics regarding sessions size, fragment size and hardware
packets.

5. Hit enter to stop monitoring.

871
 Managing Guardian Statistics

Monitoring Trigger Statistics in Real-Time

You can monitor all the server trigger statistics in real-time. For more details on how to configure
triggers, refer to the chapter Managing Triggers.

The monitoring command returns trigger statistics as follows:

DNS Blast> monitor show-trigger

DNS BLAST monitoring:

-----------------------------------------------------------------------------
Cumulative ( Avg /s ) Name
-----------------------------------------------------------------------------
54001 ( 121 ) Restricted IPv4 entries
2660 ( 23 ) Restricted IPv6 entries
0 ( 0 ) Number of time trigger #0 was armed
0 ( 0 ) Number of time trigger #1 was armed
0 ( 0 ) Number of time trigger #2 was armed
0 ( 0 ) Number of time trigger #3 was armed
0 ( 0 ) Number of time trigger #4 was armed
0 ( 0 ) Number of time trigger #5 was armed
0 ( 0 ) Number of time trigger #6 was armed
0 ( 0 ) Number of time trigger #7 was armed
0 ( 0 ) Number of time trigger #8 was armed
0 ( 0 ) Number of time trigger #9 was armed
0 ( 0 ) Number of time trigger #10 was armed
...
0 ( 0 ) Number of time trigger #63 was armed

The command returns the following data:

Table 60.4. Guardian server real-time trigger statistics

Data returned
Restricted IPv4 entries
Restricted IPv6 entries
Number of time trigger #0 was armed
Number of time trigger #... was armed
Number of time trigger #63 was armed
Description
The number of IPv4 addresses for which a trigger was armed.
The number of IPv6 addresses for which a trigger was armed.
The number of times the first trigger, #0, has been armed.
The number of times one of the triggers, all identified with a number
between #1 and #62, has been armed.
The number of times the last trigger, #63, has been armed.

Monitoring Guardian Cache Sharing Statistics in Real-Time

You can monitor the statistics of the cache data shared among several Guardian servers in real-
time. For more details, refer to the section Sharing the Cache Between Several Guardian Servers
in the chapter Managing Guardian Cache.

The monitoring command returns cache sharing statistics as follows:

DNS Blast> monitor show-cache-sharing

DNS BLAST monitoring:

-----------------------------------------------------------------------------
Cumulative ( Avg /s ) Name
-----------------------------------------------------------------------------
0 ( 0 ) DNS entries received via shared cache
0B ( 0B ) DNS entries received via shared cache (bytes)
0 ( 0 ) DNS entries sent via shared cache
0B ( 0B ) DNS entries sent via shared cache (bytes)

The command returns the following data:

872
 Managing Guardian Statistics

Table 60.5. Guardian server real-time cache-sharing statistics

Data returned
DNS entries received via shared cache
DNS entries received via shared cache
(bytes)
DNS entries sent via shared cache
DNS entries sent via shared cache (bytes)
Description
The number of queries received by the local Guardian via shared
cache.
The total size of the packets received by the local Guardian via
shared cache.
The number of queries sent to another Guardian via shared cache.
The total size of the packets sent to another Guardian via shared
cache.

Resetting Guardian Server Statistics

To make sure that the data you monitor is up to date, you can reset the statistics of your Guard-
ian server.

Resetting the data updates the content of the column Cumulative returned by the command
monitor.

To reset Guardian server statistics

1. Open a shell session and connect to your appliance as the default admin user, the default
password is admin, or using the credentials of a user with sudo permissions.
2. Connect to your local DNS Guardian using the command:
sudo blastcli

3. Reset the statistics results using the command:

reset stats

Ignoring the SERVFAIL Error Message Differences

By default, Guardian detects SERVFAIL message differences as a record queried several times
can have any rcode at first and then a SERVFAIL.

You can force Guardian to stop detecting this difference in the commands show stats and
monitor, it allows to ignore the line Received SERVFAIL from local recursive server (rcode
changed) when you execute either command. For more details, refer to the sections Displaying
Guardian Server Statistics and Monitoring Guardian Server Statistics in Real-Time.

Before ignoring the SERVFAIL messages, note that:

• Guardian provides you with two Guardian tops dedicated to queries and clients returning
SERVFAIL error message: Top clients receiving SERVFAIL rcodes and Top queries returning
SERVFAIL rcodes. For more details, refer to the section Monitoring Guardian Analytics.
• You can configure Guardian switch to Rescue Mode based on the number of SERVFAIL error
messages received by local recursive servers. For more details, refer to the section Configuring
the Rescue Mode.

To disable the detection of SERVFAIL message differences from the GUI

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the Guardian server of your choice, click on . The properties page
opens.

873
 Managing Guardian Statistics

3. In the panel Options, click on EDIT . The wizard Options configuration opens.
4. Click on NEXT until you reach the last page of the wizard.
5. In the drop-down list Display option(s), select all. The list of all Guardian parameters is
displayed.
6. To disable the detection of SERVFAIL message differences, in the field Servfail diff, select
no (0).
7. Click on OK to complete the operation. The wizard closes.

To disable the detection of SERVFAIL message differences via CLI

1. Open a shell session and connect to your appliance as the default admin user, the default
password is admin, or using the credentials of a user with sudo permissions.
2. Connect to your local DNS Guardian using the command:
sudo blastcli

3. To ignore SERVFAIL messages, use the command:

set servfail_diff=0

Managing Guardian Client Statistics

The client statistics allow you to have an detailed view of the server usage and determine which
clients queried Guardian server based on their IP address or any other client identifier. They are
based on the analysis of Guardian cache and the server statistics in general. For more details,
refer to the chapter Managing Guardian Cache and to the section Managing Guardian Server
Statistics.

The management of Guardian client statistics includes:

• Displaying Guardian Client Statistics.
• Resetting Guardian Client Statistics.
• Clearing Guardian Client Statistics Manually.
• Clearing Guardian Client Statistics Automatically.

Making Sure Guardian Client Statistics Are Enabled

To manage Guardian client statistics, make sure that the feature is enabled. It is enabled by default.

If on the Guardian server properties page, in the panel Options, the parameter Client stats is
listed, it means that it is not set with the default value and you need to enable it.

To enable Guardian client statistics

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the Guardian server of your choice, click on . The properties page
opens.
3. In the panel Options, click on EDIT . The wizard Options configuration opens.
4. Click on NEXT until you reach the last page of the wizard.
5. In the drop-down list Display option(s), select all. The list of all Guardian parameters is
displayed.
6. To enable Guardian client statistics, in the field Client stats, select yes (1).

874
 Managing Guardian Statistics

7. Click on OK to complete the operation. The wizard closes.

Displaying Guardian Client Statistics

Guardian allows to display detailed statistics on the different clients that have queried the server.
Here below is an example of the command result limited to 10 entries:
DNS Blast> show clients limit=5

Query | Client ID | View | Last-used | C-hit | C-miss | hit-Q-sz | miss-Q-sz

| hit-A-sz | miss-A-sz | recurs-time | invalid-Q | restricted | block-Q | NOERROR |
NXDOMAIN | SERVFAIL | list-hit | trig-hit | auth | client OID
235213 | 10.0.200.1 | 0 | 238 | 12891 | 222322 | 567KB | 9571KB
| 1109KB | 20229KB | 16536k | 0 | | 0 | 8684 |
218595 | 6502 | 0 | 98 | 254 | 152a5
54364 | a1:54:78:54:55:e2 | 1 | 2 | 51384 | 2980 | 1736KB | 106KB
| 2763KB | 278KB | 181434 | 0 | | 0 | 54249 |
111 | 4 | 24 | 0 | 7812 | e1a254
38674 | 241.13.0.10 | 2 | 2 | 17684 | 20990 | 650KB | 796KB
| 1512KB | 2002KB | 753664 | opcode:5 | | 0 | 37082 |
1548 | 16 | 0 | 0 | 42 | 84a7b
28925 | 10.0.0.10 | 0 | 32 | 25077 | 3848 | 843KB | 164KB
| 1923KB | 361KB | 44819 | 0 | block | 816 | 28280 |
645 | 0 | 0 | 0 | 849 | 95ab87
27557 | 4052 | 3 | 22 | 17584 | 9973 | 781KB | 404KB
| 1893KB | 1256KB | 214175 | 0 | | 0 | 27413 |
120 | 24 | 0 | 10 | 15791 | c78a69

RCODE RETURNED:
RCODE | Total | Percent
NOERROR | 569609 | ( 63.87%)
SERVFAIL | 6673 | ( 0.75%)
NXDOMAIN | 308101 | ( 34.55%)

245 entries found (891816 total utilization)

search time: 0ms

The Client ID may return more information:

DNS Blast> show clients

Query | Client ID | View | Last-used | C-hit | C-miss | hit-Q-sz | miss-Q-sz

| hit-A-sz | miss-A-sz | recurs-time | invalid-Q | restricted | block-Q | NOERROR
| NXDOMAIN | SERVFAIL | list-hit | trig-hit | auth | client OID
1 | 70.0.0.24.4.3.2.1 | 4 | 2 | 1 | 1 | 62KB | 0KB |
54B | 0B | 0 | 0 | | 0 | 1 |
218595 | 6502 | 0 | 98 | 0 | f2b55
1 | 70.0.0.24 | 0 | 79 | 51384 | 2980 | 1736KB | 106KB |
2763KB | 278KB | 181434 | 0 | | 0 | 54249 |
111 | 4 | 0 | 0 | 0 | 243bac

RCODE RETURNED:
RCODE | Total | Percent
NOERROR | 2 | (100.00%)

2 entries found (2 total utilization)

search time: 0ms

The results of the command are described in the following table:

875
 Managing Guardian Statistics

Table 60.6. Guardian client statistics

Data returned Description
Query The number of queries received from the client.
Client ID The source IP address of the DNS query sent by the client, or, if you identify clients, a
client identifier. That identifier can be the IP address or DSCP of the original query; a
specific client identifier declared in an EDNS option of the original query; or several identi-
fiers separated by a dot.
View The view number, an integer between 0 and 15 that corresponds to its order, it identifies
the view that answered the client query.
Last-used The number of seconds since the client queried Guardian for the last time.
C-hit The number of queries for which the answer was in the cache.
C-miss The number of queries for which the answer was not in the cache.
hit-Q-sz The total size (in bytes) of the queries which answer was in the cache.
miss-Q-sz The total size (in bytes) of the queries which answer was not in the cache.
hit-A-sz The total size (in bytes) of the answers that were in the cache.
miss-A-sz The total size (in bytes) of the answers that were not in the cache.
recurs-time The time needed to get the answer from the local recursive server, in milliseconds.
invalid-Q The number of invalid queries received from the client returned as follows: n (<cause:#>)
where n is the total sum of invalid queries received, and # indicates the number of hits per
cause. The possible causes are detailed below.
class An Invalid class (IN).
overfl An Overflow (wrong size).
nbQ A Discrepancy on the number of questions.
diffsize A Discrepancy between DNS packet announced in UDP and the real size received.
bdcast An IP SRC address is a broadcast address.
badsrc An Invalid UDP source.
src=dst An IP SRC and IP DST are the same.
opcode A Wrong opcode (use of reserved code).
restricted The action applied on the client: any, none, quarantine or block.
blocked-Q The number of queries received and blocked by the server.
NOERROR The number of queries returning a NOERROR error code.
NXDOMAIN The number of queries returning a NXDOMAIN error code.
SERVFAIL The number of queries returning a SERVFAIL error code.
list-hit The number of times the client matched a list.
trig-hit The number of hits triggered by the client.
auth The number of authoritative answers.
client OID The internal OID of the client, in hexadecimal format.
Client statistics summary
RCODE RETURNED The number and percentage of RCODEs returned, by type: NOERROR, SERVFAIL,
NXDOMAIN...
<n> entries found The total number of different results matching the command filter(s).
<n> total utilization The total number of queries received matching the command filter(s).
search time: The total number of seconds spent to return the statistics.
<seconds>

876
 Managing Guardian Statistics

Note that:
• Some of the client data is used to generate analytics available in the GUI. For more details,
refer to the section Displaying Guardian Analytics Tops.
• You can limit and order the statistics, even if you filter them.

To display Guardian client statistics

1. Open a shell session and connect to your appliance as the default admin user, the default
password is admin, or using the credentials of a user with sudo permissions.
2. Connect to your local DNS Guardian using the command:
sudo blastcli

3. Make sure the client data retrieval is enabled.

a. Display Guardian current configuration, using the command:
show config

b. Make sure the parameter client_stats is set to 1 as follows:

set client_stats=1

4. To display all Guardian client statistics, use the command:

show clients

5. To limit the number of clients to display, use the command:

show clients limit=<0-999999>

By default, the command displays 50 clients, the ones with the highest number of queries.
6. To sort the entries in descending order based on specific data, use the command:
show clients order=<data-type>

where data-type is one of the following.

Table 60.7. Available values to filter the order

Data returned Description
c-hit The number of queries for which the answer was in the cache.
c-miss-not-exist The number of cache misses never queried, queries for which the answer was not in
the cache because they were never queried.
c-miss The number of queries for which the answer was not in the cache.
hit-a-sz The total size (in bytes) of the answers that were in the cache.
hit-q-sz The total size (in bytes) of the queries which answer was in the cache.
invalid-Q The number of invalid queries received from the client returned as follows: n (<cause:#>)
where n is the total sum of invalid queries received, and # indicates the number of hits
per cause. The possible causes are detailed below.
class An Invalid class (IN).
overfl An Overflow (wrong size).
nbQ A Discrepancy on the number of questions.
diffsize A Discrepancy between DNS packet announced in UDP and the real size re-
ceived.
bdcast An IP SRC address is a broadcast address.
badsrc An Invalid UDP source.

877
 Managing Guardian Statistics

Data returned Description

src=dst An IP SRC and IP DST are the same.
opcode A Wrong opcode (use of reserved code).
last-used The number of seconds since the client queried Guardian for the last time.
miss-a-sz The total size (in bytes) of the answers that were not in the cache.
miss-q-sz The total size (in bytes) of the queries which answer was not in the cache.
qa-sz-ratio The ratio of the queries and answers size (in bytes), returned by hit-q-sz, miss-q-sz, hit-
a-sz and miss-a-sz.
recurs-time The time needed to get the answer from the local recursive server, in milliseconds.
trigger The trigger armed by the client query.
used The used counter.

7. To only display specific client statistics, use the command:

show clients <filter>

where filter is one of the following, that you can combine with limit and order.

Table 60.8. Available filters for Guardian client statistics

Filter
used (>|<|=|!=) <queries>
view (>|<|=|!=) #
c-miss (>|<|=|!=) <queries>
c-hit (>|<|=|!=) <queries>
lastused (>|<|=|!=) <seconds>
restricted (=|!=) <trigger-action>
client_oid = <OID>
distribution-range = <number>
distribution-minimum = <number>
distribution-value = <value>
<string>
Description
The number of queries received from the client.
The view number, where # is an integer between 0 and 15 that identi-
fies the queried view. For more details, refer to the chapter Managing
Guardian Views.
The number of queries which answer was not in the cache.
The number of queries for which the answer was in the cache.
The last time the client queried the server, in seconds.
The clients based on the trigger they armed. For more details, refer
to the trigger actions in the chapter Managing triggers.
any The clients with any of the restrictions described
below.
block The clients that armed a trigger with the action
Block.
log The clients that armed a trigger with the action
Log only.
none The clients with no restriction at all.
quarantine_redirect The clients that armed a trigger configured with
the action Quarantine redirect.
quarantine The clients that armed a trigger with the action
Quarantine.
ratelimit The clients that armed a trigger with the action
Ratelimit.
The OID of any client in hexadecimal format, as follows <0-9a-f>{16}.
The client OID is returned by the command show clients, for more
details refer to the section Displaying Guardian Client Statistics.
A way to distribute the data in ranges based on their value. For more
details, refer to the section Distributing the Client Statistics.
The IP address of your choice. You can specify the <IP-address> of
a specific client, or a range of addresses <IP-address>/<prefix>.

878
 Managing Guardian Statistics

Distributing the Client Statistics

You can distribute some client statistics in ranges and choose which data to display based on
the value of your choice via the following parameters:

Table 60.9. Available distribution data filters for Guardian client statistics
Filter Description
distribution-value = <value> The information to return and distribute, the available data is detailed below.
avg-recurs-time The average recursion time, recurs-time, spent by the local
recursive server to answer queries, in milliseconds.
c-hit The number of cache hits, queries for which the answer was
in the cache.
c-miss-not-exist The number of cache misses never queried, queries for which
the answer was not in the cache because they were never
queried.
c-miss The number of cache misses, queries for which the answer
was not in the cache.
last-used The last time the client queried the server, in seconds.
qa-sz-ratio The ratio of the queries and answers size, in bytes, returned
by hit-Q-sz, miss-Q-sz, hit-A-sz and miss-A-sz.
distribution-range = <number> The range of distribution of the data specified in the distribution-value.
distribution-minimum = <number> The minimum value to return. Only the data specified in the distribution-value
that match or exceed the minimum value you set are returned and distributed
into ranges specified in distribution-range.

The distributed data is displayed below the client statistics as follows:

DNS Blast> show clients limit=5 distribution-range=40 distribution-minimum=20
distribution-value=qa-sz-ratio
Query | Client ID | View | Last-used | C-hit | C-miss | hit-Q-sz | miss-Q-sz |
hit-A-sz | miss-A-sz | recurs-time | invalid-Q | restricted | block-Q | NOERROR |
NXDOMAIN | SERVFAIL | list-hit | trig-hit | auth | client OID
1167k | 10.0.115.16 | 0 | 6 | 1112k | 54905 | 41684KB | 2043KB |
251MB | 10522KB | 342855 | 0 | | 0 | 1160k |
6940 | 0 | 0 | 60 | 17281 | 5a97
785311 | 10.0.6.66 | 0 | 3 | 607459 | 177852 | 24157KB | 6608KB |
137MB | 36265KB | 1745k | 0 | | 0 | 764800 |
20407 | 9 | 0 | 292 | 21206 | ac1d
383203 | 10.0.204.1 | 0 | 55 | 7302 | 375901 | 291KB | 15126KB |
674KB | 37858KB | 679084 | 0 | | 0 | 176153 |
203278 | 3750 | 0 | 2069 | 369827 | 3aa4
278142 | 10.0.50.14 | 0 | 9 | 44 | 278098 | 2101B | 8607KB |
5180B | 24555KB | 192591 | 0 | LOG | 0 | 140849 |
137265 | 0 | 0 | 4 | 277950 | 180b
247921 | 10.0.231.214 | 0 | 2 | 7 | 247914 | 289B | 9916KB |
613B | 28728KB | 103984 | 0 | | 0 | 1628 |
246274 | 11 | 0 | 45 | 247868 | d037

RCODE RETURNED:
RCODE | Total | Percent
NOERROR | 6985k | ( 73.88%)
SERVFAIL | 147597 | ( 1.56%)
NXDOMAIN | 2267k | ( 23.98%)

Question/Answer size ratio distribution:

Value range | Total | Percent | % sum
20 -> 59 | 8 | ( 2.02%) | ( 2.02%)
60 -> 99 | 0 | ( 0.00%) | ( 2.02%)
100 -> 139 | 4 | ( 1.01%) | ( 3.02%)
140 -> 179 | 8 | ( 2.02%) | ( 5.04%)

879
 Managing Guardian Statistics

180 -> 219 | 54 | ( 13.60%) | ( 18.64%)

220 -> 259 | 107 | ( 26.95%) | ( 45.59%)
260 -> 299 | 130 | ( 32.75%) | ( 78.34%)
300 -> 339 | 45 | ( 11.34%) | ( 89.67%)
340 -> 379 | 21 | ( 5.29%) | ( 94.96%)
380 -> 419 | 8 | ( 2.02%) | ( 96.98%)
420 -> 459 | 1 | ( 0.25%) | ( 97.23%)
460 -> 499 | 1 | ( 0.25%) | ( 97.48%)
500 -> 539 | 1 | ( 0.25%) | ( 97.73%)
540 -> 579 | 5 | ( 1.26%) | ( 98.99%)
580 -> 619 | 2 | ( 0.50%) | ( 99.50%)
620 -> 659 | 1 | ( 0.25%) | ( 99.75%)
660 -> 699 | 0 | ( 0.00%) | ( 99.75%)
700 -> 739 | 0 | ( 0.00%) | ( 99.75%)
740 -> 779 | 0 | ( 0.00%) | ( 99.75%)
780 -> INF | 1 | ( 0.25%) | (100.00%)

397 entries found (9454k total utilization)

search time: 1ms

Resetting Guardian Client Statistics

You can reset client statistics, and bring the client entry counters of your choice to 0. This can
be useful for a real-time analysis of the traffic.

To reset Guardian client statistics

1. Open a shell session and connect to your appliance as the default admin user, the default
password is admin, or using the credentials of a user with sudo permissions.
2. Connect to your local DNS Guardian using the command:
sudo blastcli

3. To reset Guardian client statistics, use the command:

reset clients

4. To reset only a part of the client statistics, use the command:

reset clients <filter>

where any accepted filter is described of the table Available filters for Guardian client statistics.
You can combine the filters.

Clearing Guardian Client Statistics Manually

You can manually delete client entries, or client identifiers, and therefore clear the client statistics.

Before clearing Guardian client statistics manually, keep in mind that:

• This action is irreversible.
• The more cached data you have, the more efficient your responses are and the more reliable
your statistics and analytics are.
• From the GUI, you can clear all client entries, or IP address related client entries.
• Via CLI, you can clear all client entries, or use specific search parameters.

880
 Managing Guardian Statistics

To clear Guardian client statistics from the GUI

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. Tick the Guardian server for which you want to flush clients.
3. In the menu, select Edit > Command > Flush clients. The wizard Flush Guardian clients
opens.
4. In the field IP address or network address (CIDR), specify the IP address of the client you
want to flush or a network address to flush all the clients part of this network.
To flush all clients, type .* in the field.
5. Click on OK to complete the operation. The wizard closes.

To clear Guardian client statistics via CLI

1. Open a shell session and connect to your appliance as the default admin user, the default
password is admin, or using the credentials of a user with sudo permissions.
2. Connect to your local DNS Guardian using the command:
sudo blastcli

3. To clear Guardian all client entries, use the command:

clear clients

4. To clear only a part of the client entries, use the command:

clear cache <filter>

where any accepted filter is described of the table Available filters for Guardian client statistics.
You can combine the filters.

Clearing Guardian Client Statistics Automatically

You can use a set of parameters in Guardian configuration to automate the client data clearing
process. This process deletes client identifiers, and therefore clears the client statistics.

clean_client0.cmd=lastused>86400
clean_client1.cmd=lastused>3600

max_client_entries
1000000 max_clean_client_percent
95
The clean commands are executed
if they match entries and 95%
of max_client_entries is reached

Each client All the client identifier entries

identifier adds matching one or more
an entry clean commands are cleared

min_clean_client_percent
5
The clean commands are stopped
to keep 5% of max_client_entries

Figure 60.1. The automated client clearing process

881
 Managing Guardian Statistics

A set of parameters allow to define a maximum number of client identifiers in the cache, the
threshold to be reached to start the automatic clearing of the client entries and the maximum
number of remaining entries after the clearing:
• Clean client#.cmd allows to set up to 10 different clearing commands, numbered between 0
and 9. These parameters trigger clearing commands matching the filters of your choice.
The clearing commands are the entry point of the automated client clearing. The amount of
entries, or client identifiers, cleared depends on the parameters Max client entries, Max clean
client percent and Min clean client percent.
The automated clearing is only executed if:
1. At least one parameter Clean client#.cmd has a value. By default, the first two clearing
commands are configured.
2. The number of client identifiers left in the cache matches or exceeds the value of Min clean
client percent.
• Max client entries sets the maximum number of client identifiers, client entries, to store in the
cache. It applies to all the parameters Clean client#.cmd.
Its default value depends on the memory of each appliance:

Table 60.10. Max client entries default values

SOLIDserver model Max client entries default value
SOLIDserver-550, SOLIDserver-570 20000
SOLIDserver-1100, SOLIDserver-1170 75000
SOLIDserver-2200, SOLIDserver-2270 500000
SOLIDserver-3300 & all Blast series appliances 1000000

• Max clean client percent sets the percentage of Max client entries to reach before clearing
the client entries matching one or more parameters Clean client#.cmd.
When the maximum percentage of client identifiers is reached, the clearing commands are
automatically executed in ascending order.
• Min clean client percent sets the percentage of Max client entries to keep in the cache after
clearing the client entries matching one or more parameters Clean client#.cmd.
The clearing commands are automatically executed until the number of remaining entries
equals or exceeds the minimum percentage of client entries.

Once Max clean client percent is reached, the cleaning command Clean client0.cmd is executed.
If the cache still contains more entries than the value of Min clean client percent, the command
Clean client1.cmd is executed. All the commands Clean client#.cmd are executed in order until
the percentage of entries remaining in the cache matches or is lower than the value of Min clean
client percent.

Before clearing Guardian client statistics automatically, keep in mind that:

• This action is irreversible.
• The more cached data you have, the more efficient your responses are and the more reliable
your statistics and analytics are.
• Client entries can also be cleared manually, partially or entirely. For more details, refer to the
section Clearing Guardian Client Statistics Manually.

882
 Managing Guardian Statistics

To automate Guardian client statistics clearing

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the Guardian server of your choice, click on . The properties page
opens.
3. In the panel Options, click on EDIT . The wizard Options configuration opens.
4. Click on NEXT until you reach the last page of the wizard.
5. In the drop-down list Display option(s), select all. The list of all Guardian parameters is
displayed.
6. In the field Clean client#.cmd, specify the filter of your choice. By default:
• Clean client0.cmd is set to lastused>86400.
• Clean client1.cmd is set to lastused>3600.
The field can contain any of the Available filters for Guardian client statistics.
7. In the field Max client entries, specify the maximum number of entries in Guardian cache.
As detailed in introduction, its default value depends on your SOLIDserver model.
8. In the field Max clean client percent, specify the percentage of the Max client entries that
executes the automatic clearing of the cache.
By default, it is set to 95.
9. In the field, Min clean client percent, specify the percentage of the Max client entries that
you want to keep in the cache after the clearing.
By default, it is set to 5.
10. Click on OK to complete the operation. The wizard closes.
In the panel Options, your configuration is listed if it differs from the default values.

883
Chapter 61. Managing Guardian Cache
Once you configured the module, you can manage Guardian cache.

Most cache management operations must be done via CLI.

From the GUI, you can clear Guardian cache or share it incrementally.

The management of Guardian cache includes:

• Displaying Guardian Cache Content.
• Resetting Guardian Cache.
• Saving Guardian Cache.
• Restoring Guardian Cache.
• Forcing Cache Entries as Expired.
• Clearing Guardian Cache Manually.
• Clearing Guardian Cache Automatically.
• Sharing the Cache Between Several Guardian Servers, incrementally or as a whole.

Note that the cache data is then used at server and client levels to generate statistics that you
can manage via CLI and visualize from the GUI. For more details, refer to the chapter Managing
Guardian Statistics.

Displaying Guardian Cache Content

You can display, filter and sort as many entries in the cache as needed. Below is an example of
the command result limited to the 10 most queried entries:
DNS Blast> show cache limit=10

Used | Query | RCODE | Type | TTL | EOL | Last-used

| C-miss | R-time | AVG R-time | View | Origin | OPT
213201 | license.intranet | NOERROR | A | 3600 | 1167 | 0
| 35 | 20 | 0 | 0 | L | -
180971 | apidata.googleusercontent.com | NOERROR | A | 267 | 57 | 210
| 281 | 1438 | 5 | 0 | L | -
180088 | apidata.googleusercontent.com | NOERROR | AAAA | 300 | -827 | 1125
| 145 | 1487 | 10 | 0 | L | -
80249 | vbox.validation.intranet | NOERROR | A | 600 | 143 | 457
| 266 | 160 | 0 | 0 | L | -
67366 | debian1.intranet | NOERROR | A | 3600 | 1684 | 24
| 46 | 0 | 0 | 0 | L | -
57276 | core.intranet | NOERROR | A | 600 | 56 | 0
| 265 | 180 | 0 | 0 | L | -
54283 | clients4.google.com | NOERROR | A | 176 | 169 | 5
| 982 | 14704 | 14 | 0 | L | -
52764 | clients6.google.com | NOERROR | A | 144 | 139 | 3
| 988 | 10563 | 10 | 0 | L | -
49970 | mail.google.com | NOERROR | A | 299 | 61 | 31
| 560 | 7561 | 13 | 0 | L | -
47958 | play.google.com | NOERROR | A | 300 | 32 | 14
| 527 | 16102 | 30 | 0 | L | -

RCODE RETURNED:
RCODE | Total | Percent
NOERROR | 62362 | ( 81.61%)
SERVFAIL | 1481 | ( 1.94%)
NXDOMAIN | 12576 | ( 16.46%)

884
 Managing Guardian Cache

RR TYPE:
Type | Total | Percent
A | 67047 | ( 87.74%)
NS | 34 | ( 0.04%)
CNAME | 10 | ( 0.01%)
SOA | 76 | ( 0.10%)
PTR | 1815 | ( 2.38%)
MX | 26 | ( 0.03%)
TXT | 555 | ( 0.73%)
AAAA | 6739 | ( 8.82%)
SRV | 80 | ( 0.10%)
NAPTR | 3 | ( 0.00%)
DS | 2 | ( 0.00%)
SSHFP | 12 | ( 0.02%)
DNSKEY | 3 | ( 0.00%)
ANY | 16 | ( 0.02%)

ORIGIN:
Origin | Total | Percent
L | 76419 | (100.00%)

76419 entries found (5115k total utilization avg_pkt_size: 91)

search time: 20ms

The results of the command are described in the following table:

Table 61.1. Guardian cache statistics

Data returned Description
Used The number of times the query was made, or used. The results are listed from most
queried to least queried.
Query The name of the queried domain.
RCODE The query response status, it indicates possible errors.
Type The type of records queried.
TTL The record time to live in seconds.
EOL The record expiration time in seconds, or end of life. A negative eol means that the
record has expired.
Last-used The period in seconds since the record was queried for the last time.
R-time The cumulated recursion time, in milliseconds.
AVG R-time The average recursion time, in milliseconds.
C-miss The number of queries for which the TTL has expired.
View The view the record belongs to. If there are no views on the server, the view 0 is the
only one displayed.
Origin The record origin, either L for records cached by the local Guardian server or S for
records shared or sent by another Guardian server. For more details, refer to the
sections Sharing the Cache Between Several Guardian Servers and Sending the
Cache Content to Another Guardian Server.
Cache statistics summary
RCODE RETURNED The number and percentage of RCODEs returned, by type: NOERROR, SERVFAIL,
NXDOMAIN...
RR TYPE The number and percentage of resource records returned, by type: A, AAAA, NS,
CNAME...
ORIGIN The number and percentage of queries, by origin.
<n> entries found The total number of different results matching the command filter(s).
<n> total utilization The total number of queries received matching the command filter(s).

885
 Managing Guardian Cache

Data returned Description

avg_pkt_size: <bytes> The average size of the packets returned matching the command filter(s).
search time: <seconds> The total number of seconds spent to return the statistics.

To display Guardian cache statistics

1. Open a shell session and connect to your appliance as the default admin user, the default
password is admin, or using the credentials of a user with sudo permissions.
2. Connect to your local DNS Guardian using the command:
sudo blastcli

3. To display all Guardian cache statistics, use the command:

show cache

4. To limit the entries to be displayed, use the command:

show cache limit=<0-999999>

By default, the command displays 50 entries, in particular, the 50 most queried domains.
5. To sort the entries in descending order based on specific data, use the command:
show cache order=<data-type>

where data-type is one of the following.

Table 61.2. Available values to filter the order

Data returned Description
avg-recurs-time The average recursion time, in milliseconds.
c-miss The number of queries for which the TTL has expired.
eol The record expiration time in seconds, or end of life. A negative eol means that
the record has expired.
last-used The last time the record was queried, in seconds.
pkt-sz-all-hit The packet size of all query hits.
pkt-sz The packet size of the query.
qname-depth The depth of the domain name queried, the records including the biggest number
of subdomains are returned first.
qname-sz The size of the domain name queried.
recurs-time The recursion time of the query, in milliseconds.
used The number of times the query was made, or used.

6. To display specific cache entries, use the command:

show cache <filter>

where filter is one of the following. You can combine the order and limit parameters with one
or several filters in one command.

Table 61.3. Available filters for Guardian cache statistics

Filter Description
eol (>|<) <seconds> The record expiration time, in seconds. To exclude expired val-
ues, use the filter expired.
used (>|<|=|!=) <number> The number of times the records were queried, its number of
hits.

886
 Managing Guardian Cache
Filter
c-miss (>|<|=|!=) <number>
recurs-time (>|<|=|!=) <milliseconds>
avg-recurs-time (>|<|=|!=) <milliseconds> The average recursion time, in milliseconds.
client_oid = <OID>
nb_client (>|<|=|!=) <number>
ttl (>|<|=|!=) <seconds>
pkt-sz (>|<|=|!=) <bytes>
qname-sz (>|<|=|!=) <bytes>
qname-depth (>|<|=|!=) <number>
lastused (>|<|=|!=) <seconds>
first-used (>|<|=|!=) <seconds>
view = #
origin = <L|S>
opt = <-|DNSSEC|EDNS>
aa-flag = <0|1>
error (=|!=) <ERROR>
type_number = <0-65535>
type = <RRTYPE>
expired = <0|1>
distribution-range = <number>
distribution-minimum = <number>
distribution-value = <value>
(!) <string>
Distributing the Cache Statistics
You can distribute some cache statistics in ranges and choose which data to display based on
the value of your choice via the following parameters:
887
Description
The number of queries for which the TTL has expired.
The query recursion time, in milliseconds.
The OID of any client in hexadecimal format, as follows <0-9a-
f>{16}. The client OID is returned by the command show clients,
for more details refer to the section Displaying Guardian Client
Statistics.
The number of clients who queried the record, an integer
between 0 and 16.
The record TTL value, in seconds.
The packet size of the query, in bytes.
The size of the domain name queried, in bytes.
The depth of the domain name queried, the number of subdo-
mains that the record includes.
The last time the entry was queried, in seconds.
The first time the entry was queried, in seconds.
The entries matching a specific view, where # is an integer
between 0 and 15. If you did not enable any view, only view=0
returns data.
The origin of the record, either L for records cached by the local
Guardian server or S for records shared or sent by another
Guardian server. For more details, refer to the section Sharing
the Cache Between Several Guardian Servers.
The type of option configured on the record, either DNSSEC or
EDNS. Note that - indicates that no option was set.
The AA flag setting returned by the server. All cached entries
set to 1 belong to an authoritative zone, all cached entries set
to 0 were obtained via recursion.
The errors returned, either FORMERR, NOERROR, NOTIMP,
NXDOMAIN, REFUSED or SERVFAIL.
The number matching each record type, an integer between 0
and 65535., for instance, 1 for A records.
The type of the record in capital letters: A, AAAA, PTR, DS...
The records TTL expiration status, where 0 returns cached re-
cords with a valid TTL and 1 returns the expired records in the
cache. If you do not specify this filter, all the records are returned
no matter their TTL.
A way to distribute the data in ranges based on their value. For
more details, refer to the section Distributing the Cache Statistics.
A regular expression or a domain, you can specify a full or partial
name. The specified value is excluded if preceded by !.
If you specify a domain, it must be the last parameter of the
command.
 Managing Guardian Cache

Table 61.4. Available distribution data filters for Guardian cache statistics
Filter
distribution-value = <value>
distribution-range = <number>
distribution-minimum = <number>
Description
The information to return and distribute, the available data is detailed
below.
avg-recurs-time-all-hit: The average recursion time spent to answer all
the query hits, in seconds.
avg-recurs-time: The average recursion time spent to answer each query
hit, in seconds.
last-used: The last time the record was queried, in seconds.
pkt-sz-all-hit: The packet size of all query hits.
pkt-sz: The packet size of each query hit.
qname-depth-all-hit: The depth of all domain name query hits.
qname-depth: The depth of each domain name queried.
qname-sz-all-hit: The size of all domain name query hits.
qname-sz: The size of the domain name queried.
ttl-all-hit: The TTL of all query hits.
ttl: The TTL of each query hit.
The range of distribution of the data specified in the distribution-value.
The minimum value to return. Only the data specified in the distribution-
value that match or exceed the minimum value you set are returned and
distributed into ranges specified in distribution-range.

The distributed data is displayed below the client statistics as follows:

DNS Blast> show cache distribution-value=ttl distribution-range=100
Used | Query | RCODE | Type | TTL | EOL |
Last-used | C-miss | R-time | AVG R-time | View | Origin | OPT
157121k | www.freebsd.org | NOERROR | A | 60 | -53069 |
53129 | 82 | 4735 | 57 | 0 | L | -
39961k | management.azure.com | NOERROR | A | 7 | -3 |
9 | 102560 | 893238 | 8 | 0 | L | -
39961k | management.azure.com | NOERROR | AAAA | 34 | 4 |
9 | 38787 | 287464 | 7 | 0 | L | -
3561k | login.microsoftonline.com | NOERROR | A | 79 | 49 |
10 | 13896 | 204502 | 14 | 0 | L | -
3542k | login.microsoftonline.com | NOERROR | AAAA | 5 | -5 |
10 | 42351 | 322391 | 7 | 0 | L | -
1396k | route53.amazonaws.com | NOERROR | AAAA | 60 | -1 |
1 | 15125 | 732922 | 48 | 0 | L | -
1396k | route53.amazonaws.com | NOERROR | A | 44 | 23 |
1 | 20325 | 185575 | 9 | 0 | L | -
790860 | ssl.gstatic.com | NOERROR | A | 281 | 55 |
40 | 3761 | 40294 | 10 | 0 | L | -
775439 | www.googleapis.com | NOERROR | A | 300 | 242 |
58 | 2955 | 28586 | 9 | 0 | L | -
610190 | play.google.com | NOERROR | A | 174 | 34 |
17 | 3853 | 52447 | 13 | 0 | L | -
604587 | www.googleapis.com | NOERROR | AAAA | 300 | 92 |
208 | 870 | 10973 | 12 | 0 | L | -
470822 | signaler-pa.clients6.google.com | NOERROR | A | 300 | 138 |
12 | 3487 | 72636 | 20 | 0 | L | -
...
117344 | google.com | NOERROR | A | 300 | 208 |
35 | 2376 | 33119 | 13 | 0 | L | -
117044 | query2.finance.yahoo.com | NOERROR | AAAA | 21 | -1210524 |
1210545 | 0 | 0 | 0 | 0 | L | -
117023 | query2.finance.yahoo.com | NOERROR | A | 45 | -1210520 |
1210565 | 0 | 0 | 0 | 0 | L | -
112261 | 0.client-channel.google.com | NOERROR | A | 300 | -126 |

888
 Managing Guardian Cache

426 | 2241 | 45562 | 20 | 0 | L | -

108152 | lh3.googleusercontent.com | NOERROR | A | 300 | -253 |
416 | 2039 | 20048 | 9 | 0 | L | -

RCODE RETURNED:
RCODE | Total | Percent
NOERROR | 40743 | ( 86.49%)
SERVFAIL | 3861 | ( 8.20%)
NXDOMAIN | 2501 | ( 5.31%)

RR TYPE:
Type | Total | Percent
A | 34748 | ( 73.77%)
NS | 5 | ( 0.01%)
SOA | 10 | ( 0.02%)
PTR | 2735 | ( 5.81%)
MX | 19 | ( 0.04%)
TXT | 59 | ( 0.13%)
AAAA | 5994 | ( 12.72%)
SRV | 71 | ( 0.15%)
NAPTR | 3 | ( 0.01%)
TYPE65 | 3461 | ( 7.35%)

ORIGIN:
Origin | Total | Percent
L | 47105 | (100.00%)

TTL distribution:
Value range | Total | Percent | % sum
0 -> 99 | 24744 | ( 52.53%) | ( 52.53%)
100 -> 199 | 2797 | ( 5.94%) | ( 58.47%)
200 -> 299 | 2406 | ( 5.11%) | ( 63.57%)
300 -> 399 | 5434 | ( 11.54%) | ( 75.11%)
400 -> 499 | 280 | ( 0.59%) | ( 75.71%)
500 -> 599 | 329 | ( 0.70%) | ( 76.40%)
600 -> 699 | 1123 | ( 2.38%) | ( 78.79%)
700 -> 799 | 212 | ( 0.45%) | ( 79.24%)
800 -> 899 | 271 | ( 0.58%) | ( 79.81%)
900 -> 999 | 1279 | ( 2.72%) | ( 82.53%)
1000 -> 1099 | 113 | ( 0.24%) | ( 82.77%)
1100 -> 1199 | 108 | ( 0.23%) | ( 83.00%)
1200 -> 1299 | 182 | ( 0.39%) | ( 83.38%)
1300 -> 1399 | 113 | ( 0.24%) | ( 83.62%)
1400 -> 1499 | 202 | ( 0.43%) | ( 84.05%)
1500 -> 1599 | 109 | ( 0.23%) | ( 84.28%)
1600 -> 1699 | 87 | ( 0.18%) | ( 84.47%)
1700 -> 1799 | 118 | ( 0.25%) | ( 84.72%)
1800 -> 1899 | 1114 | ( 2.36%) | ( 87.08%)
1900 -> INF | 6084 | ( 12.92%) | (100.00%)

47105 entries found (265454k total utilization avg_pkt_size: 128)

search time: 23ms

Resetting Guardian Cache

You can reset the number of hits for some or all of the listed used entries in the cache.

To reset Guardian cache entries

1. Open a shell session and connect to your appliance as the default admin user, the default
password is admin, or using the credentials of a user with sudo permissions.
2. Connect to your local DNS Guardian using the command:
sudo blastcli

889
 Managing Guardian Cache

3. To completely reset the current version of Guardian cache, use the command:
reset cache

4. To reset only a part of Guardian cache, use the command:

reset cache <filter>

where any accepted filter is described in the table Available filters for Guardian cache stat-
istics. You can also limit and order the data.

Saving Guardian Cache

You can save the last version of Guardian cache to use it as a point of restoration.

Keep in mind that every time you stop or restart DNS Guardian, the cache is automatically saved
or restored.

To save Guardian cache

1. Open a shell session and connect to your appliance as the default admin user, the default
password is admin, or using the credentials of a user with sudo permissions.
2. Connect to your local DNS Guardian using the command:
sudo blastcli

3. Save Guardian cache using the command:

save cache

The cache is saved in the file /data1/dnsblast_cache.dump . Note that you cannot browse the
content of this file, it can only be used for restoration purposes.

Restoring Guardian Cache

Whether the cache was saved automatically or at a specific time you can use a command to restore
the latest saved version.

The file /data1/dnsblast_cache.dump contains the latest version of the cache and is automatically
used when you restore the Guardian server cache.

To restore Guardian cache

1. Open a shell session and connect to your appliance as the default admin user, the default
password is admin, or using the credentials of a user with sudo permissions.
2. Connect to your local DNS Guardian using the command:
sudo blastcli

3. Restore the last saved version of Guardian cache using the command:
load cache

Forcing Cache Entries as Expired

You can set all or part of the cache entries as expired, via CLI or from the GUI.

890
 Managing Guardian Cache

Forcing cache entries as expired allows to keep them in the cache. These entries are no longer
used to answer client queries, but they are still monitored in the statistics.

To set Guardian cache entries as expired via CLI

1. Open a shell session and connect to your appliance as the default admin user, the default
password is admin, or using the credentials of a user with sudo permissions.
2. Connect to your local DNS Guardian using the command:
sudo blastcli

3. To set all Guardian cache entries as expired, use the command:

expire cache

4. To set only a part of Guardian cache entries as expired, use the command:
expire cache <filter>

where any accepted filter is described in the table Available filters for Guardian cache stat-
istics. You can also limit and order the data.

To set Guardian cache entries as expired from the GUI

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. Tick the Guardian server(s) of your choice.
3. In the menu, select Edit > Command > Flush cache. The wizard Flush DNS Cache
opens.
4. In the drop-down list Flush, select The entire cache, Zone(s) or Record(s).

Table 61.5. Available options in the drop-down list Flush

Option Description
The entire cache Allows to force as expired all cached entries. By default, it is selected.
Zone(s) Allows to force as expired the cached entries of a domain and any of its subdomains
and records. Selecting it refreshes the wizard, the field Name appears.
Name The name of a domain, like domain.com to force as expired all the cached
entries of the domain and all its subdomains. This field is required.
You can specify the name of a subdomain, like sub.domain.com to force
as expired all the entries of the subdomain, or *.domain.com to force as
expired all matching subdomain entries.
Record(s) Allows to force as expired one or more cached records. Selecting it refreshes the
wizard, the field Name appears.
Name The name of a cached record, like www.domain.com to force it as expired.
This field is required.
You can type in *.<domain.com> to force as expired all matching records.

5. Tick the box Set Guardian entries as expired (do not flush) to force the specified entries
as expired. They remain in the cache.
If you do not tick the box, all specified entries are flushed. This operation is irreversible.
6. Click on OK to complete the operation. The wizard closes.

Clearing Guardian Cache Manually

You can clear Guardian cache to delete some or all the record entries it contains, via CLI or from
the GUI.

891
 Managing Guardian Cache

Before clearing the cache manually, note that:

• This action is irreversible.
• You can set parameters to automatically clear the cache to keep Guardian performances at
best. For more details, refer to the section Clearing Guardian Cache Automatically.

To clear Guardian cache via CLI

1. Open a shell session and connect to your appliance as the default admin user, the default
password is admin, or using the credentials of a user with sudo permissions.
2. Connect to your local DNS Guardian using the command:
sudo blastcli

3. To clear the cache records content, entirely or partly, use the command:
clear cache

4. To clear only a part of the cache records content, use the command:
clear cache <filter>

where any accepted filter is described of the table Available filters for Guardian cache stat-
istics. You can also limit and order the data.
The command returns the number of entries that were deleted as follows:
DNS Blast> clear cache (mit.edu|ietf)

32 entries flushed
done

To clear Guardian cache from the GUI

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. Tick the Guardian server(s) of your choice.
3. In the menu, select Edit > Command > Flush cache. The wizard Flush DNS Cache
opens.
4. In the drop-down list Flush, select The entire cache, Zone(s) or Record(s).

Table 61.6. Available options in the drop-down list Flush

Option Description
The entire cache Allows to delete all cached entries. By default, it is selected.
Zone(s) Allows to delete the cached entries of a domain and any of its subdomains and records.
Selecting it refreshes the wizard, the field Name appears.
Name The name of a domain, like domain.com to delete all the cached entries of
the domain and all its subdomains. This field is required.
You can specify the name of a subdomain, like sub.domain.com to delete
all the entries of the subdomain, or *.domain.com to delete all matching
subdomain entries.
Record(s) Allows to delete one or more cached records. Selecting it refreshes the wizard, the
field Name appears.
Name The name of a cached record, like www.domain.com to delete it from the
cache. This field is required.
You can type in *.domain.com to delete all matching records.

892
 Managing Guardian Cache

5. Leave the box Set Guardian entries as expired (do not flush) unticked to flush the specified
entries.
If you tick the box, the entries are forced as expired, but they are not deleted.
6. Click on OK to complete the operation. The wizard closes.

Clearing Guardian Cache Automatically

You can use a set of parameters in Guardian configuration to automate the cache entries clearing
process.

clean_cache0.cmd=lastused>86400
clean_cache1.cmd=lastused>60 used<10
clean_cache2.cmd=error!=NOERROR

max_cache_entries
1000000 max_clean_cache_percent
95
The clean commands are executed
if they match entries and 95%
of max_cache_entries is reached

Each query All the cache entries

adds an entry matching one or more clean
in the cache commands are cleared

min_clean_cache_percent
5
The clean commands are stopped
to keep 5% of max_cache_entries

Figure 61.1. The automated cache clearing process

A set of parameters allow to define a maximum number of entries in the cache, the threshold to
be reached to start the automatic clearing of the cache and the maximum number of remaining
entries after the clearing:
• Clean cache#.cmd allows to set up to 10 different clearing commands, numbered between 0
and 9. These parameters trigger clearing commands matching the filters of your choice.
The clearing commands are the entry point of the automated queries clearing. The amount of
entries cleared depends on the parameters Max cache entries, Max clean cache percent and
Min clean cache percent.
The automated clearing is only executed if:
1. At least one parameter Clean cache#.cmd has a value. By default, the first three clearing
commands are configured.
2. The number of entries left in the cache matches or exceeds the value of Min clean cache
percent.
• Max cache entries sets the maximum number of entries to store in the cache. It applies to all
the parameters Clean cache#.cmd.
Its default value depends on the memory of each appliance:

Table 61.7. Max cache entries default values

SOLIDserver model Max cache entries default value
SOLIDserver-550, SOLIDserver-570 500000

893
 Managing Guardian Cache

SOLIDserver model Max cache entries default value

SOLIDserver-1100, SOLIDserver-1170 500000
SOLIDserver-2200, SOLIDserver-2270 500000
SOLIDserver-3300 & all Blast series appliances 1000000

• Max clean cache percent sets the percentage of Max cache entries to reach before clearing
the entries matching one or more parameters Clean cache#.cmd.
When the maximum percentage of entries is reached, the clearing commands are automatically
executed in ascending order.
• Min clean cache percent sets the percentage of Max cache entries to keep in the cache after
clearing the entries matching one or more parameters Clean cache#.cmd.
The clearing commands are automatically executed until the number of remaining queries
equals or exceeds the minimum percentage of entries.

Once Max clean cache percent is reached, the cleaning command Clean cache0.cmd is executed.
If the cache still contains more entries than the value set with Min clean cache percent, the
command Clean cache1.cmd is executed. All the commands Clean cache#.cmd are executed
in order until the percentage of entries remaining in the cache is equal or lower than the value
set with Min clean cache percent.

Before clearing Guardian cache automatically, keep in mind that:

• This action is irreversible.
• The more cached data you have, the more efficient your responses are and the more reliable
your statistics and analytics are.
• Cache entries can also be cleared manually, partially or entirely. For more details, refer to the
section Clearing Guardian Cache Manually.

To automate Guardian cache clearing

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the Guardian server of your choice, click on . The properties page
opens.
3. Click on NEXT until you reach the last page of the wizard.
4. In the panel Options, click on EDIT . The wizard Options configuration opens.
5. In the drop-down list Display option(s), select all. The list of all Guardian parameters is
displayed.
6. In the field Clean cache#.cmd, specify the filter of your choice. By default:
• Clean cache0.cmd is set to lastused>86400.
• Clean cache1.cmd is set to lastused>60 used<10.
• Clean cache2.cmd is set to error!=NOERROR.
The field can contain any of the Available filters for Guardian cache statistics.
7. In the field Max cache entries, specify the maximum number of entries in Guardian cache.
As detailed in introduction, its default value depends on your SOLIDserver model.
8. In the field Max clean cache percent, specify the percentage of Max cache entries that
executes the automatic clearing of the cache.
By default, it is set to 95.
9. In the field Min clean cache percent, specify the percentage of the Max cache entries that
you want to keep in the cache after the clearing.
By default, it is set to 5.

894
 Managing Guardian Cache

10. Click on OK to complete the operation. The wizard closes.

In the panel Options, your configuration is listed if it differs from the default values.

Sharing the Cache Between Several Guardian Servers

If you purchased several DNS Guardian licenses, Guardian servers can share their cache:
• Your servers can automatically share their latest cache entries, as detailed in the section Setting
Up Incremental Cache Sharing Between Several Guardian Servers.
• You can send the entire cache content from one Guardian server to another, as detailed in the
section Sending the Cache Content to Another Guardian Server.

Note that you can monitor cache sharing in the servers statistics, for more details refer to the
section Monitoring Guardian Cache Sharing Statistics in Real-Time in the chapter Managing
Guardian Statistics.

Setting Up Incremental Cache Sharing Between Several Guardian

Servers
If you set up an incremental cache sharing, any new record in the cache is automatically added
to the cache of the other servers configured.

Once the sharing is set on all servers:

1. They can automatically update their cache content using a common multicast configuration.
2. You can send the entire content of your cache to a specific Guardian server using a unicast
IP address. For more details, refer to the section Sending the Cache Content to Another
Guardian Server.

To set the cache sharing between Guardian servers, on each of them you must:
• Specify a common multicast IP address.
• Specify a common multicast port.
• Specify a common sharing key.
• Enable the sharing service.
• Set the TTL of the IP packets sent. By default, it is set to 1.

To set up an incremental cache update between Guardian servers via CLI

1. Open a shell session and connect to your appliance as the default admin user, the default
password is admin, or using the credentials of a user with sudo permissions.
2. Connect to your local DNS Guardian using the command:
sudo blastcli

3. Set the multicast IP address for the sharing using the command:
set shared_cache_mcast_addr=<multicast-IP-address>

4. Set the multicast port used for the cache sharing using the command:
set shared_cache_mcast_port=<multicast-port>

5. Set the sharing key using the command:

set shared_cache_key=<key>

895
 Managing Guardian Cache

6. Enable the sharing using the command:

set shared_cache=1

7. Set the shared IP packets TTL using the command:

shared_cache_mcast_ttl=<TTL>

// Its default value is 1

8. Repeat the steps 3 to 7 using the exact same IP address, port and key on all the Guardian
servers that should send and receive the new entries in their cache.

To set up an incremental cache update between several Guardian servers from

the GUI
1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the Guardian server of your choice, click on . The properties page
opens.
3. Click on NEXT until you reach the last page of the wizard.
4. In the panel Options, click on EDIT . The wizard Options configuration opens.
5. In the drop-down list Display option(s), select all. The list of all Guardian parameters is
displayed.
6. For the parameter Shared cache mcast addr, specify the multicast IP address for the
sharing.
7. For the parameter Shared cache mcast port, specify the multicast port used for the cache.
8. For the parameter Shared cache key, specify the sharing key.
9. To enable the sharing, for the parameter Shared cache, select yes (1).
10. For the parameter Shared cache mcast ttl, specify the shared IP packets TTL. Its default
value is 1.
11. Click on OK to complete the operation. The wizard closes.
12. Repeat these steps using the exact same IP address, port and key for all the Guardian
servers that should send and receive the new entries in their cache.

The entries on the local Guardian are marked origin: L while they are marked origin: S on the
receiving one. For more details, refer to the section Displaying Guardian Cache Content.

Sending the Cache Content to Another Guardian Server

If you enabled Guardian on several appliances, once your cache has all the entries you need,
you can send its entire content to another Guardian server. Using a dedicated command, you
can send all the cache entries from the source server to a receiving server, which then adds the
missing entries to its cache and/or updates the existing ones.

To send the content of your cache you must:

• Configure the cache sharing parameters: the multicast IP address, port and sharing key. It is
impossible to send the content of the cache from one Guardian server to the other without
these parameters. Once properly configured, the sharing must be enabled, Shared cache must
be set to yes (1). For more details, refer to the section Sharing the Cache Between Several
Guardian Servers.

896
 Managing Guardian Cache

• Use the IP address of the target Guardian server. This command, unlike cache sharing, is a
one-time operation that uses a unicast IP address. Any IP address configured on the target
server can be used.

To share the cache with another Guardian server

1. Open a shell session and connect to your appliance as the default admin user, the default
password is admin, or using the credentials of a user with sudo permissions.
2. Connect to your local DNS Guardian using the command:
sudo blastcli

3. Make sure that cache sharing is configured and enabled. For more details, refer to the section
Sharing the Cache Between Several Guardian Servers.
4. To send the entire content of your cache, use the command:
share cache <target-DNS-Guardian-server-IP-address>

5. If you do not want to incrementally update the cache of both servers with the new records,
you need to disable the cache sharing parameters once the target Guardian has received
the cache entries.

The entries are marked origin: L on the local DNS Guardian and origin: S on the receiving one.

897
Chapter 62. Managing Policies
From the page All policies, you can manage and configure Guardian policies. A Guardian policy
is a container for triggers and allows you to deploy a set of triggers on a Guardian server.

By default, the read-only policies default and empty are available. You can duplicate them to edit
the trigger they contain.

Browsing Policies
To display the list of Guardian policies
1. In the sidebar, go to Guardian > Policies. The page All policies opens.
2. To display or hide policy deployments, on the right-end side of the menu, click on . The
page refreshes.
In the column Name, the icon precedes every policy.
If policies are deployed, they are preceded by the icon and listed under the parent policy
name as many times as there are Guardian servers associated with the policy.

Two policies are available by default and read-only.You can add policies from scratch as described
below or duplicate already existing policies. For more details, refer to the section Duplicating
Policies.

There are 5 columns on the page All policies that you can sort and filter. By default, all the columns
are displayed on the page and you cannot change their order.

Table 62.1. Available columns on the page All policies

Column Description
Name The name of the policy.
Description The description of the policy.
Guardian server For a policy, the value is N/A. For a policy deployment the value is the name of the
Guardian server the policy is deployed on.
Read only Only the policies available by default are read-only. Their edition is possible but limited.
Status Status of the policy.

To display a Guardian policy properties page

1. In the sidebar, go to Guardian > Policies. The page All policies opens.
2. At the end of the line of the policy of your choice, click on . The properties page opens.

Understanding the Policy Statuses

The column Status provides information regarding the policies you manage.

Table 62.2. Policy Statuses

Status Description
OK The policy is operational.

Delayed create The policy is being deployed, i.e. created on the associated server.

Delayed delete The policy is being deleted from the associated server.

898
 Managing Policies

Adding and Deploying Policies

From the page All policies, you can add as many policies as you want.

To avoid adding and configuring a new policy, you can duplicate the policy default and edit its
triggers. For more details, refer to the section Duplicating Policies.

Before adding a policy, keep in mind that:

• A policy must have a unique name.
• When you deploy a policy on a Guardian server from the GUI, a comparison between the
triggers in the policy and the ones that had been added via CLI and are already on the
Guardian server is done. The triggers that are on the server and also in the policy are kept.
The triggers that are only present on the server are deleted and the triggers only in the policy
are added on the server.
If you deploy the default policy empty on a Guardian server that already has triggers, they are
deleted.
• You cannot deploy more than one policy per Guardian server. Only servers in version 7.1 or
higher support policy deployments.
• You can add a policy without deploying it. This allows to add the triggers it contains before
deploying it on one or more servers. For more details regarding how to add triggers, refer to
the section Managing Triggers.

To add and deploy a policy

1. In the sidebar, go to Guardian > Policies. The page All policies opens.
2. In the menu, click on Add. The wizard Add a policy opens.
3. In the field Name, name the policy. The name must be unique.
4. In the field Description, specify the description of the policy.
5. In the list Available Guardian servers, you can select a server and click on . The server
is moved to the list Selected Guardian servers.
Only Guardian enabled physical servers are listed, whether they are managed by a smart
architecture or not.
To remove a server from the Selected Guardian servers, select it and click on . The
server is moved back to the list Available Guardian servers.
6. Click on OK to complete the operation. The policy is listed .
If you deployed the policy on one or more Guardian servers, on the right-end side of the
menu, click on . Several lines appear under the policy itself, there is a line for each of the
server(s) the policy is deployed on .

Once you added and deployed a policy, you must configure the triggers it contains. For more
details, refer to the chapter Managing Triggers.

You can duplicate, edit or delete it, as detailed in the sections Duplicating Policies, Editing Policies
and Deleting Policies.

899
 Managing Policies

Duplicating Policies
You can duplicate policies to avoid configuring them again.

When you get started with the module, you could duplicate the policy default to edit its triggers
or delete the ones you do not need.

Before duplicating a policy, note that:

• The new policy contains the same triggers as the duplicated one.
• The new policy can be edited, its Read only status is No.
• The duplicated policy deployment configuration is not copied. The new policy is not deployed
on any Guardian server. For more details, refer to the section Editing Policies.
• The position of the triggers it contains is reset, to start from 0. The position of all copied triggers
is automatically incremented. For more details, refer to the chapter Managing Triggers.
• You cannot duplicate policy deployments . You must duplicate the policy itself .

To duplicate a policy
1. In the sidebar, go to Guardian > Policies. The page All policies opens.
2. Tick the policy of your choice. You can only duplicate policies one by one.
3. In the menu, select Edit > Duplicate. The wizard Duplicate a policy opens.
4. In the field Policy, name the new policy. The name must be unique.
5. Click on OK to complete the operation. The new policy is listed.

Once you duplicated a policy, you should:

1. Deploy it on a server, in other words edit it to associate it with the server of your choice, as
detailed in the section Editing Policies.
2. Click on the new policy Name to display and edit the triggers it contains. For more details,
refer to the chapter Managing Triggers.

Editing Policies
You can edit policies. Before editing a policy, note that:
• You can edit a policy, even a read-only one, to:
• Associate it with extra Guardian servers, to deploy it.
• Dissociate it from one or more Guardian servers. When you dissociate a policy from a
Guardian server, all the triggers are deleted from the server.
• You cannot rename policies.
• You cannot edit policy deployments . You must edit the policy itself .
• You cannot deploy more than one policy per Guardian server. Only servers in version 7.1 or
higher support policy deployments.
• You can edit the content of a policy, if it is not read-only, from the page All triggers. For more
details, refer to the chapter Managing Triggers.

To edit a policy
1. In the sidebar, go to Guardian > Policies. The page All policies opens.
2. Right-click on the name of the policy that you want to edit. The contextual menu appears.
3. Click on Edit. The wizard Edit a policy opens.

900
 Managing Policies

4. Edit the policy Description according to your needs. If you are editing a read-only policy,
this field is grayed out.
5. Edit the list Selected Guardian servers according to your needs. Only Guardian enabled
physical servers are listed, whether they are managed by a smart architecture or not.
Select a server in the list Available Guardian servers and click on to add it the list Selected
Guardian servers. Select a server in the list Selected Guardian servers and click on to
move it back to the list Available Guardian servers.
6. Click on OK to complete the operation. The page refreshes.

Deleting Policies
You can delete a policy. Deleting a policy also deletes the triggers it contains. Note that:
• You cannot delete read-only policies.
• You cannot delete policies deployed on a Guardian server. You must dissociate the server
first. For more details, refer to the section Editing Policies.
• You cannot delete policy deployments . Once the policy is dissociated from the server, the
dedicated deployment line is no longer listed.

To delete a policy
1. In the sidebar, go to Guardian > Policies. The page All policies opens.
2. Tick the policy of your choice. You can tick several.
3. In the menu, click on Delete. The wizard Delete opens.
4. Click on OK to complete the operation. The policy is no longer listed.

901
Chapter 63. Managing Triggers
From the page All triggers, you can add, configure, edit, disable and delete triggers.

Triggers belong to policies, they allow to execute specific actions on the clients querying Guard-
ian servers cache.

All triggers combine:

• A specific traffic metric to monitor and a threshold to look for. When the threshold is reached,
the trigger is armed.
• A duration during which the trigger action is executed. At the end of the duration, if the threshold
is no longer reached, the trigger is disarmed.

For instance, one of the default triggers monitors SERVFAIL answers over 5 seconds and set a
threshold to maximum 40. If more than 40 SERVFAIL answers were sent in the last 5 seconds,
the trigger is armed and the requesting clients are put in quarantine.

Threshold

Trigger armed
Trigger Action
applied over the
defined period

Figure 63.1. Representation of a trigger armed and disarmed

Once the metric reaches its threshold, the trigger is armed for the whole duration period, even if
the metric drops immediately below said threshold.

If the threshold is reached again while the trigger is armed, the action duration is renewed but
you are not notified. However, the rearming operation is logged and listed on the page Syslog,
under the service named . For more details, refer to the section Syslog.

Note that you can monitor trigger analytics and statistics from the GUI, or monitor them all in real-
time via CLI. For more details, refer to the chapter Monitoring Guardian or to the section Monitoring
Trigger Statistics in Real-Time in the chapter Managing Guardian Statistics.

Prerequisites
• To use triggers, you must enable the cache, the parameter blast. For more details, refer to the
section Enabling or Disabling Guardian Cache in the chapter Setting Guardian Parameters.
• If a trigger belongs to a policy not deployed on any server, it is never used. For more details,
refer to the chapter Managing Policies.

902
 Managing Triggers

Limitations
• Any change made in the GUI overwrites the changes made via CLI. The modifications
made in the CLI are erased and replaced with the data available in the GUI.
• Restoring a backup on a management appliance leads to a synchronization between
the GUI and the Guardian server: The objects that are on the server and also in the GUI are
kept. The objects that are only present on the server are deleted and the objects only in the
GUI are added on the server.
Therefore, if you added, edited or deleted objects since the backup was saved, all changes
are lost and may even not be visible in the GUI. Before restoring a backup, make sure you
saved it when the Application or Guardian database was up-to-date.

Browsing Triggers
To display the list of triggers
1. In the sidebar, go to Guardian > Triggers. The page All triggers opens.
2. To display or hide policy deployments, on the right-end side of the menu, click on . For
more details regarding policy deployments, refer to the section Browsing Policies.

By default, there are five triggers available in the policy default. You cannot modify these triggers
as the policy default is in read-only.

To display a trigger properties page

1. In the sidebar, go to Guardian > Triggers. The page All triggers opens.
2. At the end of the line of the trigger of your choice, click on . The properties page opens.

Every time a trigger is armed or disarmed, the operation is logged and can be monitored from
the page Syslog. Note that this is the only page where you can display triggers that were renewed
while their action is being executed.

To monitor trigger operations in the logs

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Monitoring, click on Syslog. The page Syslog opens.
3. In the drop-down list SOLIDserver, select the local appliance. The page refreshes.
4. In the drop-down list Service, select named. The page refreshes.
5. In the column Log, type in arm to include triggers that were armed (ARMING) or disarmed
(DISARMING).
The returned logs are formatted as follows:
solid named[12962]: ARMING trigger on 142.12.0.101 (action:BLOCK) (Trigger-B)
solid named[12962]: DISARMING trigger on 142.12.0.101 (action:BLOCK) (Trigger-B)

In this example, the Trigger-B is armed when its metric threshold is reached, and then dis-
armed. While the trigger is armed, it blocks clients who reach the threshold, here the client
IP address is 142.12.0.101. They are no longer blocked when the trigger is disarmed.
If the trigger is tagged, the logs include the metric and value reached when the trigger was
armed and disarmed. For more details, refer to the section Adding Tagged Triggers.

Note that you can also monitor your triggers via CLI. For more details, refer to the section Monit-
oring Trigger Statistics in Real-Time in the chapter Managing Guardian Statistics.

903
 Managing Triggers

Customizing the Display on the Page All Triggers

Any user can change the column layout of the page via the button List template, on the right-
end side of the menu. Only users of the group admin can add or edit list templates. For more
details, refer to the section Managing List Templates.

There are 9 columns on the page All triggers that you can sort and filter. By default, all the columns
are displayed on the page.

Table 63.1. Available columns on the page All triggers

Column Description
Name The name of the trigger.
Action The action or countermeasure executed when the trigger is armed, either Log only (none),
Quarantine, Block, Quarantine redirect or Ratelimit. For more details, refer to the trigger actions.
Duration The Action duration, in seconds.
Options The querylog and/or answerlog configuration of the trigger, it indicated if either or both are en-
abled. For more details, refer to the section Enabling Querylog and Answerlog on Triggers.
Rule definition The values and thresholds that trigger the action.
Policy The name of the policy or policy deployment the trigger belongs to.
Guardian server The name of the server on which the policy the trigger belongs to is deployed. For a policy line,
the value is N/A.
Status The status of the trigger. For more details, refer to the table Trigger statuses.

Understanding the Trigger Statuses

The column Status provides information regarding the triggers you manage.

Table 63.2. Trigger statuses

Status Description
OK The trigger is managed and operational.

Delayed create The trigger is being deployed, i.e. created on the associated server.

Delayed delete The trigger is being deleted from the associated server.

Unmanaged The trigger is unmanaged, disabled. It is ignored and never armed.

Adding Triggers
By default, a set of triggers are available in the default policy. You can duplicate this policy and
the triggers it contains to edit them to suit your needs, as detailed in the section Editing Triggers.

You can add as many triggers you need in your policies. All triggers contain:
• One action to execute, the available actions are illustrated below.
• A duration in seconds, for the selected action.
• A rule definition defined using Reverse Polish Notation (RPN), that sets the client metrics
and thresholds to meet before executing the action during the specified duration. All available
metrics are described in the table trigger metrics.

Following the example in the chapter introduction, the default trigger based on a number of
SERFVAIL answers, Servfail protection, is configured as follows:
1. Its action is Quarantine.

904
 Managing Triggers

2. Its duration is 60 seconds. Clients are put in quarantine for 1 minute if the rule definition is
met.
3. Its rule definition is defined in RPN as follows: answer_servfail@5 40 >=
where:
• answer_servfail@5 defines the metric and how long it should be monitored, here it monitors
the number of answers returning a SERVFAIL rcode, during (@) the last 5 seconds.
• 40 >= ensures that the number of answers does not exceed 40. If it does, the trigger is
armed.

On the page All triggers, the trigger Rule definition is listed as answer_servfail@5 >= 40 to make
it easier to read.

All trigger configurations share the same actions, illustrated below, and metrics, described
in the next table.

cached answers missing

answers from the cache
Log only

only cached any answer not in

answers are sent the cache is ignored
Quarantine

no answer is sent any answer not in

to the client the cache is ignored
Block

redirects to any answer not in

an IP address the cache is ignored
Quarantine redirect

100

answers maximum answers missing

100 queries from the cache
per second
Ratelimit
Figure 63.2. Guardian actions

905
 Managing Triggers

All the metrics available to protect your servers are described below.

Table 63.3. Trigger metrics

Metric Description
<0-999999> A number between 0 and 999999, used to specify the metric monitoring
duration and its threshold.
query The number of queries received.
auth The number of authoritative queries received.
invalid_query The number of invalid queries received.
cache_hit The number of cache hits, query answers already in the cache.
cache_miss The number of cache misses, query answers not present in the cache.
cache_hit_quarantine The number of cache hits in quarantine mode.
cache_miss_not_exist The number of cache misses that have never been cached.
cache_miss_quarantine The number of cache misses in quarantine mode.
cache_miss_quarantine_redirect The number of cache misses in quarantine mode that were redirected.
recurs_time The total time in recursion in milliseconds.
auth_query_size The size, in bytes, of authoritative queries.
auth_answer_size The size, in bytes, of authoritative answers.
hit_query_size The size, in bytes, of hit queries.
hit_answer_size The size, in bytes, of hit answers.
miss_query_size The size, in bytes, of missed queries.
miss_query_size_not_exist The size, in bytes, of missed queries that have never been cached.
miss_answer_size The size, in bytes, of answers to missed queries.
miss_answer_size_not_exist The size, in bytes, of answers to missed queries that have never been
cached.
answer_noerror The number of answers returning a NOERROR rcode.
answer_formerr The number of answers returning a FORMERR rcode.
answer_servfail The number of answers returning a SERVFAIL rcode.
answer_nxdomain The number of answers returning a NXDOMAIN rcode.
answer_notimp The number of answers returning a NOTIMP rcode.
answer_refused The number of answers returning a REFUSED rcode.
auth_answer_noerror The number of authoritative answers returning a NOERROR rcode.
auth_answer_formerr The number of authoritative answers returning a FORMERR rcode.
auth_answer_servfail The number of authoritative answers returning a SERVFAIL rcode.
auth_answer_nxdomain The number of authoritative answers returning a NXDOMAIN rcode.
auth_answer_notimp The number of authoritative answers returning a NOTIMP rcode.
auth_answer_refused The number of authoritative answers returning a REFUSED rcode.
hit_answer_noerror The number of answers (cache hit) returning a NOERROR rcode.
hit_answer_formerr The number of answers (cache hit) returning a FORMERR rcode.
hit_answer_servfail The number of answers (cache hit) returning a SERVFAIL rcode.
hit_answer_nxdomain The number of answers (cache hit) returning a NXDOMAIN rcode.
hit_answer_notimp The number of answers (cache hit) returning a NOTIMP rcode.
hit_answer_refused The number of answers (cache hit) returning a REFUSED rcode.
miss_answer_noerror The number of answers (cache miss) returning a NOERROR rcode.
miss_answer_formerr The number of answers (cache miss) returning a FORMERR rcode.

906
 Managing Triggers

Metric
miss_answer_servfail
miss_answer_nxdomain
miss_answer_notimp
miss_answer_refused
Description
The number of answers (cache miss) returning a SERVFAIL rcode.
The number of answers (cache miss) returning a NXDOMAIN rcode.
The number of answers (cache miss) returning a NOTIMP rcode.
The number of answers (cache miss) returning a REFUSED rcode.

Before adding triggers, note that:

• You can add simple triggers, based on a rule definition containing one metric or the result of
metrics operation. For more details, refer to the section Adding Armed by a Single Threshold.
• You can add triggers that rely on Guardian lists to configure a more specific metric use
based on the domains, clients or clients identifiers of existing lists. For more details, refer to
the section Adding Triggers Relying on Lists Metrics.
• You can add complex triggers, based on several metric thresholds. For more details, refer
to the section Adding Triggers Armed by Several Thresholds.
• You can monitor triggers by tagging their rule definition, that way the logs display the metric
and threshold that armed and disarmed the trigger. For more details, refer to the section Adding
Tagged Triggers.
• Any trigger can be ignored at view level, the parameter View#.list id filter can be set with the
action notrigger. If it is, part of all of your trigger definition threshold may be ignored. For more
details, refer to the section Using Lists to Filter Guardian Views in the chapter Managing
Guardian Views.

Adding Triggers Armed by a Single Threshold

Triggers armed by a single threshold are the simplest ones. Their rule definition includes one
threshold that applies to one metric or to the result of an operation involving several metrics.

A simple trigger rule definition could be query@5 5000 >= where:

• query@5 monitors the number of queries received over the last 5 seconds; and
• 5000 >= ensures that the number of queries does not exceed or match 5000. If it does, the
trigger is armed and its Action is executed.

On the page All triggers, the trigger Rule definition is displayed as query@5 >= 5000 to make it
easier to read.

Before adding a trigger, note that:

• You cannot add a trigger in a read-only policy.
• The trigger rule definition contains at least a metric and a threshold. Its syntax must follow
Reverse Polish Notation (RPN), therefore it must be parenthesis-free and have each operator
follows all of its operands.
• If the threshold is reached again while the trigger is armed, the action duration is renewed but
you are not notified. However, the rearming operation is logged and listed on the page Syslog,
under the service named . For more details, refer to the section Syslog.
• You can include the operators % and push_param in the rule definition to monitor the trigger
and display in the logs which metric(s) and threshold(s) armed and disarmed it. For more details,
refer to the section Adding Tagged Triggers.

To add a trigger armed by a single threshold

1. In the sidebar, go to Guardian > Triggers. The page All triggers opens.

907
 Managing Triggers

2. In the menu, click on Add. The wizard opens.

3. In the list Guardian policy, select the policy of your choice. You cannot select read-only
policies.
4. Click on NEXT . The page Add a trigger opens.
5. In the field Position, the trigger position is displayed in read-only. It is automatically incre-
mented based on the other triggers added to the policy.
6. In the field Name, name the trigger.
7. In the drop-down list Action, select the action to execute when the trigger is armed. Except
for Log only (none), all trigger actions are countermeasures:

Table 63.4. Trigger actions

Action Description
Log only No operation is performed. When the trigger is armed or disarmed, the event is logged on
(none) the page Syslog. This is the default value.
Quarantine The client is placed in quarantine. The quarantine protects the local recursive server, all
cached queries are accessible and sent out but the recursion is blocked. When the trigger
is armed or disarmed, the action is logged.
Block The DNS resolution is blocked. Keep in mind that, if you have private hosts on the same
NAT device or router, blocking a client IP address might block all the other clients using it
to connect the network. When the trigger is armed or disarmed, the action is logged.
Quarantine All the clients querying data not cached are redirected to a specific IP address. When the
redirect trigger is armed or disarmed, the action is logged.
The redirection address is defined in the parameters Quarantine redirect A or Quarantine
redirect AAAA. To configure them, refer to the section Configuring the Action Quarantine
Redirect.
Ratelimit The client traffic is capped to 100 queries per second, this value is set by default and cannot
be changed. When the trigger is armed or disarmed, the action is logged.

8. In the field Duration (in seconds), specify an integer between 0 and 999999 that sets how
many seconds the Action lasts once the trigger is armed.
Note that the duration can be silently renewed, if the trigger is rearmed because its threshold
is reached again during the initial duration. In this case, the rearming event is only visible in
the logs.
9. In the section Action options, you can enable Querylog to log all client queries and/or An-
swerlog to log all answers. For more details, refer to the section Enabling Querylog and
Answerlog on Triggers.
10. In the field Rule definition, specify in Reversed Polish Notation the values and thresholds
of your choice. The selected Action is triggered when the rule definition is met.
Your rule definition must contain at least the following:
<metric>@<nb-of-seconds> <threshold-value> <threshold-operator>
where:
• metric is one of the entries described in the table trigger metrics.
• @ introduces the monitoring period of the metric.
• nb-of-seconds is the period during which the metric is monitored, an integer between 0
and 999999.
• threshold-value is the metric value to look for over the period, an integer between 0 and
999999.
• threshold-operator is the operator, either =, !=, >=, <=, < or >, applied to the metric threshold
value.

908
 Managing Triggers

Note that you can also use a metric operator to combine two or more metrics and use that
result as a threshold:
<metric1>@<nb-of-seconds> <metric2>@<nb-of-seconds> <metric-operator> <threshold-
value> <threshold-operator>
where:
• metric-operator is +, -, * or / . It determines how to use the metrics. This operator must be
located between the metrics and the thresholds.
• threshold-value is the value to look for over the period, the result of the operation between
the metrics, an integer between 0 and 999999.
To configure a more complex rule definition, refer to the sections Adding Triggers Relying
on Lists Metrics and Adding Triggers Armed by Several Thresholds.
To display in the logs the metric involved in the trigger (dis)arming, refer to the section Adding
Tagged Triggers.
11. The box Manage is ticked by default, it activates the trigger. You can untick the box to deac-
tivate the trigger, in which case the Action and Rule definition are ignored and the trigger is
never armed. For more details, refer to the section Managing or Unmanaging Triggers.
12. Click on OK to complete the operation. The report works for a while before closing. The list
is updated.
In the list, the trigger Rule definition no longer follows RPN format.
If you added the trigger in a policy deployed on several Guardian servers, click on on
the right-end side of the menu. The page refreshes and several lines appear under the trigger
itself, one for each of the servers the policy is deployed on.

Once you added a trigger, you can edit, unmanage or delete it, as detailed in the sections Editing
Triggers, Managing or Unmanaging Triggers and Deleting Guardian Triggers.

Adding Triggers Relying on List Metrics

If you already configured at least one list of domains, clients or client identifiers, you can use its
content to narrow down the metrics to monitor in your trigger rule definition. For more details,
refer to the chapter Managing Lists.

Configuring a trigger with list metrics allows to take into account the content of a list before arming
the trigger. For instance, you could avoid false positives if your rule definition excludes queries
towards the legitimate domains of one list, or from the IP address of trusted clients of another
list.

All the list metrics are described in the table below. Each metric matches a specific list, via list#
where # identifies one of the 8 available lists using a number between 0 and 7.

Table 63.5. Guardian list metrics

List metric
list#_cache_hit
list#_cache_miss_not_exist
list#_cache_miss
list#_hit_answer_size
list#_hit_query_size
Description
The cumulated number of cache hits for all the entries present in the list list#;
where # is the list ID, a number between 0 and 7. The entries of domain, client
or specific client identifier list can be names or IP addresses.
The cumulated number of cache misses that have never been cached for all
the entries present in the list list#.
The cumulated number of cache misses for all the entries present in the list
list#.
The cumulated size of hit answers for all the entries present in the list list#.
The cumulated size of hit queries for all the entries present in the list list#.

909
 Managing Triggers

List metric Description

list#_miss_answer_size_not_ex- The cumulated size of hit answers that have never been cached for all the
ist entries present in the list list#.
list#_miss_answer_size The cumulated size of missed answers for all the entries present in the list list#.
list#_miss_query_size_not_exist The cumulated size of hit queries that have never been cached for all the entries
present in the list list#.
list#_miss_query_size The cumulated size of missed answers for all the entries present in the list list#.
list#_query The cumulated number of queries made to the entries present in the list list#.
list#_recurs_time The total recursion time of all the entries in the list list#.
list_hit The number of hits matching entries present in all lists.

Triggers relying on list metrics can be configured with one or several thresholds. Their rule
definition includes at least one threshold that applies to an operation involving a standard metric
and its corresponding list metric.

A trigger rule definition relying on a list metric could be cache_miss@10 list1_cache_miss@10

- 100 > where:
• cache_miss@10 monitors the number of cache misses over the last 10 seconds;
• list1_cache_miss@10 takes into account the content of list1 over the last 10 seconds;
• - excludes list1_cache_miss@10 from the data to monitor, any cache miss matching an entry
of list1 does not arm the trigger; and
• 100 > ensures that the number of cache misses not specified in list1 does not exceed 100. If
it does, the trigger is armed and its Action is executed.

On the page All triggers, the trigger Rule definition is displayed as ( cache_miss@10 -
list1_cache_miss@10 ) > 100 to make it easier to read.

Before adding a trigger, note that:

• You cannot add a trigger in a read-only policy.
• The trigger rule definition contains at least a metric and a threshold. Its syntax must follow
Reverse Polish Notation (RPN), therefore it must be parenthesis-free and have each operator
follows all of its operands.
• If the threshold is reached again while the trigger is armed, the action duration is renewed but
you are not notified. However, the rearming operation is logged and listed on the page Syslog,
under the service named . For more details, refer to the section Syslog.
• You can include the operators % and push_param in the rule definition to monitor the trigger
and display in the logs which metric(s) and threshold(s) armed and disarmed it. For more details,
refer to the section Adding Tagged Triggers.
• By default, Guardian servers are both authoritative and recursive, the parameter recursive is
set to 2. Therefore, each authoritative query results in a cache miss. You can configure a list
containing all the domains your server has authority over, and take it into account in your trigger,
to avoid executing actions on clients querying your domains. For more details, refer to the
section Configuring the Content of a List in the chapter Managing Lists.
• Your trigger can be ignored at view level via the parameter View#.list id filter. If it is set with
the action notrigger, the trigger rule definition threshold(s) may be ignored. For more details,
refer to the section Using Lists to Filter Guardian Views in the chapter Managing Guardian
Views.

To add a trigger relying on list metrics

1. In the sidebar, go to Guardian > Triggers. The page All triggers opens.

910
 Managing Triggers

2. In the menu, click on Add. The wizard opens.

3. In the list Guardian policy, select the policy of your choice. You cannot select read-only
policies.
4. Click on NEXT . The page Add a trigger opens.
5. In the field Position, the trigger position is displayed in read-only. It is automatically incre-
mented based on the other triggers added to the policy.
6. In the field Name, name the trigger.
7. In the drop-down list Action, select the action to execute when the trigger is armed. Except
for Log only (none), all trigger actions are countermeasures:

Table 63.6. Trigger actions

Action Description
Log only No operation is performed. When the trigger is armed or disarmed, the event is logged on
(none) the page Syslog. This is the default value.
Quarantine The client is placed in quarantine. The quarantine protects the local recursive server, all
cached queries are accessible and sent out but the recursion is blocked. When the trigger
is armed or disarmed, the action is logged.
Block The DNS resolution is blocked. Keep in mind that, if you have private hosts on the same
NAT device or router, blocking a client IP address might block all the other clients using it
to connect the network. When the trigger is armed or disarmed, the action is logged.
Quarantine All the clients querying data not cached are redirected to a specific IP address. When the
redirect trigger is armed or disarmed, the action is logged.
The redirection address is defined in the parameters Quarantine redirect A or Quarantine
redirect AAAA. To configure them, refer to the section Configuring the Action Quarantine
Redirect.
Ratelimit The client traffic is capped to 100 queries per second, this value is set by default and cannot
be changed. When the trigger is armed or disarmed, the action is logged.

8. In the field Duration (in seconds), specify an integer between 0 and 999999 that sets how
many seconds the Action lasts once the trigger is armed.
Note that the duration can be silently renewed, if the trigger is rearmed because its threshold
is reached again during the initial duration. In this case, the rearming event is only visible in
the logs.
9. In the section Action options, you can enable Querylog to log all client queries and/or An-
swerlog to log all answers. For more details, refer to the section Enabling Querylog and
Answerlog on Triggers.
10. In the field Rule definition, specify in Reversed Polish Notation the values and thresholds
of your choice. It must include at least one standard metric and one list metric. The selected
Action is triggered when the rule definition is met.
Your rule definition must contain at least the following:
<metric>@<nb-of-seconds> <list_metric>@<nb-of-seconds> <metric-operator> <threshold-
value> <threshold-operator>
where:
• <metric>@<nb-of-seconds> specifies a standard metric:
• metric is one of the entries described in the table trigger metrics.
• @ introduces the monitoring period of the metric.
• nb-of-seconds is the period during which the metric is monitored, an integer between 0
and 999999.
• <list_metric>@<nb-of-seconds> specifies the corresponding list metric:
• list_metric is one of the entries described in the table list metrics.

911
 Managing Triggers

• @ introduces the monitoring period of the metric.

• nb-of-seconds is the period during which the metric is monitored, an integer between 0
and 999999.
• metric-operator is +, -, * or / . It determines how to take into account the list metric. This
operator must be located between the metrics and the thresholds.
• threshold-value is the value to look for over the period, the result of the operation between
the metrics and the list metric, an integer between 0 and 999999.
• threshold-operator is the operator, either =, !=, >=, <=, < or >, applied to the metric threshold
value.
To configure a rule definition including more metrics, refer to the section Adding Triggers
Armed by Several Thresholds.
To display in the logs the metric involved in the trigger (dis)arming, refer to the section Adding
Tagged Triggers.
11. The box Manage is ticked by default, it activates the trigger. You can untick the box to deac-
tivate the trigger, in which case the Action and Rule definition are ignored and the trigger is
never armed. For more details, refer to the section Managing or Unmanaging Triggers.
12. Click on OK to complete the operation. The report works for a while before closing. The list
is updated.
In the list, the trigger Rule definition no longer follows RPN format.
If you added the trigger in a policy deployed on several Guardian servers, click on on
the right-end side of the menu. The page refreshes and several lines appear under the trigger
itself, one for each of the servers the policy is deployed on.

Once you added a trigger, you can edit, unmanage or delete it, as detailed in the sections Editing
Triggers, Managing or Unmanaging Triggers and Deleting Guardian Triggers.

Adding Triggers Armed by Several Thresholds

Triggers armed by several thresholds allow to configure advanced, or even complex, arming
mechanisms. Their rule definition includes several metrics, each set with their own threshold and
a logical operator that defines how to use the definition content. It can even include a view.

With several thresholds, the trigger can be armed when all or only some of them are reached.

A trigger rule definition with several thresholds could be cache_miss_not_exist@15 30 >=

cache_miss_not_exist@2 70 < & where:
• cache_miss_not_exist@15 30 >= monitors the number of cache misses, or queries that were
never cached, over the last 15 seconds and ensures it does not exceed or match 30 (30 >=);
• cache_miss_not_exist@2 70 < monitors the number of cache misses that were never cached
over the last 2 seconds and ensures it exceeds 70 (70 <); and
• & (and) ensures that if both metric thresholds are met, the trigger is armed and its Action is
executed.

In this example, the trigger is armed when all its metrics are reached, it monitors the number of
cache misses that were never cached over two different periods. On the page All triggers, the
trigger Rule definition is displayed as ( cache_miss_not_exist@15 >= 30 ) & (
cache_miss_not_exist@2 < 70 ) to make it easier to read.

A trigger rule definition including a view and a threshold could be view 2 = cache_miss@30
50 > | where:

912
 Managing Triggers

• view 2 = identifies queries made only (=) to view2, where 2 is the view ID, it identifies the third
view of the server (30 >=);
• cache_miss@30 50 > monitors the number of cache misses over the last 30 seconds and
ensures it does not exceed 50 (50 >); and
• | (or) ensures that if the view is queried or if the metric threshold is met, the trigger is armed
and its Action is executed.

In this example, the trigger is armed if part of its rule definition is met, either a view or a metric.
On the page All triggers, the trigger Rule definition is displayed as ( view = 2 ) | ( cache_miss@30
> 50 ) to make it easier to read.

Before adding a trigger, note that:

• You cannot add a trigger in a read-only policy.
• The trigger rule definition contains at least a metric and a threshold. Its syntax must follow
Reverse Polish Notation (RPN), therefore it must be parenthesis-free and have each operator
follows all of its operands.
• If the threshold is reached again while the trigger is armed, the action duration is renewed but
you are not notified. However, the rearming operation is logged and listed on the page Syslog,
under the service named . For more details, refer to the section Syslog.
• You can include the operators % and push_param in the rule definition to monitor the trigger
and display in the logs which metric(s) and threshold(s) armed and disarmed it. For more details,
refer to the section Adding Tagged Triggers.

To add a trigger armed by several thresholds

1. In the sidebar, go to Guardian > Triggers. The page All triggers opens.
2. In the menu, click on Add. The wizard opens.
3. In the list Guardian policy, select the policy of your choice. You cannot select read-only
policies.
4. Click on NEXT . The page Add a trigger opens.
5. In the field Position, the trigger position is displayed in read-only. It is automatically incre-
mented based on the other triggers added to the policy.
6. In the field Name, name the trigger.
7. In the drop-down list Action, select the action to execute when the trigger is armed. Except
for Log only (none), all trigger actions are countermeasures:

Table 63.7. Trigger actions

Action Description
Log only No operation is performed. When the trigger is armed or disarmed, the event is logged on
(none) the page Syslog. This is the default value.
Quarantine The client is placed in quarantine. The quarantine protects the local recursive server, all
cached queries are accessible and sent out but the recursion is blocked. When the trigger
is armed or disarmed, the action is logged.
Block The DNS resolution is blocked. Keep in mind that, if you have private hosts on the same
NAT device or router, blocking a client IP address might block all the other clients using it
to connect the network. When the trigger is armed or disarmed, the action is logged.
Quarantine All the clients querying data not cached are redirected to a specific IP address. When the
redirect trigger is armed or disarmed, the action is logged.
The redirection address is defined in the parameters Quarantine redirect A or Quarantine
redirect AAAA. To configure them, refer to the section Configuring the Action Quarantine
Redirect.

913
 Managing Triggers

Action Description
Ratelimit The client traffic is capped to 100 queries per second, this value is set by default and cannot
be changed. When the trigger is armed or disarmed, the action is logged.

8. In the field Duration (in seconds), specify an integer between 0 and 999999 that sets how
many seconds the Action lasts once the trigger is armed.
Note that the duration can be silently renewed, if the trigger is rearmed because its threshold
is reached again during the initial duration. In this case, the rearming event is only visible in
the logs.
9. In the section Action options, you can enable Querylog to log all client queries and/or An-
swerlog to log all answers. For more details, refer to the section Enabling Querylog and
Answerlog on Triggers.
10. In the field Rule definition, specify in Reversed Polish Notation the values and thresholds
of your choice. The selected Action is triggered when the rule definition is met.
Your rule definition must contain at least the following:
<metric1>@<nb-of-seconds> <metric1-threshold> <threshold1-value> <threshold1-operator>
<metric2>@<nb-of-seconds> <metric2-threshold> <threshold2-value> <threshold2-operator>
<logical-operator>
where:
• <metric1>@<nb-of-seconds> <metric1-threshold> <threshold1-value> <threshold1-oper-
ator> specifies the first metric:
• metric1 is the first metric of the rule, one of the entries described in the trigger metrics
table.
• @ introduces the monitoring period of the metric.
• nb-of-seconds is the period during which the metric is monitored, an integer between 0
and 999999.
• threshold1-value is the value of the first metric to look for over the period, an integer
between 0 and 999999.
• threshold1-operator is the first metric operator, either =, !=, >=, <=, < or >, applied to
the metric threshold value.
• <metric2>@<nb-of-seconds> <metric2-threshold> <threshold2-value> <threshold2-oper-
ator> specifies the second metric.
• logical-operator is the operator, either & or |, applied to the metrics and their threshold.
To display in the logs the metric involved in the trigger (dis)arming, refer to the section Adding
Tagged Triggers.
11. The box Manage is ticked by default, it activates the trigger. You can untick the box to deac-
tivate the trigger, in which case the Action and Rule definition are ignored and the trigger is
never armed. For more details, refer to the section Managing or Unmanaging Triggers.
12. Click on OK to complete the operation. The report works for a while before closing. The list
is updated.
In the list, the trigger Rule definition no longer follows RPN format.
If you added the trigger in a policy deployed on several Guardian servers, click on on
the right-end side of the menu. The page refreshes and several lines appear under the trigger
itself, one for each of the servers the policy is deployed on.

Once you added a trigger, you can edit, unmanage or delete it, as detailed in the sections Editing
Triggers, Managing or Unmanaging Triggers and Deleting Guardian Triggers.

914
 Managing Triggers

Adding Tagged Triggers

Triggers can be tagged to display in full text in the logs which metric was involved in their arming
or disarming, and the metric value in both cases.

Tagged triggers allow to monitor one or several metrics on the page Syslog. Their name and rule
definition must include specific parameters to tag the metrics.

A tagged trigger is configured using:

1. The operator % in its Name.
The name identifies the trigger(s) to monitor. Each metric is given a numerical position, that
follows the order of the metric(s) specified in the rule definition, starting from 0 (%0).
2. The operator push_param in its Rule definition.
All the metrics you want to tag, the % specified in the trigger name, must be followed by
push_param.

A simple tagged trigger could have:

• The name Trigger-T1 Queries %0 where:
• Trigger-T1 is the name of the trigger itself.
• Queries is the name of the metric to monitor.
• %0 is the metric position in the rule definition, here the first metric specified.
• The rule definition query@10 push_param 100 >= where:
• query@10 monitors the number of queries over the last 10 seconds;
• push_param indicates that the preceding metric is tagged, it is the first metric ; and
• 100 >= ensures that the number of queries does not exceed or match 100. If its does, the
trigger is armed and its Action is executed.

On the page All triggers, the trigger Rule definition is displayed as query@10 >= 100 to make it
easier to read.

On the page Syslog, both the metric and its value are displayed when the trigger is armed and
disarmed. Here, the metric named Queries. For more details, refer to the procedure To monitor
trigger operations in the logs.
01/03/2018 18:13:18 solid named[12962]: ARMING trigger on 142.12.0.101 (action:BLOCK)
(Trigger-T1 Queries 100)
01/03/2018 18:13:18 solid named[12962]: DISARMING trigger on 142.12.0.101 (action:BLOCK)
(Trigger-T1 Queries 0)

An advanced tagged trigger could have:

• The name Trigger-T2 Queries %0 Cache-Miss %1 where:
• Trigger-T2 is the name of the trigger itself.
• Queries %0 is the first metric to monitor and its position in the rule definition, here the first
metric specified %0.
• Cache-Miss %1 is the next metric to monitor and its position, here the second metric specified
%1.
• The rule definition query@10 push_param 100 >= cache_miss@30 push_param 50 >= |
where:
• query@10 push_param 100 >= monitors the number of queries over the last 10 seconds,
tags it (push_param) and ensures that it does not exceed or match 100;

915
 Managing Triggers

• cache_miss@30 push_param 50 >= monitors the number of cache misses over the last 30
seconds, tags it (push_param) and ensures that it does not exceed or match 50;
• | (or) ensures that if the number of queries or if the cache misses is reached, the trigger is
armed and its Action is executed.

On the page All triggers, the trigger Rule definition is displayed as ( query@10 >= 100 ) | (
cache_miss@30 >= 50 ) to make it easier to read.

On the page Syslog, both the metrics and their value are displayed when the trigger is armed
and disarmed. Here, the value of both the metric named Queries and Cache-Miss are returned,
even if only one metric triggered the arming or disarming. For more details, refer to the procedure
To monitor trigger operations in the logs.
01/03/2018 18:13:18 solid named[12962]: ARMING trigger on 142.12.0.101 (action:BLOCK)
(Trigger-T2 Queries 0 Cache-Miss 50)
01/03/2018 18:13:18 solid named[12962]: DISARMING trigger on 142.12.0.101 (action:BLOCK)
(Trigger-T1 Queries 0 Cache-Miss 0)

Before adding a trigger, note that:

• You cannot add a trigger in a read-only policy.
• The trigger rule definition contains at least a metric and a threshold. Its syntax must follow
Reverse Polish Notation (RPN), therefore it must be parenthesis-free and have each operator
follows all of its operands.
• If the threshold is reached again while the trigger is armed, the action duration is renewed but
you are not notified. However, the rearming operation is logged and listed on the page Syslog,
under the service named . For more details, refer to the section Syslog.

To add a tagged trigger

1. In the sidebar, go to Guardian > Triggers. The page All triggers opens.
2. In the menu, click on Add. The wizard opens.
3. In the list Guardian policy, select the policy of your choice. You cannot select read-only
policies.
4. Click on NEXT . The page Add a trigger opens.
5. In the field Position, the trigger position is displayed in read-only. It is automatically incre-
mented based on the other triggers added to the policy.
6. In the field Name, name the trigger including a name for the metric to monitor and its position
in the Rule definition.
Your rule name must contain at least the following:
<trigger-name> <metric-name> %<metric-position>
where:
• trigger-name identifies the trigger itself.
• metric-name names the metric you are tagging in the rule definition.
• metric-position specifies the position of the metric in the rule definition, preceded by %.
All metric positions follow their order in the Rule definition and start at 0. If it contains only
one metric, it must be specified %0 in the tag name. If several metrics are specified, the
first one is %0, the next is %1...
It can include several metrics as follows:
<trigger-name> <metric1-name> %<metric-position> <metric2-name> %<metric-position>
where:

916
 Managing Triggers

• <metric1-name> %<metric-position> names and identifies the first metric, %0, specified
in the Rule definition.
• <metric2-name> %<metric-position> names and identifies the second metric, %1, specified
in the Rule definition.
7. In the drop-down list Action, select the action to execute when the trigger is armed. Except
for Log only (none), all trigger actions are countermeasures:

Table 63.8. Trigger actions

Action Description
Log only No operation is performed. When the trigger is armed or disarmed, the event is logged on
(none) the page Syslog. This is the default value.
Quarantine The client is placed in quarantine. The quarantine protects the local recursive server, all
cached queries are accessible and sent out but the recursion is blocked. When the trigger
is armed or disarmed, the action is logged.
Block The DNS resolution is blocked. Keep in mind that, if you have private hosts on the same
NAT device or router, blocking a client IP address might block all the other clients using it
to connect the network. When the trigger is armed or disarmed, the action is logged.
Quarantine All the clients querying data not cached are redirected to a specific IP address. When the
redirect trigger is armed or disarmed, the action is logged.
The redirection address is defined in the parameters Quarantine redirect A or Quarantine
redirect AAAA. To configure them, refer to the section Configuring the Action Quarantine
Redirect.
Ratelimit The client traffic is capped to 100 queries per second, this value is set by default and cannot
be changed. When the trigger is armed or disarmed, the action is logged.

8. In the field Duration (in seconds), specify an integer between 0 and 999999 that sets how
many seconds the Action lasts once the trigger is armed.
Note that the duration can be silently renewed, if the trigger is rearmed because its threshold
is reached again during the initial duration. In this case, the rearming event is only visible in
the logs.
9. In the section Action options, you can enable Querylog to log all client queries and/or An-
swerlog to log all answers. For more details, refer to the section Enabling Querylog and
Answerlog on Triggers.
10. In the field Rule definition, specify in Reversed Polish Notation the values and thresholds
of your choice. The selected Action is triggered when the rule definition is met.
Your rule definition must contain at least the following:
<metric>@<nb-of-seconds> push_param <threshold>
where:
• metric is one of the entries described in the table trigger metrics.
• @ introduces the monitoring period of the metric.
• push_param precedes each metric threshold, it tags the metric. In the trigger Name, this
metric is renamed, and as it is the only metric in the rule its position is %0.
• nb-of-seconds is the period during which the metric is monitored, an integer between 0
and 999999.
It can include several metrics as follows:
<metric1>@<nb-of-seconds> push_param <threshold1-value> <threshold1-operator>
<metric2>@<nb-of-seconds> push_param <threshold2-value> <threshold2-operator> <lo-
gical-operator>
where:

917
 Managing Triggers

• <metric1>@<nb-of-seconds> push_param <threshold1-value> <threshold1-operator>

specifies the first tagged metric:
• metric1 is the first metric of the rule, one of the entries described in the trigger metrics
table.
• @ introduces the monitoring period of the metric.
• nb-of-seconds is the period during which the metric is monitored, an integer between 0
and 999999.
• push_param precedes each metric threshold, it tags the metric. In the trigger Name,
this metric is renamed, as it is the first metric in the rule its position is %0.
• threshold1-value is the value of the first metric to look for over the period, an integer
between 0 and 999999.
• threshold1-operator is the first metric operator, either =, !=, >=, <=, < or >, applied to
the metric threshold value.
• <metric2>@<nb-of-seconds> push_param <threshold2-value> <threshold2-operator>
specifies the second tagged metric.
In the trigger Name, this metric is renamed, as it is the second metric in the rule its position
is %1.
• logical-operator is the operator, either & or |, applied to the metrics and their threshold.
To display in the logs the metric involved in the trigger (dis)arming, refer to the section Adding
Tagged Triggers.
11. The box Manage is ticked by default, it activates the trigger. You can untick the box to deac-
tivate the trigger, in which case the Action and Rule definition are ignored and the trigger is
never armed. For more details, refer to the section Managing or Unmanaging Triggers.
12. Click on OK to complete the operation. The report works for a while before closing. The list
is updated.
In the list, the trigger Rule definition no longer follows RPN format.
If you added the trigger in a policy deployed on several Guardian servers, click on on
the right-end side of the menu. The page refreshes and several lines appear under the trigger
itself, one for each of the servers the policy is deployed on.

Once you added a trigger, you can edit, unmanage or delete it, as detailed in the sections Editing
Triggers, Managing or Unmanaging Triggers and Deleting Guardian Triggers.

Enabling Querylog and Answerlog on Triggers

By default, Guardian logs the action configured in the triggers every time they are armed (arming)
and disarmed (disarming).

You can configure triggers to log all the queries and/or answers when they are armed, during the
whole action duration.

To enable querylog and/or answerlog, you must:

1. Edit the server properties to:
• Set the parameter querylog to 2, if you want to enable it on triggers.
• Set the parameter answerlog to 2, if you want to enable it on triggers.
For more details, refer to the chapter Setting Guardian Parameters.
2. Tick the box Querylog and/or Answerlog when you add or edit the trigger.

With either parameter enabled, the page Syslog returns more information.

918
 Managing Triggers

For instance a trigger Trigger-Z, configured with the action Log only (none) and the options
Querylog and Answerlog enabled, logs all queries and answers once it is armed. For more details,
refer to the procedure To monitor trigger operations in the logs.
01/03/2018 15:17:37 solid named[12962]: DISARMING trigger on 10.0.252.11 (action:NONE)
(Trigger-Z)
01/03/2018 15:17:32 solid named[12962]: client 10.0.252.11#38824 (wikipedia.com): answer:
wikipedia.com IN A (10.0.81.4) -> SERVFAIL
01/03/2018 15:17:32 solid named[12962]: client 10.0.252.11#38824: query: wikipedia.com
IN A (10.0.81.4)
01/03/2018 15:16:45 solid named[12962]: client 10.0.252.11#35200 (reddit.com): answer:
reddit.com IN A (10.0.81.4) -> SERVFAIL
01/03/2018 15:16:45 solid named[12962]: client 10.0.252.11#35200: query: reddit.com IN
A (10.0.81.4)
01/03/2018 15:16:42 solid named[12962]: client 10.0.252.11#16781 (reddit.com): answer:
reddit.com IN A (10.0.81.4) -> SERVFAIL
01/03/2018 15:16:42 solid named[12962]: client 10.0.252.11#16781: query: reddit.com IN
A (10.0.81.4)
01/03/2018 15:16:37 solid named[12962]: ARMING trigger on 10.0.252.11 (action:NONE)
(Trigger-Z)

To enable querylog and answerlog when you add on a trigger

1. In the sidebar, go to Guardian > Triggers. The page All triggers opens.
2. In the menu, click on Add. The wizard opens.
3. In the list Guardian policy, select the policy of your choice. You cannot select read-only
policies.
4. Click on NEXT . The page Add a trigger opens.
5. In the field Position, the trigger position is displayed in read-only. It is automatically incre-
mented based on the other triggers added to the policy.
6. In the field Name, name the trigger.
7. In the drop-down list Action, select the action to execute when the trigger is armed. Except
for Log only (none), all trigger actions are countermeasures:

Table 63.9. Trigger actions

Action Description
Log only No operation is performed. When the trigger is armed or disarmed, the event is logged on
(none) the page Syslog. This is the default value.
Quarantine The client is placed in quarantine. The quarantine protects the local recursive server, all
cached queries are accessible and sent out but the recursion is blocked. When the trigger
is armed or disarmed, the action is logged.
Block The DNS resolution is blocked. Keep in mind that, if you have private hosts on the same
NAT device or router, blocking a client IP address might block all the other clients using it
to connect the network. When the trigger is armed or disarmed, the action is logged.
Quarantine All the clients querying data not cached are redirected to a specific IP address. When the
redirect trigger is armed or disarmed, the action is logged.
The redirection address is defined in the parameters Quarantine redirect A or Quarantine
redirect AAAA. To configure them, refer to the section Configuring the Action Quarantine
Redirect.
Ratelimit The client traffic is capped to 100 queries per second, this value is set by default and cannot
be changed. When the trigger is armed or disarmed, the action is logged.

8. In the field Duration (in seconds), specify an integer between 0 and 999999 that sets how
many seconds the Action lasts once the trigger is armed.

919
 Managing Triggers

Note that the duration can be silently renewed, if the trigger is rearmed because its threshold
is reached again during the initial duration. In this case, the rearming event is only visible in
the logs.
9. In the section Action options:
a. Tick the box Querylog to log all queries when the trigger is armed.
b. Tick the box Answerlog to log all answers when the trigger is armed.
10. In the field Rule definition, specify in Reversed Polish Notation the values and thresholds
of your choice. The selected Action is triggered when the rule definition is met.
What you specify depends on the trigger you add. For more details, refer to the sections
Adding Armed by a Single Threshold, Adding Triggers Relying on Lists Metrics, Adding
Triggers Armed by Several Thresholds and Adding Tagged Triggers.
11. The box Manage is ticked by default, it activates the trigger. You can untick the box to deac-
tivate the trigger, in which case the Action and Rule definition are ignored and the trigger is
never armed. For more details, refer to the section Managing or Unmanaging Triggers.
12. Click on OK to complete the operation. The report works for a while before closing. The list
is updated.
In the list, the trigger Rule definition no longer follows RPN format.
If you added the trigger in a policy deployed on several Guardian servers, click on on
the right-end side of the menu. The page refreshes and several lines appear under the trigger
itself, one for each of the servers the policy is deployed on.

Once you configured the trigger Action options you can edit them; you can also unmanage the
trigger or delete it, as detailed in the sections Editing Triggers, Managing or Unmanaging Triggers
and Deleting Guardian Triggers.

Editing Triggers
You can edit your triggers. Before editing a trigger, note that:
• You cannot edit the trigger Position but any other parameter can be edited.
• You cannot edit a trigger belonging to a read-only policy or a policy deployment.

To edit a trigger
1. In the sidebar, go to Guardian > Triggers. The page All triggers opens.
2. Right-click on the name of the trigger you want to edit. The contextual menu opens.
3. Click on Edit. The wizard Edit a trigger opens.
4. Edit the trigger Name, Action, Duration (in seconds), Action options, Rule definition
and/or Manage configuration according to your needs. All parameters are detailed in the
section Adding Triggers.
If you untick the box Manage, the trigger can no longer be armed. For more details, refer to
the section Managing or Unmanaging Triggers.
5. Click on OK to complete the operation. The report works for a while before closing. The list
is updated.
If you edited the trigger in a policy that is deployed on one or more Guardian servers, on the
right-end side of the menu, click on . Several lines appear under the trigger itself, there
is a line for each of the server(s) the policy is deployed on.

920
 Managing Triggers

Managing or Unmanaging Triggers

You can unmanage triggers to disable them. Note that:
• An unmanaged trigger is never armed, even if its threshold is reached. It can be managed
again.
• You cannot manage or unmanage a deployed trigger. In the column Guardian server, it must
be marked N/A.

To manage or unmanage triggers

1. In the sidebar, go to Guardian > Triggers. The page All triggers opens.
2. Tick the trigger(s) of your choice. The column Status indicates if the trigger is managed, OK,
or Unmanaged.
3. In the menu:
a. To manage the trigger, select Edit > Manage > Yes. The wizard Manage opens.
b. To unmanage the trigger, select Edit > Manage > No. The wizard Unmanage opens.
4. Click on OK to complete the operation. In the column Status, the trigger is marked OK
or Unmanaged.

Deleting Triggers
You can delete your triggers. Before deleting a trigger, note that:
• You cannot delete a trigger if it is deployed on a server. In the column Guardian server, it must
be marked N/A.

To delete a trigger
1. In the sidebar, go to Guardian > Triggers. The page All triggers opens.
2. Tick the trigger(s) of your choice.
3. In the menu, click on Delete. The wizard Delete opens.
4. Click on OK to complete the operation. The report opens and closes. The trigger is no longer
listed.

921
Chapter 64. Managing Guardian Views
You can manage up to 16 views on a Guardian server with specific traffic restrictions.

By default, only view0 is enabled. To enable the 15 other views, refer to the section Enabling or
Disabling Views.

You can configure and order the views of a Guardian server. The position of a view is visible in
the column Order on the page All views. For more details, refer to the chapters Managing DNS
Views and Configuring DNS Views.

At view level, you can:

• Identify the client sending the query, rather than the DNS server(s) that forwarded it, and redirect
them to a specific view. For more details, refer to the section Identifying the Clients Querying
the Views.
• Use domain, client or specific client identifier lists to tailor client redirection to a view. For more
details, refer to the section Using Lists to Filter Guardian Views.
• Log the queries and/or answers matching a list entry, a domain, client or client identifier. For
more details, refer to the section Logging List Filters Client Activity.
• Set a transparent DNS proxy to hide the DNS server address from clients associated with a
view. For more details, refer to the section Setting a Transparent DNS Proxy for Guardian
Views.

All views can be configured using the following parameters via CLI and from the GUI. Each view
is identified using its order on the local server, a number between 0 and 15 replaced by #
throughout this section.

Table 64.1. Guardian view parameters

Parameter Description
View#.client identifiers The client identifiers configuration of the view. It allows to redirect clients to a
View#.client_identifiers view based on the IP address, DSCP, VLAN, MAC address or the device, CPE
or organization identifier of their query. For more details, refer to the section
Identifying the Clients Querying the Views.
View#.list id filter The list filtering configuration of the view. It applies a traffic policy to specific
View#.list_id_filter list entries. For more details, refer to the section Using Lists to Filter Guardian
Views.
View#.nat destination The transparent DNS proxy configuration of the view which can be applied on
View#.nat_destination a specific network. For more details, refer to the section Setting a Transparent
DNS Proxy for Guardian Views.

Displaying the Views Configuration

From the GUI, you can only display the configuration of your views from the Guardian server
properties page.

To display the view configuration in the GUI

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. In the column Guardian/GSLB, look for the server marked Yes.
3. At the end of the line of the Guardian server, click on . The properties page opens.
4. Open the panel Options:

922
 Managing Guardian Views

• The section Advanced options contains all the Guardian parameters set with a value
different from the default value. For more details, refer to the section Available Guardian
Parameters.
• Each parameter listed has its own status. For more details, refer to the section Understand-
ing Guardian Parameter Statuses.
To display all the available parameters, refer to the section Editing Guardian Configuration.

Via CLI, the server configuration contains the configuration parameters of each view.

To display the view configuration via CLI

1. Open a shell session and connect to your appliance as the default admin user, the default
password is admin, or using the credentials of a user with sudo permissions.
2. Connect to your local DNS Guardian using the command:
sudo blastcli

3. Display all Guardian parameters, including the views configuration, using the command:
show config

All view parameters start with with view#_, where # identifies each of the 16 views with a
number between 0 and 15.

Some view parameters are only available via CLI:

• view#.enabled allows to enable or disable views, as detailed in the section Enabling or
Disabling Views.
• view#.match_clients and view#.match_destinations are available but should not
be edited. They are automatically updated by the resolver.
• view#.name allows to rename views. To set its value, refer to the section Editing Guardian
Configuration of the chapter Setting Guardian Parameters.

Enabling or Disabling Views

By default, only view0 is enabled. To use any other views you must enable them via CLI.

If you do not have at least one view enabled, Guardian cannot answer clients.

The parameter view#.enabled defines if the view is enabled 1 or disabled 0. By default, the views
view1 to view15 are disabled.

To enable or disable a view

1. Open a shell session and connect to your appliance as the default admin user, the default
password is admin, or using the credentials of a user with sudo permissions.
2. Connect to your local DNS Guardian using the command:
sudo blastcli

3. Display the current views configuration using the command:

show config

4. To enable a view, use the command:

set view#.enabled=1

923
 Managing Guardian Views

where # is the ID of the view, a number between 0 and 15.

5. To disable a view, use the command:
set view#.enabled=0

where # is the ID of the view, a number between 0 and 15.

Identifying the Clients Querying the Views

If you have cascaded several resolvers, the IP address of a client is overwritten every time it is
forwarded.Therefore, once the query gets to the Guardian server, the source IP address it receives
is no longer the one of the original client.

To identify the querying clients, rather than the last resolver that transmitted their query, you can
set the parameter client identifier on each view. You can identify them using the IP address,
DSCP or VLAN of the query and/or the value of an EDNS option of the query, that can be an IP
address, a MAC address, or a CPE, device or organisation identifier.

12.0.1.200 view0
view0.client_identifiers set to
all ecs=ecs_ip
12.0.1.250 Forwarding the
client IP address view0 identifies clients using the
via the EDNS EDNS option ECS of their query
option ECS Client ID
Clients querying a 12.0.1.250
Guardian server via
cascaded recursive
DNS servers
Guardian server
view1
15.0.0.100
view1.client_identifiers not set

15.2.3.27 Not forwarding the view1 identifies clients using

client IP address the last IP address received
Client ID
15.0.0.100

Figure 64.1. Example of clients identified by the EDNS option ECS

By default when you display client statistics, the column Client ID returns the source IP address
of the DNS query received by Guardian server, whether it was forwarded or not. If you identify
clients at view level, the values returned in the column Client ID change accordingly.

For each Guardian view you can specify which field(s) of the DNS query to use as client identifier.
The parameter View#.client identifiers can identify:
Only the IP address or DSCP of the query, when preceded by default
• default ip retrieves the source IP address of the query.
• default rev_ip retrieves the source IP address of the query, in reverse format.
• default destination_ip retrieves the destination IP address of the query.
• default destination_rev_ip retrieves the destination IP address of the query, in reverse
format.
• default dscp retrieves the DSCP of the query.
After the filter default you can combine values, you must separate them with a space, e.g.
default rev_ip destination_ip .

924
 Managing Guardian Views

Only an EDNS option or the VLAN of the query, when preceded by all
• all <EDNS-option>=<identifier> retrieves the identifier declared in the EDNS option of the
query.
• all vlan retrieves the VLAN information of the query. A 802.1q VLAN ID between 1 and
4096.
With an option or VLAN specified, clients are identified using the specified information in the
client statistics, if and only if it is in the query. The keyword all implies a match to look for.
The matching clients are identified, their Client ID could look as follows: 70.0.0.24 if the
parameter contains all ecs=ecs_ip .
A combination of information sent in the query, several identifiers, when preceded by all
• all <EDNS-option>=<identifier> <ip|rev_ip|destination_ip|destination_rev_ip|dscp|vlan>
retrieves the identifier declared in the EDNS option and the source or destination IP address,
DSCP or VLAN of the query. You can choose the IP address format, standard or reverse.
With an option and the query IP address specified, the matching clients are identified in the
clients statistics. Their Client ID could look as follows: 70.0.0.24.4.3.2.1 if the parameter
contains all ecs=ecs_ip rev_ip .
Note that even after the EDNS option, you can combine all the values that identify the IP
address of the query. Their Client ID could look as follows: 70.0.0.24.4.3.2.1.192.168.25.125
if the parameter contains all ecs=ecs_ip rev_ip destination_ip .

The parameter View#.client identifiers can identify the following EDNS options.

Table 64.2. Available EDNS options and identifiers

EDNS option Description and accepted identifiers
dnsmasq_mac The MAC address sent by DNSMASQ. The option accepted identifier is:
• dnsmasq_mac. The client MAC address.

ecs The IP address of the EDNS Client Subnet (ECS), in standard or reverse format. The option
accepted identifiers are:
• ecs_ip. The ECS IP address.
• ecs_rev_ip. The ECS IP address, in reverse format.

nominum_cpeid The CPE ID received from a Nominum/Akamai DNS. The option accepted identifier is:
• nominum_cpeid. The client CPE ID.

nominum_deviceid The Device ID received from a Nominum/Akamai DNS. The option accepted identifier is:
• nominum_deviceid. The client device ID.

opendns_deviceid The Device ID received from OpenDNS/Umbrella. The option accepted identifier is:
• opendns_deviceid. The client device ID.

opendns_ip The IP address or organization ID received from OpenDNS/Umbrella, in standard or reverse

format. The option accepted identifiers are:
• opendns_ip. The client IP address.
• opendns_rev_ip. The client IP address, in reverse format.
• opendns_orgid. The client organization ID.

Before identifying clients at view level, note that:

• The querying clients are identified whether their query involves IPv4 or IPv6. All the client
identifier parameters that accept an IP address, identify an IPv4 address or an IPv6 address.
• The client identifiers you set define how the client information is displayed is the client statistics.
For instance, if you set the parameter to all ecs vlan=ecs_ip vlan, the Client ID of the matching
client could look as follows: 70.0.0.24.4021 .

925
 Managing Guardian Views

For more details, refer to the section Managing Guardian Client Statistics in the chapter Man-
aging Guardian Statistics.
• If you identify clients using several identifiers, the clients are only identified if they match the
whole definition.
For instance, if you use all ecs=ecs_ip rev_ip to identify clients using an EDNS option and the
IP address of the query, but the option is not found in the query, the whole definition is ignored.
Clients are not identified using rev_ip. Instead, either the clients are identified using the IP
address of the original query, or, if you specified several definitions, the next one may match
their query and identify them.
• You can specify several identifiers, separated by a comma. With several identifiers, the para-
meter is used as an ACL. All the options are reviewed in order, the first one that matches the
client query is used to identify clients. For instance, with all opendns_ip ecs=opendns_ip
ecs_rev_ip specified:
• If the option opendns_ip is in the client query, the client is identified using the IP specified
in the EDNS option. The ecs identifier details are ignored.
• If the option opendns_ip is not in the client query, then we look for the option ecs. If ecs is
in the query, the client is identified using the reverse IP specified in the EDNS option.
• If none of them are found, the client is identified using the IP address of the original query,
as if the parameter was set to default ip.
• You can use client lists to filter traffic to the view and complete the client identifier configuration.
In this case, the parameter View#.list id filter identifies the lists to take into account and the
policy to apply.
• If you use a client list, the list content must match the order and format of the identifiers
specified in the parameter View#.client identifiers.
• If you use a client specific-id list, the list content must match the identifier specified in the
List#.client identifiers.
For more details, refer to the sections Configuring the Content of a List and Identifying Clients
via a List in the chapter Managing Lists.
• To stop identifying clients, you must empty the parameter View#.client identifiers. The clients
of the view are identified using the last resolver that transmitted their query again, whether it
was forwarded or not.

To identify the clients of a Guardian view

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the Guardian server of your choice, click on . The properties page
opens.
3. In the panel Options, click on EDIT . The wizard Options configuration opens.
4. Click on NEXT until you reach the last page of the wizard.
5. In the drop-down list Display option(s), select all. The list of all Guardian parameters is
displayed.
6. In the field Client stats, make sure that yes (1) is selected. If it is not, select it.
7. In the field View#.client identifiers, specify the client identifier(s) of your choice for the view:
<default|all> <identifier>
where the expected identifier format depends on default or all.
a. To only identify clients using the source or destination IP address or DSCP of the query,
in standard or reverse format, you must set the parameter as follows:
default <ip|rev_ip|destination_ip|destination_rev_ip|dscp>

926
 Managing Guardian Views

You can combine the values if you separate them with a space, e.g. default rev_ip
destination_ip.
b. To only identify clients using a VLAN, you can set the parameter as follows:
all vlan
c. To only identify clients using a specific EDNS option, you can set the parameter as fol-
lows:
all <EDNS-option>=<identifier>
All accepted values are described in the table Available EDNS options and values.
Note that if an EDNS option specified is not found in the query, the client is identified
using the source IP address of the original query, as if the parameter was set to default
ip.
d. To identify clients using several EDNS options, you can set the parameter as follows:
all <EDNS-option1> <EDNS-option2>=<identifier1> <identifier2>
You define the options to look for on the one hand, before =, and the format of their
value on the other hand, after =. All options and values are separated by a space.
Note that if the option specified is not found in the query, the whole identifier definition
is ignored. In this case, the client is either identified using two options or using next
identifier, if you specify several.
e. To identify clients using both an EDNS option and the IP address, DSCP or VLAN of
the query, you can set the parameter as follows:
all <EDNS-option>=<identifier> <ip|rev_ip|destination_ip|destination_rev_ip|dscp|vlan>
You can combine all the values that identify the IP address of the query if you separate
them with a space.
Note that if the option specified is not found in the query, the whole identifier definition
is ignored. In this case, the client is either identified using the IP address of the original
query or using next identifier, if you specify several.
f. To configure several identifiers for the view, you must separate them with a comma ","
as follows:
all <EDNS-option1>=<identifier1>, all <EDNS-option2>=<identifier2> <ip|rev_ip|destin-
ation_ip|destination_rev_ip|dscp|vlan>, default rev_ip
Each identifier is reviewed in order. If the first one matches a client query, all the other
are ignored. If the first one does not match a client query, the next one is reviewed, etc.
Note that if none of the values specified match a query, the client is identified using the
source IP address of the original query.
8. If you want to use client lists to complete the client identifier configuration of the view, in the
View#.list id filter you must specify the relevant list(s) and set their policy.
For more details, refer to the section Using Lists to Filter Guardian Views.
9. Click on OK to complete the operation. The wizard closes.

Using Lists to Filter Guardian Views

You can use Guardian lists to filter the traffic going through Guardian views. If you have not
configured lists yet, refer to the chapter Defining the Type of a List.

The parameter View#.list id filter allows to define traffic policies for each Guardian view based
on the content of existing domain, client or specific client identifier lists. For instance, your policy
could, based on the view traffic, differentiate domain names associated with many IP addresses
or redirect clients.

927
 Managing Guardian Views

The parameter must:

1. Define a filter, that specifies which entries should be applied a traffic policy. These entries
match the content of the list(s) of your choice. For more details, refer to the section Managing
Lists.

Table 64.3. Guardian list filters for views

Filter Description
any The view policy applies to the entries present in any of the specified domain, client or specific
client identifier list(s).
all The view policy only applies to the entries present in all of the specified domain, client or specific
client identifier lists. This implies the use of several lists.
none The view policy applies to the entries present in none of the specified domain, client or specific
client identifier list(s).
default The view policy applies to all the entries not impacted by another action. This implies the use of
several actions. There is no need to specify a list for this filter.
This filter cannot be used before entry tags.

2. Specify the list(s) and entry tag(s) to use, the filter you define only applies to the content
of the specified list.
Every list is specified using its ID, a number between 0 and 7. The list ID allows to take into
account the content of one or several lists:
• To use the content of a list in your filter, specify its ID as follows: 1.
• To avoid the content of a list in your filter, type in ! before its ID as follows: !0.
If you automatically update the content of a list using an authoritative zone, the TXT records
of the zone may include tags for specific entries of a list. For more details on how to tag list
entries, refer to the section Automatically Updating the Content of a List in the chapter Managing
Lists.
List entry tags allow to configure Client Query Filtering (CQF) and secure traffic to the view,
they can narrow down specific domains (destinations) and/or clients (sources) thanks to the
following configuration parameters:
tagmatch (<list-id>, <tags>)
Allows to look for tagged entries within one list, where:
• <list-id> is the ID the list.
• , separates the list ID and tag information. Both are taken into account.
• <tags> is one or several tags separated by a space. All tags must be included in the
field Text of the TXT records or the zone configured to automatically update the list.
If you specify several tags, for instance with tagmatch (0, untrusted unsafe), you apply
one of the list filters to entries set with either tag in the specified list. To look for all these
tags in one list, you must specify tagmatch for as many tags as needed, here it would be
tagmatch (0, untrusted) tagmatch (0, unsafe) .
You can use ! in front of a tagmatch configuration, or within the configuration in front of a
list or tag. For instance all tagmatch (!0, safe) passthru would let any client query an entry
tagged safe except if the entry belongs to list 0.
tagjoin (<list-ids>, <tags>)
Allows to look for tagged entries within one or more lists, where:
• <list-ids> is the ID of one or several lists separated by a space.
• , separates the list ID and tag information. Both are taken into account.
• <tags> is one or several tags separated by a space. All tags must be included in the
field Text of the TXT records or the zone configured to automatically update the list.

928
 Managing Guardian Views

If you specify several lists, for instance with tagjoin (1 2, untrusted), you apply one of the
list filters to the tag in either of the specified lists. To look for one tag in all these lists, you
must specify tagjoin for as many lists as needed, here it would be tagjoin (1, untrusted)
tagjoin (2, untrusted) .
If you specify several tags, for instance with tagjoin (3, untrusted unsafe), you apply one
of the list filters to entries set with either tag in the specified list. To look for all these tags
in one list, you must specify tagjoin for as many tags as needed, here it would be tagjoin
(3, untrusted) tagjoin (3, unsafe) .
You can use ! in front of a tagjoin configuration, or within the configuration in front of a list
or tag. For instance all tagjoin (3, untrusted !safe unsafe) quarantine would put in quarantine
any client querying an entry of the list 3 if it is tagged untrusted or unsafe but would let
them query entries with the tag safe.
Your list configuration can use tagjoin and tagmatch, you mut seperate them with a space:
<any|all|none> tagmatch (<list-id>, <tags>) tagjoin (<list-id>, <tags>) <action>
3. Specify which action to execute, to the specified filter and list. Except for nocache and
passthru all view actions are countermeasures:

Table 64.4. Guardian view actions

Action Description
drop The server drops each matching query from the client.
nocache The server proceeds directly to recursion and does not answer with the cached records.
The query is counted as C-miss in the cache statistics of the view. For more details,
refer to the section Displaying Guardian Cache Content.
nodata The server sends a NODATA response to each matching query from the client.
notrigger The server ignores any trigger involving the list content. It configures a whitelist that
forces the server to disregard the list content, the matching trigger action is never ex-
ecuted.
nxdomain The server sends an NXDOMAIN response to each matching query from the client.
passthru If the queried domain is present in the cache, the server replies with the cached answer.
Otherwise, the server proceeds to recursion, send the answer to the client and caches
the record for future use. The query is counted as C-miss in the cache statistics of the
view. For more details, refer to the section Displaying Guardian Cache Content.
quarantine The server answers the matching query only if it is present in the cache. Otherwise, it
does not answer.
quarantine redirect All the matching queries are answered if they are present in the cache. Otherwise, each
matching query is redirected to a specific IP address.
The redirection address is defined in the parameters Quarantine redirect A or Quarantine
redirect AAAA. To configure them, refer to the section Configuring the Action Quarantine
Redirect.
redirect The server redirects each matching query from the client to the IPv4 or IPv6 address
of your choice.
The redirection address is defined in the parameters List redirect a and List redirect
aaaa. To configure them, refer to the section Configuring the Action Redirect.

The filter, list and action define and apply a traffic policy for the view.

Note that:
• The parameter View#.list id filter can be set for each of the 16 Guardian views available, #
identifies each view using its ID, a number between 0 and 15.
• Each view can be set with several policies.

929
 Managing Guardian Views

• The parameter configuration applies to clients present in the match-client configuration of the
view and querying an entry present in the specified list(s).
• The parameter configuration extends the match-destination configuration of a Guardian view
to apply an advanced traffic policy. This policy can be based on a domain, client or client
identifier. For more details on the list types, refer to the section Defining the Type of a List.
• If a domain, client or client identifier involved in the query is not in the list(s), Guardian applies
the default policy passthru.
• To stop using lists to filter view traffic, you must empty the parameter View#.list id filter.

To filter a Guardian view using lists

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the Guardian server of your choice, click on . The properties page
opens.
3. In the panel Options, click on EDIT . The wizard Options configuration opens.
4. Click on NEXT until you reach the last page of the wizard.
5. In the drop-down list Display option(s), select all. The list of all Guardian parameters is
displayed.
6. In the field View#.list id filter, specify your policy as follows:
<filter> <list> <action>
where:
• filter is one of the list filters.
• list is a list configuration that relies on or more lists and even entry tags.
• action is one of the view actions.
To configure several policies for the view, you must separate them with a comma "," as fol-
lows:
<filter1> <list1> <action1>, <filter2> <list2> <action2>
To log the client activity based on the list filtering policy, refer to the section Logging List
Filters Client Activity.
7. If you set policies, one policy may not impact all entries of the specified list(s). In this case,
you can complete the policy configuration to apply another action to the remaining entries:
<filter1> <list1> <action1>, default <action2>
where:
• default takes into account all the entries that are not included in the filter of the other policy,
or policies, of the view.
• action2 applies one of the view actions to these entries. There is no need to specify a list
for this filter, it automatically takes into account what is left.
8. Click on OK to complete the operation. The wizard closes.

Configuring the Action Redirect

The action redirect is set at view level, it applies to all views. By default it is disabled, it redirects
the clients matching the specified list(s) entries to the localhost. You can set the redirection to
the IP address of your choice.

Before configuring the redirect, keep in mind that it relies on:

1. A target IP address, where client queries are redirected when a list entry is matched.

930
 Managing Guardian Views

• In IPv4, the target IP is defined by the parameter List redirect a. By default, it is set to
127.0.0.1
• In IPv6, the target IP is defined by the parameter List redirect aaaa. By default, it is set to
::1
2. A duration defined by the parameter List redirect ttl. By default, it is set to 300 seconds, it
applies to the IPv4 and IPv6 redirections.

To configure the redirect parameters of a view from the GUI

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the Guardian server of your choice, click on . The properties page
opens.
3. In the panel Options, click on EDIT . The wizard Options configuration opens.
4. Click on NEXT until you reach the last page of the wizard. The list of all Guardian parameters
is displayed.
5. In the drop-down list Display options(s), all is selected.
6. Scroll down until you get to the parameters, they are listed in alphabetical order:
a. In the field List redirect a, specify the IPv4 address of your choice. By default, it is set
to 127.0.0.1.
b. In the field List redirect aaaa, specify the IPv6 address of your choice. By default, it is
set to ::1.
c. In the field List redirect ttl, specify the number of seconds of your choice. By default,
it is set to 300.
7. Click on OK . The report works for a while and closes.
In the panel Options, the values you changed are displayed.

To configure the redirect parameters of a view via CLI

1. Open a shell session and connect to your appliance as the default admin user, the default
password is admin, or using the credentials of a user with sudo permissions.
2. Connect to your local DNS Guardian using the command:
sudo blastcli

3. Specify the IPv4 address of your choice in the parameter list_redirect_a using the
command:
set list_redirect_a=<IPv4-address>

By default, it is set to 127.0.0.1 .

4. Specify the IPv6 address of your choice in the parameter list_redirect_aaaa using the
command:
set list_redirect_aaaa=<IPv6-address>

By default, it is set to ::1 .

5. Specify the TTL of your choice for the redirection in the parameter list_redirect_ttl
using the command:
set list_redirect_ttl=<seconds>

By default, it is set to 30.

931
 Managing Guardian Views

Once your configuration is complete, it applies to all the views you configure with the parameter
view#.list_id_fiter and the action Redirect. For more details, refer to the section Using Lists to
Filter Guardian Views.

Logging List Filters Client Activity

All the domain, client or specific client identifier lists you configured to filter the views can be set
to log the client activity via three options that you can combine:
+querylog
Allows to log the queries to an entry belonging to a list. All the queries that match the filter
are logged.
+answerlog
Allows to log the answers sent to the client. All the answers that match the filter are logged.
+listlog
Allows to log the query and the name of the list, only for view filter matches.
Therefore, setting +listlog for lists configured with the filter none is useless, the list is never
returned in the logs.

To configure logging based on the lists used to filter Guardian views you must:
• Set Guardian parameters Querylog, Answerlog and/or List log to 2. For more details, refer to
the chapter Setting Guardian Parameters.
• Specify the option +querylog, +answerlog and/or +listlog when you set the parameter View#.list
id filter.

For instance, you can decide to enable the querylog, answerlog and list log for all the entries of
the lists mylist1 and mylist2, with mylist1 containing wikipedia.com and reddit.com and mylist2
containing reddit.com. If a client requests these two domains, the following information is available
on the page Syslog:
May 31 15:17:32 solid named[63380]: client 10.0.252.11#38824 (wikipedia.com): answer:
wikipedia.com IN A (10.0.81.4) -> SERVFAIL
May 31 15:17:32 solid named[63380]: client 10.0.252.11#38824: query: wikipedia.com IN
A (10.0.81.4)
May 31 15:17:32 solid named[63380]: List Matched 10.0.81.4#38824: query: wikipedia.com
IN A (10.0.81.4){mylist1}
May 31 15:16:46 solid named[63380]: client 10.0.252.11#26822 (reddit.com): answer:
reddit.com IN A (10.0.81.4) -> SERVFAIL
May 31 15:16:46 solid named[63380]: client 10.0.252.11#26822: query: reddit.com IN A
(10.0.81.4)
May 31 15:16:46 solid named[63380]: List Matched 10.0.81.4#26822: query: reddit.com IN
A (10.0.81.4){mylist1,mylist2}

For more details regarding how to display the logs, refer to the section Syslog.

To enable Querylog, Answerlog and/or List log on lists filtering views

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the Guardian server of your choice, click on . The properties page
opens.
3. In the panel Options, click on EDIT . The wizard Options configuration opens.
4. Click on NEXT until you reach the last page of the wizard.
5. In the drop-down list Display option(s), select all. The list of all Guardian parameters is
displayed.

932
 Managing Guardian Views

6. In the field View#.list id filter, specify the logging configuration of your choice as last value
of the parameter.
a. To enable the option answerlog, specify <filter> <lists> <action> +answerlog.
b. To enable the option querylog, specify <filter> <lists> <action> +querylog.
c. To enable the option list log, specify <filter> <lists> <action> +listlog.
d. To enable several, or all three options, specify them one after the other without spaces:
<filter> <lists> <action> +querylog+listlog+answerlog.
Keep in mind that +listlog is ignored if you use the filter none.
For more details on the available <filter>, <lists> and <action> preceding the logging option,
refer to the list filters, list configuration and view actions.
7. Click on OK to complete the operation. The wizard closes.

Setting a Transparent DNS Proxy for Guardian Views

On a specific network, the administrator can root all the DNS traffic to a DNS server that answers
all the queries at destination of port 53, whatever the destination address is. If a client connected
to said network is configured with another DNS server address, it is still answered by Guardian
with no mention of the routing. You can set one network address per view.

Note that this feature does not use NAT.

To set a transparent DNS proxy for a Guardian view

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the Guardian server of your choice, click on . The properties page
opens.
3. In the panel Options, click on EDIT . The wizard Options configuration opens.
4. Click on NEXT until you reach the last page of the wizard.
5. In the drop-down list Display option(s), select all. The list of all Guardian parameters is
displayed.
6. To set a transparent DNS proxy for a view, in the field View#.nat destination, specify the
network address and prefix of your choice as follows: <network address>/<prefix>.
7. To disable a transparent DNS proxy for a view, leave the field View#.nat destination empty.
8. Click on OK to complete the operation. The wizard closes.

933
Chapter 65. Managing Lists
Guardian provides by default 8 lists that you can configure and use to tailor client traffic at view
level or to customize trigger definitions.

All lists are empty by default, which is why you must specify their content before anything else.

To properly exploit a list you must:

1. Define its type.
The list type defines one of the following acceptable contents:
• A domain list, that only contains domains information, their FQDN or IP address.
• A client list, that only contains client names, client IP addresses or client networks.
• A specific client identifier list, that only contains clients identifiers to identify the original
query of the clients rather than the IP address of the last query received. They can contain,
IP addresses, MAC addresses, DSCP values, or even EDNS options.
A list cannot contain domain and client information. For more details, refer to the section De-
fining the Type of a List.
Note that you can also rename each list to display a name rather than a list ID, like list0, when
you display their content. For more details, refer to the section Renaming a List.
2. Configure its content, with domain or client information, depending on its type.
A list can contain all the entries of your choice. Its content can be automatically updated through
zone transfer, as detailed in the section Automatically Updating the Content of a List, or con-
figured manually via CLI, as detailed in the section Manually Configuring the Content of a List.
Once configured, the list content can only be displayed via CLI. For more details, refer to the
section Displaying the Lists Content.
Note that you can define how to save the list content, as detailed in the section Setting a List
Saving Mechanism.
3. Use the list at view and/or trigger level. The list ID allows to complete configurations.
• At view level, the chapter Managing Guardian Views details how you can use lists to:
• Filter client traffic toward the views. For more details, refer to the section Using Lists to
Filter Guardian Views.
• Filter clients based on the identifier of their original query, an IP address or an EDNS option.
For more details, refer to the section Identifying the Clients Querying the Views.
• At trigger level, you can include list metrics in a trigger definition to tailor its execution
threshold(s). For more details, refer to the section Adding Triggers Relying on Lists Metrics
in the chapter Managing Triggers.

How you use a list determines its purpose, it can be:

• A whitelist that is taken into account, included, in the configuration of the view parameters or
trigger definition.
• A blacklist that is ignored, excluded, in the configuration of the view parameters or trigger
definition.

All the list parameters are described in the table below. Each parameter matches a specific list,
via list# where # is one of the 8 available lists using a number between 0 and 7.

934
 Managing Lists

Table 65.1. Guardian lists parameters

Parameter Description
List#.name The name of the list list#; where # is the list ID, a number between 0 and 7.
List#.name For more details, refer to the section Renaming a List.
List#.save The parameter that sets if the list list# is saved or cleared when the service
List#.save DNS Guardian restarts. For more details, refer to the section Setting a List
Saving Mechanism.
List#.type The update frequency of the list list# if it is configured to automatically retrieve
List#.type the content of a zone. For more details, refer to the section Defining the Type
of a List.
List#.refresh period The incremental update, in seconds, of the list list# with the retrieved zone
List#.refresh_period content. For more details, refer to the section Automatically Updating the
Content of a List.
List#.request xfer The server parameters for the command dig used to automatically update the
List#.request_xfer list list#. For more details, refer to the section Automatically Updating the
Content of a List.
List#.zone name The name of the zone from which the content is retrieved to automatically update
List#.zone_name the list list#. For more details, refer to the section Automatically Updating the
Content of a List.
list#.client identifiers The client identifiers configuration of the list list#. This configuration can replace
list#.client_identifiers or complete the client identifier configuration set at view level. For more details,
refer to the section Identifying Clients via a List.

In addition to these parameters, via CLI you can:

• Reset the counter of the matched list entries, as detailed in the section Resetting the Counter
of a List.
• Empty your lists, as detailed in the section Clearing a List.

Displaying the Lists Content

You can display the content of all lists or of a specific list via CLI.

As by default all 8 Guardian lists are empty, to display any data at least one list must contain
entries. For more details, refer to the section Configuring the Content of a List.
DNS Blast> show list

Used | * | = | EOL | List ID members | Name

0 | * | = | 0 | 4 | 0-2u.com
0 | * | = | 0 | 4 | 0-800horoscopes.com
0 | * | = | 0 | 4 | 0-apr-card-credit-4u.info
0 | * | = | 0 | 4 | 0-holds-barred.com
0 | * | = | 0 | 4 | 0-p-0.xz.cn
0 | * | = | 0 | 0 {trusted} | anothertrusteddomain.com
0 | * | = | 0 | 2 | artemislist.gti.myantivirus.com
0 | * | = | 0 | 2 | cwl2.gti.myantivirus.com
0 | * | = | 0 | 2 | ens.rest.gti.myantivirus.com
0 | * | = | 0 | 3 | evilzone.net
0 | * | = | 0 | 2 | mace.rest.gti.myantivirus.com
0 | * | = | 0 | 0 {trusted} | mydomain.com
0 | * | = | 0 | 0 {trusted} | nicedomain.com
0 | * | = | 0 | 3 | reallynotnicezone.com
0 | * | = | 0 | 2 | realprotect1.myantivirus.com
0 | * | = | 0 | 1 | secretzone.mydomain.com
0 | * | = | 0 | 1 | secretzone2.outside.com
0 | * | = | 0 | 2 | tie.gti.myantivirus.com
0 | * | = | 0 | 2 | tunnel.message.trustedsource.org

935
 Managing Lists

0 | * | = | 0 | 3 | verybadzone.ws
...

When the command is executed without filters, it returns the Top 50 entries most Used entries
and sorts them by Name. All the information is returned in the following columns.

Table 65.2. show list columns

Column Description
Used The number of times the entry matched a query sent to Guardian. It is only incremented
if the list is used on a view or in a trigger. To reset the number of matched entries, refer
to the section Resetting the Counter of a List.
* One of the possible values of an entry specified with the wildcard * was matched. The
column Name returns the entry without the wildcard, it can be a subdomain, several IP
addresses, etc.
If the list contains a Name twice, with and without wildcard, it is only listed once and pre-
ceded by | * | = |.
= The entry in the column Name must match exactly.
If the list contains a Name twice, with and without wildcard, it is only listed once and pre-
ceded by | * | = |.
List ID members The ID of the lists where the entry is present, separated by a , (comma).
Any renamed list is followed by its new name between brackets {}. For more details, refer
to the section Renaming a List.
Name The name of the list entry, i.e. a domain, client or client identifier depending on the list
type.
If the list contains an entry twice, with and without wildcard, it is only listed once and pre-
ceded by | * | = |.

To display Guardian list entries

1. Open a shell session and connect to your appliance as the default admin user, the default
password is admin, or using the credentials of a user with sudo permissions.
2. Connect to your local DNS Guardian using the command:
sudo blastcli

3. To display the lists entries, use the command:

show list

By default, the command displays the 50 most Used entries in all lists.
4. To display the entries of a specific list, use the command:
show list list_id=#

For instance, displaying the content of list 1 could look as follows:

DNS Blast> show list list_id=1

Used | * | = | EOL | List ID members | Name

0 | * | = | 0 | 1 {subdomains} |
specialzone.mydomain.com
0 | * | = | 0 | 1 {subdomains} |
secretzone.mydomain.com
0 | * | = | 0 | 1 {subdomains} (trusted) |
secretzone2.outside.com

Note that the list was renamed, so its ID is followed by the list {name}. In addition, one of its
entries is tagged, the (tag) is also returned after the list ID. For more details, refer to the
sections Renaming a List and Automatically Updating the Content of a List.

936
 Managing Lists

Renaming a List
By default, the 8 Guardian lists are named from list0 to list7. This default name is always used
in each parameter name but you can rename lists.

Your new list name is available on the properties page of the Guardian server, along with all the
list parameters you configured. In addition, it is returned between brackets when you display the
lists content. For more details, refer to the section Displaying the Lists Content.

To rename a Guardian list from the GUI

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the Guardian server of your choice, click on . The properties page
opens.
3. In the panel Options, click on EDIT . The wizard Options configuration opens.
4. Click on NEXT until you reach the last page of the wizard.
5. In the drop-down list Display option(s), select all. The list of all Guardian parameters is
displayed.
6. To edit the name of a list, in the field List#.name, specify the new name.
7. Click on OK to complete the operation. The wizard closes.

To rename a Guardian list via CLI

1. Open a shell session and connect to your appliance as the default admin user, the default
password is admin, or using the credentials of a user with sudo permissions.
2. Connect to your local DNS Guardian using the command:
sudo blastcli

3. Specify the name of your choice in the parameter list#.type. In the following command,
list1 is renamed domains:
set list1.name=domains

Defining the Type of a List

By default all Guardian lists are domain lists. Guardian provides three types:
• domain lists, the default type 0, dedicated to gathering domain names.
• client lists, type 1, dedicated to IP addresses used to identify clients.
• list client specific-id lists, type 2, dedicated to any client identifier, it must be specified in a
format that matches the list client identifier parameter. For more details, refer to the section
Identifying Clients via a List.

Keep in mind that:

• Once you set a list type, you must configure its content before using it. For more details, refer
to the section Automatically Updating the Content of a List or to the section Configuring the
Content of a List.
• For client lists, the expected entries and their format depend on the identifier(s) specified in
the parameter View#.client identifiers.
For more details, refer to the section Identifying the Clients Querying the Views in the chapter
Managing Views.

937
 Managing Lists

• For specific client-id lists, the expected format of the entries of the list depends on the identifier(s)
specified in the parameter List#.client identifiers.
For more details, refer to the section Identifying Clients via a List.

To change a Guardian list type from the GUI

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the Guardian server of your choice, click on . The properties page
opens.
3. In the panel Options, click on EDIT . The wizard Options configuration opens.
4. Click on NEXT until you reach the last page of the wizard.
5. In the drop-down list Display option(s), select all. The list of all Guardian parameters is
displayed.
6. In the drop-down list List#.type, select domain (0), client (1) or list specific client-id (2). By
default, it is set to 0.
7. Click on OK to complete the operation. The wizard closes.

To change a Guardian list type via CLI

1. Open a shell session and connect to your appliance as the default admin user, the default
password is admin, or using the credentials of a user with sudo permissions.
2. Connect to your local DNS Guardian using the command:
sudo blastcli

3. Specify the type of your choice in the parameter list#.type. By default, it is set to 0.
Set it to 0 for a domain list, 1 for a client list or 2 for a list specific client-id list. In the following
command, we define list0 as a client list.
set list0.type=1

Configuring the Content of a List

By default, Guardian provides 8 empty lists. You must configure their content to use them.

There are two ways of configuring a list, you can:

1. Automatically retrieve the content of a zone, some records become list entries.
To avoid any misconfiguration, we recommend using this method. For more details, refer to
the section Automatically Updating the Content of a List.
2. Manually add each list entry via CLI.
For more details, refer to the section Manually Configuring the Content of a List.

You cannot configure a list with both methods, you either automatically update a list content
or manually configure it. Once you set a list to automatically retrieve a zone data, any entry not
matching a record of the zone is deleted at the next refresh.

Before configuring the content of a list, note that:

• Each list can contain as many entries as you want, once you defined their type.
• The entries of the list are reviewed in order.
• The list type determines the expected format and values of its entries, it can contain domains
(type 0), IP address that identify clients (type 1) or other client identifiers declared with a spe-

938
 Managing Lists

cific format (type 2). By default, all lists are domain lists. To change their type and make them
client lists, refer to the section Defining the Type of a List.
• By default, Guardian servers are both authoritative and recursive, the parameter recursive is
set to 2. Therefore, each authoritative query results in a cache miss. To avoid arming triggers
based on cache miss answers for clients querying your domains, you can add a list containing
all the domains your server has authority over. Once the list is configured, you can take it into
account in the relevant trigger(s). For more details, refer to the section Adding Triggers Relying
on Lists Metrics in the chapter Managing Lists.
• If you want to use lists to identify clients, keep in mind that:
• You can configure the content of a specific client-id list, of type 2. The expected format of
the entries of the list depends on the identifier(s) specified in the parameter List#.client
identifiers. For more details, refer to the section Identifying Clients via a List.
For instance, if the List#.client identifiers is the EDNS option ecs_rev_ip, your entries must
be match ECS IP addresses in reverse, e.g. 250.48.16.16.
• You can also configure the content of a client list, of type 1. The list expected entries and
their format depend on the identifier(s) specified in the parameter View#.client identifiers.
The values of each entry must match the order and format of the client identifier set on the
view. For more details, refer to the section Identifying the Clients Querying the Views in the
chapter Managing Views.
For instance, if the View#.client identifiers is all ecs dnsmasq_mac=ecs_rev_ip dnsmasq_mac,
your entries must include both an ECS IP address in reverse and a DNSMASQ MAC address,
separated by a dot ".", e.g. 250.48.16.16.00:aa:18:18:aa:00. The options must always be
specified in this order, you must not change it.
In both cases, your list is only used if you specify it in the parameter View#.list id filter of the
relevant view. This parameter allows to apply the policy of your choice to the list content, you
can include or exclude it.

Automatically Updating the Content of a List

From the GUI, you can automatically update the content of a list from an external source, a zone.

You should use this method to avoid any list content misconfiguration. Instead of manually
adding each list entry, this configuration allows to retrieve and synchronize the content of a zone
and automatically add the relevant entries in the list.

The parameters List#.request xfer and List#.zone name allow to specify one of the following:
• A zone located on a third party DNS server, like SURBL.
• An authoritative zone on your local DNS server, or any DNS server.

The list content update relies on the command dig and zone transfer. All the CNAME and TXT
records of the zone add entries to the list, the content refreshes every minute. Which is why,
once you configure the automatic update, you can no longer manually add entries to the list, they
are overwritten or deleted at the next refresh.

If you specify an authoritative zone, note that:

• The list content can be displayed via CLI or from the page All RRs, if you manage the zone
from a SOLIDserver appliance.
For more details, refer to the sections Displaying the Lists Content and Browsing the DNS
Resource Records Database in the chapter Managing DNS Resource Records.
• All the TXT records it contains can tag the matching entries in the list. These tags can be
leveraged at view level to filter traffic and configure Client Query Filtering (CQF).

939
 Managing Lists

When you add TXT records, any keyword specified in the field Text can be used as a tag for
the matching entry in the list. If you specify several tags, you must separate them with a space.
For more details, refer to the section Adding a TXT Record in the chapter Managing DNS Re-
source Records.
Once you configured your entry tags, you can use them in the configuration of the parameter
View#.list_id_filter. For more details, refer to the section Using Lists to Filter Guardian Views
in the chapter Managing Guardian Views.

To automatically update the content a Guardian list from a zone

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the Guardian server of your choice, click on . The properties page
opens.
3. In the panel Options, click on EDIT . The wizard Options configuration opens.
4. Click on NEXT until you reach the last page of the wizard.
5. In the drop-down list Display option(s), select all. The list of all Guardian parameters is
displayed.
6. In the field List#.refresh period, you can edit the frequency of the incremental update of
List#.zone name. By default, it is set to 60 seconds. The minimal refresh period value is 5
seconds.
7. In the field List#.request xfer, specify the DNS server to query as follows:
@<server> <optional-dig-parameters>
where:
• server is the IP address or FQDN of the DNS server of your choice.
• optional-dig-parameters can accept all relevant dig options like -y [hmac:]<name:tsig-
1
key> .
8. In the field List#.zone name, specify the name of the zone of your choice, within the specified
server. The zone content is retrieved to update the list content.
9. To stop automatically updating the list content, empty out the fields. The list still contains the
entries retrieved during the last refresh, to delete entries refer to the section Clearing a List.
10. Click on OK to complete the operation. The wizard closes.

Once your list content is configured, you can use the list in a view or trigger configuration. For
more details, refer to the section Using Lists to Filter Guardian Views in the chapter Managing
Views and to the section Adding Triggers Relying on Lists Metrics in the chapter Managing
Triggers.

Manually Configuring the Content of a List

Via CLI, you can add all the entries of a list one by one. Note that:
• We recommend automatically updating its content instead. For more details, refer to the section
Automatically Updating the Content of a List.
• Adding an entry to a list configured with the automatic update is useless, any new entry is
overwritten at the next refresh.

To manually configure the content of a Guardian list

1. Open a shell session and connect to your appliance as the default admin user, the default
password is admin, or using the credentials of a user with sudo permissions.

1
For more details regarding the command dig, refer to the ISC documentation, available at ftp://ftp.isc.org/www/bind/arm95/man.dig.html.

940
 Managing Lists

2. Connect to your local DNS Guardian using the command:

sudo blastcli

3. Display the current lists configuration, using the command:

show config

All list parameters start with with list#_, where # identifies each of the 8 list with a number
between 0 and 7.
For each list, the value of list#.type indicates if it is a domain list (0), client list (1) or list
specific client-id list (2). Each type impacts the expected entries.
4. Add a list entry using the command:
create list_entry list_id=# <list-entry>

where # is the list ID, a number between 0 and 7, and list-entry is specified using:
• A Fully Qualified Domain Name, for domain lists (0), it can include the wildcard * to
specify a subdomain. For instance:
create list_entry list_id=0 *.verybadzone.ws would add any subdomain of verybadzone.ws
to the first list, list 0.
• An IPv4 or IPv6 address for client list (1) or list specific client-id lists (2). This IP address
identifies a client. If you configure the parameter View#.client identifiers or List#.client
identifiers, the IP address is sent along with the original query of the client, potentially via
an EDNS option. It can include the wildcard * to specify several IP addresses or a network.
For instance:
create list_entry list_id=1 192.168.* would add any IP address or network between the
addresses 192.168.0.0 and 192.168.255.255 to the second list, list 1.
create list_entry list_id=2 *.10.168.192 would add any IP address or network between the
addresses 0.10.168.192 and 255.10.168.192 to the third list, list 2.
For more details, refer to the section Identifying the Clients Querying the Views in the
chapter Managing Views or to the section Identifying Clients via a List.
• Any other identifier, for list specific client-id lists (2). In each list, the entries expected
format depends on the configuration of the parameter List#.client identifiers. That identifier
is sent along with the original query of the client, it can be a DSCP, MAC address, CPE
ID, device ID, organization ID, record type or VLAN ID, depending on the configuration of
the parameter List#.client identifiers. It can include the wildcard * to match several values.
For instance:
create list_entry list_id=3 12 would add the DSCP 12 to the fourth list, list 3. This entry is
only relevant if the parameter List3.client identifiers is set to dscp.
For more details, refer to the section Identifying Clients via a List.
• A combination of identifiers separated by a dot for client list (1) if you want to use lists
to identify clients at view level, or for list specific client-id lists (2) if a list client identifiers
contains several values. Each entry expected values, order and format depend on the
configuration of the parameter View#.client identifiers or List#.client identifiers. It can include
the wildcard * to match several values.
create list_entry list_id=4 12.12.150.250.1035 would add an entry including an IP address
and VLAN ID to the fifth list, list 4. It matches a client identifier configured on a view set
to all opendns_ip vlan=opendns_ip vlan. Both values, the IP address 12.12.150.250 and
the VLAN ID 1035 must be separated by a dot. This entry is only relevant if it matches the
format and order set in View#.client identifiers.
create list_entry list_id=4 PTR.22.58.54.1 would add an entry including a record type and
an IP address in reverse to the sixth list, list 5. It matches a client identifier configured on

941
 Managing Lists

a list set to rr_type destination_rev_ip. Both values, the record type PTR and the IP address
22.58.54.1 must be separated by a dot. This entry is only relevant if it matches the format
and order set in List#.client identifiers.
For more details, refer to the section Identifying the Clients Querying the Views in the
chapter Managing Views or to the section Identifying Clients via a List.
5. To delete a list entry, indicate its exact name and use the command:
clear list list_id=# <list-entry>

For more details, refer to the section Clearing a List.

Once your list content is configured, keep in mind that:

• You can display its content, as detailed in the section Displaying the Lists Content.
• You can use its content in a view or trigger configuration. For more details, refer to the section
Using Lists to Filter Guardian Views in the chapter Managing Views and to the section Adding
Triggers Relying on Lists Metrics in the chapter Managing Triggers.

Identifying Clients via a List

In addition to client identification at view level, you can identify clients via lists.

Identifying clients via lists is useful if you have cascaded several resolvers. With such a configur-
ation, the IP address of a client is overwritten every time it is forwarded. Therefore, once the
query gets to the Guardian server, the source IP address it receives is no longer the one of the
original client.

To identify the querying clients, rather than the last resolver that transmitted their query, you can
set the parameter client identifier. You can identify them using the IP address, DSCP, VLAN or
record type of the query and/or the value of an EDNS option of the query, that can be an IP ad-
dress, a MAC address, or a CPE, device or organisation identifier.

To identify clients via a list, you must:

1. Set the list type to 2, list specific client-id is dedicated to identifying clients. For more details,
refer to the section Defining the Type of a List.
2. Configure the parameter List#.client identifiers, to specify the expected identifier that the
list contains.
3. Configure the list content accordingly, the entries of a list must match the format for specified
in the parameter List#.client identifiers. For more details, refer to the section Configuring the
Content of a List.
4. Use the list on a view or in a trigger. For more details, refer to the section Using Lists to Filter
Guardian Views in the chapter Managing Views and to the section Adding Triggers Relying
on Lists Metrics in the chapter Managing Triggers.

For each client list you can specify which field(s) of the DNS query to use as client identifier. The
parameter List#.client identifiers accepts the following identifiers.

Table 65.3. Available client identifiers in lists

Identifier Description
destination_ip The destination IP address of the original query.
destination_rev_ip The destination IP address of the query of a client, in reverse format.
dnsmasq_mac The MAC address sent by DNSMASQ. It is declared in an EDNS option in the original
query.

942
 Managing Lists

Identifier Description
dscp The DSCP of the original query.
ecs_ip The ECS IP address, sent in the EDNS Client Subnet (ECS). It is declared in an EDNS
option in the original query.
ecs_rev_ip The ECS IP address, sent in the EDNS Client Subnet (ECS), in reverse format. It is declared
in an EDNS option in the original query.
ip The source IP address of the original query.
nominum_cpeid The client CPE ID, received from a Nominum/Akamai DNS. It is declared in an EDNS
option in the original query.
nominum_deviceid The client device ID, received from a Nominum/Akamai DNS. It is declared in an EDNS
option in the original query.
opendns_deviceid The client device ID, received from OpenDNS/Umbrella. It is declared in an EDNS option
in the original query.
opendns_ip The client IP address, received from OpenDNS/Umbrella. It is declared in an EDNS option
in the original query.
opendns_orgid The client organization ID, received from OpenDNS/Umbrella. It is declared in an EDNS
option in the original query.
opendns_rev_ip The client IP address, received from OpenDNS/Umbrella, in reverse format. It is declared
in an EDNS option in the original query.
rev_ip The source IP address of the original query, in reverse format.
rr_type The original query record type.
vlan The 802.1q VLAN ID, a value between 1 and 4096, of the original query.

Note that:
• The parameter List#.client identifiers should only be set on specific client identifier lists, or list
specific client-id (2) lists.
• The querying clients are identified whether their query involves IPv4 or IPv6. All the client
identifier parameters that accept an IP address, identify an IPv4 address or an IPv6 address.
• The client identifiers you set in the parameter List#.client identifier must match the list content.
Their identifiers order and format must be the same.
• Unlike the parameter View#.client identifier, setting the parameter List#.client identifiers does
not impact client monitoring. The value you specify in the field does not change how clients
are displayed in the column Client ID. For more details, refer to the section Identifying the Clients
Querying the Views in the chapter Managing Guardian Views.
• To stop identifying clients, you must empty the parameter List#.client identifiers. The clients of
the view are identified using the last resolver that transmitted their query again, whether it was
forwarded or not.

To identify clients via a list

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the Guardian server of your choice, click on . The properties page
opens.
3. In the panel Options, click on EDIT . The wizard Options configuration opens.
4. Click on NEXT until you reach the last page of the wizard.
5. In the drop-down list Display option(s), select all. The list of all Guardian parameters is
displayed.
6. In the drop-down list Client stats, make sure that yes (1) is selected. If it is not, select it.
7. In the drop-down list List#.type, make sure that list specific client-id (2) is selected. If it is
not, select it.

943
 Managing Lists

8. In the field List#.client identifiers, specify the client identifier(s) of your choice for the list.
<identifier>
where the expected identifier is described in the table Available client identifiers in lists.
To specify several identifiers, you must separate them with a space: <identifier1> <identifier2>
9. Click on OK to complete the operation. The wizard closes.

Once your list client identifier configuration is done, keep in mind that:
• You may still need to configure its content to match your configuration, as detailed in the section
Configuring the Content of a List.
• The list is only used if it is part of a view or trigger configuration. For more details, refer to the
section Using Lists to Filter Guardian Views in the chapter Managing Views and to the section
Adding Triggers Relying on Lists Metrics in the chapter Managing Triggers.

Setting a List Saving Mechanism

By default, whenever a change is made to a Guardian list, the list is saved in a file.

You can decide to clear the list(s) of your choice every time the service DNS Guardian restarts.

To set a Guardian list saving mechanism from the GUI

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the Guardian server of your choice, click on . The properties page
opens.
3. In the panel Options, click on EDIT . The wizard Options configuration opens.
4. Click on NEXT until you reach the last page of the wizard.
5. In the drop-down list Display option(s), select all. The list of all Guardian parameters is
displayed.
6. In the field List#.save, you can:
• Type in 1 to save the list every time DNS Guardian restarts. This is the default value.
• Type in 0 to clear the list every time DNS Guardian restarts.
We strongly recommend leaving this parameter enabled with the default value 1.
7. Click on OK to complete the operation. The wizard closes.

To set a Guardian list saving mechanism via CLI

1. Open a shell session and connect to your appliance as the default admin user, the default
password is admin, or using the credentials of a user with sudo permissions.
2. Connect to your local DNS Guardian using the command:
sudo blastcli

3. To save a list every time DNS Guardian restarts, set the parameter list#.save to 1. This
is the default value. In the following command, we set the parameter for list0:
set list0.save=1

4. To clear a list every time DNS Guardian restarts, set the parameter list#.save to 0. In
the following, command we set the parameter for list0:
set list0.save=0

944
 Managing Lists

Resetting the Counter of a List

When you display the content of your list(s), you can see the number of times its entries matched
a query sent to Guardian.

You can reset this number via CLI.

To reset a Guardian list counter

1. Open a shell session and connect to your appliance as the default admin user, the default
password is admin, or using the credentials of a user with sudo permissions.
2. Connect to your local DNS Guardian using the command:
sudo blastcli

3. To reset all the counters of a specific list, use the command:

reset list list_id=#

4. To reset only the counter of entries that have expired (1) or have not yet expired (0), use the
command:
reset list list_id=# expired=<0|1>

Clearing a List
You cannot delete your lists but you can clear their content. Clearing a list can delete all its entries
or only some, based on their expiration time.

To clear Guardian list entries

1. Open a shell session and connect to your appliance as the default admin user, the default
password is admin, or using the credentials of a user with sudo permissions.
2. Connect to your local DNS Guardian using the command:
sudo blastcli

3. To clear the content of a specific list, use the command:

clear list list_id=#

4. To clear only the entries that have expired (1) or have not yet expired (0), use the command:
clear list list_id=# expired=<0|1>

945
Chapter 66. Managing the Rescue Mode
The Rescue mode allows Guardian to answer as many queries as possible if the local DNS
server is saturated and unable to answer clients. It provides service continuity.

If your recursive server is under DDoS attack or looses its Internet connection, the Rescue mode
temporarily provides best-effort delivery and prevents your server from being overloaded or victim
of cache-poisoning.

cached best effort answers

answers for queries
not in the cache

Figure 66.1. How Guardian behaves in Rescue mode

In Rescue mode, Guardian buffers all the queries and behaves as follows:
1. If the queried record is in the cache, the response is immediate.
2. Usually, if the queried record is not cached yet, Guardian relays it to your local DNS server.
In Rescue mode, the local DNS server offers a best-effort service to deliver answers to the
clients. If the query is answered, it is cached by Guardian.
3. If the queried record has expired, Guardian sends it to the client with the TTL that you have
set beforehand (300 seconds by default) to preserve the local DNS server and potentially
avoid querying it altogether. Keep in mind that you can manually expire all or part of your cache
entries.

Note that:
• You must meet the prerequisites before configuring or forcing the Rescue mode.
• You can configure the Rescue mode to automatically trigger the Rescue mode when the
parameters set are met. If you do not want the Rescue mode to be triggered automatically,
you can disable the Rescue detection.
• You can force the Rescue mode and then stop it manually.
• Guardian provides you with charts to visualize different Rescue mode statistics on the properties
page of the server. For more details, refer to the section Monitoring Guardian Statistics.

Prerequisites
By default, Guardian is ready for the Rescue mode. The Rescue mode is set with default values
high enough to ensure that the automated switch cannot be triggered by accident.

To customize or force a switch to Rescue mode, you must make sure that:
1. Guardian cache is enabled. It is enabled when you start the service DNS Guardian, but can
be disabled.
2. The rescue mode detection is enabled. It is enabled by default, but can be disabled.

To prepare the switch to Rescue mode from the GUI

1. In the sidebar, go to DNS > Servers. The page All servers opens.

946
 Managing the Rescue Mode

2. At the end of the line of the Guardian server of your choice, click on . The properties page
opens.
3. In the panel Options, click on EDIT . The wizard Options configuration opens.
4. Click on NEXT until you reach the last page of the wizard.
5. In the drop-down list Display option(s), select all. The list of all Guardian parameters is
displayed.
6. Make sure Guardian cache is enabled, the field Blast must be set to yes (1).
7. Make sure the Rescue mode detection is enabled, the field Rescue detection must be set
to auto (1).
8. Click on OK to complete the operation. The wizard closes.

To prepare the switch to Rescue mode via CLI

1. Open a shell session and connect to your appliance as the default admin user, the default
password is admin, or using the credentials of a user with sudo permissions.
2. Connect to your local DNS Guardian using the command:
sudo blastcli

3. Display Guardian current configuration using the command:

show config

4. Make sure Guardian cache is enabled, the parameter blast must be set to 1, as follows:
blast=1

5. Make sure the Rescue mode detection is enabled, the parameter rescue_detection must
be set to 1, as follows:
rescue_detection=1

Now that you prepared Guardian, you can either configure the Rescue mode or force the Rescue
mode.

Configuring the Rescue Mode

The Rescue mode can be triggered if:
1. The server reaches a maximum number of queries per second sent from Guardian to the local
DNS server: above the set value, Guardian switches to Rescue mode. Refer to Rescue high
rec packet in the table below.
2. The server reaches both:
• A minimum number of queries per second sent from Guardian to the local DNS server. Refer
to Rescue min rec packet in the table below.
• A percentage of these queries that are unanswered. This value acts as a threshold. Refer
to Rescue unanswered rate in the table below.
3. The server receives a maximum number or percentage of SERVFAIL error messages per
second from the local resolver. Refer to Rescue servfail qps or Rescue ratio servfail in the
table below.

The Rescue mode configuration relies on the following parameters, you can change their value
to match your needs:

947
 Managing the Rescue Mode

Table 66.1. Rescue mode parameters

Parameter
Rescue time
rescue_time
Rescue ttl
rescue_ttl
Rescue min rec packet
rescue_min_rec_packet
Rescue unanswered rate
rescue_unanswered_rate
Rescue high rec packet
rescue_high_rec_packet
Rescue servfail qps
rescue_servfail_qps
Rescue ratio servfail
rescue_ratio_servfail
Default Description
value
5 The check period during which the inbound traffic, outbound traffic
and packet traffic between Guardian and the local DNS server are
monitored to determine if a switch to Rescue mode is needed. Over
this period (<value>*10s), a check is performed every 10 seconds
and the <value> sets the number of checks performed. By default
it is set to 5, Guardian checked 5 times every 10 seconds, over the
last 50 seconds (5*10s), if the traffic met the triggering conditions
that require a switch to Rescue mode.
300 The TTL values of the cached records queried by clients that already
expired once Guardian is in Rescue mode. It overwrites the actual
record TTL, so we suggest that you set a low value to prevent clients
from keeping an outdated value once Guardian turns off the Rescue
mode.
5000 The minimum number of queries per second received by the local
DNS server that call for an extra check. If the number of queries
set is met, Guardian checks the condition of the parameter Rescue
unanswered rate to decide if it is necessary to switch to Rescue
mode.
10 The percentage of unanswered queries by the local DNS server,
based on the number of queries of Rescue min rec packet. If the
percentage of unanswered queries is exceeded, Guardian switches
to Rescue mode.
200000 The maximum number of queries per second sent from Guardian
to the local DNS server, above the value set, Guardian switches to
Rescue mode.
50000 The maximum number of queries per second answered by the local
resolver with SERVFAIL error messages.
90 The maximum percentage of queries per second answered by the
local resolver with SERVFAIL error messages.

Before configuring the Rescue mode, you must meet the prerequisites, if you want your parameters
to be taken into account.

To configure Rescue mode parameters from the GUI

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the Guardian server of your choice, click on . The properties page
opens.
3. In the panel Options, click on EDIT . The wizard Options configuration opens.
4. Click on NEXT until you reach the last page of the wizard.
5. In the drop-down list Display option(s), select all. The list of all Guardian parameters is
displayed.
6. To set a rescue mode monitoring period, in the field Rescue time specify a check period:
<number-of-checks> * 10 seconds.
7. To define the expired records TTL once in Rescue mode, in the field Rescue ttl specify a
number of seconds.
8. To decide what triggers the Rescue mode:
• In the field Rescue min rec packet, you can specify the minimum number of queries re-
ceived per second that triggers a check of the Rescue unanswered rate.

948
 Managing the Rescue Mode

• In the field Rescue unanswered rate, specify the percentage of unanswered queries of
Rescue min rec packet. When the specified percentage is reached, the server switches
to Rescue mode.
• In the field Rescue high rec packet, you can specify a maximum number of queries per
second that triggers the Rescue mode.
• In the field Rescue servfail qps, you can specify a number of queries per second answered
with SERVFAIL error messages that triggers the Rescue mode.
• In the field Rescue ratio servfail, you can specify a percentage of queries per second
answered with SERVFAIL error messages that triggers the Rescue mode.
9. Click on OK to complete the operation. The wizard closes.

To configure Rescue mode parameters via CLI

1. Open a shell session and connect to your appliance as the default admin user, the default
password is admin, or using the credentials of a user with sudo permissions.
2. Connect to your local DNS Guardian using the command:
sudo blastcli

3. Set the Rescue mode parameters to the value of your choice. In the following command, we
set them to their default value:
set rescue_time=5
set rescue_ttl=300
set rescue_min_rec_packet=5000
set rescue_unanswered_rate=10
set rescue_high_rec_packet=200000
set rescue_servfail_qps=50000
set rescue_ratio_servfail=90

All values are detailed in the table Rescue mode parameters.

Forcing the Rescue Mode

You can force a switch to Rescue mode, i.e. manually switch to Rescue mode, no matter the
parameters configured for the automatic switch.

Before forcing the Rescue mode, you must meet the prerequisites.

To force the switch to Rescue mode from the GUI

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the Guardian server of your choice, click on . The properties page
opens.
3. In the panel Options, click on EDIT . The wizard Options configuration opens.
4. Click on NEXT until you reach the last page of the wizard.
5. In the drop-down list Display option(s), select all. The list of all Guardian parameters is
displayed.
6. To manually switch Guardian to Rescue mode, in the field Rescue detection, select forced
(2).
7. To switch back to normal Rescue mode detection, which uses the threshold(s) you set in
the parameters, in the field Rescue detection, select auto (1).
8. Click on OK to complete the operation. The wizard closes.

949
 Managing the Rescue Mode

To force the switch to Rescue mode via CLI

1. Open a shell session and connect to your appliance as the default admin user, the default
password is admin, or using the credentials of a user with sudo permissions.
2. Connect to your local DNS Guardian using the command:
sudo blastcli

3. To display Guardian current configuration, use the command:

show config

4. To force Guardian to switch to Rescue mode, set the parameter rescue_detection to 2

as follows:
set rescue_detection=2

To switch back to the automated Rescue mode detection, set the parameter rescue_de-
tection to 1.

Disabling the Rescue Detection

By default, the Rescue detection is enabled. You can disable it to prevent Guardian from
switching to Rescue mode. Once the Rescue detection is disabled:
• If you configured an automatic switch to Rescue mode, Guardian ignores your configuration
and does not switch to Rescue mode if the traffic reaches the threshold(s) you set in the
parameters.
• It is no longer possible to force the Rescue mode.

To disable Guardian Rescue mode from the GUI

1. In the sidebar, go to DNS > Servers. The page All servers opens.
2. At the end of the line of the Guardian server of your choice, click on . The properties page
opens.
3. In the panel Options, click on EDIT . The wizard Options configuration opens.
4. Click on NEXT until you reach the last page of the wizard.
5. In the drop-down list Display options(s), select using default values.
6. To disable the Rescue mode detection, in the field Rescue detection, select disabled (0).
7. Click on OK to complete the operation. The wizard closes.

To disable Guardian Rescue mode via CLI

1. Open a shell session and connect to your appliance as the default admin user, the default
password is admin, or using the credentials of a user with sudo permissions.
2. Connect to your local DNS Guardian using the command:
sudo blastcli

3. To display Guardian current configuration, use the command:

show config

4. To disable the Rescue mode detection, set the parameter rescue_detection to 0 as fol-
lows:
set rescue_detection=0

950
 Part XI. NetChange
NetChange allows to locate and monitor your network devices. You can import them using their IP address
and the CDP, NDP and LLDP layer 2 discovery protocols to find more devices on the network.

Once imported, NetChange relies on the SNMP protocol to retrieve information in the MIB of each device.
It provides monitoring for the routes, VLANs and ports the devices contain and the IP addresses of their in-
terfaces as well as the devices connected to them. In addition, it allows to monitor the configuration file
versioning on the devices that support it.

IP address connection tracking

- Switch number
- Port number
Management - MAC address
- VLAN ID
- DNS name

Remote
discoveries
Local discoveries
Small office
Local discoveries
Data center

Headquarters

Figure 227. Example of a NetChange architecture

We recommend importing all your devices to have a clear overview of your network. All supported devices
are listed on the Knowledge Base, at https://kb.efficientip.com/index.php/Main_Page in the category
NetChange/IPLocator.

NetChange can include up to 3 levels of organization:

• Network devices: the highest level of hierarchy where you import all the devices you want to manage.
They contain routes, VLANs, ports, configurations files, interface IP addresses and/or discovered items.
For more details, refer to the chapter Managing Network Devices.
• Routes: one of the second levels of hierarchy where you can view and partially manage the IPv4 and
IPv6 routing tables of your layer 3 devices. For more details, refer to the chapter Managing Routes.
• VLANs: one of the second levels of the hierarchy where you can manage the VLANs of your network
devices. For more details, refer to the chapter Managing VLANs.
• Ports: one of the second levels of the hierarchy where you can manage the ports of your network devices.
For more details, refer to the chapter Managing Ports.
• Configurations: one of the second levels of the hierarchy where you can manage the configuration file
versioning of the network devices that support it. For more details, refer to the chapter Managing Config-
uration Versioning.
• Addresses: one of the second levels of the hierarchy where you can view the interface IP addresses of
the imported network devices, in IPv4 and IPv6. For more details, refer to the chapter Managing Addresses.
• Discovered items: the lowest level of the hierarchy where you can manage the devices connected to
your network devices.The devices are identified through their MAC address and are connected to a network
device via VLANs or ports. For more details, refer to the chapter Managing Discovered Items.

The module also provides:

• Statistics. You can use gadgets to display device and/or port statistics. For more details, refer to the
chapter Managing Statistics.
• Monitoring and Tuning. You generate reports on devices, refresh them using CSV files, keep them up-
to-date or customize their type. For more details, refer to the chapter Monitoring and Tuning.

Note that depending on the license you chose, you can either retrieve network devices information or
partially configure your network devices and their content. There are two NetChange licenses available:
1. NetChange-IPL, a light version that provides basic management options of your network devices.
2. NetChange, the full license that allows advanced management of your Avaya, Cisco and HP network
devices as it provides configuration options for VLANs and ports, 802.1X authentication, versioning...

Table 332. NetChange licenses differences

Option NetChange-IPL NetChange
Adding and listing Network devices
Discovering and listing routes
Listing VLANs
Listing ports
Listing IP addresses configured on the network device interfaces
Listing discovered items
Adding and deleting VLANs -
Configuring the speed of a port -
Configuring the duplex of a port -
Configuring the VLAN of a port -
Configuring access VLANs -
Enabling or disabling 802.1X authentication -
Configuring the protocol Port-security on a port -
Managing network devices' configuration file versioning -
Limiting port edition rights to specific groups of users -

Note that from the module Dashboards, you can monitor the module data or set up custom shortcuts and
search engines using gadgets. For more details, refer to the part Dashboards.
Table of Contents
67. Managing Network Devices ...................................................................................... 955
Browsing Network Devices .................................................................................... 955
Adding Network Devices ........................................................................................ 957
Importing Network Devices Using Discovery Protocols ............................................ 958
Enabling or Disabling the 802.1X Authentication Protocol ........................................ 960
Editing the SNMP Properties of a Network Device ................................................... 961
Refreshing the Network Devices Database ............................................................. 962
Connecting to a Network Device Via a Console ....................................................... 964
Making a Network Device Snapshot ....................................................................... 964
Automatically Adding New Network Devices as Group Resource .............................. 965
Adding Network Devices in Device Manager ........................................................... 966
Exporting Network Devices .................................................................................... 966
Deleting Network Devices ...................................................................................... 966
Defining a Network Device as a Group Resource .................................................... 966
68. Managing Routes .................................................................................................... 967
Prerequisites ........................................................................................................ 967
Limitations ............................................................................................................ 967
Browsing Routes ................................................................................................... 967
Enabling the Registry Key Required to Display the VRF Routes ............................... 969
Creating Routes in the IPAM .................................................................................. 970
Exporting Routes .................................................................................................. 971
69. Managing VLANs ..................................................................................................... 972
Browsing VLANs ................................................................................................... 972
Adding a VLAN ..................................................................................................... 973
Editing a VLAN ...................................................................................................... 973
Creating a VLAN in VLAN Manager ........................................................................ 973
Exporting VLANs ................................................................................................... 974
Deleting a VLAN ................................................................................................... 974
70. Managing Ports ....................................................................................................... 975
Browsing Ports ...................................................................................................... 976
Enabling or Disabling a Port ................................................................................... 977
Editing a Port Interconnection ................................................................................ 977
Editing a Port Speed and Duplex Mode .................................................................. 978
Updating a Port Description ................................................................................... 978
Managing the 802.1X Authentication Protocol on a Port ........................................... 979
Restricting Access to a Port with the Protocol Port-security ...................................... 980
Limiting Port Edition Rights to Specific Groups of Users .......................................... 983
Configuring VLAN Tagging on a Port ....................................................................... 984
Exporting Ports ..................................................................................................... 987
71. Managing Configuration Versioning ........................................................................... 988
Prerequisites ........................................................................................................ 988
Limitations ............................................................................................................ 988
Browsing Configuration Files .................................................................................. 988
Managing Connection Profiles ............................................................................... 990
Configuring the Versioning of a Network Device ...................................................... 992
Refreshing a Configuration File .............................................................................. 994
Comparing Configuration Files ............................................................................... 995
Monitoring the Configuration Versioning in the Logs ................................................. 996
Downloading Versioning Information ....................................................................... 997
Configuring Advanced Versioning Options ............................................................... 998
Exporting Configuration Files ................................................................................. 999

953
 NetChange

Disabling Versioning on a Network Device .............................................................. 999

72. Managing Addresses ............................................................................................. 1001
Browsing Addresses ............................................................................................ 1001
Exporting Addresses ........................................................................................... 1002
73. Managing Discovered Items .................................................................................... 1003
Browsing Discovered Items .................................................................................. 1003
Refreshing the Discovered Items Database ........................................................... 1005
Populating Device Manager ................................................................................. 1005
Creating the IP Address of a Discovered Item in the IPAM ...................................... 1005
Purging the Discovered Items Database ............................................................... 1006
Tracking the Discovered Items History of a Specific Device .................................... 1006
Exporting Discovered Items ................................................................................. 1007
74. Managing Statistics ................................................................................................ 1008
Displaying NetChange Statistics ........................................................................... 1008
Displaying Network Device Statistics .................................................................... 1008
Displaying Port Statistics ...................................................................................... 1008
75. Monitoring and Tuning ............................................................................................ 1010
Generating NetChange Reports ........................................................................... 1010
Keeping NetChange Data Up-to-date .................................................................... 1010
Synchronizing the Network Devices with a CSV File .............................................. 1011
Customizing the Type of Network Devices ............................................................. 1012

954
Chapter 67. Managing Network Devices
NetChange uses the SNMP protocol to query network devices and centralize all collected inform-
ation in its database. You can add, import and delete network devices with an IPv4 address from
the page All network devices. The devices can manage interfaces with IPv4 or IPv6 addresses
that are displayed on the dedicated page All addresses. There are several ways to integrate new
network devices in NetChange database:
• Adding one or several network devices using their IPv4 address.
• Importing network devices through discovery protocols (like CDP, DP or LLDP) once you added
a device.
• Importing network devices using a CSV file. For more details, refer to the section Importing
Data to NetChange in the chapter Importing Data from a CSV File.

To use NetChange at the maximum of its potential, we strongly suggest that you add at least
one device using its IP address and then use the discovery protocols to add all your network
devices to the page All network devices.

Browsing Network Devices

The network device is the highest level of organization in NetChange. All the devices that you
want to manage and work with on your network are gathered on one page.You can define, check
or discover how all these devices are related to each other through their VLANs, ports, routes,
IP addresses and discovered items. If they support it, you can even monitor their configuration
file versioning.

ROUTE

VLAN
NETWORK DISCOVERED
DEVICE VLANITEM
PORT

CONFIG

VLANADDRESS

Figure 67.1. The network device in NetChange hierarchy

Browsing the Network Devices Database

To display the list of network devices
1. In the sidebar, go to NetChange > Network devices. The page All network devices
opens.
2. You can filter the list using the column search engines.

To display a network device properties page

1. In the sidebar, go to NetChange > Network devices. The page All network devices
opens.

955
 Managing Network Devices

2. At the end of the line of the network device of your choice, click on . The properties page
opens.

The properties page of a network device contains a set of panels detailing its configuration:
Refresh properties
The device refresh configuration, for both data and configuration file refresh. For more details,
refer to the chapter Managing Configuration Versioning.
Additional information
More specific data that is not displayed in the other panels like the Stack identifier, Uptime,
Number of ports, System OID, System contact and Complete description. For more details,
refer to the section Customizing the Display on the Page All Network Devices.
SNMP properties
All the SNMP monitoring information of the device: its profile name, version, port, number of
retries, timeout, transfer timeout, supported MIBs, etc. For more details, refer to the section
Editing the SNMP Properties of a Network Device.
Configuration versioning properties
The versioning configuration status: unsupported, enabled, disabled. Once enabled and
configured, the connection profile is also displayed in the panel. For more details, refer to
the chapter Managing Configuration Versioning.
IP Addresses List
All the IP addresses configured on the interfaces of the device, whether IPv4 or IPv6. You
can list them all on the page All addresses, for more details refer to the chapter Managing
Addresses.
Network device ports status
A graph representing the active, inactive and disabled ports of the device.

Customizing the Display on the Page All Network Devices

Any user can change the column layout of the page via the button List template, on the right-
end side of the menu. Only users of the group admin can add or edit list templates. For more
details, refer to the section Managing List Templates.

Some columns provide more specific information regarding network devices:

Table 67.1. Available columns on the page All network devices

Column Description
Last updated on The network device last refresh date and time.
Complete description All the available vendor information, the SysDescr of the device.
Version The OS version of the network device, only for Cisco equipment.
Last config. check
Revision The device configuration file versioning information for the devices that support
it. You can also display more versioning dedicated columns. For more details,
Versioning refer to the chapter Browsing the Configuration Files.
Configuration refresh
Analysis Time The time necessary to collect information during the last refresh or the network
device current analysis status: Being analyzed (in progress).
Uptime The network device uptime.
Type The network device type and model.
Serial number The serial number of the network device.

956
 Managing Network Devices

Column Description
Slot serial number The slot number and slot serial number (identifier) of used slots as follows:
<slot-number>:<slot-serial-number>. That column only retrieves information
for used slots, empty slots are not listed.
SNMP profile The name of the SNMP profile used on the network device.
SNMP refresh The scheduled database refresh frequency configured on the network device
Status The network device status
OK The network device is up and running.
Timeout The network device is not responding.

Adding Network Devices

The menu Add allows to import network devices via SNMP based on their IPv4 address, you can
specify a range of IPv4 addresses to import several devices at once. The network devices can
manage interfaces with an IPv4 or an IPv6 address.

Note that:
• You can also import network devices from a CSV file. For more details, refer to the section
Importing Data to NetChange in the chapter Importing Data from a CSV File.
• Standard users cannot see the network devices they add, unless a user of the group admin
either:
• Adds the new devices to the resources of the group(s) they belong to.
• Configures the rule 407 to automatically add every new device as resource of the group(s)
they belong to. For more details, refer to the section Automatically Adding New Network
Devices as Group Resource.

To add a network device

1. In the sidebar, go to NetChange > Network devices. The page All network devices
opens.
2. In the menu, click on Add. The wizard Add network devices opens.
3. If custom classes are enabled at network device level, in the list Network device class,
select a class or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
4. To add only one device:
a. In the field IP address, specify the IP address of the device.
b. Leave the field Ending IP address empty.
5. To add several devices at once:
a. In the field IP address, specify the start address of a range of addresses.
b. In the field Ending IP address, specify the last address of the range.
6. You can select the SNMP profile(s) used to access the SNMP agent on the device(s).
If you do not select any, NetChange uses the default profile standard v2c.

957
 Managing Network Devices

Table 67.2. SNMP profile information parameters

Field Description
SNMP profiles The available SNMP profiles, select one and click on to move it to the list Selected
configuration profiles. This field is optional.
By default, it contains standard v1, standard v2c and standard v3. Any existing profile
is listed. To add profiles, refer to the section Managing SNMP Profiles.
Selected profiles The SNMP profile to use to retrieve the device(s) information. If you add several pro-
files, that are all used in order on the device(s). This field is optional.
To order the profiles, select them one by one and click on or . To remove a profile
select it and click on .

7. In the drop-down list Target space, select the IPAM space to associate with the network
device(s). The IP address of each device is imported in the selected space. The space also
helps differentiate devices on the page.
8. You can tick the box Expert mode to review and specify more details regarding the device(s)
information retrieval.

Table 67.3. Network device SNMP parameters

Parameter Description
SNMP port The port that the SNMP service must use. By default, it uses the port 161. This field is
required.
SNMP retries The number of connection attempts when the server is in timeout, a value between 0 and
5. By default, it is set to 1. This field is required.
SNMP transfer The number of minutes above which the SNMP transfer is aborted when you add or refresh
timeout (minutes) a device, a value between 0 and 999. By default, it is set to 0. This field is optional.
SNMP timeout The number of seconds between each connection attempt, either 1s, 2s, 3s, 4s, 5s, 10s
or 30s. By default, it is set to 2s. This field is optional.
Use bulk For SNMPv2c or SNMPv3. Allows to send several requests at once, it uses a bulk
transfer of data. This compact SNMP request method accelerates transfers. By default,
it is set to Yes. This field is required.
Use TCP The network communication protocol, either TCP (Yes) or UDP (No). By default, No is
selected. You should use TCP instead of UDP if the network link is unreliable. This field
is required.

9. Click on OK to complete the operation. The report opens and works for a while before closing.
The page displays the network device(s).
Note that depending on the group they belong to, users may not see the device(s) they added
on the page until an administrative user either:
• Adds the new devices to the resources of the group(s) they belong to.
• Configures the rule 407 to automatically add every new device as resource of the group(s)
they belong to. For more details, refer to the section Automatically Adding New Network
Devices as Group Resource.

Once you added one device, you can retrieve all the devices it is directly connected (plugged)
to via the discovery protocol option detailed in the next section.

Importing Network Devices Using Discovery Protocols

Once you manage at least one network device, you can use the discovery protocols to retrieve
and import the network devices connected to each other. For more details regarding network
device addition, refer to the section Adding Network Devices.

958
 Managing Network Devices

Note that you can also import network devices from a CSV file before using the discovery protocols.
For more details, refer to the section Importing Data to NetChange in the chapter Importing Data
from a CSV File.

The discovery protocol import option retrieves all the information via three layer 2 protocols: the
Cisco Discovery Protocol (CDP), the Nortel Discovery Protocol (NDP) and the Link Layer Discovery
Protocol (LLDP). The information gathered through these protocols is then retrieved using SNMP,
among which, the devices neighbors i.e. the devices connected to the devices listed on the page
All network devices.
The Cisco Discovery Protocol (CDP)
The CDP is a proprietary Data Link Layer network protocol developed by Cisco Systems to
share information between devices, from their topology to their OS version, IP address or
interfaces' status. NetChange uses CDP to discover Cisco network devices.
The Nortel Discovery Protocol (DP)
The DP is a Data Link Layer (OSI Layer 2) network protocol for discovery of Nortel devices
and their topology. NetChange uses it to automatically discover Nortel, Avaya and Ciena
network devices.
The Link Layer Discovery Protocol (LLDP)
The LLDP is a vendor-neutral Link Layer protocol in the Internet Protocol Suite used by net-
work devices for advertising their identity, capabilities, and neighbors on a IEEE 802 local
area network, principally wired Ethernet. LLDP is supported by the following switch vendors:
HP, H3C, Nortel, Extreme Networks, Cisco and Juniper, Dell and Entreats.

To import network devices using the discovery protocols

1. In the sidebar, go to NetChange > Network devices. The page All network devices
opens.
2. Tick the device(s) for which you want to discover neighbors.
3. In the menu, select Import > Using CDP/NDP/LLDP.The wizard Add network devices
opens.
4. In the drop-down list Target space, select the IPAM space that should list the IP addresses
of the discovered device(s).
5. Click on OK to complete the operation. The report opens and works for a while before closing.
The devices found are listed.

The LLDP being the only vendor-neutral protocol, you might need to enable it on your devices,
especially if the devices connected are from different vendors or if you connected a Nortel or
Cisco device with a device from a different vendor.

Enabling LLDP on HP Devices

LLDP is enabled by default on HP Procure switches and routers. There is nothing to do. If you
want to see LLDP neighbors from your HP switch, use the following command.
show lldp info remote-device

Enabling LLDP on Nortel Devices

Nortel switch 425 and 55x0 series support LLDP with a 5.x firmware.This is not enabled by default.
Here is the set of command to enable LLDP:
5510-24T(config)#interface FastEthernet ALL
5510-24T(config-if)#lldp tx-tlv port ALL port-desc

959
 Managing Network Devices

5510-24T(config-if)#lldp tx-tlv port ALL sys-name

5510-24T(config-if)#lldp tx-tlv port ALL sys-desc
5510-24T(config-if)#lldp tx-tlv port ALL local-mgmt-addr
5510-24T(config-if)#lldp tx-tlv port ALL dot1 vlan-name ALL
5510-24T(config-if)#lldp tx-tlv port ALL dot3 link-aggregation
5510-24T(config-if)#lldp tx-tlv port ALL dot3 mac-phy

Depending on your firmware version, some options may be unrecognized. For VLAN, unfortunately,
you need to issue the command each time you add a VLAN. When using MT, EAST or SMELT,
you may want to disable ingress filtering:
vlan ports ALL filter-unregistered-frames disable

For Nortel RES 8600, there is no support for LLDP. For Nortel Switch for IBM Blade canter (Nortel
Layer 2-3 and 2-7), you need version 5.1 or more recent.

Enabling LLDP on Extreme Networks Devices

ExtremeOS and ExtremeWare supports LLDP with recent firmware's. You need to enable it with:
enable lldp ports all
configure lldp ports all avertise management-address
configure lldp ports all avertise port-description
configure lldp ports all avertise system-capabilities
configure lldp ports all avertise system-description
configure lldp ports all avertise system-name
configure lldp ports all avertise vendor-specific dot1 vlan-name
configure lldp ports all avertise vendor-specific dot3 link-aggregation
configure lldp ports all avertise vendor-specific dot3 mac-phy

Enabling LLDP on Cisco Devices

Starting from IS 12.2(33)SCH, LLDP is supported. Use the following command to enable it:
lldp run

On each interface, you may need to accept LLDP:

interface GigabitEthernet1/7
lldp enable

Enabling LLDP on Juniper Devices

Numerous platforms from Juniper support LLDP and LLDP-MED.The Juniper supported platforms
are: EX, MX, M, J and SEX. Use the following command to enable it:
set protocols lldp

On capable and configured devices, you can see LLDP information with:
show lldp <detail>

Enabling or Disabling the 802.1X Authentication Protocol

As long as a device supports the 802.1X authentication, you can enable or disable it from the
GUI. Keep in mind that:
• Enabling 802.1X authentication at device level, enables it at port level as well.
You can individually disable it on the ports. For more details, refer to the section Managing the
802.1X Authentication Protocol on a Port.

960
 Managing Network Devices

• Disabling 802.1X authentication at device level, disables it at port level as well.

At port level, the protocol can still be configured but you can no longer enable it on the ports
when it is disabled on their device.

On the page All network devices, the column 802.1X allows to see if the devices support the
authentication, and if it is enabled or not. For more details on how to add and display customized
list template, refer to the section Managing List Templates.

To enable/disable the 802.1X authentication on a device

1. In the sidebar, go to NetChange > Network devices. The page All network devices
opens.
2. Right-click on the Name of the device you want to edit. The contextual menu opens.
3. Click on . The wizard Edit a network device opens.
4. In the drop-down list 802.1x authentication, select Enable or Disable.
5. Click on OK to complete the operation. The report opens and closes. The device is marked
Enabled or Disabled in the column 802.1X .

Editing the SNMP Properties of a Network Device

For each device, you can set specific SNMP parameters (version, profile, port, number of retries,
transfer timeout...) via the panel SNMP properties on its properties page. Keep in mind that the
SNMP service and profiles must be configured beforehand. For more details, refer to the sections
Configuring the SNMP Server and Managing SNMP Profiles.

This panel also provides an overview of the MIBs supported by the device.

To edit the SNMP properties of a network device

1. In the sidebar, go to NetChange > Network devices. The page All network devices
opens.
2. At the end of the line of the network device of your choice, click on . The properties page
opens.
3. In the panel SNMP properties, click on EDIT . The wizard SNMP parameters opens.
4. Edit the parameters according to your needs.

Table 67.4. Network device SNMP parameters

Field Description
SNMP version The SNMP version of your choice, either v1, v2c or v3. By default, v2c is selected.
SNMP port The port that the SNMP service must use. By default, it uses the port 161. This field is
required.
SNMP retries The number of connection attempts when the server is in timeout, a value between 0 and
5. By default, it is set to 1. This field is required.
SNMP timeout The number of seconds between each connection attempt, either 1s, 2s, 3s, 4s, 5s, 10s
or 30s. By default, it is set to 2s. This field is optional.
Use bulk For SNMPv2c or SNMPv3. Allows to send several requests at once, it uses a bulk
transfer of data. This compact SNMP request method accelerates transfers. By default,
it is set to Yes. This field is required.
Use TCP The network communication protocol, either TCP (Yes) or UDP (No). By default, No is
selected. You should use TCP instead of UDP if the network link is unreliable. This field
is required.

961
 Managing Network Devices

Field Description
SNMP transfer The number of minutes above which the SNMP transfer is aborted when you add or refresh
timeout (minutes) a device, a value between 0 and 999. By default, it is set to 0. This field is optional.

5. Click on NEXT . The last page opens.

6. In the drop-down list SNMP profile, choose a profile using the same version of the SNMP
protocol as the one you selected in the field SNMP version.
If you added SNMP profiles, you can choose one of your profiles. They are listed only if they
use the same version of the SNMP protocol as the one you selected on the previous page.
Note that the SNMP profiles you can choose from must be configured on the appliance you
are currently working with.
7. Click on OK to complete the operation. The wizard closes. The changes are listed in the
panel.

Refreshing the Network Devices Database

After each network device import, a discovery is automatically carried out to fill NetChange
database. It includes ports, VLANs, routes, IP addresses and MAC addresses information. Fol-
lowing this initial discovery, it is necessary to periodically refresh the database to keep it up to
date. Two methods are available: a manual refresh or a scheduled refresh of network devices.

Executing a Device Refresh Manually

Refreshing a device manually allows to retrieve all the latest information on the network device.
If you edited a device configuration or architecture, you should refresh it. Keep in mind that:
• The option Refresh only applies to network devices.
From the page All network devices, it applies to the selected device(s) and its content.
From any other NetChange page, it applies to the device that the selected object(s) belong to.
• The device parameter SNMP transfer timeout can impact the success of the refresh. For more
details, refer to the section Editing the SNMP Properties of a Network Device.

To manually refresh a device

1. In the sidebar, go to NetChange > Network devices. The page All network devices
opens.
2. Tick the network device(s) you want to refresh.
3. In the menu, select Edit > Refresh. The wizard Refresh a network device opens.
4. Tick the box Device data to refresh the database of the selected network device(s).
5. Tick the box Configuration versioning if you enabled versioning on the selected device(s).
For more details, refer to the section Refreshing a Configuration File.
6. Click on OK to complete the operation. The report opens and works for a while.
When the refresh is over, a report might appear and list the added IP addresses (Notice)
and existing ones (Error). This list only regards the device addition or import in the selected
Target space. You can download this report in the format of your choice: TEXT , HTML or
EXCEL .

7. Click on CLOSE to go back to the page All network devices. The page refreshes.

962
 Managing Network Devices

Scheduling a Device Refresh

The scheduled refresh allows to plan ahead the update of the NetChange database. You can
specify different schedules depending on the devices. Typically, edge switches are queried more
often than backbone routers.

Setting Up a Scheduled Refresh

The device refresh frequency can be common to several devices or specific to a device. Do not
hesitate to tick one or several devices before setting up a refresh schedule.

To set up a network device scheduled refresh

1. In the sidebar, go to NetChange > Network devices. The page All network devices
opens.
2. Tick the network device(s) for which you want to schedule the refresh.
3. In the menu, select Edit > Scheduled refresh > Configure. The wizard Set refresh
frequency opens.
4. Configure the refresh frequency according to your needs.

Table 67.5. Scheduled refresh frequency parameters

Field Description
Minute A moment of the hour, either 00, 15, 30 or 45. The minute respects the UTC standard.
By default, 00 is selected. This field is optional.
Hour A specific hour, a set of hours, every hour, or every hour over a specific period. The
hour respects the UTC standard. This field is optional.
Date of the month A specific day of the month or every day. By default, every day is selected. This field
is optional.
Month A specific month or every month. By default, every month is selected. This field is
optional.
Day(s) of the week A day, a frequency or a period of days. By default, every day is selected. This field is
optional.

5. You can tick the box Device data to refresh the database of the selected network device(s)
at the scheduled time. By default, the box is ticked.
6. You can tick the box Configuration versioning to retrieve the configuration file of the selected
device(s) if changes are detected. By default, the box is unticked.
Note that you can only retrieve the configuration file if the versioning is enabled on the
device(s). For more details, refer to the section Refreshing a Configuration File.
7. Click on OK to complete the operation. The report opens and closes. The refresh frequency
configuration is displayed in the panel Refresh properties of each network device properties
page.

Disabling a Scheduled Refresh

Any scheduled refresh can be disabled for one or several devices at once.

To disable a network device scheduled refresh

1. In the sidebar, go to NetChange > Network devices. The page All network devices
opens.
2. Tick the network device(s) for which you want to disable the scheduled refresh.

963
 Managing Network Devices

3. In the menu, select Edit > Scheduled refresh > Disable. The wizard Disable the
scheduled refresh opens.
4. Tick the box Device data to disable the scheduled refresh for the selected network device(s).
5. Tick the box Configuration versioning if you enabled versioning on the selected device(s).
For more details, refer to the section Refreshing a Configuration File.
6. Click on OK to complete the operation. The report opens and closes.

Connecting to a Network Device Via a Console

From the properties page you can connect to a network device via an SSH, telnet or web console.

To connect to a network device via SSH

1. In the sidebar, go to NetChange > Network devices. The page All network devices
opens.
2. At the end of the line of the network device of your choice, click on . The properties page
opens.
3. In the menu, select Tools > Connect > Via SSH. The SSH console connected to your
device opens.

To connect to a network device via a telnet console

1. In the sidebar, go to NetChange > Network devices. The page All network devices
opens.
2. At the end of the line of the network device of your choice, click on . The properties page
opens.
3. In the menu, select Tools > Connect > Via telnet. The telnet console connected to your
device opens.

To connect to a network device via a web console

1. In the sidebar, go to NetChange > Network devices. The page All network devices
opens.
2. At the end of the line of the network device of your choice, click on . The properties page
opens.
3. In the menu, select Tools > Connect > Via web. A new tab connecting to your device
opens.

Making a Network Device Snapshot

You can retrieve information on a network device, that you manage or not, through its IP address.

EfficientIP support team might ask for a device snapshot in case of missing or distorted information
on the equipment you want to add to NetChange. The snapshot is generated in .pcap format and
stored in the Local files listing. Keep in mind that the SNMP service and profiles must be configured
beforehand. Note that SNMPv3 is not accepted as a profile. For more details, refer to the sections
Configuring the SNMP Server and Managing SNMP Profiles.

To make and download a network device snapshot

1. Make the snapshot:

964
 Managing Network Devices

a. In the sidebar, go to NetChange > Network devices. The page All network devices
opens.
b. In the menu, select Tools > Make a snapshot. The wizard Make a network device
snapshot opens.
c. In the drop-down list Interface, select the network interface through which you want to
make the snapshot.
d. In the drop-down list SNMP profile, select the SNMP protocol version of the snapshot
generation, either standard v1 or standard v2c. By default, standard v1 is selected.
e. If you are generating a Cisco device snapshot, tick the box Cisco device.
f. In the field IP address, specify the device IP address.
g. Click on OK to complete the operation. The report opens and works for a while before
closing.
2. Download the snapshot:
a. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
b. In the section Maintenance, click on Local files listing. The page Local files listing
opens filtered through the bullet Local, under the menu.
In the column Name, the snapshot file is named <chosen_interface>_<chosen_SN-
MP_profile>_snapshot.pcap.
c. Click on the snapshot file name to download it.

Automatically Adding New Network Devices as Group

Resource
By default, only administrative users can immediately see the network device that they add. All
the standard users that can add network devices must wait until an administrative user defines
these network devices as resource of the group(s) of users they belong to. Once they can see
the network devices, they can start managing them.

To avoid having to manually define new network device as group resource, administrators can
configure the rule 407 and automatically add every new network device as resource of the groups
of users of the relevant group(s) of users.

To add the rule 407 that sets which groups have new network devices as resource
Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Rules. The page Rules opens.
3. In the menu, click on Add. The wizard Add a rule opens.
4. In the drop-down list Module, select NetChange.
5. In the drop-down list Event, select NetChange refresh.
6. In the list Rule, select (407) (POC) Add new network devices as group resource.
7. In the field Rule name, name the rule. That name is then listed in the column Instance.
8. In the field Comment, you can specify a comment.
9. Click on NEXT . The page Rule filters opens.
10. Click on NEXT . The page Rule parameters opens.

965
 Managing Network Devices

11. In the list Available groups, select a group of users and click on . The group is moved to
the list Selected groups. You can add as many groups as you want.
To remove a group from the list Selected groups, select it and click on . The group is
moved back to the list Available groups.
12. Click on OK to complete the operation. The report opens and closes. The rule is listed.

Adding Network Devices in Device Manager

SOLIDserver allows you to manage your network devices through NetChange and Device Man-
ager. With a simple automated manipulation you can create, within the module Device Manager,
the network devices of your choice as well as the ports and interfaces they contain.

For more details, refer to the section Automatically Adding Network Devices in Device Manager.

Exporting Network Devices

From the page All network devices, you can export the data listed in a CSV, HTML, XML, XLS
or PDF file.

Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.

Deleting Network Devices

If you no longer want to manage a network device and its content, you can delete it.

To delete a network device

1. In the sidebar, go to NetChange > Network devices. The page All network devices
opens.
2. Tick the network device(s) of your choice.
3. In the menu, click on Delete. The wizard Delete opens.
4. Click on OK to complete the operation. The report opens and closes. The device is no longer
listed.

Defining a Network Device as a Group Resource

In SOLIDserver, by default only users of the group admin can manage and edit the items of every
module. Adding a network device as one of the resources of a specific group allows the users of
that group to manage the network device in question as long as they have the corresponding
rights granted.

Note that administrative users can add a rule to ensure that every new network device is added
to the resources of the groups of users of their choice. For more details, refer to the section
Automatically Adding New Network Devices as Group Resource.

Granting access to a network device as a resource also grants access to every item it contains.
For more details, refer to the section Adding Resources to a Group in the chapter Groups.

966
Chapter 68. Managing Routes
The page All routes is dedicated to the network devices routing tables and displays the existing
routes on the layer 3 network devices you manage.

All the information displayed is retrieved via SNMP. Each route corresponds to a subnetwork
and has a unique IP address and prefix. The prefix size can be any number between 0 and 32
for IPv4 addresses and between 0 and 128 for IPv6 addresses.

NetChange supports more MIBs to provide detailed route information on the page. Thanks to
L3VPN you can now display the VRF routes configured on your network and also retrieve the
routes Type and Protocol.

Prerequisites
• Managing network devices and/or routers that support and have SNMP enabled.
• To discover VRF routes on your network you must:
• Make sure the routers support the MIB MPLS-L3VPN-STD-MIB.
• Make sure the routers configured with VRF have MPLS enabled.
• Make sure the routers configured with VRF have BGP enabled.
• Enable the registry key module.netchange.enable_vrf_route.

Limitations
• Routes are retrieved automatically when you import network devices. You cannot add, edit or
delete them.
• You can only export routes.
• To display the routes' Type and Protocol, the MIBs IP-FORWARD-MIB and IANA-RTPROTO-
MIB must be implemented on the routers.
• Depending on your infrastructure, enabling the VRF routes discovery can significantly increase
the database size.

Browsing Routes
The routes are the second level of organization in NetChange, along with the VLANs, configura-
tions, ports and addresses.

ROUTE

VLAN
NETWORK DISCOVERED
DEVICE VLANITEM
PORT

CONFIG

VLANADDRESS

Figure 68.1. The route in NetChange hierarchy

967
 Managing Routes

Browsing the Routes Database

To display the list of routes
1. In the sidebar, go to NetChange > Network devices. The page opens.
2. In the breadcrumb on the right of Network devices, click on to display additional pages.
3. Click on All routes. The page opens.
4. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
5. To display the list of routes of a specific network device, in the column Network device,
click on the name of the device of your choice. The page refreshes.

Understanding the Icons on the Page All Routes

In the column Route IP address, every retrieved route is preceded by an icon providing prefix
information.

Table 68.1. The icons on the page All Routes

Icon Description on the page V4
Routes with a prefix size between 0 to 29.
Routes with a prefix size of 30.
Routes with a prefix size of 31.
Routes with a prefix size of 32.
Description on the page V6
Routes with a prefix size between 0 to 125.
Routes with a prefix size of 126.
Routes with a prefix size of 127.
Routes with a prefix size of 128.

Customizing the Display on the Page All Routes

Any user can change the column layout of the page via the button List template, on the right-
end side of the menu. Only users of the group admin can add or edit list templates. For more
details, refer to the section Managing List Templates.

Keep in mind that you can use colored labels to differentiate at a glance IPv6 address containers.
For more details, refer to the chapter Managing IPv6 Labels.

In addition to the route and network device dedicated columns, the columns VRF name, VRF
RD and Next hop provide detailed information.

Table 68.2. Column information retrieved with L3VPN

Column Description
VRF name The name of the VRF as set on the network device.
VRF RD The VRF Route Distinguisher. A unique 64-bits identifier, that can be composed of IP ad-
dresses or AS Numbers, that differentiates every set of routes on each VRF. For more
details, refer to the part VRF.
Next hop The next router to reach the destination within the VRF.

A column is dedicated to the Type of each route.

Table 68.3. The possible values of the column Type

Value Description
blackhole The routing is working, the route is discarding traffic silently.
direct The routing is working, the route destination is directly connected to the network device.

968
 Managing Routes

Value Description
indirect The routing is working, the route destination is not connected to the network device and
relies on a next-hop.
invalid The routing is not working, the route is either invalidated or discarding traffic.
local The routing is working, the route destination is directly connected to the network device.
other The routing is not working, we do not know why.
reject The routing is not working, the route is either invalidated or discarding traffic.
remote The routing is working, the route destination is not connected to the network device and
relies on a next-hop.

Another column returns the Protocol via which the route was found.

Table 68.4. The possible values of the column Protocol

Value Description
other No protocol is specified.
local Local interface.
netmgmt Static route.
icmp Result of ICMP Redirect.
egp Exterior Gateway Protocol.
ggp Gateway-Gateway Protocol.
hello FuzzBall HelloSpeak
rip Berkeley RIP or RIP-II.
is-is Dual IS-IS.
es-is ISO 9542.
ciscoIgrp Cisco IGRP.o
bbnSpfIgp BBN SPF IGP.
ospf Open Shortest Path First.
bgp Border Gateway Protocol.
idpr InterDomain Policy Routing.
ciscoEigrp Cisco Enhanced Interior Gateway Routing Protocol.
dvmrp Distance Vector Multicast Routing Protocol.
rpl Routing Protocol for LLNs [RFC-ietf-roll-rpl-19].
dhcp Dynamic Host Configuration Protocol [RFC2132].
ttdp Train Topology Discovery Protocol [IEC 61375-2-5].

Enabling the Registry Key Required to Display the VRF

Routes
Once you met the Prerequisites, you can enable a registry key to retrieve all the routes of all
VRFs configured on your network devices providing L3VPN services.

Enabling the key updates the data on the page All routes, including additional information in the
columns VRF name and VRF RD.

You can create these retrieved routes in the IPAM. For more details, refer to the section Creating
Routes in the IPAM.

969
 Managing Routes

To enable the registry key that controls the switch based on time drift
Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Registry database. The page Registry database opens.
3. Filter the column Name with module.netchange.enable_vrf_route.
4. Hit Enter. Only this key is listed.
5. In the column Value, click on the value listed. The wizard Registry database Edit a value
opens.
6. In the field Value, type in 1 to enable it. By default, its value is 0.
7. Click on OK to complete the operation. The report opens and closes. The page refreshes
and the new value is displayed.

Creating Routes in the IPAM

You can create terminal or non-terminal subnet-type networks in the IPAM from NetChange
routes. Keep in mind that:
• You can only create routes in a space containing a block-type network large enough to receive
the new subnet-type networks.
• You can only create networks from routes with a valid IP address. You cannot create default
routes in the IPAM.
• You cannot create networks from routes with a prefix /0.
• During the creation of several terminal networks from the routes, the biggest prefix has priority.
If you create terminal networks from several routes with the same IP address but different
prefixes, only the smallest network is created.

To create a NetChange route in the IPAM

1. In the sidebar, go to NetChange > Routes. The page All routes opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. Tick the route(s) of your choice.
4. In the menu, click on Tools > Create in IPAM. The wizard Create NetChange routes
in IPAM opens.
5. In the drop-down list Space, select the space of your choice.
6. In the drop-down list Maximum prefix, select the value of your choice. The maximum prefix
must be smaller than the prefix of the selected route. By default, 30 is selected.
7. To add terminal networks, make sure the box Terminal networks only is ticked.
8. To add non-terminal networks, untick the box Terminal networks only. By default, it is
ticked.
9. Click on OK to complete the operation. The report opens and closes.
10. To display the created network(s), in the sidebar, go to IPAM > Networks. The page All
networks opens. Each new network is set with the IP address and prefix of the NetChange
route as its Address + prefix and Name.

970
 Managing Routes

Exporting Routes
From the page All routes, you can export the data listed in a CSV, HTML, XML, XLS or PDF file.

Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.

971
Chapter 69. Managing VLANs
The page All VLANs provides an overview of the existing Virtual Local Area Networks for each
network device and their ID if you purchased the license NetChange-IPL. If you have the
NetChange license, it also allows to add, edit and delete VLANs on your devices. For more details
regarding the two available NetChange licenses, refer to the table NetChange licenses differences.

Browsing VLANs
The VLANs are the second level of organization in NetChange, along with the routes, configura-
tions, ports and addresses.

ROUTE

VLAN
NETWORK DISCOVERED
DEVICE VLANITEM
PORT

CONFIG

VLANADDRESS

Figure 69.1. The VLAN in NetChange hierarchy

Browsing the VLANs Database

To display the list of VLANs
1. In the sidebar, go to NetChange > VLANs. The page All VLANs opens.
2. To display the list of VLANs of a specific network device, in the column Network device,
click on the name of the device of your choice. The page refreshes.

To display a VLAN properties page

1. In the sidebar, go to NetChange > VLANs. The page All VLANs opens.
2. At the end of the line of the VLAN of your choice, click on . The properties page opens.

Customizing the Display on the Page All VLANs

Any user can change the column layout of the page via the button List template, on the right-
end side of the menu. Only users of the group admin can add or edit list templates. For more
details, refer to the section Managing List Templates.

Keep in mind that the column Port list contains the number of all the ports associated with each
VLAN. You can edit this list if you purchased the license NetChange, otherwise this list is merely
informative.

972
 Managing VLANs

Adding a VLAN
With the NetChange license, you can add VLANs to the page All VLANs and then associate them
with existing ports. Using 802.1q VLAN Trunking protocol, a VLAN can cover a network area on
multiple switches.

To add a VLAN from the page All VLANs

1. In the sidebar, go to NetChange > VLANs. The page All VLANs opens.
2. In the menu, click on Add. The wizard Add a VLAN opens.
3. In the field Name, name the VLAN.
4. In the field VLAN ID, specify an ID between 1 and 1005 for your VLAN.
5. In the drop-down list Network device, select the network device where you want to add your
VLAN.
6. Click on OK to complete the operation. The report opens and closes. The VLAN is listed.

You can also add a VLAN from the list All VLANs of a specific device, in this case the Network
device drop-down list does not appear.

Editing a VLAN
Editing a NetChange VLAN means renaming it.

Note that depending on your NetChange license, you may be able to associate a VLAN with one
or several network ports. For more details, refer to the section Associating a Port With a VLAN.

To rename a VLAN
1. In the sidebar, go to NetChange > VLANs. The page All VLANs opens.
2. Right-click over the ID of the VLAN you want to rename. The contextual menu opens.
3. Click on . The wizard Add a VLAN opens.
4. In the field Name, rename the VLAN.
5. In the field VLAN ID, the ID is displayed but cannot be edited.
6. Click on OK to complete the operation. The report opens and closes. The list refreshes, the
new VLAN name is listed.

Creating a VLAN in VLAN Manager

You can create NetChange VLANs in a VLAN or VXLAN domain in VLAN Manager. Keep in mind
that:
• You can only create a NetChange VLAN in a domain or range that manages this ID.
• If you select two NetChange VLANs with the same VLAN ID, only the first one is created in
VLAN Manager.

To create a NetChange VLAN in VLAN Manager

1. In the sidebar, go to NetChange > VLANs. The page All VLANs opens.
2. Tick the VLAN(s) of your choice.
3. In the menu, click on Tools > Create in VLAN Manager. The wizard Create NetChange
VLANs in VLAN Manager opens.

973
 Managing VLANs

4. In the drop-down list VLAN Domain, select the domain of your choice. The field VLAN Range
appears.
5. In the drop-down list VLAN Range, you can select the range of your choice. By default,
None is selected.
6. In the drop-down list Existing records, select Replace to overwrite any existing VLAN or
Don't replace to create it. By default, Don't replace is selected.
7. Click on OK to complete the operation. The report opens and closes.
8. To display the created VLAN(s), in the sidebar, go to VLAN Manager > VLANs. The page
All VLANs opens. Each new VLAN is assigned the ID and Name of the selected NetChange
VLAN.

Exporting VLANs
From the page All VLANs, you can export the data listed in a CSV, HTML, XML, XLS or PDF file.

Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.

Deleting a VLAN
With the NetChange license you can delete any VLAN from any network device as long as it is
not used on any port.

To delete a VLAN
1. In the sidebar, go to NetChange > VLANs. The page All VLANs opens.
2. In the column Network device, click on the name of the device of your choice to display
only its VLANs.
3. Tick the VLAN(s) of your choice.
4. In the menu, click on Delete. The wizard Delete opens.
5. Click on OK to complete the operation. The report opens and closes. The VLAN is no longer
listed.

974
Chapter 70. Managing Ports
The ports are physical interfaces of the network devices. NetChange discovers the network
devices ports using a discovery algorithm that automatically analyzes each port and displays its
type and status. It also allows to know which MAC or IP addresses should be looked for and the
devices connection on the network. Typically the listed ports can be:
• Edge or terminal ports: used to connect the terminal network devices of the network (servers,
workstations, printers, ...);
• Interconnection ports: used to link the network devices between them (the backbone).

Depending on your network devices, some ports can actually be both. Some columns on the
page provide all this information:
• Interco (for interconnection) is purely informative even if you can manually force its value to
Yes, No or Autodetect in the GUI.
• Trunking/Tagging mode provides the actual port type, edge ports are marked Access and
interconnection ports are marked Trunk or Tagged.

NetChange module allows to edit a port and associate it with existing VLANs on your device
(existing by default or that you added). To be able to edit a port, you must meet the following
prerequisites:
1. The SNMP service is configured properly. For more details, refer to the section Configuring
the SNMP Server.
2. The SNMP profile used with network devices has a read/write access to interact with the
device(s). For more details, refer to the sections Managing SNMP Profiles and Editing the
SNMP Properties of a Network Device.
3. You have the NetChange license. NetChange-IPL does not provide port edition options. For
more details, refer to the table NetChange licenses differences.
4. The network device on which you edit the port supports MIBs that allow port edition.

Once these prerequisites are met, you can edit your ports. This allows to associate them with
any VLAN on your network or even use them in a tagged or untagged mode and influence their
behavior on the network. As a general rule, when choosing to tag or not a port you should take
into account the following:
• The untagged mode (called Access on Cisco devices) uses the ID of the tagged VLAN the port
is associated with when sending and receiving data. That way packages are identified
throughout the transfer on the network from the sending port to the receiving one. Once the
package is received, the tag number is dismissed, in other words, untagged. This transfer
mode is based on terminal, or edge, ports as packages always reach their destination thanks
to their tag once sent. In the columns VLAN name list and VLAN # list, the untagged/access
VLAN of the port is followed by a star.
• The tagged mode (called Trunk on Cisco devices) uses the ID of the VLANs associated with
the port only when sending packages. The tag identifies the target port. Once the package is
received, the tag number is kept. This transfer mode is based on interconnection ports as it
allows to send out data all over the network.

975
 Managing Ports

Browsing Ports
The ports are the second level of organization in NetChange, along with the routes, configurations,
VLANs and addresses.

ROUTE

VLAN
NETWORK DISCOVERED
DEVICE VLANITEM
PORT

CONFIG

VLANADDRESS

Figure 70.1. The port in NetChange hierarchy

Browsing the Ports Database

To display the list of ports
1. In the sidebar, go to NetChange > Ports. The page All ports opens.
2. To display the list of ports of a specific network device, in the column Network device, click
on the name of the network device of your choice. The page refreshes.

To display a port properties page

1. In the sidebar, go to NetChange > Ports. The page All ports opens.
2. At the end of the line of the port of your choice, click on . The network port properties page
opens.

Customizing the Display on the Page All Ports

Any user can change the column layout of the page via the button List template, on the right-
end side of the menu. Only users of the group admin can add or edit list templates. For more
details, refer to the section Managing List Templates.

Some columns provide more specific information regarding port settings, like Trunking/Tagging
mode, Configured speed, Configured duplex, VLAN name list, VLAN # list, Operating speed,
Operating duplex, or even Port-security action.

976
 Managing Ports

Understanding the Port Statuses

The column Status provides information regarding the ports you manage.

Table 70.1. NetChange port statuses

Status Description
Active The port is active, or up.

Inactive The port is inactive, or down.

Testing The port is up but no operational packets can be passed.

LowerLayerDown
The port is inactive. These statuses are very rare. For more details, refer to the description
NotPresent of the MIB IF-MIB.
Dormant
Unknown The port status is unknown.

Disabled The port was disabled. For more details, refer to the section Enabling or Disabling a Port.

Enabling or Disabling a Port

NetChange offers a function to disable or enable ports of any network device, as soon as it has
been validated. This function allows you to disable directly through the web interface any port,
typically when a workstation has been detected as infected by a virus or when a user has not
been authorized on the network. To work properly, you must have defined the Write community
string of the SNMP profile used by the network device.

Keep in mind that you should never disable interconnection ports as you take the risk of
losing access to your network device.

To enable/disable a port
1. In the sidebar, go to NetChange > Ports. The page All ports opens.
2. Tick the port(s) for which you want to change the status.
3. In the menu, select Edit > Port status > Enable or Disable.The wizard opens.
4. Click on OK to complete the operation. The report opens and closes.
Keep in mind that on some devices, especially Cisco Catalyst, the configuration is not written
after the modification has been done, so if no write configuration command is made through
CLI, modifications can be lost if the switch is reloaded.

Editing a Port Interconnection

Interconnection ports are used to link the network devices (the backbone) between them. Most
of the network traffic is done through these ports.

NetChange discovery algorithm automatically isolates interconnection ports: they are marked
Yes in the column Interco if the number of discovered items on a port is greater than a defined
limit (4 by default).

The value of the column Interco is merely a way of filtering the ports in the list. However, if a port
interconnection is set to Yes, any MAC address discovered via the port is not logged on the page
Discovered item history. For more details, refer to the section Tracking the Discovered Items
History of a Specific Device.

977
 Managing Ports

To tag a port interconnection status

1. In the sidebar, go to NetChange > Ports. The page All ports opens.
2. Tick the port(s) you want to use as an interconnection.
3. In the menu, select Edit > Interconnection.The wizard Editing the port interconnection
status opens.
4. In the drop-down list Port interconnection status, select:
a. Auto to automatically detect the interconnection status of the port.
b. Yes to force the port interconnection status to Yes.
c. No to force the port interconnection status to No.
5. Click on OK to complete the operation. The report opens and closes.
If you have selected Auto, the value of the Interco column is Yes or No depending on the
interconnection status of the port.
If you have selected Yes or No, the value of the Interco column switches to Yes (forced)
or No (forced) respectively.

Editing a Port Speed and Duplex Mode

You can edit the port speed and duplex on each port individually. In some cases, you may only
be able to edit the speed. During the configuration, the available values depend on the port
possible speed and duplex configuration. We recommend that you display the Configured speed,
Configured duplex, Operating speed and Operating duplex columns to rapidly see the speed
and duplex configuration of the ports.

Keep in mind that you can only see the speed and duplex changes of active ports. If you edit the
port and speed of an inactive port, the changes are never visible in the GUI.

To edit a port speed and duplex mode

1. In the sidebar, go to NetChange > Ports. The page All ports opens.
2. Right-click over the Name of the port you want to edit. The contextual menu opens.
3. Click on . The wizard Edit a port opens.
4. If custom classes are enabled at port level, in the list Port class select a class or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. In the drop-down list Speed and duplex mode, select the port <speed> <duplex> of your
choice.
6. If the port can be configured with VLAN tagging, click on NEXT . The last page opens.
7. Click on OK to complete the operation. The report opens and closes.

Once you edited the port tagging mode, to see your changes in the columns Configured speed
and Configured duplex, you must refresh the device the port belongs to. For more details, refer
to the section Refreshing a Device Manually.

Updating a Port Description

Even though the name of a switch port cannot be edited, it is possible to modify its description
through NetChange to help you recognize it instantly from the graphical interface.

978
 Managing Ports

Note that:
• To work properly, you must have defined the Write community of the SNMP profile used by
the network device.
• The new description is directly updated on the port itself. It is visible in the column Description
and available to any user who discovers the device.

To update a port description

1. In the sidebar, go to NetChange > Ports. The page All ports opens.
2. Tick the port(s) for which you want to change the description.
3. In the menu, select Edit > Update port description.The wizard Update port description
opens.
4. In the field Port description, specify the description of your choice.
5. Click on OK to complete the operation. The report opens and closes.

Managing the 802.1X Authentication Protocol on a Port

You can manage 802.1X authentication on a port as long as you meet the prerequisites and take
into account the limitations.

Prerequisites
• The license NetChange.
• The network device that the port belongs to must support 802.1X authentication.
• 802.1X authentication must be enabled on the device to be managed from the GUI.
• 802.1X authentication must be configured on each port individually.
• 802.1X authentication must be enabled at device level to be enabled at port level. If it is disabled
on the device, the port is configured with it but not used for authentication.

Limitations
• On HP devices, only the HP-DOT1X-EXTENSIONS-MIB is supported.
• On Cisco devices, the interface vlanTrunkPortDynamicState should not be set to auto or desir-
able.

Enabling or Disabling 802.1x Authentication Protocol on a Port

You must edit ports to enable or disable 802.1X authentication. You can disable 802.1X authen-
tication on ports even if it is enabled on the network device they belong to.

On the page All ports, the column 802.1X allows to see if the authentication is enabled or not on
each port. For more details on how to add and display customized list template, refer to the
section Managing List Templates.

To enable/disable the 802.1X authentication on a port

1. In the sidebar, go to NetChange > Network devices. The page All network devices
opens.
2. Click on the name of a device marked Active in the column 802.1X. The page All ports of
the device opens.
3. Right-click over the Name of the port you want to edit. The contextual menu opens.

979
 Managing Ports

4. Click on . The wizard Edit a port opens.

5. If custom classes are enabled at port level, in the list Port class select a class or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
6. Click on NEXT . The last page opens.
7. The section Security configuration contains the box 802.1X. It is grayed out if 802.1X au-
thentication is disabled on the device.
a. To enable the 802.1X authentication, tick the box. The page refreshes.
b. To disable the 802.1X authentication, untick the box. The page refreshes.
8. Click on OK to complete the operation. The report opens and closes. The port is marked
Enabled or Disabled in the column 802.1X.

Note that you can enable both 802.1x authentication and port-security on a port, but on HP
devices, if 802.1x is enabled, only the port-security mode 8021xAuthorised is available.

Restricting Access to a Port with the Protocol Port-security

You must edit ports to use the protocol Port-security if the device supports it.

This protocol allows to restrict input to an interface by limiting and identifying MAC addresses
that are allowed to access the port.

By default, the protocol is enabled on the devices that support it and you can enable or disable
it individually on each port.

Prerequisites
• The license NetChange.
• On Cisco devices, the port mode Trunking/Tagging (i.e. switchport) is set to Access or Trunk.

Limitations
• On Cisco devices, only the CISCO-PORT-SECURITY-MIB is supported.
• Only HP devices supporting the HP-ICF-GENERIC-RPTR MIB can be configured.
• On HP devices, if you enable Port-security and 802.1x on a port, only the port-security mode
8021xAuthorised can be configured.
• On HP devices, if you enable Port-security and 802.1x on a port, you cannot limit the number
of MAC addresses that can access the port.

Enabling or Disabling Port-Security

To enable or disable Port-security on a port, you must edit it. You can enable both port-security
and 802.1x authentication on a port, but keep in mind that on HP devices, if 802.1x is enabled,
only the port-security mode 8021xAuthorised is available.

On the page All ports, the column Port-security allows to see which ports support it. For more
details on how to add and display customized list template, refer to the section Managing List
Templates.

980
 Managing Ports

To enable/disable the option Port-security on a port

1. In the sidebar, go to NetChange > Network devices. The page All network devices
opens.
2. Click on the name of a device of your choice. The page All ports of the device opens.
3. Right-click over the Name of the port you want to edit. The contextual menu opens.
4. Click on . The wizard Edit a port opens.
5. If custom classes are enabled at port level, in the list Port class select a class or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
6. Click on NEXT . The last page opens.
7. In the section Security configuration:
a. To enable Port-security, tick the box Port-security. The page refreshes and displays
the fields Mode, Maximum number of secured MAC addresses and/or Action. For more
details, refer to the section Configuring Port-Security Modes and or Limiting the Number
of MAC Addresses Allowed to Access a Port.
b. To disable Port-security, untick the box Port-security. The page refreshes, the dedicated
fields are no longer visible.
8. Click on OK to complete the operation. The report opens and closes. The port is marked
Enabled or Disabled in the column Port-security.

Limiting the Number of MAC Addresses Allowed to Access a Port

You can limit access to a port by setting a maximum number of MAC addresses when you edit
the port. This option can only be set if you enable the protocol Port-security.

On the page All ports, the column MAC number limit allows to see which ports are restricted,
by default it contains the value 1. For more details on how to add and display customized list
template, refer to the section Managing List Templates.

Note that on HP devices you cannot set a maximum number of MAC address on a port configured
both with 802.1x authentication and Port-security, the Port-security mode 8021xAuthorised does
not allow it.

To set a maximum number of MAC addresses that can access a port

1. In the sidebar, go to NetChange > Network devices. The page All network devices
opens.
2. Click on the name of a device of your choice. The page All ports of the device opens.
3. Right-click over the Name of the port you want to edit. The contextual menu opens.
4. Click on . The wizard Edit a port opens.
5. If custom classes are enabled at port level, in the list Port class select a class or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
6. Click on NEXT . The last page opens.
7. In the section Security configuration, tick the box Port-security. The page refreshes.

981
 Managing Ports

8. If you are editing the port of a HP device, make sure the Port-security Mode selected is
either FirstN or LimitedContinuous.
9. In the field Maximum number of secured MAC addresses, specify the number of MAC
addresses that can access the port. This number depends on your device. By default, Port-
security is configured with 1 MAC address.
To configure an Action for the port once the number of secured MAC addresses exceeds
the one you just set, refer to the section Configuring Port-Security Modes.
10. Click on OK to complete the operation. The report opens and closes. The column MAC
number limit displays the new value.

Configuring Port-Security Modes

SOLIDserver supports the configuration of some Port-security modes on the ports belonging to
HP, Cisco Juniper and Avaya devices.

On the page All ports, the configuration modes are displayed in the column Port-security action.

To configure the option Port-security on a port

1. In the sidebar, go to NetChange > Network devices. The page All network devices
opens.
2. Click on the name of the HP device of your choice. The page All ports of the device opens.
3. Right-click over the Name of the port you want to edit. The contextual menu opens.
4. Click on . The wizard Edit a port opens.
5. If custom classes are enabled at port level, in the list Port class select a class or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
6. Click on NEXT . The last page opens.
7. In the section Security configuration, tick the box Port-security.
8. For HP devices, in the field Mode select FirstN, 8021xAuthorized or LimitedContinuous. If
the authentication 802.1x is enabled, you can only select 8021xAuthorized.
Note that the mode configureSpecific cannot be selected during the Mode configuration. It
is automatically retrieved and displayed if it is configured on a port you are editing.
9. In the field Action, select the value of your choice. Each vendor provides a specific list.

Table 70.2. Configurable Port-security actions on ports for each vendor

Vendor Available actions
HP disable, sendTrap or sendTrapAndDisablePort.
Cisco shutdown, dropNotify or drop.
Juniper none, drop, alarm or shutdown.
Avaya discard or none.

If you configured a Maximum number of secured MAC addresses, the Action applies to
the extra MAC addresses, the addresses that try to connect to the port once the value spe-
cified in this field is exceeded.
10. Click on OK to complete the operation. The report opens and closes.

982
 Managing Ports

Limiting Port Edition Rights to Specific Groups of Users

With the license NetChange, you can use a class and a rule to define which groups of users are
allowed to edit the ports of your choice. For instance, you can decide that all the interconnection
ports can only be edited by users of the group admin.

To limit edition rights on a port you must:

1. Enable the class reserved in Class Studio.
2. Add and configure the rule 378.
3. Apply the class to the port you want to limit access to.

Keep in mind that once you configured the rule, and enabled and applied the class to a port, only
the users belonging to a group of users authorized in the rule can edit that port. Even users with
edition permissions on the ports and the proper resources are not allowed to edit the ports con-
figured with the class reserved if they do not belong to an authorized group of users.

Enabling the Class reserved

By default, the class reserved is disabled. You must enable it to be able to apply it to a port and
restrict access to it once you configured the rule 378.

To enable the class reserved

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. In the column Type, type in Port and hit Enter.
4. In the column Name, type in reserved and hit Enter.
5. Tick the class reserved that does not belong to the directory Library.
6. In the menu, select Edit > Enable class or Disable class. The wizard opens.
7. Click on OK to complete the operation. The report opens and closes, the page refreshes.
The class is marked as Enabled in the column Status.

Adding and Configuring the Rule 378

You must add and configure the rule 378 to be able to use the class reserved to restrict access
to your ports.

Keep in mind that once the rule is configured, its configuration overrides the port permissions set
for any group of users. Even if a group has all the existing ports within its resources and edition
permissions over them, its users are not allowed to edit the ports set with the class reserved if
they are not listed among the Authorized groups.

To add the rule 378 that defines the groups of users allowed to edit reserved ports
Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Rules. The page Rules opens.
3. In the menu, click on Add. The wizard Add a rule opens.
4. In the drop-down list Module, select NetChange.
5. In the drop-down list Event, select Edit: ports properties.

983
 Managing Ports

6. In the list Rule, select (378) Ports configuration permission.

7. In the field Rule name, name the rule.
8. In the field Comment, you can specify a comment if you want.
9. Click on NEXT . The page Rule filters opens.
10. Click on NEXT . The page Rule parameters opens.
11. In the list Available groups, select one by one the group(s) of users that can edit the ports
configured with the class reserved.
12. Click on . The group is moved to the list Authorized groups. Repeat this action for as
many groups as needed.
13. Click on OK to complete the operation. The report opens and closes. The rule is listed.

Applying the Class reserved to a Port

Once you enabled the class reserved and configured the rule 378, you can apply the class to the
ports of your choice.

On the page All ports, the column Class allows to see to which ports you applied the class re-
served. For more details on how to add and display customized list template, refer to the section
Managing List Templates.

To apply the class reserved to a port

1. In the sidebar, go to NetChange > Ports. The page All ports opens.
2. Right-click over the Name of the port you want to edit. The contextual menu opens.
3. Click on . The wizard Edit a port opens.
4. In the list Port class, select reserved.
5. Click on NEXT until you get to the last page of the wizard.
6. Click on OK to complete the operation. The report opens and closes.

Once the class is applied on a port, only users belonging the Authorized groups configured in
the rule can edit the port.

Configuring VLAN Tagging on a Port

With the license NetChange, you can edit the ports configuration on the network according to
your needs. For instance, set a port with a specific access VLAN.

Keep in mind that the untagged/access VLAN tag of a port is followed by a star (*) in the columns
VLAN name list and VLAN # list.

Configuring the Tagging Mode

When configuring VLAN tagging at ports level, you must choose the relevant tagging mode before
associating a port of specific VLANs. For this reason, we recommend that you display the
Trunking/Tagging mode column to rapidly see your ports configuration.

There are different tagging modes available depending on the network device vendor: Cisco or
others.

984
 Managing Ports

Cisco devices tagging modes

Cisco devices offer three tagging modes: Trunk (i.e. tagged), Access (i.e. not tagged) and
auto (the port mode is automatically one or the other). Setting a port to Trunk mode sets its
tag encapsulation mode to 802.1Q .
Other vendors tagging modes
Non-Cisco devices offer two tagging modes: tagged or mixed.

Keep in mind that you can only edit a device Trunking/Tagging mode if the SNMP configuration
set at device level allows to retrieve the MIBs.

To edit a port tagging mode on a non-Cisco network device

1. In the sidebar, go to NetChange > Ports. The page All ports opens.
2. Right-click over the Name of the port you want to edit. The contextual menu opens.
3. Click on . The wizard Edit a port opens.
4. If custom classes are enabled at port level, in the list Port class select a class or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. In the drop-down list Trunking/Tagging mode, select the mode of your choice: Tagged or
Mixed.
6. Click on OK to complete the operation. The report opens and closes.

Once you edited the port tagging mode, to see your changes in the column Trunking/Tagging
mode, you must refresh the device the port belongs to. For more details, refer to the section
Refreshing a Device Manually.

To edit a port tagging mode on a Cisco network device

1. In the sidebar, go to NetChange > Ports. The page All ports opens.
2. Right-click over the Name of the port you want to edit. The contextual menu opens.
3. Click on . The wizard Edit a port opens.
4. If custom classes are enabled at port level, in the list Port class select a class or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. In the drop-down list Trunking/Tagging mode, select the mode of your choice: Trunk, Access
or Auto.
If you set the trunking/tagging mode to auto, the 802.1X authentication must be inactive.
6. Click on OK to complete the operation. The report opens and closes.

Once you edited the port tagging mode, to see your changes in the column Trunking/Tagging
mode, you must refresh the device the port belongs to. For more details, refer to the section
Refreshing a Device Manually.

Associating a Port With a VLAN

Through the port edition wizard you can associate a port with a set of VLANs. These VLANs can
be tagged or untagged depending on the port tagging mode.

985
 Managing Ports

To rapidly see your port/VLAN association, make sure the columns VLAN # list and VLAN name
list are displayed.

Associating a Port with an Untagged VLAN

To associate a port with an untagged VLAN, its mode must be Access or Auto (on Cisco devices)
or Mixed (on any other device vendor). To edit the port tagging mode, refer to the section Config-
uring the Tagging Mode.

You can only associate one untagged VLAN with a port.

To associate a port with an untagged VLAN

1. In the sidebar, go to NetChange > Ports. The page All ports opens.
2. Right-click over the Name of the port you want to edit. The contextual menu opens.
3. Click on . The wizard Edit a port opens.
4. If custom classes are enabled at port level, in the list Port class select a class or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. In the section VLAN addition, the drop-down list Access/Untagged VLAN displays the
untagged VLAN associated with your port. Select the VLAN of your choice. By default, the
1 - default VLAN is selected.
If your port mode is Mixed or Auto, the previously selected VLAN is moved to the list Available
VLANs.
The lists can be empty if the device port cannot be configured.
6. Click on OK to complete the operation. The report opens and closes. The untagged VLAN
associated with the port is followed by a * in the columns VLAN # list and VLAN name list.

Associating a Port with a Tagged VLAN

To associate a port with tagged VLANs, its mode must be Trunk or Auto (on Cisco devices) or
Tagged or Mixed (on any other device vendor). To edit the port tagging mode, refer to the section
Configuring the Tagging Mode.

You can add as many untagged as you want with a port.

To associate a port with a tagged VLAN

1. In the sidebar, go to NetChange > Ports. The page All ports opens.
2. Right-click over the Name of the port you want to edit. The contextual menu opens.
3. Click on . The wizard Edit a port opens.
4. If custom classes are enabled at port level, in the list Port class select a class or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. In the section VLAN addition, the field Trunk/Tagged VLAN list displays all the tagged
VLANs associated with your port.
a. To add tagged VLANs, in the list Available VLANs, select a VLAN and click on , or
double-click on it, to move it to the list Trunk/Tagged VLAN list.

986
 Managing Ports

b. To remove the port association with tagged VLANs, in the list Trunk/Tagged VLAN
list, select a VLAN and click on , or double-click on it, to move it back to the list
Available VLANs.
6. Click on OK to complete the operation. The report opens and closes. The VLANs associated
with the port are displayed in the columns VLAN # list and VLAN name list.

Exporting Ports
From the page All ports, you can export the data listed in a CSV, HTML, XML, XLS or PDF file.

Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.

987
Chapter 71. Managing Configuration
Versioning
You can manage the configuration file versioning of network devices. Versioning allows to auto-
matically save all the changes in the configuration files, and all the revisions of the files are saved
in SOLIDserver backup file. To monitor versioning from NetChange you must:
1. Add a connection profile from the Administration module.
2. Enable versioning and configure the connection profile on the device.

Once configured, all the revisions are listed on the page All configurations, and you can compare
changes on the page Configuration and download entire files or only changes.

Prerequisites
• SOLIDserver with the license NetChange.
• The network device must support versioning, like HP, Cisco, Juniper or Extreme.
• The network device must already be managed from SOLIDserver. To add a network device,
refer to the section Adding Network Devices.

Limitations
• Disabling the configuration files versioning on a device deletes all the configuration file revisions
from the database.
• Configurations files are local. You cannot push them to the network device you manage from
SOLIDserver.
• Configurations files are read-only. You cannot rollback to a former file version.
• On appliances configured in High Availability, the configuration files versioning of your network
devices can only be managed from the Master appliance.

Browsing Configuration Files

The configurations are the second level of organization in NetChange, along with the routes,
VLANs, ports and addresses. They outline the devices use and detail their structure.

ROUTE

VLAN
NETWORK DISCOVERED
DEVICE VLANITEM
PORT

CONFIG

VLANADDRESS

Figure 71.1. The configuration in NetChange hierarchy

988
 Managing Configuration Versioning

Browsing the Configuration Files Database

The page All configurations allows to browse all the revisions of the configuration file of the
network devices for which you enabled versioning. The page Configuration displays the content
of the configuration file revision of your choice.

To display the list of configuration files

1. In the sidebar, go to NetChange > Configurations. The page All configurations opens.
2. To display the list of configuration files of a specific device, in the column Name, click on the
name of the network device of your choice. All the revisions of the configuration files of the
selected device are displayed.

There are 6 columns on the page All configurations that you can sort and filter. By default, all
the columns are displayed on the page, you cannot change their order.

Table 71.1. The columns on the page All configurations

Column Description
Name The network device name. This column is not displayed if you list the configurations
files of a specific network device.
Vendor The network device vendor. This column is not displayed if you list the configurations
files of a specific network device.
IP address The IP address of the network device management interface.
Revision The configuration file revision number, the latest revision is displayed as follows:
r.<number> (last). This revision number is based on a version control system and
does not reflect the number of changes in the file.
Configuration date The date and time when the configuration was saved. It is unique to each revision.
Changed lines The number of lines that changed between the latest revision and the previous one.

At the end of the line of each revision listed, you can find two links.

Table 71.2. The links on the page All configurations

Link Description
Compare with previous This link allows to compare side by side the latest revision of the configuration file
with the previous one.
Download This link allows to download any revision of the configuration file of your choice. The
downloaded file is named <network-device-ip-address>_r<revision-number>.txt .

Do not hesitate to set up alerts on the page to monitor any changes. For more details, refer to
the chapter Managing Alerts.

For more details regarding downloads, refer to the section Downloading Versioning Information.

To display the latest configuration file from the page All network devices
1. In the sidebar, go to NetChange > Network devices. The page All network devices
opens.
2. In the column Revision, click on r.<revision-number>. The page Configuration opens
and displays the latest version of the network device configuration file.
Above the configuration file content, a gray area contains the network device details: its
name, its IP address, and the date and time when the configuration version was saved.

989
 Managing Configuration Versioning

To display a configuration file from the page All configurations

1. In the sidebar, go to NetChange > Configurations. The page All configurations opens.
2. To display the revisions of a specific device, in the column Name, click on the network device
of your choice. The page refreshes.
3. In the column Revision, the latest revision number is named r.<number> (last), click on the
revision number of your choice. The page Configuration opens and displays the chosen
revision of the configuration file.
Above the configuration file content, a gray area contains the network device details: its
name, its IP address, and the date and time when the configuration version was saved.

By default, the configuration file displays all the passwords in plain text, if you do not want
all the users to see them you can edit a registry database entry to hide them. For more details,
refer to the section Configuring the Passwords Display in the Configuration Files.

Displaying Versioning Information on the page All network devices

A set of columns dedicated to network devices versioning provide information directly from the
page All network devices.

Table 71.3. The columns on the page All network devices

Column Description
Last config. check The date and time of the last configuration check on the device. This column is displayed
by default on the page.
Revision The last known device configuration revision number, following the format r.<revision-
number>. This revision number does not reflect the number of changes on the device
configuration file. The number is a link toward the latest version of the configuration file
on the page Configuration. This column is displayed by default on the page.
Versioning The device configuration versioning status. This column is displayed by default on the
page.
Yes: the versioning is active.
No: the versioning is inactive.
Error: the versioning is active but an error occurred during the last operation.
Unsupported: the versioning is not supported by the device.
Connection profile The device connection profile, the name of the profile currently associated with the device.
Configuration refresh The scheduled configuration versioning refresh frequency configured on the network
device.
Last configuration The date and time of the last configuration date, the last known configuration for the device.
It corresponds to the Revision number displayed on the page All network devices.
First configuration The date and time of the first configuration date, the first known configuration for the device.
It corresponds to the first known Revision available on the page All configuration for the
device.
No config. change for The number of hours that passed between the Last config. check and the Last configuration
on the device.

Do not hesitate to set up alerts based on these dedicated columns. For more details, refer to the
chapter Managing Alerts.

Managing Connection Profiles

To enable and configure versioning on a network device, a connection profile must be added
and associated with a network device that supports it.

990
 Managing Configuration Versioning

Connection profiles are managed on the page Network devices connection profiles in the
module Administration.

Only users of the group admin can add, edit and delete connection profiles.

Adding Connection Profiles

They can add as many connection profiles as needed.

Keep in mind that one profile can be used for several devices as long as the profile configuration
suits all the devices it is associated with.

To add a connection profile

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Network devices & SNMP profiles. The
page Network devices & SNMP profiles opens.
3. In the panel Network devices connection profiles, click on ADD . The wizard Add a con-
nection profile opens.
4. In the field Connection profile name, name the profile.
5. In the field Description, you can specify a description for the profile.
6. In the drop-down list Connection protocol, select the protocol used by the profile: SSH,
TELNET or RSH.
7. In the field Login, you can specify the name of the user connecting.
8. In the field Password, you can specify the connecting user password.
9. If you want to configure the profile further, tick the box Expert mode and follow the table
below.

Table 71.4. Connection profile Expert mode fields

Field Description
"enable" login The name of a user with enable privileges. In connection profiles added for Juni-
per network devices, you cannot use a superuser login.
"enable" password A password of the mode "enable" on the network device. In connection profiles
added for Juniper network devices, you cannot use a superuser login.
Auto enable Tick this box if the mode "enable" is automatic on the network device.
No "enable" privileges Tick this box if you do not want to use enable privileges for the profile. In connec-
tion profiles added for Juniper network devices, you might have to tick this box.
Cypher type If you selected SSH as your connection protocol, you can select the protocol
cypher type, either 3des, blowfish or des. By default, 3des is selected.
SSH identity If you selected SSH as your connection protocol, you can paste your SSH key.
Port If you selected TELNET as your connection protocol, you can specify the Telnet
port number on the network device.
Connection timeout The number of seconds after which the network device is considered unreachable.
By default, it is set to 20 seconds.

10. Click on OK to complete the operation. The report opens and closes. In the list Network
devices connection profiles, the new profile is listed as follows: <profile-name> [PRO-
TOCOL].

991
 Managing Configuration Versioning

Editing Connection Profiles

You can edit connection profiles.

Keep in mind that editing a connection profile associated with a device sets its status in the
column Versioning to Yes on the page All network devices.

To edit a connection profile

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Network devices & SNMP profiles. The
page Network devices & SNMP profiles opens.
3. In the panel Network devices connection profiles, select in the list Network devices
connection profiles the profile you want to edit.
4. Under the list, click on EDIT . The wizard Edit a connection profile opens.
5. Edit the profile. For more details, refer to the section Adding Connection Profiles.
6. Click on OK to complete the operation. The report opens and closes. If the profile you edited
is used on a network device, its Versioning status is now Yes.

Deleting Connection Profiles

A connection profile can be deleted only if it is no longer used on any network device.

If you want to delete a connection profile already associated with a network device, you must
edit the network device in question and select another connection profile. For more details, refer
to the section Configuring Versioning on One Device.

To delete a connection profile

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Network devices & SNMP profiles. The
page Network devices & SNMP profiles opens.
3. In the panel Network devices connection profiles, select in the list Network devices
connection profiles the profile of your choice.
4. Under the list, click on DELETE . The wizard Delete opens.
5. Click on OK to complete the operation. The report opens and closes. The profile is no longer
listed.

Configuring the Versioning of a Network Device

Configuring versioning implies to enable it and associate your network device with a connection
profile. It can be done on one network device at a time or on several network devices at once.

When versioning is enabled, you can manage the configuration files versioning from the pages
All configurations, Configuration and All network devices.

992
 Managing Configuration Versioning

Configuring Versioning on One Device

You can configure versioning for the network devices that support it directly on their properties
page once you added a connection profile.

To configure versioning on a network device

1. In the sidebar, go to NetChange > Network devices. The page All network devices
opens.
2. At the end of the line of the network device of your choice, click on . The properties page
opens.
3. In the panel Configuration versioning properties, click on EDIT . The wizard Network
device connection profile opens.
4. Tick the box Enable configuration versioning. A drop-down list appears.
5. In the drop-down list Network device connection profile, select the connection profile of
your choice.
6. Click on OK to complete the operation. The report opens and closes. In the panel, the line
Enable configuration versioning is marked yes and the Connection profile name and
Connection protocol of the device are displayed.

You can change the connection profile associated with your network device. Follow the procedure
above and select another connection profile.

Once you enabled versioning, the page All configurations allows to display the list of configur-
ation file revisions and click on a revision number to open that version of the configuration file.
To refresh a configuration files database, compare revisions or download revisions, refer to the
dedicated sections.

Configuring Versioning on Several Devices

You can enable and set the configuration versioning on several network devices at once from
the page All network devices. As the configuration is done from a single wizard, you have to
make sure that the existing connection profile that you select matches the network devices'
configuration needs.

To configure versioning on several network devices at once

1. In the sidebar, go to NetChange > Network devices. The page All network devices
opens.
2. Tick the network devices that you want to associate with your connection profile.
3. In the menu, Tools > Set configuration versioning. The wizard Configuration versioning
parameters opens.
4. Tick the box Enable configuration versioning. A drop-down list appears.
5. In the drop-down list Connection profile, select the connection profile of your choice.
6. Click on OK to complete the operation. The report opens and closes. On the properties page
of the selected devices, in the panel Configuration versioning properties: the line Enable
configuration versioning is marked yes and the Connection profile name and Connection
protocol of the device are displayed.

You can change the connection profile associated with several network devices. Follow the pro-
cedure above and select another connection profile.

993
 Managing Configuration Versioning

Once you enabled versioning, the page All configurations allows to display the list of configur-
ation file revisions and click on a revision number to open that version of the configuration file.
To refresh a configuration files database, compare revisions or download revisions, refer to the
dedicated sections.

Refreshing a Configuration File

In addition to refreshing the database, you can refresh the configuration files of the devices for
which versioning is enabled. Refreshing the configuration file checks that the latest revision on
the page All configurations matches the configuration of the network device you manage from
the GUI at the time of the refresh.

Note that you can limit the refresh and only allow it for network devices which Status is OK. For
more details, refer to the section Limiting Configuration Refresh Based on the Network Device
Status.

Refreshing Manually a Network Device Configuration File

The manual refresh allows to get the latest configuration available on a network device.

Keep in mind that the device parameter SNMP transfer timeout can impact the success of the
refresh. For more details, refer to the section Editing the SNMP Properties of a Network Device.

To manually refresh the configuration file of a device

1. In the sidebar, go to NetChange > Network devices. The page All network devices
opens.
2. Tick the network device(s) you want to refresh.
3. In the menu, select Edit > Refresh. The wizard Refresh a network device opens.
4. The box Device data is ticked. This box refreshes the database but not the configuration
file of the selected network device(s). You can leave it ticked if you want. For more details,
refer to the section Refreshing the Network Devices Database.
5. Tick the box Configuration versioning to retrieve the latest revision of the configuration
file of the selected device(s). This revision is retrieved only if any changes are detected.
6. Click on OK to complete the operation. The report opens and works for a while. The revision
number is incremented if changes were detected. To compare the changes, go to the page
All configurations of the network device and click on Compare with previous.

Scheduling the Versioning Refresh on a Network Device

The configuration file refresh can be planned ahead and queried out automatically. The scheduled
refresh can be set on any network device.

To set up a network device configuration file scheduled refresh

1. In the sidebar, go to NetChange > Network devices. The page All network devices
opens.
2. Tick the network device(s) for which you want to schedule the refresh.
3. In the menu, select Edit > Scheduling > Configure refresh. The wizard Set refresh
parameters opens.
4. Configure the refresh frequency using the table below.

994
 Managing Configuration Versioning

Table 71.5. Scheduled refresh frequency parameters

Field Description
Minute A moment of the hour, either 00, 15, 30 or 45. The minute respects the UTC standard.
By default, 00 is selected. This field is optional.
Hour A specific hour, a set of hours, every hour, or every hour over a specific period. The
hour respects the UTC standard. This field is optional.
Date of the month A specific day of the month or every day. By default, every day is selected. This field
is optional.
Month A specific month or every month. By default, every month is selected. This field is
optional.
Day(s) of the week A day, a frequency or a period of days. By default, every day is selected. This field is
optional.

5. The box Device data is ticked. This box refreshes the database at the scheduled time but
not the configuration file of the selected network device(s). You can leave it ticked if you
want. For more details, refer to the section Refreshing the Network Devices Database.
6. Tick the box Configuration versioning to retrieve the latest revision of the configuration
file of the selected device(s). This revision is retrieved only if any changes are detected at
the time of the scheduled refresh.
7. Click on OK to complete the operation. The report opens and closes. The refresh frequency
that you set is displayed in the panel Refresh properties on the properties page of your
network device.

To disable a scheduled refresh, refer to the section Disabling a Scheduled Refresh.

Comparing Configuration Files

From the page All configurations, you can access the page Configuration that provides a com-
parison of all the changes between two revision numbers, as raw data.

The page Configuration, in comparison display, provides the following information:

• Changed lines, on the left-end side, indicates the number of lines edited between the two re-
visions.
• The buttons Full diff and Short diff, on the right-end side, allow to display the whole configur-
ation files (Full diff), or only the lines that were edited (Short diff).
No matter the amount of information displayed, it is displayed as follows: on the left, the oldest
revision where changes are highlighted in orange; on the right, the latest revision where changes
are highlighted in green.
• Previous changes, on the right-end side, allows to compare older revisions of the configuration
file, when possible. It actually compares the oldest revision with the previous revision of the
configuration.
• Next changes, on the right-end side, allows you to navigate between comparisons of two re-
visions: toward more recent and/or older changes.
• revision <number> , on the right-end side of each file revision allows to open the configuration file
revision on its own, without the changes.

You can compare consecutive revisions of a device configuration file or even non-consecutive
revisions of a configuration file or configuration files from different network devices.

995
 Managing Configuration Versioning

Comparing Consecutive Revisions of a Configuration File

From the page All configurations, you can open the comparison display of the page Configuration.
It allows to compare the revision of your choice with a previous one.

The very first revision available compares an empty file with that revision.

To compare consecutive revisions of a configuration file

1. In the sidebar, go to NetChange > Configurations. The page All configurations opens.
2. In the column Name, click on the network device of your choice. Only the configuration file
revisions of the device are listed; in the column Revision, the latest revision is named
r.<number> (last).
3. At the end of the line of the revision of your choice, click on Compare with previous. The
page Configuration opens.
The oldest revision is on the left and the latest on the right. Each revision has its own gray
area with the device revision details.
4. You can use the buttons to navigate the revisions changes, display the entire file with the
changes or only the changes or even display only one revision. For more details, refer to
the introduction of the section Comparing Configuration Files.

Comparing Any Configuration File Revisions

From the page All configurations, you can tick several revisions - consecutive ones, the first and
last revisions of a network device, two revisions belonging to different network devices - and
compare them on the page Configuration using the menu.

To compare non-consecutive revisions of a configuration file

1. In the sidebar, go to NetChange > Configurations. The page All configurations opens.
2. Tick the two revisions that you want to compare. It can be non-consecutive revisions of the
same configuration file or from two different configuration files.
3. In the column Name, click on the network device of your choice. Only the configuration file
revisions of the device are listed: in the column Revision, the latest revision is named
r.<number> (last).
4. At the end of the line of the revision of your choice, click on Compare with previous. The
page Configuration opens.
The oldest revision is on the left and the latest on the right. Each revision has its own gray
area with the device revision details.
5. You can use the buttons to navigate the revisions changes, display the entire file with the
changes or only the changes or even display only one revision. For more details, refer to
the introduction of the section Comparing Configuration Files.

Monitoring the Configuration Versioning in the Logs

You can monitor versioning changes on the page Syslog, in the Administration module.

Versioning dedicated logs include: notifications if the device does not support it, if versioning is
enabled/disabled, the new configurations, etc.

To display the versioning dedicated logs

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.

996
 Managing Configuration Versioning

2. In the section Monitoring, click on Syslog. The page Syslog opens.

3. Under the menu, in the drop-down list SOLIDserver, make sure your local SOLIDserver is
selected.
4. Under the menu, in the drop-down list Services, select ipmserver.
5. In the column Description, filter the list using the keyword configuration.
The logs indicate when versioning has been enabled or disabled, they include the network
device name and IP address.

Downloading Versioning Information

Once you enabled versioning, any configuration file in the database can be downloaded.

From the page Configuration, you can download one revision or the differences between two
compared configuration files.

From the page All configurations, you can display an archive file containing as many configuration
file revisions as you need.

Downloading a Configuration File

From the page Configuration, you can download any configuration file revision as a .txt file.

To download consecutive revisions of a configuration file

1. In the sidebar, go to NetChange > Configurations. The page All configurations opens.
2. In the column Revision, click on the revision of your choice. The page Configuration opens.
Above the configuration file content, a gray area contains the network device details: its
name, its IP address, and the date and time when the configuration version was saved.
3. On the right-end side of the network device details, click on Download and save the file.
The downloaded file is named <device-ip-address>_r<revision-number>.txt.

Downloading Compared Configuration Files

From the page Configuration, you can download the compared display of two comparison files
as a .diff file.

Keep in mind that the downloaded file only contains the differences between the two revisions,
even if you display the Full diff.

To download compared configuration file revisions

1. In the sidebar, go to NetChange > Configurations. The page All configurations opens.
2. Compare the revisions of your choice. For more details, refer to the sections Comparing
Consecutive Revisions of a Configuration File and Comparing Any Configuration File Revi-
sions.
3. Above the configuration files content, in the right-end side, click on Download diff and save the
file. Only the differences between the files are downloaded.
Depending on the revisions you chose to compare, the downloaded file is named <device-
ip-address>_r<oldest-revision>_r<latest-revision>.diff or <device-1-ip>_r<revision-num-
ber>_<device-2-ip>_r<revision-number>.diff.

997
 Managing Configuration Versioning

Downloading Several Configuration Files in an Archive

You can download one or several revisions from the page All configuration in a .tar file.

To download configuration file revisions in an archive file

1. In the sidebar, go to NetChange > Configurations. The page All configurations opens.
2. Tick the revision(s) you want to download.
3. In the menu, select Tools > Download device configurations. The wizard Download
device configurations opens.
4. Click on OK to complete the operation. The report opens, you can DOWNLOAD and save the
file directly from the wizard.
The downloaded file is named configs_<date>_<time>.tar and is available in the module
Administration, on the page Local files listing.

Configuring Advanced Versioning Options

Some registry database entries allow to customize the configuration files refresh possibilities and
the passwords display within the files.

Configuring the Passwords Display in the Configuration Files

You can manage the versioning of your network devices, which is supported by most vendors,
to automatically save all the changes in the configuration files. All the revisions of the files are
then saved in SOLIDserver backup file.

Thanks to a registry database key, you can show or hide all or some of the passwords of the
configuration file. By default, they are all hidden and we strongly recommend leaving it this way.

To configure the passwords display in the configuration files

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Registry database. The page Registry database opens.
3. Filter the column Name with module.iplocator.rancid.show_passwords.
4. Hit Enter. Only this key is listed.
5. In the column wizard Value, click on the value listed. The Registry database Edit a value
opens.
6. In the field Name, the key name is displayed in read-only.
7. In the field Value, specify 0, 1 or 2. By default, it is set to 0.

Table 71.6. Available display options for passwords in the configuration file
Value Description
0 Allows to hide all the passwords in the configuration files.
1 Allows to display only the encrypted passwords of the configuration files, in their encrypted form.
All the non-encrypted passwords are hidden.
This display option can be useful to keep track of the password changes without displaying them.
2 Allows to display all the passwords of the configuration files.
This display option is not recommended.

We strongly recommend leaving the default value 0.

998
 Managing Configuration Versioning

8. Click on OK to complete the operation. The report opens and closes. The column Value
contains the value you set.

Limiting Configuration Refresh Based on the Network Device Status

Thanks to a registry database key, you can prevent users from refreshing the configuration of
the network devices with a Status different from OK. By default, the configuration refresh is allowed
no matter the network device's status.

To set configuration refresh permissions based on status

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Registry database. The page Registry database opens.
3. Filter the column Name with module.iplocator.rancid.ignore_snmp_status.
4. Hit Enter. Only this key is listed.
5. In the column Value, click on the value listed. The wizard Registry database Edit a value
opens.
6. In the field Name, the key name is displayed in read-only.
7. In the field Value, specify the value that suits your needs:

Table 71.7. The accepted values of the configuration file refresh key
Value Description
0 Prevent users from refreshing the configuration of network devices which Status is not OK.
1 Allow configuration refresh of network devices no matter their Status. This is the default value.

8. Click on OK to complete the operation. The report opens and closes. The column Value
contains the value you set.

Exporting Configuration Files

From the page All configurations, you can export the data listed in a CSV, HTML, XML, XLS or
PDF file.

Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.

Disabling Versioning on a Network Device

To disable versioning, you have to edit the network device network connection profile.

Keep in mind that disabling the configuration files versioning on a device deletes all the
configuration file revisions saved in the database.

To disable versioning on a network device

1. In the sidebar, go to NetChange > Network devices. The page All network devices
opens.
2. At the end of the line of the network device of your choice, click on . The properties page
opens.

999
 Managing Configuration Versioning

3. In the panel Configuration versioning properties, click on EDIT . The wizard Network
device connection profile opens.
4. Untick the box Enable configuration versioning. The page refreshes and the drop-down
list Network device connection profile is no longer visible.
5. Click on OK to complete the operation. The report opens and closes. In the panel, only the
line Enable configuration versioning remains, it is marked no.

Once disabled, the network device is marked No in the column Versioning on the page All
network devices.

To disable versioning on several network devices at once

1. In the sidebar, go to NetChange > Network devices. The page All network devices
opens.
2. Tick the network devices that you want to associate with your connection profile.
3. In the menu, Tools > Set configuration versioning. The wizard Configuration versioning
parameters opens.
4. Untick the box Enable configuration versioning. The page refreshes and the drop-down
list Connection profile is no longer visible.
5. Click on OK to complete the operation. The report opens and closes. On the properties page
of the selected devices, in the panel Configuration versioning properties: only the line
Enable configuration versioning remains, it is marked no.

Once disabled, all the network devices selected are marked No in the column Versioning on the
page All network devices.

1000
Chapter 72. Managing Addresses
The page All addresses lists the IP addresses configured for the interfaces of each network
device managed from the page All network devices.

Browsing Addresses
The addresses are the second level of organization in NetChange, along with the routes, VLANs,
ports and configurations.

ROUTE

VLAN
NETWORK DISCOVERED
DEVICE VLANITEM
PORT

CONFIG

VLANADDRESS

Figure 72.1. The address in NetChange hierarchy

Browsing the Addresses Database

To display the list of configured IP addresses
1. In the sidebar, go to NetChange > Addresses. The page All addresses opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. To display the list of IP addresses configured for a specific network device, in the column
Network device, click on the name of the device of your choice. The page refreshes.

Customizing the Display on the Page All addresses

Any user can change the column layout of the page via the button List template, on the right-
end side of the menu. Only users of the group admin can add or edit list templates. For more
details, refer to the section Managing List Templates.

Table 72.1. Available columns on the page All addresses

Column Description
IP address The interface IP address.
Network address The address of the network the IP address belongs to.
Interface name The interface name.
Network device The network device managing the interface the IP address is associated with.
VLAN ID The ID of the VLAN the IP address belongs to, as set on the network device.
VRF name The name of the VRF as set on the network device.
VRF RD The VRF Route Distinguisher. A unique 64-bits identifier, that can be composed of
IP addresses or AS Numbers, that differentiates every set of routes on each VRF.
For more details, refer to the part VRF.

1001
 Managing Addresses

Column Description
Status The interface status: Active or Inactive.

Keep in mind that you can use colored labels to differentiate at a glance IPv6 address containers.
For more details, refer to the chapter Managing IPv6 Labels.

Exporting Addresses
From the page All addresses, you can export the data listed in a CSV, HTML, XML, XLS or PDF
file.

Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.

1002
Chapter 73. Managing Discovered Items
The discovered items are devices connected to NetChange network devices. Usually these items
are edge devices, like workstations, servers, printers and so on. All these devices are identified
through their MAC address.

Discovered items are automatically retrieved from NetChange devices after each discovery and
put in the history. They can be discovered through many types of interface such as physical
ethernet interfaces, virtual aggregated interfaces, VLAN interfaces or loopbacks.

The page All discovered items provides detailed information on where a device IP or MAC address
has been connected to the network, when it connected, which device port was used, in which
VLAN etc.

Browsing Discovered Items

The discovered items are the third and last level of the organization of the NetChange module.

ROUTE

VLAN
NETWORK DISCOVERED
DEVICE VLANITEM
PORT

CONFIG

VLANADDRESS

Figure 73.1. The discovered item in NetChange hierarchy

Browsing the Discovered Items Database

To display the list of discovered items
1. In the sidebar, go to NetChange > Discovered items. The page All discovered items
opens.
2. To display the list of discovered items of a specific network device, in the column Network
device, click on the name of the device of your choice. The page refreshes.

One MAC address can be listed multiple times. It is listed for each unique IPv4 and/or IPv6 address
associated with the discovered item.

The discovered items do not have a properties page, all the information is displayed on the page.

To display the discovered items history

1. In the sidebar, go to NetChange > Discovered items. The page All discovered items
opens.
2. On the right-end side of the menu, click on Discovered item history. The page opens.
For more details, refer to the section Tracking the Discovered Items History of a Specific
Device.

1003
 Managing Discovered Items

Customizing the Display on the Page All Discovered Items

Any user can change the column layout of the page via the button List template, on the right-
end side of the menu. Only users of the group admin can add or edit list templates. For more
details, refer to the section Managing List Templates.

Some columns on the page provide specific information regarding the discovered items:

Table 73.1. Available columns on the page All discovered items

Column Description
DNS name The name of each discovered item is automatically retrieved by NetChange if it is declared
a
in an A or PTR record in one of your DNS resolvers .
Last seen The time and date when the MAC address was last seen on a specific port and VLAN.
This column is displayed by default on the page.
Discovered on The time and date when the MAC address was seen for the first time on a specific port
and VLAN. This column is displayed by default on the page.
First seen The time and date when the MAC address was seen for the first time on a port, VLAN or
network device. By default, this information is not retrieved, to retrieve it, refer to the section
Enabling the Data Retrieval for the Column First Seen.
Source The origin of the IP address, it indicates where it was retrieved.
Network device: the IP address was retrieved either from the ARP table (for IPv4) or the
NDP table (for IPv6) of the network device.
lease: the IP address is a lease allocated in the DHCP.
static: the IP address is a static reserved in the DHCP.
IPAM: the IP address is assigned in the IPAM.
Network device IP The IP address of the network device the item was discovered on.
IPv4 address The IPv4 address of the discovered item, retrieved in the Network device ARP table. This
column can be empty if the device has an IPv6 address or if no address was discovered.
IPv6 address The IPv6 address of the discovered item, retrieved in the Network device NDP table. This
column can be empty if the device has an IPv4 address or if no address was discovered.
You can use colored labels to differentiate at a glance IPv6 address containers. For more
details, refer to the chapter Managing IPv6 Labels.
VRF Name The name of the VRF the MAC address belongs to.
VRF RD The VRF Route Distinguisher.
a
Setting the DNS Resolver can be performed from the page Network configuration. NetChange does not retrieve the in-
formation in the records of the DNS servers you manage.

Enabling the Data Retrieval for the Column First Seen

The column First seen allows to display the time and date that the discovered items have ever
been seen connected to a port, VLAN or network device. Retrieving that information can lower
NetChange performances, which is why by default it is disabled.

To enable the retrieval of the data displayed in the column First seen, you must add a dedicated
key in the registry database and reboot SOLIDserver.

To enable the data retrieval in the column First seen

1. Add the registry key
Only users of the group admin can perform this operation.
a. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.

1004
 Managing Discovered Items

b. In the section Expert, click on Registry database. The page Registry database opens.
c. In the menu, click on Add. The wizard Registry database Add an item opens.
d. In the field Name, type in module.iplocator.activate_first_seen .
e. In the field Value, type in 1 to enable the data retrieval.
f. Click on OK to complete the operation. The report opens and closes. The key is listed.
2. Reboot SOLIDserver
a. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
b. In the section Maintenance, click on Reboot SOLIDserver. The wizard Reboot the
system opens.
c. Click on OK to complete the operation. You are logged out, the login page details the
progression until the connection is lost.
d. Refresh the page until the login page appears.
Once the reboot is complete and the login page is visible again, log in and go to the page
All discovered items. In the column First seen, all the information available is displayed.

Refreshing the Discovered Items Database

You can refresh a selection of discovered items, whether they are associated with an IPv4 or
IPv6 address form the page All discovered items.

To refresh manually or schedule the refresh of a network device and all its discovered items,
refer to the section Refreshing the Network Devices Database.

To refresh the discovered items manually

1. In the sidebar, go to NetChange > Discovered items. The page All discovered items
opens.
2. Tick the discovered item(s) you want to refresh.
3. In the menu, select Edit > Refresh. The wizard Refresh a network device opens.
4. Click on OK to complete the operation. The report opens and closes.

Populating Device Manager

The same way you can create a discovered network device into Device Manager, you can populate
Device Manager with a selection of discovered items. This allows to create the corresponding
device and interface in Device Manager, with the MAC address differentiating each interface.

For more details, refer to the section Automatically Adding Discovered Items in Device Manager.

Creating the IP Address of a Discovered Item in the IPAM

You can assign IPv4 and IPv6 addresses in the IPAM from the page All discovered items.

To successfully create IP addresses in the IPAM from NetChange, make sure that:
1. The IP address of the discovered item is actually retrieved and displayed. It might not be
available if the router has not found any equivalence between the MAC and IP address, neither
from the equipment nor from the DHCP.
2. The IP address of the discovered item is available in the IPAM. The option allows to:

1005
 Managing Discovered Items

• Select a Target space, either the same space as the one set for the network device managing
your item or another space, as long as this space contains a terminal network with free ad-
dresses that you can assign to your discovered items. For more details regarding the space
selection at network level, refer to the section Adding Network Devices.
• Tick the box Use best space to automatically find a space that can receive the discovered
item in the smallest terminal network available.

To create the IP address of a discovered item in the IPAM

1. In the sidebar, go to NetChange > Discovered items. The page All discovered items
opens.
2. Tick the discovered item(s) you want to create in the IPAM.
3. In the menu, select Tools > Create IP address in the IPAM. The wizard Create IP ad-
dresses in the IPAM opens.
4. To automatically select a space, tick the box Use best space. The drop-down list Target
space disappears.
The selected discovered item(s) are created in the space containing the smallest network
that can receive them.
5. To select a specific space, in the drop-down list Target space, select the space of your
choice.
6. Click on OK to complete the operation. The report opens and closes. The IP address is listed
on the page All addresses, in the IPAM.

Purging the Discovered Items Database

You can purge the discovered items database of all your network devices at once, that is to say
remove MAC addresses older than a certain period from the page All discovered items.

All MAC addresses discovered prior to the period you set are removed from the page and only
available on the page Discovered items history. For more details, refer to the section Tracking
the Discovered Items History of a Specific Device.

Note that you can also configure or refine the purge frequency via the rule 008, for more details
refer to the section Keeping NetChange Data Up-to-date.

To purge the discovered items database of all the network devices

1. In the sidebar, go to NetChange > Discovered items. The page All discovered items
opens.
2. In the menu, select Tools > Administration > Purge MAC addresses. The wizard Purge
MAC addresses opens.
3. In the field Number of hours to keep, specify the value of your choice.
4. Click on OK to complete the operation. The wizard closes. Only the items which MAC address
was discovered during the period you set are listed.

Tracking the Discovered Items History of a Specific Device

NetChange database is not erased automatically. However, from the page Discovered items
history you can have an overview of the movements of a specific edge device during previous
discoveries.

1006
 Managing Discovered Items

That way, using a MAC address, you can see the different IP addresses an edge device had, at
different periods of time, which switch and port it was connected and which VLAN it belonged to.
This function also allows to track laptops on the network and see on which switches and ports
they have been successively connected to.

To manage the columns display, refer to the section Customizing the Display on the Page All
Discovered Items.

To display the Discovered items history of a specific network device

1. In the sidebar, go to NetChange > Discovered items. The page All discovered items
opens.
2. In the column Network device, click on the name of the network device of your choice. The
page refreshes, the device name is displayed in the breadcrumb.
3. On the right-end side of the menu, click on Discovered item history. The page opens
and displays only the history of the network devices of the network you chose.
4. If need be, filter the list using the search engine of the column(s) of your choice.

To limit the number of discovered items saved in the history, you can configure and enable a rule
dedicated to purging the NetChange database, including discovered items. For more details,
refer to the section Keeping NetChange Data Up-to-date.

Exporting Discovered Items

From the page All discovered items and All discovered items history, you can export the data
listed in a CSV, HTML, XML, XLS or PDF file.

Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.

1007
Chapter 74. Managing Statistics
NetChange can provide a set of specific statistics. These statistics are all displayed as pie and
bar charts that can present vendors, speed, usage, etc.

Displaying NetChange Statistics

By default, NetChange dashboard displays four gadgets (pie charts) that present the database
network devices vendors, number of ports per device, ports status and ports speed.

To display NetChange gadgets

1. From any page, in the top bar, select My account > My Gadgets. The page My Gadgets
opens.
2. In the breadcrumb, click on Gadgets Library. The page Gadgets Library opens.
3. In the list, tick the gadget(s) of your choice: Number of NetChange ports per device,
NetChange network devices vendor, NetChange active ports speed (bps) and/or NetChange
ports status.
4. In the menu, select Edit > Assign Gadget(s). The gadget configuration wizard opens.
5. In the list Available, select a module and click on .
6. The module name is moved to the list Configured.
7. Click on OK to complete the operation. The report opens and closes. The gadgets are dis-
played on the selected dashboards and listed in the column Dashboard.

In addition to these holistic charts, NetChange provides specific charts on the network devices
and port properties pages.

Displaying Network Device Statistics

The properties page of the network devices contains a chart summing up the device ports status.

To display the statistics of a network device

1. In the sidebar, go to NetChange > Network devices. The page All network devices
opens.
2. At the end of the line of the device of your choice, click on . The properties page opens.
3. Open the panel Network device ports status to display the graph.

Displaying Port Statistics

The ports properties page provides a set of charts that display accurate data if you enable the
rule 067.

Enabling the Rule That Retrieves Ports Information

The rule 067 allows to retrieve ports information and display it on the ports properties page. By
default, it is listed among the Rules but disabled, so you have to activate it to retrieve data.

To activate the collection of data rule

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.

1008
 Managing Statistics

2. In the section Expert, click on Rules. The page Rules opens.

3. Through the columns filters, look for the rule 067 called Charts of NetChange ports bandwidth
usage.
4. Tick the rule.
5. In the menu, select Edit > Enable. The wizard Enable opens.
6. Click on OK to complete the operation.

Displaying a Port Charts

On the port properties page, you can display four different charts: NetChange port traffic,
NetChange port broadcast traffic, NetChange port unicast traffic and NetChange port error
packet traffic.

To display the statistics of a port

1. In the sidebar, go to NetChange > Network devices. The page All network devices
opens.
2. Click on the name of the device of your choice. The page All ports of the device opens.
3. At the end of the line of the port of your choice, click on . The properties page opens.
4. Click on in the upper right corner of the page to open all the panels.

The charts contain In and Out parameters. To better understand them, refer to the table below.

Table 74.1. NetChange ports charts information

Information Description
In octets The total number of octets received on the port, including framing characters.
Out octets The total number of octets transmitted out of the port, including framing characters.
In broadcast The number of non-unicast (i.e., subnetwork- broadcast or subnetwork-multicast) packets de-
livered to a higher-layer protocol.
Out broadcast The total number of packets that higher-level protocols requested be transmitted to a non- unicast
address, including those that were discarded or not sent.
In unicast The number of unicast packets delivered to a higher-layer protocol.
Out unicast The total number of packets that higher-level protocols requested be transmitted to a subnetwork-
unicast address, including those that were discarded or not sent.

1009
Chapter 75. Monitoring and Tuning
NetChange offers a set of options to monitor and tune your network devices and discovered
items.

Generating NetChange Reports

EfficientIP provides NetChange dedicated reports for network devices. The reports on inconsist-
encies might be empty if the devices configuration is correct.

Table 75.1. Available NetChange reports

Page Report
All network devices Network devices properties
NetChange/IPAM/DHCP data comparison
Network devices summary

For more details regarding the reports and their generation, refer to the section Managing Reports.

Keeping NetChange Data Up-to-date

In addition to periodically refreshing the network devices using scheduling, as explained in the
chapter Managing Network Devices, to keep NetChange up-to-date data, you should remove old
data from the history to speed up the processes and have only the relevant IP or MAC address
information.

The choice of periodicity depends completely on your environment and what you intend to do
with NetChange, you may need to have a history of all movements (so you might need to purge
the database every month or trimester) or you may only need the most relevant data when
looking for a host (so you might want to purge every week).

To configure the purge frequency of the data listed on the page All discovered items, you must
edit and enable the rule 008.

To edit the rule 008 that purges NetChange History

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Rules. The page Rules opens.
3. In the column Rule # search field, type in 008. The rule is the only one listed.
4. Configure the rule
a. At the end of the line, click on . The properties page opens.
b. In the panel Main properties, click on EDIT . The wizard Edit a rule opens.
c. Click on NEXT . The page Rule filters appears.
d. Edit the rule frequency according to your needs.

Table 75.2. Frequency filters of the rule 008

Field Description
Day(s) of the week A day, a frequency or a period of days. By default, every day is selected. This
field is optional.
Date of the month A specific day of the month or every day. By default, every day is selected. This
field is optional.

1010
 Monitoring and Tuning

Field Description
Month A specific month or every month. By default, every month is selected. This field
is optional.
Hour A specific hour, a set of hours, every hour, or every hour over a specific period.
The hour respects the UTC standard. This field is optional.
Minute A moment of the hour (00, 15, 30 or 45) or a frequency. The minute respects the
UTC standard. By default, 30 is selected. This field is optional.

e. Click on NEXT . The page Rule parameters appears.

f. Configure the purge according to your needs.

Table 75.3. Rule parameters

Field Description
Purge MAC/port history Allows to keep (No) or delete (Yes) the history data of all the MAC addresses
that were discovered thought a port, when their lifespan exceeds the Number
of days to keep. By default, Yes is selected. This field is optional.
Purge MAC/IP history Allows to keep (No) or delete (Yes) the association history of all the MAC
addresses that were retrieved from the ARP table of the network device,
when they their lifespan exceeds the Number of days to keep. By default,
Yes is selected. This field is optional.
Number of days to keep The maximum number of days that you want to keep NetChange history,
this includes the discovered item and time entries are listed in the History
view. By default, it is set to 180. This field is required.

g. Click on OK to complete the operation. The report open and closes.

5. Enable the rule
a. Tick the rule 008.
b. In the menu, select Edit > Enable. The wizard Enable opens.
c. Click on OK to complete the operation. The wizard closes, the page refreshes.The rule
is Enabled.

Synchronizing the Network Devices with a CSV File

The rule 010 allows to automatically synchronize network devices to NetChange through a CSV
file. That file must be stored locally and contain on each line the IP address of a network device.

To retrieve the list of devices, you must edit the rule, specify the path to the local CSV file and
enable the rule. If the CSV file contains devices that are not managed by NetChange yet, they
are automatically imported during the synchronization.

To edit the rule 010 that retrieves network devices from a CSV file
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Rules. The page Rules opens.
3. In the column Rule #, type in 010 and hit Enter. The rule is the only one listed.
4. Configure the rule
a. At the end of the line, click on . The properties page opens.
b. In the panel Main properties, click on EDIT . The wizard Edit a rule opens.
c. Click on NEXT . The page Rule filters opens.
d. Edit the rule frequency according to your needs.

1011
 Monitoring and Tuning

Table 75.4. Frequency filters of the rule 380

Column Default value
Day(s) of the week A day, a frequency or a period of days. By default, every day is selected. This
field is optional.
Date of the month A specific day of the month or every day. By default, every day is selected. This
field is optional.
Month A specific month or every month. By default, every month is selected. This field
is optional.
Hour A specific hour, a set of hours, every hour, or every hour over a specific period.
The hour respects the UTC standard. By default, 01 is selected. This field is op-
tional.
Minute A moment of the hour (00, 15, 30 or 45) or a frequency. The minute respects the
UTC standard. By default, 00 is selected. This field is optional.

e. Click on NEXT . The page Rule parameters opens.

f. Configure the retrieval according to your needs.

Table 75.5. Rule parameters

Field Description
Local CSV file The path toward the CSV file containing the list of addresses. This CSV file must
already be part of the local SOLIDserver file system. This field is optional.
Devices missing in Allows to Delete or perform No action over the devices already listed in the page
CSV file All network devices but not part of the CSV file. By default, No action is selected.
This field is optional.
Site id The name of the IPAM space to associate with the network devices. The IP ad-
dress of each device is imported in the selected space. This field is required.
Delimiter The delimiter that separates the data of your CSV file, either , (comma), ; (semi-
colon) or tab. By default, the comma is selected. This field is optional.
Skip first line Allows to avoid importing the columns title (Yes) or to include them (No). By default,
Yes is selected. This field is optional.

g. Click on OK to complete the operation.

5. Enable the rule
a. Tick the rule 010.
b. In the menu, select Edit > Enable. The wizard Enable opens.
c. Click on OK to complete the operation. The wizard closes, the page refreshes.The rule
is Enabled.

Customizing the Type of Network Devices

On the page All network devices, the column Type displays partial vendor and/or model inform-
ation about each network device. Via CLI, you can customize the content of this column and
append the information of your choice for each device.

To customize the network devices Type, users with administrative rights over SSH connections
to SOLIDserver must:
1. Create a file <vendor-id>.inc for each vendor and place it in the directory /data1/etc/netchange/
You need one file per vendor that includes all the devices you need, the device Vendor ID is
displayed in the column System OID.

1012
 Monitoring and Tuning

2. Add a line per device that includes its OID and the information to display in the column in json
format.
Note that first part of all devices OID .1.3.6.1.4.1. is already taken into account, so you only
need to specify the device OID from vendor to device.

For instance, to customize the type of Cisco Nexus 6004 devices, you can create a file 9.inc,
9 being Cisco's vendor ID, containing the following information:
{
"9.12.3.1.3.1237": { "model": "Nexus 6004 Switches in the US"}
{

The column Type now displays Cisco Nexus 6004 Switches in the US instead of Cisco Nexus
6004.

To customize the Type of a network device

1. Create a file <vendor-id>.inc using the vendor ID of your choice that contains each network
device OID and the information to display in the column Type as follows:
{
"<vendor-id>.<oid-of-device-1>": { "model": "<your-device-1-information>"}
"<vendor-id>.<oid-of-device-2>": { "model": "<your-device-2-information>"}
}

2. Connect to your appliance using an SSH session or a console port.

3. Log in as the default admin user, the default password is admin, or using the credentials of
a user with sudo permissions.
4. Get root access using the following command:
sudo -s

5. Upload each file to the directory /data1/etc/netchange/ of your appliance.

6. Refresh the network devices:
a. In the sidebar, go to NetChange > Network devices. The page All network devices
opens.
b. Tick the network device(s) you want to refresh.
c. In the menu, select Edit > Refresh. The wizard Refresh a network device opens.
d. Tick the box Device data to refresh the database of the selected network device(s).
e. Click on OK to complete the operation. The report opens and works for a while.
When the refresh is over, a report might appear and list the added IP addresses (Notice)
and existing ones (Error). This list only regards the device addition or import in the se-
lected Target space. You can download this report in the format of your choice: TEXT ,
HTML or EXCEL .

f. Click on CLOSE to go back to the page All network devices. The page refreshes.
In the column Type, the information regarding the device(s) matching the OID you
specified in the files are updated.

1013
 Part XII. Workflow
The Workflow is a request-based module allowing standard users to ask for changes in the IPAM and DNS:
• DNS zones addition, edition or deletion.
• IPAM non-terminal networks addition, edition or deletion. These can be block-type or subnet-type net-
works.
• IPAM terminal networks addition, edition or deletion.
• IPAM pools addition, edition or deletion.
• IPAM IP addresses addition, edition or deletion.

All the requests are listed on both pages of the module:

• Outgoing requests, where users - requestors - can add requests and monitor their status evolution. For
more details, refer to the chapter Managing Outgoing Requests.
• Incoming requests: where request managers and administrators can deal with the user requests. For
more details, refer to the chapter Managing Incoming Requests.

In addition, you can:

• Automate the requests' execution. You can set up automated execution of incoming requests, either
using the Workflow default classes and the button Execute or include pending operations to the class
objects of their custom classes. For more details, refer to the chapter Executing Requests.
• Customize the requests acceptance cycle. Some registry database entries determine the requests' life
cycle using their statuses. For more details, refer to the chapter Customizing the Requests Administration.

Keep in mind that to use the Workflow at the best of its potential you must:
1. Grant sufficient rights to requestors and request managers: the group they belong to needs to be
granted the appropriate IPAM, DNS and/or Workflow rights. For more details, refer to the section Managing
the Rights of a Group of Users in the chapter Managing Groups.
2. Grant users access to request classes, the existing classes or the ones you added. For more details,
refer to the chapter Granting Access to Workflow Classes.
3. Customize the page Incoming requests if need be. For more details, refer to the chapter Customizing
the Requests Administration.
4. Grant relevant users access to the Workflow pages, that way they can add or deal with the requests.
5. Executing the action required in the requests if they are accepted.

Note that from the module Dashboards, you can monitor the module data or set up custom shortcuts and
search engines using gadgets. For more details, refer to the part Dashboards.
Table of Contents
76. Granting Access to Workflow Classes ..................................................................... 1016
77. Managing Outgoing Requests ................................................................................. 1017
Browsing Outgoing Requests ............................................................................... 1017
Adding Requests for Creation .............................................................................. 1017
Adding Requests for Edition ................................................................................. 1019
Adding Requests for Deletion ............................................................................... 1020
Editing Requests ................................................................................................. 1022
Exporting Outgoing Requests .............................................................................. 1023
Canceling Requests ............................................................................................ 1023
78. Managing Incoming Requests ................................................................................. 1025
Browsing Incoming Requests ............................................................................... 1025
Managing the Requests Content .......................................................................... 1025
Administrating Requests Using the Default Statuses and Options ........................... 1026
Administrating Requests Using Your Own Settings ................................................. 1029
Exporting Incoming Requests .............................................................................. 1029
79. Executing Requests ............................................................................................... 1030
Executing Requests Using the Execute Option ...................................................... 1030
Executing Requests Using Classes ...................................................................... 1031
80. Customizing the Requests Administration ................................................................ 1034
Editing the Workflow Statuses .............................................................................. 1035
Editing the Email Notification Details ..................................................................... 1037
Adding a Workflow Status .................................................................................... 1038
Customized Statuses Best Practices .................................................................... 1039

1015
Chapter 76. Granting Access to Workflow
Classes
As every request is based on a specific Workflow class, users need to be granted access to the
relevant ones. That way, they can select a class when adding a request and fill in the fields
defined through the class.

There are five classes dedicated to Workflow requests. They define all the required fields when
asking for the addition, edition or deletion of the object they are named after:
• request_dns_zone is dedicated to requests regarding DNS zones.
• request_ip_block is dedicated to requests regarding IPv4 non-terminal networks, block-type
or subnet-type.
• request_ip_subnet is dedicated to requests regarding IPv4 terminal networks.
• request_ip_pool is dedicated to requests regarding IPv4 pools.
• request_ip_address is dedicated to requests regarding IPv4 addresses.

The users that do not have access to Workflow request classes are not able to properly complete
the request addition wizard: the request addition wizard is still available, but it is impossible to
define the needed containers or resources to apply the requested changes to.

Obviously, you can add your own Workflow request classes. These classes must be dedicated
to the Module Workflow and the Type Request. For more details, refer to the chapter Configuring
Classes.

Keep in mind that in this case, the Execute option is not available in the page Incoming requests.
For more details, refer to the section Executing Requests Using the Execute Option.

To add an existing request class as group resource

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the sidebar, go to Users, Groups & Rights > Groups. The page Groups opens.
1
3. Click on the name of the group of your choice . The page Resources opens.
4. In the menu, select Add > Resources > Classes. The wizard Administration: Classes
opens.
5. In the search engine of the column Type, type in request to filter the list.
6. Tick the class(es) you want to grant the group access to. Keep in mind that the default
Workflow classes are request_dns_zone, request_ip_block, request_ip_subnet, re-
quest_ip_pool and request_ip_address.
7. Click on OK to complete the operation. The report opens and closes. The page refreshes,
the list of resources now includes the selected class(es).

Once the classes of your choice are part of the resources of a group, its users can choose from
one of them when requesting the addition, edition or deletion of objects in the DNS or IPAM
database.

1
Any group EXCEPT the admin group as, by default, it has authority over all the resources of SOLIDserver database.

1016
Chapter 77. Managing Outgoing
Requests
From the page Outgoing requests, users with sufficient Workflow rights can:
• Add requests for creation, edition or deletion.
• Edit the requests they added.
• Cancel the requests they added.

The requests management respects the groups hierarchy by default. Therefore, once added if
the user belongs to a group that has a parent group, then by default the request can be dealt
with by all the users of the parent group as well as the users of the group admin. If the users
want the request to be dealt with by specific users, they can set a managing group when adding
or editing the request.

Browsing Outgoing Requests

The Outgoing requests page is one of the two pages of the module. Requestors use this page
to add, edit and cancel requests.

Browsing the Outgoing Requests Database

To display the list of outgoing requests
1. In the sidebar, go to Workflow > Outgoing requests. The page Outgoing requests
opens.
2. You can filter the list using the column search engines.

To display an outgoing request properties page

1. In the sidebar, go to Workflow > Outgoing requests. The page Outgoing requests
opens.
2. To display a request properties page you can:
a. Click on the name of the request of your choice. The properties page opens.
b. At the end of the line of the incoming request of your choice, click on . The properties
page opens.
3. Click on to expand all the panels.

Customizing the Display on the Page Outgoing Requests

Any user can change the column layout of the page via the button List template, on the right-
end side of the menu. Only users of the group admin can add or edit list templates. For more
details, refer to the section Managing List Templates.

Adding Requests for Creation

Users with sufficient rights can add requests asking for objects creation. This request can only
contain basic information regarding the object, the advanced properties can only be configured
by administrators and request managers when they execute the request.

1017
 Managing Outgoing Requests

The procedure below uses the request_dns_zone class as an example.

Reminder
To add a DNS zone creation request, the group of the user must have at least been granted
the following rights:
• In the panel Workflow, all the rights that suit your needs
• In the panel DNS, the right Display: DNS servers list.
To add a DNS zone creation request, the group of the user must include among its resources:
• At least one server to grant access to all the objects it contains.

To add a request for creation

1. In the sidebar, go to Workflow > Outgoing requests. The page Outgoing requests
opens.
2. In the menu, click on Add. The wizard Add a request opens.
3. In the list Workflow request class, select request_dns_zone .
4. Click on NEXT . The page Requesting: Zone opens.
5. In the drop-down list Action requested, select New (Create). The page refreshes.
6. In the drop-down list DNS Server, select the server of your choice.
7. If your server contains views, in the drop-down list DNS view, select the view of your choice.
8. In the field DNS zone, name your zone.
9. In the drop-down list Zone type, you can select either master, slave, stub or forward. By
default, master is selected.
10. In the field Motivation, specify a text or a maximum of 3000 characters explaining the
reason for the zone addition request.
11. Click on NEXT . The last page opens.
12. In the drop-down list Set a group to manage the request, you can select Yes or No. By
default, it is set to No.

Table 77.1. Managing group of users available options

Field Description
No Only the users from the requesting user parent group, or users of the group admin, can manage
the request.
Yes An existing group of users can manage your request.The drop-down list Managing group appears.
Managing group The name of the group of users which request managers are allowed to
accept the request and deal with it, or deny it. This field is optional.

13. Click on OK to complete the operation. The report opens and closes. The request is listed
and marked as New in the column Status.

Each request is named as follows: <request-number>-<requestor>, where <request-number>

corresponds to the number of requests in the Workflow database and not the number of requests
of a particular requestor.

On the request properties page, the Main properties and Request parameters sum up the re-
quest details.

1018
 Managing Outgoing Requests

Adding Requests for Edition

Users with sufficient rights can add requests asking for objects edition. This request can only
contain basic information regarding the object, the advanced properties can only be configured
by administrators and request managers when they execute the request.

The edition request only applies to the values that you can usually edit in each module, so:
• You cannot ask for the edition of anything configured for DNS zones.
• You can only ask for the edition of the name of the networks, pools and addresses.

The procedure below uses the default request_ip_address class as an example.

Reminder
To add an IPv4 address edition request, the group of the user must have at least been
granted the following rights:
• In the panel Workflow, all the rights that suit your needs
• In the panel IPAM, the right Display: spaces list.
To add an IPv4 address edition request, the group of the user must include among its re-
sources:
• At least one space, which grants access to all the objects it contains.

To add a request for edition

1. In the sidebar, go to Workflow > Outgoing requests. The page Outgoing requests
opens.
2. In the menu, click on Add. The wizard Add a request opens.
3. In the list Workflow request class, select request_ip_address .
4. Click on NEXT . The page Requesting: IP address opens.
5. In the drop-down list Action requested, select Modify. The page refreshes.
6. Click on NEXT . The next page opens.
7. In the list Choose a terminal network, select the terminal network containing the IP address
you want to edit. Once selected, the line is highlighted in blue.
8. Click on NEXT . The next page opens.
9. In the field Name to edit, type in the first letter(s) of the IP name. The auto-completion
provides a list of addresses matching these letters, select the one you want to edit.
10. In the field IP address name, specify the new name of the address.
11. In the gray field IP address, the IP address is displayed as a reminder.
12. In the field Motivation, specify a text or a maximum of 3000 characters explaining the
reason for the IP address edition request.
13. Click on NEXT . The last page opens.
14. In the drop-down list Set a group to manage the request, you can select Yes or No. By
default, it is set to No.

Table 77.2. Managing group of users available options

Field Description
No Only the users from the requesting user parent group, or users of the group admin, can manage
the request.
Yes An existing group of users can manage your request.The drop-down list Managing group appears.

1019
 Managing Outgoing Requests

Field Description
Managing group The name of the group of users which request managers are allowed to
accept the request and deal with it, or deny it. This field is optional.

15. Click on OK to complete the operation. The report opens and closes. The request is listed.
It is marked New in the column Status and Modified in the column Action.

Each request is named as follows: <request-number>-<requestor>, where <request-number>

corresponds to the number of requests in the Workflow database and not the number of requests
of a particular requestor.

On the request properties page, the Main properties and Request parameters sum up the re-
quest details.

Adding Requests for Deletion

Users with sufficient rights can add requests asking for objects deletion. Besides, the terminal
networks deletion request can be added from the page All networks. For more details, refer to
the section Adding a Network Deletion Request from the IPAM.

Adding a Request for Deletion

In the procedure below we use the default request_ip_subnet class as an example.

Note that to the class request_ip_block applies to non-terminal networks of both subnet and block
type.
Reminder
To add a terminal network deletion request, the group of the user must have at least been
granted the following rights:
• In the panel Workflow, all the rights that suit your needs
• In the panel IPAM, the right Display: spaces list.
To edit an IP address related request, the group of the user must include among its resources:
• At least one space to grant access to all the objects it contains.

To add a request for deletion

1. In the sidebar, go to Workflow > Outgoing requests. The page Outgoing requests
opens.
2. In the menu, click on Add. The wizard Add a request opens.
3. In the list Workflow request class, select request_ip_subnet .
4. Click on NEXT . The page Requesting: Network (subnet) opens.
5. In the drop-down list Action requested, select Delete. The page refreshes.
6. Click on NEXT . The next page opens.
7. In the list Choose a terminal network, select the terminal network you want to delete. Once
selected, the line is highlighted in blue.
8. Click on NEXT . The next page opens.
9. The fields Network name, Network address, Netmask, Prefix and Comments display the
selected network information as a reminder.
10. In the field Motivation, specify a text or a maximum of 3000 characters explaining the
reason for the network deletion request.

1020
 Managing Outgoing Requests

11. Click on NEXT . The last page opens.

12. In the drop-down list Set a group to manage the request, you can select Yes or No. By
default, it is set to No.

Table 77.3. Managing group of users available options

Field Description
No Only the users from the requesting user parent group, or users of the group admin, can manage
the request.
Yes An existing group of users can manage your request.The drop-down list Managing group appears.
Managing group The name of the group of users which request managers are allowed to
accept the request and deal with it, or deny it. This field is optional.

13. Click on OK to complete the operation. The report opens and closes. The request is listed.
It is marked New in the column Status and Delete in the column Action.

Each request is named as follows: <request-number>-<requestor>, where <request-number>

corresponds to the number of requests in the Workflow database and not the number of requests
of a particular requestor.

On the request properties page, the Main properties and Request parameters sum up the re-
quest details.

Adding a Network Deletion Request from the IPAM

In addition to the standard addition of requests for deletion from the page Outgoing request, it is
possible to add a request for network deletion from the page All networks.

It automatically adds a request in the Workflow using the default class request_ip_subnet for
terminal networks or request_ip_block for non-terminal networks (block-type or subnet-type).
Reminder
To add a network deletion request, the group of the user must have at least been granted
the following rights:
• In the panel Workflow, all the rights that suit your needs.
• In the panel IPAM, the right Display: spaces list.
To edit an IP address related request, the group of the user must include among its resources:
• At least one space to grant access to all the objects it contains.

To add a request for networks deletion from the IPAM

1. In the sidebar, go to IPAM > Networks. The page All networks opens.
2. Tick the network for which you want to add a request for deletion.
3. In the menu, select Edit > Request for deletion. The wizard Workflow Creating a
network deletion request opens.
4. In the drop-down list Source, select a group if you belong to several groups. If you only belong
to one group, it is automatically selected. The managing group of the selected group handles
the request.
5. Click on OK to complete the operation. The report opens and closes.
6. In the sidebar, go to Workflow > Outgoing requests. The request is listed. It is marked
New in the column Status and Delete in the column Action.

1021
 Managing Outgoing Requests

Editing Requests
Once you added a request, you can edit its details or provide additional information via a note
and/or file upload.

Editing a Request Details

Once added, the details of a request can be edited to a certain point: you cannot edit the action
required or the object it applies to.

To edit a request from the outgoing request page

1. In the sidebar, go to Workflow > Outgoing requests. The page Outgoing requests
opens.
2. Right-click over the Name of the request you want to edit. The contextual menu opens.
3. Click on . The wizard opens.
4. Edit the fields as needed. Only the fields with a white background can be edited.
5. Once you get to the last page of the wizard, click on OK to complete the operation. The report
opens and closes. The changes are visible on the properties page panel Request paramet-
ers.

To edit a request from its properties page

1. In the sidebar, go to Workflow > Outgoing requests. The page Outgoing requests
opens.
2. Right-click over the Name of the request you want to edit. The contextual menu opens.
3. Click on . The request properties page opens.
4. In the panel Main properties, click on EDIT . The wizard opens.
5. Edit the fields as needed. Only the fields with a white background can be edited.
6. Once you get to the last page of the wizard, click on OK to complete the operation. The report
opens and closes. The changes are visible in the panel Request parameters.

Adding Information to a Request

From a request properties page, users can add information to a request via notes and files upload.

Uploading a File
Requestors can add up to 10 files to their request. They cannot upload more than 5 Mb of files.

To upload a file to a request properties page

1. In the sidebar, go to Workflow > Outgoing requests. The page Outgoing requests
opens.
2. Right-click over the Name of the request you want to edit. The contextual menu opens.
3. Click on . The request properties page opens.
4. In the panel Upload file, click on EDIT . The wizard Upload file opens.
5. Click on BROWSE to select the file of your choice on your local computer.
6. Once selected, it is displayed in the fields File name and Final value.

1022
 Managing Outgoing Requests

7. Click on to add the file to the list Attached files. Repeat these actions for as many files
as you want.
8. Click on OK to complete the operation. The report opens and closes. The panel Upload file
contains the file(s).

Adding a Note
Requestors can add notes to their request in addition to the Motivation expressed when adding
the request.

To add a note to a request

1. In the sidebar, go to Workflow > Outgoing requests. The page Outgoing requests
opens.
2. Right-click over the Name of the request you want to edit. The contextual menu opens.
3. Click on . The request properties page opens.
4. In the panel Note, click on EDIT . The wizard Enter a note opens.
5. Click on ADD . In the field List, the line new_<number> appears.
6. In the field Note, specify your note. The note must not include special characters or exceed
3993 characters.
7. Click on ADD to save it. The note is saved. In the field List, the note is now displayed as
follows: <date> <time> <beginning-of-note> [author]. Repeat these actions for as many notes
as needed.
8. Click on OK to complete the operation. The report opens and closes. The panel Note displays
the note(s).

Exporting Outgoing Requests

From the page Outgoing requests, you can export the data listed in a CSV, HTML, XML, XLS or
PDF file.

Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.

Canceling Requests
You can cancel a request you added. By default, this action is only possible is the request status
is New. Once it is handled or accepted, you can no longer cancel it.

Once canceled, you no longer see it on the page, only request managers can still see it.

To cancel a request
1. In the sidebar, go to Workflow > Outgoing requests. The page Outgoing requests
opens.
2. Tick the request you want to cancel.
3. In the menu, select Edit > Cancel. The wizard Status edition opens.
4. In the field Enter a note, you can type in a text of 3000 characters at most, explaining why
you want the request canceled.
5. Click on OK to complete the operation. The report opens and displays the cancellation report
status.

1023
 Managing Outgoing Requests

6. You can click on CSV (DATA) , TEXT , HTML or EXCEL to download the cancellation report in the
corresponding format.
7. Click on CLOSE to go back to the page Outgoing requests. The request is no longer listed.

1024
Chapter 78. Managing Incoming
Requests
From the page Incoming requests, administrators or request managers can:
1. Deal with pending requests using the default options of the menu Edit: handle, edit, execute,
reject, finish and finally delete the requests.
2. Deal with pending requests using custom options. The available options would then depend
on the administrator configuration and intern use of the module.

Keep in mind that by request managers, we mean users belonging to a group with sufficient rights
and resources. Make sure they belong to a group configured with:
• All the Workflow rights, to be able to manage the requests completely.
• All the DNS and IPAM objects that regular users can add requests for among the group re-
sources.
• All the relevant IPAM and DNS rights that allow them to comply with the request.

Browsing Incoming Requests

The Incoming requests page allows the request managers and administrators to deal with the
requests.

Browsing the Incoming Requests Database

To display the list of incoming requests
1. In the sidebar, go to Workflow > Incoming requests. The page Incoming requests
opens.
2. You can filter the list using the column search engines.

To display an incoming request properties page

1. In the sidebar, go to Workflow > Incoming requests. The page Incoming requests
opens.
2. At the end of the line of the incoming request of your choice, click on . The properties page
opens.
3. Click on to expand all the panels.

Customizing the Display on the Page Incoming Requests

Any user can change the column layout of the page via the button List template, on the right-
end side of the menu. Only users of the group admin can add or edit list templates. For more
details, refer to the section Managing List Templates.

Managing the Requests Content

Once a request is added, it is listed on both pages of the module. Administrators and request
managers deal with them from the Incoming requests.

1025
 Managing Incoming Requests

On the request properties page are displayed all the request details as well as the requestor
notes and uploaded files. In the Request history are listed all the administrators and request
managers notes added when editing the request status.

To download an uploaded file

1. In the sidebar, go to Workflow > Outgoing requests. The page Outgoing requests
opens.
2. Right-click over the Name of the request you want to edit. The contextual menu opens.
3. Click on . The request properties page opens.
4. Click on to expand all the panels.
5. In the panel Upload file, click on the name of the file you want to download.

To display notes
1. In the sidebar, go to Workflow > Outgoing requests. The page Outgoing requests
opens.
2. Right-click over the Name of the request you want to edit. The contextual menu opens.
3. Click on . The request properties page opens.
4. In the panel Note, all the notes are displayed under the Date and User. You can scroll down
if there are several notes.

The administrators and request managers can also add notes and upload files. For more details,
refer to the section Adding Information to a Request.

Administrating Requests Using the Default Statuses and

Options
There are 6 default statuses on the page Incoming requests of the Workflow module. They allow
administrators and request managers to see what requests need to be dealt with. All these
statuses can be set from the menu Edit on the page Incoming requests. Except canceled that
has to be set from the page Outgoing requests.

Every time a request status is edited, it sends an email to the user who requested it to inform
them of the request evolution. Therefore, make sure your requesting users profile is set up
properly. For more details, refer to the chapter Managing Users.

Only the Archive option does not correspond to any status as it basically deletes the request from
the page and stores it on the page Local files listing.

Table 78.1. Request statuses

Status Description
New The request was added on the page Outgoing requests and has not been dealt with yet.
Handled The request was acknowledged by a request manager or administrator, it still has to be accepted
or rejected. This status can only be set from the page Incoming requests.
Accepted The request was accepted by the request manager or administrator handling it. The requested
object creation, edition or deletion will be performed. This status can only be set from the page
Incoming requests.
Rejected The request was denied by the request manager or administrator handling it. Whatever was
requested is ignored. This status can only be set from the page Incoming requests.

1026
 Managing Incoming Requests

Status Description
Canceled The request was canceled by the requestor. The requested object creation, edition or deletion
has to be ignored by the request manager or administrator handling it. This status can only be
set from the page Outgoing requests.
Finished The requested creation, edition or deletion was performed. This status can only be set from the
page Incoming requests.

By default, the requests managers can set these statuses as long as they respect the following:
• New requests can be handled, accepted, rejected and canceled.
• Handled requests can be accepted, rejected and canceled.
• Accepted requests can only be dealt with and finished.
• Rejected requests can only be archived.
• Canceled requests can only be archived.
• Finished requests can only be archived.

Using the default options and statuses is useful as it allows to use the Execute option. This option
allows to execute a request from the Incoming requests directly. For more details, refer to the
section Executing Requests Using the Execute Option.

Handling Requests
The request managers and administrators can at any point handle New requests.

You cannot handle Accepted, Rejected or Finished requests.

To handle a request
1. In the sidebar, go to Workflow > Incoming requests. The page Incoming requests
opens.
2. Tick the request(s) you want to handle.
3. In the menu, select Edit > Handle. The wizard Status edition opens.
4. In the field Enter a note, you can specify a reason for accepting or the user performing the
task. This text is available on the request properties page, in the Request history panel.
5. Click on OK to complete the operation. The report opens and indicates the operation success.
6. Click on CLOSE to go back to the page Incoming requests.

Accepting Requests
The request managers and administrators can, at any point, accept New and Handled requests.

You cannot accept Rejected and Finished requests.

To accept a request
1. In the sidebar, go to Workflow > Incoming requests. The page Incoming requests
opens.
2. Tick the request(s) you want to accept.
3. In the menu, select Edit > Accept. The wizard Status edition opens.
4. In the field Enter a note, you can specify a reason for accepting or the user performing the
task. This text is available on the request properties page, in the Request history panel.
5. Click on OK to complete the operation. The report opens and indicates the operation success.

1027
 Managing Incoming Requests

6. Click on CLOSE to go back to the page Incoming requests.

Rejecting Requests
The request managers and administrators can at any point reject New and Handled requests.

You cannot reject Accepted and Finished requests.

To reject a request
1. In the sidebar, go to Workflow > Incoming requests. The page Incoming requests
opens.
2. Tick the request(s) you want to reject.
3. In the menu, select Edit > Reject. The wizard Status edition opens.
4. In the field Enter a note, you can specify a reason for accepting or the user performing the
task. This text is available on the request properties page Request history module.
5. Click on OK to complete the operation. The report opens and indicates the operation success.
6. Click on CLOSE to go back to the page Incoming requests.

Finishing Requests
Once the request has been dealt with, when the object has been added, edited or deleted, the
request managers and administrators can set the requests to Finished.

Only Accepted requests can be finished.

To finish a request
1. In the sidebar, go to Workflow > Incoming requests. The page Incoming requests
opens.
2. Tick the request(s) you want to finish.
3. In the menu, select Edit > Finish. The wizard Status edition opens.
4. In the field Enter a note, you can specify a reason for accepting or the user performing the
task. This text is available on the request properties page Request history module.
5. Click on OK to complete the operation. The report opens and indicates the operation success.
6. Click on CLOSE to go back to the page Incoming requests.

Archiving Requests
Archiving a request actually means moving it to the Local Files Listing. This means that it is no
longer listed on the Incoming requests and Outgoing request pages.

Archiving a request is useful for requests that have been dealt with, have been canceled or that
were rejected. In any of these cases, once the requesting user has been informed, it is probably
useless to keep the request in the list.

The request managers and administrators can archive Canceled, Rejected and Finished requests.

To archive a request
1. In the sidebar, go to Workflow > Incoming requests. The page Incoming requests
opens.

1028
 Managing Incoming Requests

2. Tick the request(s) you want to remove from the list.

3. In the menu, select Edit > Archive. The wizard Status edition opens.
4. In the field Local file name, specify the name of the .txt file that contains the request details
following the format <file-name>.txt .
By default, the file is saved in the directory /data1/exports but you can save it in an existing
sub-directory of /data1 if you want: specify the subdirectory name following the syntax <sub-
directory-name>/<file-name>.txt .
5. Click on OK to complete the operation. The report opens and indicates the operation success.
6. Click on CLOSE to go back to the page Incoming requests.

Administrating Requests Using Your Own Settings

You can customize the Workflow administration methods by editing some Workflow dedicated
registry database entries. For more details, refer to the chapter Customizing the Requests Admin-
istration.

Once you customized these entries, the restrictions detailed in the section Administrating Requests
Using the Default Statuses and Options might not apply anymore. However, requests managers
and administrators may still rely on the procedures detailed in said section to administer the re-
quests from the page Incoming requests.

Exporting Incoming Requests

From the page Incoming requests, you can export the data listed in a CSV, HTML, XML, XLS or
PDF file.

Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.

1029
Chapter 79. Executing Requests
There are different ways of executing requests:
1. Use the Execute option from the page Incoming requests if you are using the Workflow default
classes. For more details regarding this option, refer to the section Executing Requests Using
the Execute Option.
2. Use classes to integrate the requests to the addition, edition or deletion wizard. This method
can be used if you use the default Workflow classes or if you use customized ones. For more
details, refer to the section Executing Requests Using Classes.
3. Go to the IPAM or DNS module and add, edit or delete the requested objects and change the
status to Finished once the request was executed.

Executing Requests Using the Execute Option

If you are using the Workflow default classes listed in the chapter Granting Access to Workflow
Classes, you can use the option Execute to perform the action requested in the New, Handled
and Accepted requests directly from the page Incoming requests.

To execute an addition request using the option Execute

1. In the sidebar, go to Workflow > Incoming requests. The page Incoming requests
opens.
2. In the column Action, filter the list using the key word new to only display requests for addition.
3. At the end of the line of the request for addition you want to execute, click on Execute. The
wizard opens.
4. Depending on the classes configured you might have class dedicated pages. Select a class
or none and click on NEXT .
5. On the object addition page, the object name and details are in a gray field as a reminder.
During the execution of a request for network creation, the wizard skips the network type
selection page and directly adds the relevant network.
6. If need be, you can fill in the optional object details fields and configure advanced properties.
Click on NEXT . The Workflow dedicated page opens.
7. In the drop-down list Request, the request you are executing is selected by default. The list
can contain other request numbers if other requests for creation of a similar resource were
added.
8. Under this field, the fields Requested <object> name and Requestor motivation contain
the request original details as a reminder.
9. The requests for IP address addition have an extra page: the page Aliases configuration.
You can add aliases if need be. Then click on NEXT to display the last page of the wizard.
10. Click on OK to complete the operation. The report opens and closes. The request status is
now Finished, the object is now added.

To execute an edition request using the option Execute

1. In the sidebar, go to Workflow > Incoming requests. The page Incoming requests
opens.
2. In the column Action, filter the list using the key word modify to only display requests for
edition.

1030
 Executing Requests

3. At the end of the line of the request for edition you want to execute, click on Execute. The
wizard opens.
4. Depending on the classes configured you might have class dedicated pages. Select a class
or none and click on NEXT .
5. On the object edition page, the object name and details are in a gray field as a reminder.
6. If need be, you can fill in the optional object details fields and configure default parameters.
Click on NEXT . The Workflow dedicated page opens.
7. In the drop-down list Request, the request you are executing is selected by default. The list
can contain other request numbers if other requests for edition of a similar resource were
added.
8. Under this field, the fields Requested <object> name and Requestor motivation contain
the request original details as a reminder.
9. The requests for IP address edition have an extra page: the page Aliases configuration. You
can add aliases if need be. Then click on NEXT to display the last page of the wizard.
10. Click on OK to complete the operation. The report opens and closes. The request status is
now Finished, the object is now edited.

To execute a deletion request using the option Execute

1. In the sidebar, go to Workflow > Incoming requests. The page Incoming requests
opens.
2. In the column Action, filter the list to display only requests for deletion using the key word
delete.
3. At the end of the line of the request for edition you want to execute, click on Execute. The
wizard Delete opens.
4. The fields Name, Address, Space name and/or DNS server name contain the objects details
as a reminder.
5. Click on OK to complete the operation. The report opens and closes. The request status is
now Finished, the object is now deleted.

Once the request is executed, the requestor receives a notification email. The administrator or
request manager can archive the request. For more details, refer to the section Archiving Requests.

On the request properties pages, in the panel Attached objects, are listed all the object configur-
ation details if the request concerned an addition or an edition. For instance, if a specific class
or default parameters were set by the administrator or request manager.

Executing Requests Using Classes

You can use classes to automate the addition and edition requests execution. You cannot use
them to automate the deletion requests. Using classes for the automation implies:
1. From Class Studio:
• Adding a class applying to IPAM network, pool, address or DNS zone.
• Adding the corresponding Pre-defined variable object to the class.
2. From the IPAM or DNS module:
• Applying the class when adding or editing the object.
• At the end of the wizard, selecting the request matching the operation performed.
3. Archiving the request. For more details, refer to the section Archiving Requests.

1031
 Executing Requests

Configuring a Workflow Request Association Class

The classes that can automate the request execution apply to IPAM networks, pools, addresses
or DNS zones.

If you do not already use a class for which you would like to add the Pre-defined variable, add a
class. Otherwise, directly follow the procedure To add a Workflow request association pre-defined
variable.

To add a class to automate the Workflow request association

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. In the menu, click on Add. The wizard Add a new class opens.
4. In the field Filename, name your class. The name cannot contain any special characters.
This field is required.
5. In the field Sub directory, you can fill in the directory where you want to save your class. If
it does not exist, it is added. On the wizards class selection page, classes placed in a directory
are displayed as such: <directory>/<class>. This field is optional.
6. In the drop-down list Module, select DNS or IPAM.
7. In the drop-down list Type, select the resource of your choice: DNS zone, Network, Pool or
Address.
8. In the section Enable class, tick the box.
9. Click on OK to complete the operation. The report opens and closes. The class is listed.

To add a Workflow request association pre-defined variable

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. In the column Name, click on the class you want to edit. Class Editor opens.
4. In the search bar, type in Pre-defined variable.
5. In the class object list, click on Pre-defined variable or drag and drop it among the class objects.
The wizard Pre-defined variable opens.
6. In the drop-down list Name, select the variable that suits your needs:
• WORKFLOW_ADD_TICKET_SPACE to associate the class with space addition and/or
edition requests.
• WORKFLOW_ADD_TICKET_BLOCK to associate the class with non-terminal (block-type
or subnet-type) network addition and/or edition requests.
• WORKFLOW_ADD_TICKET_SUBNET to associate the class with terminal network addition
and/or edition requests.
• WORKFLOW_ADD_TICKET_POOL to associate the class with pool addition and/or edition
requests.
• WORKFLOW_ADD_TICKET_ADDRESS to associate the class with address addition
and/or edition requests.
• WORKFLOW_ADD_TICKET_DNSZONE to associate the class with zone addition and/or
edition requests.
7. In the field Value, type in 1 (one) to enable the variable.
8. Click on OK to complete the operation. The object is now displayed in the left section and
part of the class content.

1032
 PNG
Executing Requests

original

9. Click on to save the class configuration. If you exit without saving, your changes are
lost.
10. Click on to close Class Editor.

Once the class is configured, you can apply it from the DNS and/or IPAM module to automate
the addition or edition of objects.

Applying a Workflow Request Association Class

To apply the Workflow request association class, it must be enabled and then selected in the
addition or edition wizard.

To apply the Workflow request association class when adding an object

1. Depending on your needs, in the sidebar:
a. Go to IPAM > Networks, Pools or Addresses. The page opens.
b. Go to DNS > Zones. The page opens.
2. In the menu, click on Add > <object>. The corresponding wizard opens.
3. On the page <Object> class, select the class configured for the Workflow request association.
4. Configure the object according to your needs and click on NEXT until you get to the Workflow
related page.
5. In the drop-down list Ticket, select an existing request for addition of the chosen object.
6. If you are adding an IP address, the page Aliases configuration opens.You can add aliases
if need be. Then click on NEXT to display the last page of the wizard.
7. Click on OK to complete the operation. The report opens and closes. The object is listed.
On the Workflow pages, the selected request is now Finished.

To apply the Workflow request association class when editing an object

1. Depending on your needs, in the sidebar:
a. Go to IPAM > Networks, Pools or Addresses. The page opens.
b. Go to DNS > Zones. The page opens.
2. Right-click over the object you want to edit. The contextual menu opens.
3. Click on . The corresponding wizard opens.
4. On the <page Object> class, select the class configured for the Workflow request association.
5. Edit the object according to your needs and click on NEXT until you get to the Workflow related
page.
6. In the drop-down list Ticket, select an existing request for addition of the chosen object.
7. If you are editing an IP address, the page Aliases configuration opens.You can add aliases
if need be. Then click on NEXT to display the last page of the wizard.
8. Click on OK to complete the operation. The report opens and closes. The object is listed.
On the Workflow pages, the selected request is now Finished.

Once the request is executed, the requestor receives a notification email. The administrator or
request manager can archive the request. For more details, refer to the section Archiving Requests.

1033
Chapter 80. Customizing the Requests
Administration
Depending on your needs, you can entirely customize the menu Edit of the page Incoming requests
as well as the restrictions associated with the status edition. As detailed in the section Adminis-
trating Requests Using the Default Statuses and Options, you cannot set all the statuses to the
requests as you please. As you can see in the image below.

Executed request Rejected request Cancelled request

Full default cycle By a requestor

New

Handle

Request
Accept execution
Reject Cancel

Finish

Archive

Figure 80.1. Workflow default status cycle

These default edition restrictions are all set in the registry database. The default configuration of
the Workflow in the registry database is the following:

Table 80.1. Workflow registry database entries default value

Registry database entry
module.workflow.state.accept
module.workflow.state.archive
module.workflow.state.cancel
module.workflow.state.finish
module.workflow.state.handle
module.workflow.state.new
module.workflow.state.reject
module.workflow.state_mail
Default value
incoming, wf-accept, t, nocallback, new-target,handle-operator
incoming, wf-archive, t, archive_callback, cancel-admin, reject-admin,finish-
admin, accept-operator
outgoing, wf-cancel, t, cancel_callback, new-source,handle-source
incoming, wf-finish, t, finish_callback, accept-operator
incoming, wf-handle, t, nocallback, new-target,handle-target
incoming, wf-new, f, nocallback, finish-admin
incoming, wf-reject, t, nocallback, new-target,handle-operator
new,handle,accept,reject,finish

1034
 Customizing the Requests
Administration

You can edit default statuses, remove default statuses from the GUI and add new statuses.
Whatever the customization you have in mind, we recommend that you take into consideration
the section Customized Statuses Best Practices.

Editing the Workflow Statuses

All the entries of the registry database dedicated to the Workflow configuration can be identified
and filtered.You can edit these entries to suit internal processes, for instance skip some statuses
that are obsolete to your organization or even grant more permissions to requestors and request
managers.

Whether you decide to edit an existing status or hide it from the GUI, to make sure the request
cycle is complete, we recommend that you follow, the sections Status Edition Best Practices and
Status Deletion Best Practices.

To edit the Workflow request statuses

1. Edit the status entries value:
Only users of the group admin can perform this operation.
a. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
b. In the section Expert, click on Registry database. The page Registry database opens.
c. Filter the column Name with module.workflow.state.
d. Hit Enter. Only this key is listed.
e. In the column Value, click on the value of the entry you want to edit. The wizard Registry
database Edit a value opens.
f. In the field Value, specify the value of your choice following the description of the
Workflow Status Entries String below.
g. Click on OK to complete the operation.The report opens and closes.The page refreshes
and the new value is displayed.
2. Register your changes:
a. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
b. In the section Expert, click on Register new macros & rules. The wizard Register all
the latest macros and rules opens.
c. Click on OK to complete the operation. The report opens and works for a while. A noti-
fication pop-up appears in the lower right corner of the GUI when the operation is over.

The Workflow configuration entries are all named module.workflow.state<detail>. There are
seven entries dedicated to the default statuses.
1. module.workflow.state.accept .
2. module.workflow.state.archive .
3. module.workflow.state.cancel .
4. module.workflow.state.finish .
5. module.workflow.state.handle .
6. module.workflow.state.new .
7. module.workflow.state.reject .

1035
 Customizing the Requests
Administration

Each entry is important as it sets the permissions and restrictions related to the status. The status
key value is a string in which the order matters. They must be separated by a coma as follows:
<page>, <icon>, <visibility>, <callback>, <attribute_1, attribute_2, ..., attribute_n> .

As an example, the Accept status is detailed in the image below:

Figure 80.2. Structure of a workflow status registry entry

Page where the status can be set.

Icon preceding the Accepted status on the page.
Visibility in the menu configuration.
This section of the value is obsolete.
Attributes defines who can set the Accept status and in what conditions.

In this example, the Accept status is displayed (t) on the page Incoming requests (incoming) and
is preceded by the green icon. Any user with sufficient rights can accept New requests (new-
target) and only the request manager who Handled or Rejected the request can accept it (accept-
operator, reject-operator).

Each element of the string has a set of acceptable values that define the request status logic and
organization that suits your needs:
Page
incoming specifies that the status is available on the page Incoming requests.
outgoing specifies that the status is available on the page Outgoing requests.
Icon
wf-accept allows to display the icon 3 , before the status name.
wf-archive does not display any icon as archiving means removing the request from the list.
wf-cancel allows to display the icon 5, before the status name.
wf-finish allows to display the icon 6, before the status name.
wf-handle allows to display the icon , before the status name.
wf-new allows to display the icon 1 , before the status name.
wf-reject allows to display the icon 4 , before the status name.
Visibility
t stands for true and indicates that the status is available in the menu Edit of the specified
<page>.

1036
 Customizing the Requests
Administration

f stands for false and indicates that the status is not displayed in the menu Edit of the specified
<page>.
Callback parameters
This parameter is obsolete. You can find in the keys the values: callback, nocallback,
archive_callback and cancel_callback. Do not edit them, they are part of the string.
Attributes
This last part of the string sets which user can set the status described in the string. This
permission depends on who set the previous status: the user who set the status listed can
now set the status described in the string.
The permissions structure follows the format: <action>-<user> in which action can be: accept,
archive, cancel, finish, handle, new and reject, each one corresponds to the default
statuses.
The users are:
• admin that is to any user in the group admin, including ipmadmin.
• operator the user that deals with the request.The other users belonging to the same group
cannot perform the actions associated with operator: only the user who performed the action
detailed in the status entry Value is the operator.
• source the user who added the request, i.e. the requestor.
• target any user with sufficient Workflow permissions, including ipmadmin. In other words,
any user that can see the request in the list.
Therefore, only the users specified in the field Value of the status entry can set the status
described and only if the previously set one of the statuses associated with their <user>
name.

Editing the Email Notification Details

In addition to the status dedicated entries, there is one key dedicated to the notification of re-
questors via email: module.workflow.state_mail.

The default configuration sends an email to the requestors whenever the status request they
added is edited. This is why, by default, it contains new,handle,accept,reject,finish .

The requestors only receive an email if their User profile was set properly. For more details, refer
to the chapter Managing Users in the section Adding Users or Editing Users.

To edit the email notification trigger details

1. Edit the status entries value:
Only users of the group admin can perform this operation.
a. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
b. In the section Expert, click on Registry database. The page Registry database opens.
c. Filter the column Name with module.workflow.state_mail.
d. Hit Enter. Only this key is listed.
e. In the column Value, click on the value listed. The wizard Registry database Edit a
value opens.
f. In the field Value, edit the content according to your needs. An email is sent to the re-
questor if the status attributed to a request they added is listed in the field. By default,
the field contains new,handle,accept,reject,finish.

1037
 Customizing the Requests
Administration

g. Click on OK to complete the operation.The report opens and closes.The page refreshes
and the new value is displayed.
2. Register your changes:
a. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
b. In the section Expert, click on Register new macros & rules. The wizard Register all
the latest macros and rules opens.
c. Click on OK to complete the operation. The report opens and works for a while. A noti-
fication pop-up appears in the lower right corner of the GUI when the operation is over.

Adding a Workflow Status

You can add new statuses to the Incoming and Outgoing requests pages. This implies:
1. Adding the registry database entry following the Workflow entries format.
2. Translating the related menu option and status on the page.
3. Follow the Status Addition Best Practices.

To add a Workflow request status

1. Add the status entry:
Only users of the group admin can perform this operation.
a. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
b. In the section Expert, click on Registry database. The page Registry database opens.
c. Filter the list to only display the Workflow status related entries using the keyword:
module.workflow.state.
d. In the menu, click on Add. The wizard Registry database Add an item opens.
e. In the field Name, specify the status name following the format: module.work-
flow.state.<your-status-name> .
f. In the column Value, specify the characteristics if the new status following the format
<page>, <icon>, <visibility>, nocallback, <attribute_1>, <attribute_2>, <attribute_n> .
For more details, refer to the description of the Workflow Status Entries String.
g. Click on OK to complete the operation. The report opens and closes. The new entry is
listed.
2. Register your changes:
a. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
b. In the section Expert, click on Register new macros & rules. The wizard Register all
the latest macros and rules opens.
c. Click on OK to complete the operation. The report opens and works for a while. A noti-
fication pop-up appears in the lower right corner of the GUI when the operation is over.

Once the entry is added and registered, the new status is visible in the menu Edit of the selected
page as followed: rq_<your-status-name>. Once you attributed the status to a request, the request
Status is rq_in_<your-status-name>. You can translate both using the page Language editor.

1038
 Customizing the Requests
Administration

To translate the name of your Workflow statuses

1. From any page or wizard within SOLIDserver, copy the name of a field, page, column or
menu that you want to replace with your label.
2. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
3. In the section Customization, click on Language editor. The page Language editor opens.
4. In the menu, click on Add. The wizard opens.
5. In the field Key, paste the status name. We recommend that you copy/paste the label name
because Language editor is case sensitive.
6. If your appliance is displayed in English, in the field English, specify the new label value.
7. Click on OK to complete the operation. The entry is listed. Go back to the page where you
copied the label to see the new name.

Customized Statuses Best Practices

Whether you decide to add statuses, edit statuses or remove them from the GUI, to complete
the status customization we recommend that you follow the best practices below.

Status Addition Best Practices

Once you added a new status, you should:
• Edit the list attributes in the entries describing the statuses you do use. For instance, if you
want to add a Postpone status that can be set after a request is accepted, you should add the
postpone-<user> attribute in the value of the finish entry as well as the accept-<user> in the
1
value of the postpone entry . For more details, refer to the description of the Workflow Status
Entries String below.
• Edit all the status icons to make sure that the GUI respects your new request cycle.
• Add the status in the email notification entry. For more details, refer to the section Editing
the Email Notification Details.
• The new status cannot be executed using the Execute option as it only applies to New, Handled
and Accepted requests. For more details, refer to the section Executing Requests Using the
Execute Option.
• The restrictions detailed in the Administrating Requests Using the Default Statuses and Options
no longer apply to your request status cycle.
• The request execution automation using the pre-defined variables class objects can still be
configured. For more details, refer to the section Executing Requests Using Classes.

Status Edition Best Practices

Once you decided to edit statuses or add new ones, keep in mind that:
• Once you edited the registry database entries the Execute option still only applies to New,
Handled and Accepted requests. For more details, refer to the section Executing Requests
Using the Execute Option.
• The restrictions detailed in the Administrating Requests Using the Default Statuses and Options
no longer apply to your request status cycle.
• The request execution automation using the pre-defined variables class objects can still be
configured. For more details, refer to the section Executing Requests Using Classes.

1
This example is only valid if you still use the default statuses cycle.

1039
 Customizing the Requests
Administration

Status Deletion Best Practices

To remove a status from the GUI, you recommend that you edit the status registry entry Value
and set its visibility attribute to f (false). From then on the status is no longer visible in the menu
Edit, and can no longer be used by users. Keep in mind that:
• Edit the list attributes in the entries describing the statuses you do use. For instance, if you
want to remove the Handle status from the request management steps, you should remove
all the handle-<user> attributes from the other statuses value field. For more details, refer to
the description of the Workflow Status Entries String below.
• Edit all the status icons to make sure that the GUI respects your new request cycle.
• Remove the status from the email notification entry. For more details, refer to the section
Editing the Email Notification Details.
• Keep in mind that if the status was already set before you remove it from the menu, it is still
displayed in the list.

1040
 Part XIII. Device Manager
Device Manager provides an overview of all the equipment on your network. Relying on both manual and
automatic management options, it helps to piece together the data registered in the modules NetChange,
IPAM, DHCP and DNS to map out the device interactions and their connections through interfaces and
ports. It allows to organize devices and their content.

NetChange DHCP

Network device: local.switch Hostname: local.computer

Port name: FastEthernet 0/10 MAC address: a0:12:34:56:78:90

Device Manager

Device name: local.switch Device name: local.computer

Port name: FastEthernet 0/10 Interface name: eth1
MAC address: a0:12:34:56:78:90

Figure 237. The information Device Manager retrieves from NetChange and the DHCP

Note that all the data saved in Device Manager is never deleted, unless you decide to delete it. Therefore
you can save a lot of information regarding users or pieces of equipment through their MAC address or IP
address without impacting the other modules.

Device Manager hierarchy is composed of 2 levels:

• Devices: the highest level of the hierarchy. They contain ports and/or interfaces. For more details, refer
to the chapter Managing Devices.
• Ports & interfaces: the lowest level of the hierarchy. The ports are connected to other ports or interfaces,
which allows to link the devices together on the network. For more details, refer to the chapter Managing
Ports and Interfaces.

In addition, the module allows to:

• Interact with the IPAM. The MAC address and/or IP address of the interfaces can automate updates in
the IPAM. For more details, refer to the chapter Managing the Interaction with the IPAM.
• Automate updates from the DHCP. A couple of rules allow to automatically update the database
whenever relevant data is added in the DHCP. For more details, refer to the chapter Rules Impacting
Device Manager.

Note that from the module Dashboards, you can monitor the module data or set up custom shortcuts and
search engines using gadgets. For more details, refer to the part Dashboards.
Table of Contents
81. Managing Devices ................................................................................................. 1043
Browsing Devices ................................................................................................ 1043
Adding Devices ................................................................................................... 1044
Editing Devices ................................................................................................... 1049
Duplicating Devices ............................................................................................. 1049
Merging Devices ................................................................................................. 1050
Adding Devices from the IPAM ............................................................................. 1050
Exporting Devices ............................................................................................... 1050
Deleting Devices ................................................................................................. 1050
82. Managing Ports and Interfaces ............................................................................... 1052
Browsing Ports and Interfaces .............................................................................. 1052
Adding Ports and Interfaces ................................................................................. 1053
Editing Ports and Interfaces Properties ................................................................. 1060
Tracking Changes on the Page All ports & interfaces ............................................. 1064
Updating Ports and Interfaces from the IPAM ........................................................ 1065
Exporting Ports and Interfaces ............................................................................. 1065
Deleting Ports and Interfaces ............................................................................... 1065
83. Managing the Interaction with the IPAM ................................................................... 1066
Assigning IP Addresses to an Interface Using their MAC Address ........................... 1066
Managing the IP Addresses / Interfaces Link from the IPAM ................................... 1068
84. Rules Impacting Device Manager ............................................................................ 1071
DHCP Rules Impacting Device Manager ............................................................... 1071
Adding Device Manager Rules ............................................................................. 1071
Enabling or Disabling Device Manager Rules ........................................................ 1072

1042
Chapter 81. Managing Devices
The devices are managed from the page All devices, where any device on the network can be
managed (network devices, computers, virtual machines...) and uniquely identified based on the
ports or interfaces it manages.

You can add them manually or automatically retrieve them. Devices can contain interfaces and/or
ports, depending on the discovered MAC and IP addresses.

You can merge devices, duplicate them, edit their content or delete them. You cannot rename
them.

Browsing Devices
Within the module Device Manager, the devices are the highest level of the hierarchy. It is required
to add devices to manage ports and interfaces.

INTERFACE
DEVICE
PORT

Figure 81.1. The device in Device Manager hierarchy

Browsing the Devices Database

To display the list of devices
1. In the sidebar, go to Device Manager > Devices. The page All devices opens.
2. You can filter the list using the column search engines.

To display a device properties page

1. In the sidebar, go to Device Manager > Devices. The page All devices opens.
2. At the end of the line of the device of your choice, click on . The properties page opens.

Customizing the Display on the Page All Devices

Any user can change the column layout of the page via the button List template, on the right-
end side of the menu. Only users of the group admin can add or edit list templates. For more
details, refer to the section Managing List Templates.

Keep in mind that a set of columns provides an overview of the devices interfaces and ports
content:
• Interfaces usage and Ports usage: the total portion, in percent of used interfaces/ports on a
device, along with a progression bar,
• Number of Interfaces and Number of Ports: the total number of interfaces/ports on the device,
• Free Interfaces and Free Ports: the number of available interfaces/ports on the device.

Note that the data listed in the column IP Address can be sorted but not filtered. It only retrieves
and displays the IP address of all the interfaces of the device.

1043
 Managing Devices

Managing the Devices Status and Visibility

Devices can be Managed, Unmanaged or Imported. Based on these statuses, you can filter the
list from the column Status and, for example, only display the managed and imported devices
using the value != Unmanaged (different from Unmanaged).

The option Manage allows to manage or unmanage the device of your choice, whether you added
it yourself or it was Imported from another module.

Keep in mind that you cannot unmanage a device associated with an IP address of the IPAM.

To manage/unmanage devices
1. In the sidebar, go to Device Manager > Devices. The page All devices opens.
2. Tick the device(s) of your choice.
3. In the menu, select Edit > Manage > Yes or No. The wizard opens.
4. Click on OK to complete the operation. The report opens and closes. The device is marked
Unmanaged or Managed in the column Status.

Adding Devices
You can add devices manually or automatically from several modules.

Before adding any device, we recommend Configuring Device Manager to make sure the data
listed is consistent with the equipment configuration of your network.

Once added, you can decide which devices you want to display and deal with on the page All
devices. For more details, refer to the section Managing the Devices Visibility.

Keep in mind that Device Manager does not delete on its own the entries that you might delete
in other modules. In that way, it provides an overview of former devices. To delete devices and
their content refer to the section Deleting Devices.

Note that you can also import devices on the page All devices. From then on, you can add or
import the ports and interfaces it contains and organize your network as you please. For more
details, refer to the section Importing Data to Device Manager in the chapter Importing Data from
a CSV File.

Configuring Device Manager

The option Configure Device Manager ensures the consistency of the links between the devices
listed. You can execute it from both pages of the module.

We recommend configuring Device Manager before managing any device, port and interface
because it compares the information of the other modules with what is listed in Device Manager.
On the page All ports & interfaces of each device, the columns Manually linked to and Automat-
ically linked to identify how the devices are linked together. If the column Manually linked to is
empty, configuring Device Manager overwrites its content with the information collected during
the automatic addition. This ensures that the data listed reflects the interaction between the
devices on your network.

This option has to be ticked once. Afterward, a data check is performed each time a port or inter-
face is added or edited.

1044
 Managing Devices

To configure Device Manager automatic data check

1. In the sidebar, go to Device Manager > Devices. The page All devices opens.
2. In the menu, select Extra options > Configure Device Manager. The wizard Configure
Device Manager reconciliation opens.
Ancienne taille de la page

3. Tick the box.

4. Click on OK to complete the operation. The wizard closes.

Automatically Adding Devices

A set of options automatically adds devices and the ports and interfaces they contain from Device
Manager, NetChange and the IPAM.

Once you retrieved data automatically, you should monitor the column Reconciliation on the
page All ports & interfaces to prevent any drift. For more details, refer to the section Tracking
Changes on the Page All ports & interfaces.

Note that you can also import devices on the page All devices. From then on, you can add or
import the ports and interfaces it contains and organize your network as you please. For more
details, refer to the section Importing Data to Device Manager in the chapter Importing Data from
a CSV File.

Automatically Adding Devices from the Page All Devices

After Configuring Device Manager, you can execute the option automatic discovery from the
page All devices.

The option Automatic discovery performs a sweep of the other modules data and retrieves all
the devices along with the ports and interfaces they contain. The option analyzes data in the
modules NetChange, DHCP, IPAM and DNS. The more information there is in these modules,
the more efficient is the option as it behaves as follows:
1. It retrieves NetChange data: network devices, ports and discovered items. The MAC ad-
dresses linked to the ports that have the interconnection set to No become interfaces in Device
Manager. The discovered items DNS name is retrieved as well, the IP address is only retrieved
if it is part of the IPAM. NetChange network devices can be managed as several devices in
Device Manager depending on their content.
Note that if several ports in NetChange are linked to one MAC address, the option retrieves
all the ports and the MAC address but randomly links it to one of the ports.
2. It retrieves the names of the devices, ports and interfaces if the information is available in
the modules NetChange, IPAM, DHCP or DNS:
a. In NetChange, on the page All discovered items, the option retrieves all the MAC addresses,
DNS names and IP addresses, only if they are part of the IPAM database.
If the MAC addresses retrieved have a DNS name, the option stops here.
If the MAC addresses do not have a DNS name, the option looks for it in the IPAM.
b. In the IPAM, on the page All addresses, the option tries to match the collected MAC ad-
dresses with a name, using the available IPv4 and IPv6 addresses.
If a name is found for the MAC addresses, the option stops here.
If no name is found, the option looks for it in the DHCP.
c. In the DHCP, on the page All statics, the option tries to match the collected MAC addresses
with a name, using the available IPv4 statics and statics without IP.
If a name is found for the MAC addresses, the option stops here.

1045
 Managing Devices

If no name is found, the option looks for it in the DNS.

d. In the DNS, on the page All RRs, the option tries to match the collected IP addresses with
a name, using the available A records.
If a name is found for the IP addresses, the option stops here.
If no name is found, Device Manager assigns the relevant MAC and IP addresses a name
based on the information collected in all four modules.
3. It assigns a name to:
a. Devices
In Device Manager, the name of devices, including network devices, depends on their
content.
• Network devices that contain one or several ports keep their NetChange name and only
manage ports. The interfaces are managed in a different device.
• Devices which IP address is declared in an A record of the DNS are listed under that
name in Device Manager.
• Network devices hosting the MAC address of one virtual machine, are named using the
hostname of the virtual machine.
• Network devices hosting the MAC address of several virtual machines are named
1
vm_server_# .
• Devices hosting an interface from which few information was retrieved are named gener-
ic_#.
b. Ports
All ports keep their NetChange name.
• Ethernet ports are named Ethernet <slot>/<port>, FastEthernet <slot>/<port>,
GigaEthernet <slot>/<port> or TenGigaEthernet <slot>/<port>.
• Wifi ports are named wifi#, where # differentiates the ports belonging to one device.
• Virtual ports are named Virtual port <slot>/<port>.
c. Interfaces
All interfaces are named according to the port they are linked to. When a MAC address has
a name, this name is used to name the device it belongs to.
• Interfaces linked to an ethernet port are named eth#, where # differentiates the interfaces
belonging to one device.
• Interfaces linked to a wifi port are named wifi#.
• Interfaces linked to a virtual port are named vm_interface_#.
• Interfaces from which few information - except the MAC address - was retrieved are
named generic_#.

To automatically add devices from the page All devices

1. In the sidebar, go to Device Manager > Devices. The page All devices opens.
2. In the menu, select Tools > Automatic Discovery. The wizard Automatic discovery
opens.
3. Click on OK to complete the operation. The report opens and closes. In the column Status,
the devices are marked Imported and you can manually manage and edit the devices,
ports and interfaces.

1
# is a number used to differentiate all these devices.

1046
 Managing Devices

Keep in mind that the automatic discovery retrieves data but does not automatically update
it, if you delete data or make changes in NetChange, you must make the same changes in Device
Manager.

If the automatic discovery added more devices that your need, you can merge devices to reor-
ganize the data as you need. For more details, refer to the section Merging Devices.

Automatically Adding Devices from NetChange

From the NetChange pages All network devices and All discovered items you can select objects
to create devices, with the ports and interfaces they contain, in Device Manager.

Automatically Adding Network Devices in Device Manager

After Configuring Device Manager, you can use the option Create in Device Manager on the
page All network devices to select network devices and create them in Device Manager. It takes
into account the information available on the pages All network devices, All ports and All discovered
items and behaves as follows:
1. The device is created in Device Manager, it keeps the same name and contains all the network
device ports, no matter their interconnection configuration.
2. The interfaces (discovered items) of the device are retrieved and based on the MAC address:
a. If the MAC address has a DNS name, a device is created using that name. The interface
2
is named eth# .
b. If the MAC address has no DNS name, a device is created, it is named generic_#. It contains
the MAC address, it is named eth#.

If the option creates more devices that your need, you can merge devices to reorganize the data
as you need. For more details, refer to the section Merging Devices.

To automatically create Device Manager devices from NetChange

1. In the sidebar, go to NetChange > Network devices. The page All network devices
opens.
2. Tick the network device(s) you want to create in Device Manager.
3. In the menu, select Tools > Create in Device Manager. The wizard Create NetChange
devices in Device Manager opens.
4. Click on OK to complete the operation. The report opens and closes.
5. In the sidebar, go to Device Manager > Devices. The page All devices opens and the
new devices are marked Imported in the column Status.

Automatically Adding Discovered Items in Device Manager

After Configuring Device Manager, you can use the option Populate Device Manager on the
page All discovered items to create interfaces from the discovered item of your choice. The MAC
addresses selected create interfaces and devices as follows:
3
• If the selected MAC address has a DNS name, it creates an interface named generic_# that
belongs to a device named using the DNS name.
• If the selected MAC address has no DNS name, it creates an interface named generic_# that
belongs to a device named generic_#.

2
# differentiates interfaces within one device.
3
# differentiates interfaces within one device.

1047
 Managing Devices

If the option creates more devices that your need, you can merge devices to reorganize the data
as you need. For more details, refer to the section Merging Devices.

To populate Device Manager with NetChange discovered items

1. In the sidebar, go to NetChange > Discovered items. The page All discovered items
opens.
2. Tick the discovered item(s) you want to create in Device Manager.
3. In the menu, select Tools > Populate Device Manager. The wizard Populate device
manager opens.
4. Click on OK to complete the operation. The report opens and closes.
5. In the sidebar, go to Device Manager > Devices. The page All devices opens. The
discovered item created a device that contains the interface. In the column Status, it is
marked Imported.

Automatically Adding Devices from the IPAM

From the IPAM page All addresses you can automatically add devices managing interfaces created
from the IPv4 and IPv6 addresses In use of your choice. The option names the objects as follows:
• The devices are named using the selected IP address name. If the IP addresses, v4 and/or
v6, share the same name, like the addresses Gateway, they belong to one device. If the selected
IP address does not have a name, the device is named generic_#.
• The interfaces are all named generic_#, where # differentiates interfaces within one device.
Their IP address and the space they originated from are displayed in the column Status.

If the option creates more devices that your need, you can merge devices to reorganize the data
as you need. For more details, refer to the section Merging Devices.

To create devices and interfaces from the page All addresses

1. In the sidebar, go to IPAM > Addresses. The page All addresses opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. Tick the Used IP addresses for which you want to create devices and interfaces.
4. In the menu, select Tools > Populate Device Manager. The wizard Populate Device
Manager opens.
5. Click on OK to complete the operation. The report opens, works for a while and closes. From
the IPAM you can see the device and interface of the IP address in the columns Device
manager name and Device manager interface.
In the module Device Manager, the device and interface are marked Imported in the
column Status. In the column IP address, the IP address and the space they originated
from are displayed as follows: <ip-address> (<space>).

Manually Adding Devices

After Configuring Device Manager, you can add a device manually from the page All devices.

Note that you can also import devices on the page All devices. From then on, you can add or
import the ports and interfaces it contains and organize your network as you please. For more
details, refer to the section Importing Data to Device Manager in the chapter Importing Data from
a CSV File.

1048
 Managing Devices

To manually add a device

1. In the sidebar, go to Device Manager > Devices. The page All devices opens.
2. In the menu, select Add. The wizard Add a device opens.
3. If custom classes are enabled at device level, in the list Device class select a class or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
4. In the field Device, name your device.
5. In the field Description, you can add a description.
6. Click on OK to complete the operation. The report opens and closes. The device is listed.

Note that, from the device addition wizard, you can also add the ports and/or interfaces it manages.
For more details, refer to the section Manually Adding Ports and Interfaces.

Editing Devices
You can edit devices from their properties page or from the contextual menu on the page All
devices.

To edit a device
1. In the sidebar, go to Device Manager > Devices. The page All devices opens.
2. Right-click over the Name of the device you want to edit. The contextual menu opens.
3. Click on . The wizard Edit a device opens.
4. If custom classes are enabled at device level, in the list Device class select a class or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. Edit the Device name and/or Description according to your needs.
6. Click on OK to complete the operation. The report opens and closes. The changes are visible
on the page.

Duplicating Devices
You can duplicate the content and class parameters of a device. Duplicating devices can be used
to anticipate provisioning.

If you know that you will add a new network device to NetChange and an existing device in Device
Manager has configuration similar, you should duplicate the device to import more easily the
network device to the page All devices. In this case you should:
1. Duplicate your device and name it like the NetChange network device to come, as detailed in
the procedure below.
2. Edit the device content to make sure it matches the network device to come, starting with its
MAC address but also the number of ports and/or interfaces it manages, the links between
the devices, etc. For more details, refer to the sections Adding Ports and Interfaces, Editing
Ports and Interfaces Properties and Deleting Ports and Interfaces.

To duplicate a device
1. In the sidebar, go to Device Manager > Devices. The page All devices opens.

1049
 Managing Devices

2. Tick the device you want to duplicate. You can only duplicate one device at a time.
3. In the menu, select Edit > Duplicate. The wizard Duplicate device opens.
4. In the field Device name, specify the name of the new device.
5. Click on OK to complete the operation. The report opens and closes. The device is listed. It
contains the same ports and/or interfaces. However, the link from ports to device has to be
set manually and interfaces MAC addresses are automatically generated.

Merging Devices
You can merge devices to manage the ports and interfaces they contain from a unique device.

Merging devices can be useful if you want to correct what was automatically found on the network.
For instance, if after automatically retrieving information from NetChange, a port and an interface
end up in two different devices even if they both belong to one laptop, you can merge these
devices to manage them from a single device.

To merge devices
1. In the sidebar, go to Device Manager > Devices. The page All devices opens.
2. Tick the devices you want to merge.
3. In the menu, select Edit > Merge. The wizard Merge device opens.
4. In the drop-down list Name, select the device that should include all the ports and interfaces.
The other device(s) are emptied and deleted.
5. Click on OK to complete the operation. The report opens and closes. The device is listed,
the other devices are no longer listed.

Adding Devices from the IPAM

The advanced properties allow to automatically add a device and an interface when you add or
edit an IP address in the IPAM. The interface shares the same address and MAC address as the
IP address.

For more details, refer to the chapter Managing Advanced Properties in the section IP Address
Advanced Properties.

Exporting Devices
From the page All devices, you can export the data listed in a CSV, HTML, XML, XLS or PDF
file.

Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.

Deleting Devices
You can delete a device, this also deletes the ports and interfaces it contains. This action is non-
reversible.

To delete a device
1. In the sidebar, go to Device Manager > Devices. The page All devices opens.

1050
 Managing Devices

2. Tick the device(s) of your choice.

3. In the menu, click on Delete. The wizard Delete opens.
4. Click on OK to complete the operation. The report opens and closes. The device and the
ports and interfaces it contains are no longer listed.

1051
Chapter 82. Managing Ports and
Interfaces
From the page All ports & interfaces, you can manage the ports and the interfaces that belong
to your devices.

You can add them to a specific device or when you add a device. You can also automatically
retrieve them, along with the device they belong to, from other modules.

The ports link devices together, the interfaces are connected to the ports.

The interfaces have a MAC address and can have one or several IPv4 and/or IPv6 addresses.
Both IPv4 and IPv6 addresses are listed on the page.

Note that, to minimize any error or distortion between what is really connected to the network
and what is listed, you can track changes and reconcile data on this page. For more details, refer
to the section Tracking Changes on the Page All ports & interfaces.

Browsing Ports and Interfaces

Within Device Manager module, the ports and interfaces are the lowest level of the hierarchy.
They both belong devices, and are listed on the same page.

INTERFACE
DEVICE
PORT

Figure 82.1. The interface in Device Manager hierarchy

INTERFACE
DEVICE
PORT

Figure 82.2. The port in Device Manager hierarchy

Browsing the Ports and Interfaces Database

To display the list of ports and interfaces
1. In the sidebar, go to Device Manager > Ports & interfaces. The page All ports & inter-
faces opens.
2. To display the ports and interfaces of a specific device, in the column Device name, click
on the name of the of your choice. The page refreshes.

To display a port or interface properties page

1. In the sidebar, go to Device Manager > Ports & interfaces. The page All ports & inter-
faces opens.

1052
 Managing Ports and Interfaces

2. Filter the column Type, type in port or interface to list the objects that suit your needs.
3. At the end of the line of the port or interface of your choice, click on . The properties page
opens.

Customizing the Display on the Page All Ports & Interfaces

Any user can change the column layout of the page via the button List template, on the right-
end side of the menu. Only users of the group admin can add or edit list templates. For more
details, refer to the section Managing List Templates.

Keep in mind that the column Addition date provides extra information regarding the devices'
content. You can use it to sort or filter the list.

Managing the Ports and Interfaces Status and Visibility

Ports and interfaces can be Managed, Unmanaged or Imported. Based on these statuses, you
can filter the list from the column Status and, for example, only display the managed and imported
ports and interfaces using the value != Unmanaged (different from Unmanaged).

The option Manage allows to manage or unmanage the port or interface of your choice, whether
you added it yourself or it was Imported from another module.

To manage/unmanage a device
1. In the sidebar, go to Device Manager > Ports & interfaces. The page All ports & inter-
faces opens.
2. Tick the port and/or interface of your choice. You can tick more than one.
3. In the menu, select Edit > Manage > Yes or No. The wizard opens.
4. Click on OK to complete the operation. The report opens and closes. The device is marked
Unmanaged or Managed in the column Status.

Adding Ports and Interfaces

You can add ports and interfaces manually or automatically retrieve them.

Before adding any port or interface, we recommend Configuring Device Manager to make sure
the data listed is consistent with the equipment configuration of your network.

Once added, you can decide which items you display and deal with on the page, as detailed in
the section Managing the Ports and Interfaces Visibility.

Keep in mind that Device Manager does not delete the entries that you might delete in other
modules on its own. In that way, it provides an overview of former port and interface interactions,
to delete ports and interfaces refer to the section Deleting Ports and Interfaces.

Note that you can also import ports and/or interfaces on the page All ports & interfaces. For more
details, refer to the section Importing Data to Device Manager in the chapter Importing Data from
a CSV File.

Configuring Device Manager

The option Configure Device Manager ensures the consistency of the links between the devices
on your network, through the ports and interfaces they manage.

1053
 Managing Ports and Interfaces

This option has to be ticked once, if you already configured Device Manager there is no need
to do it again.

On the page All ports & interfaces of each device, the columns Manually linked to and Automat-
ically linked to identify how the devices are linked together. If the column Manually linked to is
empty, configuring Device Manager overwrites its content with the information collected during
the automatic addition. This ensures that the data listed reflects the interaction between the
devices on your network.

To configure Device Manager automatic data check

1. In the sidebar, go to Device Manager > Ports & interfaces. The page All ports & inter-
faces opens.
2. In the menu, select Extra options > Configure Device Manager. The wizard Configure
Device Manager reconciliation opens.
Ancienne taille de la page

3. Tick the box.

4. Click on OK to complete the operation. The wizard closes.

Automatically Adding Ports and Interfaces

You can automatically add ports and interfaces, along with the device they belong to when relevant,
from Device Manager or the IPAM.

Once you retrieved data automatically, you should monitor the column Reconciliation on the
page All ports & interfaces to prevent any drift. For more details, refer to the section Tracking
Changes on the Page All ports & interfaces.

Note that you can also import ports and/or interfaces on the page All ports & interfaces. For more
details, refer to the section Importing Data to Device Manager in the chapter Importing Data from
a CSV File.

Automatically Adding Ports and Interfaces from the page All Devices
After Configuring Device Manager you can use the option Automatic discovery from the page
All devices to retrieves devices, and the ports and interfaces they contain. The name of all the
objects reflect the amount of information available in the modules NetChange, IPAM, DHCP and
DNS.

This option adds devices from network devices. Some of these devices manage only ports and
others manage one or several interfaces based on the MAC addresses retrieved.

On the page All network devices, the ports can have the following names:
• Ethernet ports can be named Ethernet <slot>/<port>, FastEthernet <slot>/<port>, GigaEthernet
<slot>/<port> or TenGigaEthernet <slot>/<port>.
• Wifi ports are named wifi#, where # differentiates the ports belonging to one device.
• Virtual ports are named Virtual port <slot>/<port>.

On the page All network devices, the interfaces can have the following names:
• Interfaces linked to an ethernet port are named eth#, where # differentiates the interfaces be-
longing to one device
• Interfaces linked to a wifi port are named wifi#.
• Interfaces linked to a virtual port are named vm_interface_#.

1054
 Managing Ports and Interfaces

• Interfaces from which few information - except the MAC address - was retrieved are named
generic_#.

For more details regarding what data is retrieved and how it is named, refer to the section Auto-
matically Adding Devices from the Page All Devices.

To automatically add ports and interfaces from the page All devices
1. In the sidebar, go to Device Manager > Devices. The page All devices opens.
2. In the menu, select Tools > Automatic Discovery. The wizard Automatic discovery
opens.
3. Click on OK to complete the operation. The report opens and closes.
4. In the bread crumb, click on All ports & interfaces. The page opens.
5. In the column Status, the ports and interfaces are marked Imported.

Once the automatic discovery retrieved ports and interfaces, you can rename or edit them if need
be. For more details, refer to the section Editing Ports and Interfaces Properties. You should also
monitor the column Reconciliation as detailed in the section Tracking Changes on the Page All
ports & interfaces.

Keep in mind that the option retrieves data but does not automatically update it, if you delete data
or make changes in NetChange, you must make the same changes in Device Manager.

Automatically Adding Interfaces from the IPAM

From the IPAM page All addresses you can automatically add interfaces and the devices they
belong to from the IPv4 and IPv6 addresses In use of your choice. The option names the objects
as follows:
• The devices are named using the selected IP address name. If the IP addresses, v4 and/or
v6, share the same name, like the addresses Gateway, they belong to one device. If the selected
IP address does not have a name, the device is named generic_#.
• The interfaces are all named generic_#, where # differentiates interfaces within one device.
Their IP address and the space they originated from are displayed in the column Status.

No ports are added as the interfaces are created using the MAC address of the selected IP ad-
dresses.

To create devices and interfaces from the page All addresses

1. In the sidebar, go to IPAM > Addresses. The page All addresses opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. Tick the Used IP addresses for which you want to create devices and interfaces.
4. In the menu, select Tools > Populate Device Manager. The wizard Populate Device
Manager opens.
5. Click on OK to complete the operation. The report opens, works for a while and closes. From
the IPAM you can see the device and interface of the IP address in the columns Device
manager name and Device manager interface.
In the module Device Manager, the device and interface are marked Imported in the
column Status. In the column IP address, the IP address and the space they originated
from are displayed as follows: <ip-address> (<space>).

1055
 Managing Ports and Interfaces

Manually Adding Ports and Interfaces

Manually adding ports and interfaces allows to correct what was found in NetChange or simply
manage devices in accordance to your needs. You can add as many ports and interfaces as you
want to a device to virtually link your devices.

Once you added data, you should monitor the column Reconciliation on the page All ports &
interfaces to prevent any drift. For more details, refer to the section Tracking Changes on the
Page All ports & interfaces.

Note that you can also import ports and/or interfaces on the page All ports & interfaces. For more
details, refer to the section Importing Data to Device Manager in the chapter Importing Data from
a CSV File.

Manually Adding Ports

After configuring Device Manager you can add ports manually from the page:
• All devices to add as many ports as you want when you add a device. All these ports have the
same name and can be numbered. You cannot apply a custom class to the ports during the
device addition.
• All ports & interfaces to add one port at a time in a specific device. You can apply a custom
class to the port.

To manually add a device and its ports from the page All devices
1. In the sidebar, go to Device Manager > Devices. The page All devices opens.
2. In the menu, click on Add. The wizard Add a device opens.
3. If custom classes are enabled at device level, in the list Device class select a class or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
4. In the field Device, name your device.
5. Tick the box Add port(s)/interface(s). The ports and interfaces configuration fields appear
6. In the drop-down list Type, select Port. The port related fields appear.
7. Specify the number of ports and their name:

Table 82.1. Port configuration fields when adding a device

Field Description
Name The name of the port. If you use the character #, it is replaced by a number no
matter how many ports you want the add at once.
Number of ports The number of ports you want to add in the device you are adding. If you used
# in their name, they are all numbered from 1 to n.

8. You can specify a device and port or interface to link the port you are adding with another
device.

Table 82.2. Options to link a port with another device

Field Description
Link with device The name of the device you want to link the port with. The auto-completion re-
trieves a list of existing devices matching this name that you can choose from.

1056
 Managing Ports and Interfaces

Field Description
Link with port/interface The name of the port or interface you want to link the port with. The auto-com-
pletion retrieves a list of available ports and interfaces matching this name that
you can choose from.

9. Click on ADD . The port is listed as such: port: <number of ports> <port name> in the Inter-
faces/Ports list. If you want to add more ports to the device. Repeat these actions for as
many ports as needed.
10. In the list Interfaces/Ports, you can reorder the entries by selecting them one by one and
click on the arrows to move them up or down .
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the field(s)
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
11. Click on OK to complete the operation. The report opens and closes. The device is listed.
On the pages All devices and All ports & interfaces, in the column Status, the device and
the port(s) are marked Managed.

To manually add a port from the page All Ports & Interfaces
1. In the sidebar, go to Device Manager > Ports & interfaces. The page All ports & inter-
faces opens.
2. In the menu, click on Add. The wizard Add port/interface opens.
3. In the drop-down list Device, select one of your existing devices.
4. Click on NEXT . The next page opens.
5. If custom classes are enabled at port and interface level, in the list Port/Interface class
select a class or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
6. In the field Name, name the port.
7. In the drop-down list Type, select Port.
8. You can specify a device and port or interface to link the port you are adding with another
device.

Table 82.3. Options to link a port with another device

Field Description
Link with device The name of the device you want to link the port with. The auto-completion re-
trieves a list of existing devices matching this name that you can choose from.
Link with port/interface The name of the port or interface you want to link the port with. The auto-com-
pletion retrieves a list of available ports and interfaces matching this name that
you can choose from.

9. Click on OKto complete the operation. The report opens and closes. The port is listed and
marked Managed.

1057
 Managing Ports and Interfaces

Manually Adding Interfaces

After Configuring Device Manager you can add interfaces from the page:
• All devices to add as many interfaces as you want when you add a device. Each interface has
a unique name, can be linked to an existing IP address and must have a MAC address. You
cannot apply a custom class to the interfaces during the device addition.
• All ports & interfaces to add one interface at a time in a specific device.You can apply a custom
class to the interface.

Keep in mind that you can also add devices and the interfaces they contain from the IPAM. For
more details, refer to the section Adding Devices from the IPAM.

To manually add a device and its interfaces from the page All devices
1. In the sidebar, go to Device Manager > Devices. The page All devices opens.
2. In the menu, click on Add. The wizard Add a device opens.
3. If custom classes are enabled at device level, in the list Device class select a class or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
4. In the field Device, name your device.
5. Tick the box Add port(s)/interface(s). The ports and interfaces configuration fields appear.
6. In the drop-down list Type, select Interface.
7. In the field Name, specify the interface name.
8. You can link the interface with an IP address using the following fields.

Table 82.4. Options to link an interface with an IP address

Field Description
MAC address The MAC address of an IP address. This field is optional.
You can leave the field empty if you want to either specify an IP address or let
Device Manager generate a MAC address. Note that a generated MAC address
is never displayed in the GUI.
This field is automatically emptied out or filled if you specify an IP address.
IP Address An IP address assigned in the IPAM, its MAC address is automatically displayed
in the field MAC Address.
Note that the all MAC addresses must be unique, if address you specify retrieves
a MAC address already listed on the page, the interface addition is impossible.

9. In the drop-down list Space, you can select one of the existing IPAM spaces.
10. You can link the interface you are adding with another device port or interface using the fol-
lowing fields.

Table 82.5. Options to link an interface with another device

Field Description
Link with device The name of the device you want to link the interface with. The auto-completion
retrieves a list of existing devices matching this name that you can choose from.
Link with port/interface The name of the port you want to link the interface with. The auto-completion
retrieves a list of available ports and interfaces matching this name that you can
choose from.

1058
 Managing Ports and Interfaces

11. Click on ADD . In the list Interfaces/Ports, the interface is listed as such: interface: <interface
name> <MAC address> <IP Address>. Repeat these actions for as many interfaces as you
need.
12. In the list Interfaces/Ports, you can reorder the entries by selecting them one by one and
click on the arrows to move them up or down .
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the field(s)
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
13. Click on OK to complete the operation. The report opens and closes. The device is listed.
On the pages All devices and All ports & interfaces, in the column Status, the device and
the interface(s) are marked Managed.

To manually add an interface from the page All Ports & Interfaces
1. In the sidebar, go to Device Manager > Ports & interfaces. The page All ports & inter-
faces opens.
2. In the menu, click on Add. The wizard Add port/interface opens.
3. In the drop-down list Device, select one of your existing devices.You can use your keyboard
to find the device you are looking for.
4. Click on NEXT . The next page, regarding ports and interfaces, opens.
5. If custom classes are enabled at port and interface level, in the list Port/Interface class
select a class or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
6. In the field Name, name the interface.
7. In the drop-down list Type, select Interface. The interface related fields appear.
8. You can link the interface with an IP address using the following fields.

Table 82.6. Options to link an interface with an IP address

Field Description
MAC address The MAC address of an IP address. This field is optional.
You can leave the field empty if you want to either specify an IP address or let
Device Manager generate a MAC address. Note that a generated MAC address
is never displayed in the GUI.
This field is automatically emptied out or filled if you specify an IP address.
IP Address An IP address assigned in the IPAM, its MAC address is automatically displayed
in the field MAC Address.
Note that the all MAC addresses must be unique, if address you specify retrieves
a MAC address already listed on the page, the interface addition is impossible.

9. In the drop-down list Space, you can select one of the existing IPAM spaces.
10. You can link the interface you are adding with another device port or interface using the fol-
lowing fields.

Table 82.7. Options to link an interface with another device

Field Description
Link with device The name of the device you want to link the interface with. The auto-completion
retrieves a list of existing devices matching this name that you can choose from.

1059
 Managing Ports and Interfaces

Field Description
Link with port/interface The name of the port you want to link the interface with. The auto-completion
retrieves a list of available ports and interfaces matching this name that you can
choose from.

11. Click on OK to complete the operation. The report opens and closes. The interface is listed
and marked Managed.

Editing Ports and Interfaces Properties

To edit the ports and interfaces implies:
• Renaming a port or an interface.
• Editing the links between existing ports/interfaces and devices.
• Editing the links between existing interfaces and devices, and the interface MAC address.

Editing port and interfaces is required if you duplicated existing devices. Once you duplicated
the relevant device, you must edit its content as follows:
1. Add/delete the ports and interfaces it contains as needed. For more details, refer to the sections
Adding Ports and Interfaces and Deleting Ports and Interfaces.
2. Manually link the ports/interfaces to the needed device as detailed in the sections Editing a
Port and Editing an Interface.

Renaming a Port or Interface

You can change the name of a port or an interface name from its properties page or from the
contextual menu on the page All port & interfaces.

Keep in mind that ports retrieved from NetChange had a name before you chose to manage them
in Device Manager. Once you renamed a port, both NetChange and Device Manager names are
displayed on its properties page: the field Name displays your name, the field NetChange port
name displays the port original name.

To rename a port from the page All ports & interfaces

1. In the sidebar, go to Device Manager > Ports & interfaces. The page All ports & inter-
faces opens.
2. In the Type column, type in port to only display the ports.
3. Right-click over the Name of the port you want to edit. The contextual menu opens.
4. Click on . The wizard Edit a port or interface opens.
5. If custom classes are enabled at port and interface level, in the list Port/Interface class
select a class or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
6. In the field Name, rename the port.
7. Click on OK to complete the operation. The report opens and closes. Your modified port
name is listed, its former name is no longer visible.

1060
 Managing Ports and Interfaces

To rename an interface from its properties page

1. In the sidebar, go to Device Manager > Ports & interfaces. The page All ports & inter-
faces opens.
2. In the column Type, type in interface to only display the interfaces.
3. Click on the name of the interface you want to edit. The properties page opens.
4. In the panel Main properties, click on EDIT . The wizard Edit a port or interface opens.
5. If custom classes are enabled at port and interface level, in the list Port/Interface class
select a class or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
6. In the field Name, rename the interface.
7. Click on OK to complete the operation. The report opens and closes. In the Main properties
panel, the name is edited.

Editing a Port
You can edit port links toward devices.

If you duplicated a device, you must edit these links. Once a device is duplicated, the newly
added device ports are not linked to any other device. In this case, you have to add the link
between the ports and the needed device port or interface. To successfully edit the port links
between devices, you must:
1. Add a new link toward the newly added device interfaces.
2. Perform an automatic discovery if both the ports and interfaces links are edited.
3. Check the data.

To link a port to another device's interface

1. In the sidebar, go to Device Manager > Ports & interfaces. The page All ports & inter-
faces opens.
2. Click on the Name of the port you want to link to another device interface. The port properties
page opens.
3. In the panel Main properties, click on EDIT . The wizard Edit a port or interface opens.
4. If custom classes are enabled at port and interface level, in the list Port/Interface class
select a class or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. Specify the other device port or interface.

Table 82.8. Options to link a port or interface with another device

Field Description
Link with device The name of the device you want to link the port with. The auto-completion re-
trieves a list of existing devices matching this name that you can choose from.
Link with port/interface The name of the port or interface you want to link the port with. The auto-com-
pletion retrieves a list of available ports and interfaces matching this name that
you can choose from.

1061
 Managing Ports and Interfaces

6. Click on OK to complete the operation.The report opens and closes.The device you selected
is visible in the panel Main properties in the Manually linked to line, the selected interface
is between brackets. If you go back to the page All ports & interfaces, you have the same
information in the column Manually linked to.

Now that the links are saved, if you already added the new device in NetChange, you can run
the automatic discovery. For more details, refer to the section Adding Network Devices.

If you also have interfaces in that device, edit their links and MAC addresses before running
the automatic discovery. For more details, refer to the section Editing an Interface.

To automatically add ports and interfaces

1. In the sidebar, go to Device Manager > Devices. The page All devices opens.
2. In the menu, select Tools > Automatic Discovery. The wizard Automatic discovery
opens.
3. Click on OK to complete the operation. The report opens and closes. The devices are all
listed, their content and names depend on what was found. For more details, refer to the
section Automatically Adding Devices from the Page All Devices.

Once your changes are done and the list of ports is up-to-date, you can compare the data added
manually and automatically.

To check the automatic discovery results

1. In the sidebar, go to Device Manager > Devices. The page All devices opens.
2. Click on the Name of the new device. The page All ports & interfaces of the device opens.
3. Compare the content columns Manually linked to and Automatically linked to.
4. Make sure there is no drift in the column Reconciliation. For more details, refer to the section
Tracking Changes on the Page All ports & interfaces.

Editing an Interface
You can edit interface links toward devices.

If you duplicated a device, you must edit the links. Once a device is duplicated, the newly added
device interfaces are not linked to any other device and their MAC address is probably incorrect.
In this case, you have to add the link between the interfaces and the needed device port or inter-
face. To successfully edit the interfaces' links between devices, you must:
1. Add a new link toward the new device interfaces.
2. Update the MAC address of the interface.
3. Perform an automatic discovery if both the ports and interfaces links are edited.
4. Check the data.

To link an interface to another device's interface

1. In the sidebar, go to Device Manager > Ports & interfaces. The page All ports & inter-
faces opens.
2. Click on the Name of the interface you want to link to another device interface. The interface
properties page opens.
3. In the panel Main properties, click on EDIT . The wizard Edit a port or interface opens.
4. If custom classes are enabled at port and interface level, in the list Port/Interface class
select a class or None.

1062
 Managing Ports and Interfaces

Click on NEXT . The next page opens.

If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. Specify the port or interface on the other device using the following fields.

Table 82.9. Options to link an interface with another device

Field Description
Link with device The name of the device you want to link the interface with. The auto-completion
retrieves a list of existing devices matching this name that you can choose from.
Link with port/interface The name of the port you want to link the interface with. The auto-completion
retrieves a list of available ports and interfaces matching this name that you can
choose from.

6. Click on OK to complete the operation.The report opens and closes.The device you selected
is visible in the panel Main properties in the Manually linked to line, the selected interface
is between brackets. If you go back to the page All ports & interfaces, you have the same
information in the Manually linked to column.

Once you linked the interfaces to another device interface, update its MAC address.

To update a MAC address

1. In the sidebar, go to Device Manager > Ports & interfaces. The page All ports & inter-
faces opens.
2. Tick the interface which MAC address you want to update. Filter the data if needed.
3. In the menu, select Edit > Update MAC. The wizard Update mac address opens.
4. In the field MAC address, specify the new MAC address.
5. Click on OK to complete the operation. The report opens and closes. The interface is listed
with the new MAC address. The MAC address is also updated within the IPAM module.
Once you updated a MAC address, the former MAC address is deleted and the IP address(es)
it is linked to are saved whether it is an IPv4 or an IPv6 address.

Now that the links are saved and the MAC addresses updated, if you already added the new
device in NetChange, you can run the automatic discovery. For more details, refer to the section
Adding Network Devices.

If you also have ports in that device, edit their links as well before running the automatic
discovery. For more details, refer to the section Editing a Port.

To automatically add ports and interfaces

1. In the sidebar, go to Device Manager > Devices. The page All devices opens.
2. In the menu, select Tools > Automatic Discovery. The wizard Automatic discovery
opens.
3. Click on OK to complete the operation. The report opens and closes. The devices are all
listed, their content and names depend on what was found. For more details, refer to the
section Automatically Adding Devices from the Page All Devices.

Once your changes are done and the list of interfaces is up-to-date, you can compare the data
added manually and automatically.

1063
 Managing Ports and Interfaces

To check the automatic discovery results

1. In the sidebar, go to Device Manager > Devices. The page All devices opens.
2. Click on the Name of the new device. The page All ports & interfaces of the device opens.
3. Compare the content columns Manually linked to and Automatically linked to.
4. Make sure there is no drift in the column Reconciliation. For more details, refer to the section
Tracking Changes on the Page All ports & interfaces.

Tracking Changes on the Page All ports & interfaces

To minimize the risk of saving inaccurate information in the module, the page All ports & interfaces
allows to track changes via a column and an option, both called reconciliation.

The reconciliation allows to compare the manual and/or automatic links between devices through
ports and interfaces.

The Column Reconciliation

The column Reconciliation compares the data entered in the columns Automatically linked to
and Manually linked to. Note that:
• It works in close relation with the reconciliation option. For more details, refer to the section
The Reconciliation Option.
• The data retrieved automatically always has the upper hand in Device Manager so do not use
the reconciliation option if you know that what you entered manually corresponds to the way
you want to manage your items.
• Editing the devices topology from the IPAM changes the content of the column Manually linked
to. For more details, refer to the section IP Address Advanced Properties.

The column can contain the following:

Table 82.10. Possible content of the column Reconciliation

Type Description
OK The information displayed in the columns Automatically linked to and Manually linked to is a match.

N/A No information is displayed in either column.

! Drift The information displayed in the columns Automatically linked to and Manually linked to is not a match.

The Top List Alert on ports/interfaces reconciliation drift tracks any drift in the column. For more
details, refer to the section Gadgets Displayed by Default.

The Reconciliation Option

The reconciliation option is here to proofread the link added manually versus the data entered
automatically. The first way to avoid getting any Drift is to configure Device Manager before
adding any items to it. Indeed, with this option both Automatically linked to and Manually linked
to should basically contain the exact same data.

However, if you decided to enter some data manually, you can reconcile both link related columns
with the reconciliation option.That is to say, the content of the column Manually linked to overwrites
the content of the column Automatically linked to.

1064
 Managing Ports and Interfaces

To use the reconciliation option to save the manual device links

1. In the sidebar, go to Device Manager > Ports & interfaces. The page All ports & inter-
faces opens.
2. Filter data if needed. For instance, through Drift in the Reconciliation column.
3. Tick the port(s) and/or interface(s) you want to reconcile.
4. In the menu, select Edit > Reconcile. The wizard Reconciliation opens.
5. Click on OK to complete the operation. The report opens and closes. The items disappear
from the list if the Reconciliation column was filtered by Drift as the value of the selected
items is now OK.

Updating Ports and Interfaces from the IPAM

The advanced properties allow to set the interaction between ports and interfaces and IP addresses
of the IPAM. When you add or edit an IP address, you can add an interface, along with its device,
or you can link it with an existing port or interface. If the port is already linked with an interface,
it edits the device topology.

For more details, refer to the chapter Managing Advanced Properties in the section IP Address
Advanced Properties.

Exporting Ports and Interfaces

From the page All ports & interfaces, you can export the data listed in a CSV, HTML, XML, XLS
or PDF file.

Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.

Deleting Ports and Interfaces

You can delete interfaces and ports from the page All ports & interfaces. Keep in mind that:
• The ports and interfaces deletion is manual and non-reversible.
• Deleting interfaces linked with the IPAM, breaks the link between the IP addresses and
the device.

To delete ports or interfaces

1. In the sidebar, go to Device Manager > Ports & interfaces. The page All ports & inter-
faces opens.
2. Tick the port(s) and/or interface(s) of your choice.
3. In the menu, click on Delete. The wizard Delete opens.
4. Click on OK to complete the operation. The report opens and closes. The selected item(s)
is/are no longer listed.

1065
Chapter 83. Managing the Interaction
with the IPAM
From Device Manager, you can manage the interaction of interfaces with IPAM IPv4 and IPv6
addresses via their MAC addresses or the option Link IP addresses to Device Manager interfaces.

From the IPAM module, a set of options allows to edit Device Manager database. You can:
• Add devices from the page All addresses when assigning an IP address.
• Associate IP addresses to existing interface or remove that link.
• Edit the link between devices from the page All addresses.

For more details, refer to the part Global Policies, in the section IP Address Advanced Properties.

Assigning IP Addresses to an Interface Using their MAC

Address
You can assign IPv4 and IPv6 addresses to existing interfaces using a MAC address.

This assignation links an IPAM IP address with an interface through a MAC address retrieved
by Netchange discovered items. There is no automatic detection of matching MAC addresses
within these modules, therefore you must manually assign each IP address to each interface.

Keep in mind that adding, editing or deleting a MAC address saved in Device Manager may
change or remove the IP address/interface link you configured.

To assign an IPv4 address to an interface using its MAC address

1. Within Device Manager
a. In the sidebar, go to Device Manager > Ports & interfaces. The page All ports &
interfaces opens.
b. Order the list by MAC address. The interfaces are listed first.
c. Right-click over the Name of the interface of your choice. The contextual menu opens.
d. Click on . The interface properties page opens.
e. In the panel Main properties, copy the MAC address.
2. Within the IPAM module
a. In the sidebar, go to IPAM > Addresses. The page All addresses opens.
b. Click on an available address. The pop-up message This address is free, do you want
to assign it? opens.
c. Click on OK . The wizard opens.
d. If custom classes are enabled at address level, the list IP address class is visible. Select
a class or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note
that applying a class on an object can impact the configuration fields available and/or
required.
e. The field IP address name is gray and empty.

1066
 Managing the Interaction with the
IPAM

f. The field IP address displays the IP address.

g. In the field MAC address, paste your MAC address.
h. In the field Shortname, name your IP address: it is automatically displayed in the field
IP address name.
i. Click on NEXT . The page Aliases configuration opens. There is nothing to set up in
this page when you are simply assigning an IP address to an interface. For more details,
refer to the section Configuring and Managing IP Address Aliases.
j. Click on OK to complete the operation. The IPv4 address is listed as Used, named and
has a MAC address.
If the report page displays the warning message MAC address already used. (Space:
..., Address: ....), on as many lines as IP address(es) used on the interface, click on OK
to commit the addition of the extra IP address on the interface. To cancel the assignment,
click on CLOSE . To edit the MAC address, click on PREVIOUS . The Aliases configuration
page opens first, click on PREVIOUS again to open the page Add an IPv4 address where
you can make the needed changes.
With IPv6 addresses, the interface assignment also involves going through the IPAM
module and editing the interface within Device Manager. However, we recommend that
you make sure the MAC address of the interface using this IPv6 address is present
among the NetChange discovered items. That way it is directly detected by Device
Manager.

To assign an IPv6 address to an interface using its MAC address

1. Within Device Manager
a. In the sidebar, go to Device Manager > Ports & interfaces. The page All ports &
interfaces opens.
b. Order the list by MAC address. The interfaces are listed first.
c. Right-click over the Name of the interface of your choice. The contextual menu opens.
d. Click on . The interface properties page opens.
e. In the panel Main properties, copy the MAC address.
2. Within NetChange
a. In the sidebar, go to NetChange > Discovered items. The page All discovered
items opens.
b. In the search engine of the column Interco, click on to remove the default filter.
c. In the search engine of the column MAC Address, paste your address to make sure it
is part of NetChange items.
d. On your keyboard, hit Enter. If the MAC address is listed, go to the next step. If it is not
listed, go back to step 1 and find an interface that is part of the list All discovered items.
3. Within the IPAM module
a. In the sidebar, go to IPAM > Addresses. The page All addresses opens.
b. On the right-end side of the menu, click on V6 . The page refreshes and the button turns
black.
c. Click on an available address. The pop-up message This address is free, do you want
to assign it? opens.
d. Click on OK . The wizard Add an IPv6 address opens.
e. If custom classes are enabled at address level, the list IP address class is visible. Select
a class or None and click on NEXT . The next page opens.

1067
 Managing the Interaction with the
IPAM

f. The field IP address name is gray and empty.

g. The field IP address displays the IP address.
h. In the field MAC address, paste your MAC address.
i. In the field Shortname, name your IP address: it is automatically displayed in the IP
address name field.
j. Click on NEXT . The page Aliases configuration opens. There is nothing to set up in
this page when you are simply assigning an IPv6 address to an interface. For more
details, refer to the section Configuring and Managing IP Address Aliases.
k. Click on OK to complete the operation. The report opens and closes. The IPv6 address
is listed as used, named and has a MAC address.
If the report page displays the warning message MAC address already used. (Space:
..., Address: ....), on as many lines as IP address(es) used on the interface, click on OK
to commit the addition of the extra IP address on the interface. To cancel the assignment,
click on CLOSE . To modify the MAC address, click on PREVIOUS . The Aliases configuration
page opens first, click on PREVIOUS again to open the page Add an IPv6 address where
you can make the needed changes.
4. Within Device Manager
a. In the sidebar, go back to Device Manager > Ports & interfaces. The page All
ports & interfaces opens.
b. Order the list by MAC address. The interfaces are listed first.
c. Right-click over the Name of the interface of your choice. The contextual menu opens.
d. Click on . The interface properties page opens.
e. Click on EDIT . The wizard Edit a port or interface opens.
f. In the field IP address, specify in the address of your choice, the auto-completion will
retrieve its MAC address.
g. Click on OK to complete the operation. The report opens and closes. In the panel Inter-
face attachments, the IPAM section regarding v6 addresses is updated and displays
the new IP address information. The address is visible in the list All ports & interfaces.

You can use the procedure above for as many IP addresses as needed for one interface. Beyond
one IPv6 address, the addition wizard displays a report step listing the IP addresses already used
on this interface to make sure that you actually want to use an extra IP address.

Managing the IP Addresses / Interfaces Link from the IPAM

From the page All addresses, you can link IP addresses with existing interfaces. You can either
use advanced properties to provide a link between them or a dedicated option in the menu Edit.
This menu also provides an easy way to break the link between an IP address and an interface.
To use advanced properties, refer to the section IP Address Advanced Properties.

The columns Device manager name and Device manager interface allow to display the inter-
actions on that page. For more details on how to add and display customized list templates, refer
to the section Managing List Templates.

Any ports and interfaces changes made from the IPAM change the content of the column
Manually linked to. For more details, refer to the section Tracking Changes on the Page All ports
& interfaces.

1068
 Managing the Interaction with the
IPAM

Linking IP Addresses with Existing Interfaces

From the page All addresses, you can set up, edit or remove links between your IP addresses
and existing Device Manager interfaces. Once you assigned IP addresses, you can link them to
the existing device and interface of your choice through the menu. The wizard also allows you
to edit, i.e. overwrite, an existing link between the IP address and interface.

The auto-completion provided in the device name and interface name only lists the device and
interfaces marked as Managed and Imported. The Unmanaged items are not listed.

To link an IP address and an interface using the menu

1. In the sidebar, go to IPAM > Addresses. The page All addresses opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. Tick the IP address(es) of your choice.
4. In the menu, select Edit > Link IP addresses to Device Manager interfaces. The wizard
Link IP addresses to Device Manager interfaces opens.
5. Set the link between the IP address(es) and the interface of your choice using the following
fields.

Table 83.1. IPAM to Device Manager link configuration fields

Field Description
Device The name or part of the name of an existing device. The auto-completion retrieves a list of
devices matching this name that you can choose from.
Interface name The name or part of the name of an existing interface. The auto-completion retrieves a list
of interfaces matching this name that you can choose from. Once you selected an interface,
its name is displayed as follows: <interface name> (<device name> - <number of IP ad-
dresses associated with the interface>).
Overwrite Tick this box to edit an existing link and overwrite it with a link to the device and interface
you specified in the above fields.

6. Click on OK to complete the operation. The report opens and closes. The changes are visible
in the dedicated columns, on the IP address properties page and in Device Manager.

Editing the Link Between IP Addresses and Interfaces

Once you set up a link between an IP address and an interface, you can edit it to link the IP ad-
dress with a different interface.

First, as detailed in the section Linking IP Addresses with Existing Interfaces, you can simply
specify a device and interface and tick the box Overwrite.

Second, if the IP address was assigned a MAC address, you can simply edit the MAC address
to link the IP address with another interface. For more details regarding IP address edition, refer
to the section Editing IP Addresses.

Removing the Link Between IP Addresses and Interfaces

Once you set a link between an IP address and an interface, you can remove it using the menu
provided that no MAC address was used when assigning the IP address. If your IP address
was assigned a MAC address, you need to edit the IP address, remove the MAC address and

1069
 Managing the Interaction with the
IPAM

then follow the procedure below to remove the link with the interface. For more details regarding
IP address edition, refer to the section Editing IP Addresses.

To remove an IP address / interface link using the menu

1. In the sidebar, go to IPAM > Addresses. The page All addresses opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. Tick the IP address(es) of your choice.
4. In the menu, select Edit > Remove IP addresses / Device Manager interfaces link.
The wizard Link IP addresses to Device Manager interfaces opens.
5. Click on OK to complete the operation. The report opens and closes. The changes are visible
in the dedicated columns, on the IP address properties page and in Device Manager.

1070
Chapter 84. Rules Impacting Device
Manager
From the module Administration, you can add, enable or disable rules related to Device Manager.

DHCP Rules Impacting Device Manager

The DHCP can interact directly with Device Manager thanks to two rules.These rules automatically
add devices containing an interface every time you add a static or lease.

Note that the rules are first organized by modules ans then event, so even if they both ultimately
impact Device Manager, you will find them under the module DHCP and the event Add: <DHCP-
object>.
Rule 221
Enabling this rule adds an interface every time you add a static, with or without an IPv4 ad-
dress. The interface has the same name as the static and belongs to a device also named
after the static. To add this rule, refer to the procedure To add a Device Manager rule and
select the Module DHCP and the Event Add: DHCP statics.
Rule 225
Enabling this rule adds an interface every time an IPv4 lease is generated. The interface is
named generic_# and belongs to a device named using the lease hostname. To add this
rule, follow the procedure To add a Device Manager rule and select the Module DHCP and
the Event Add: DHCP leases.

Adding Device Manager Rules

From the page Rules, you can add the rules of your choice. By default, none of Device Manager
related rules are added.

To add a Device Manager rule

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Rules. The page Rules opens.
3. In the menu, click on Add. The wizard Add a rule opens.
4. In the drop-down list Module, select the module that triggers the needed behavior. The rules
impacting Device Manager are listed in the section DHCP Rules Impacting Device Manager.
5. In the drop-down list Event, select the action in the selected module that triggers the beha-
vior.
6. In the list Rule, select the rule of your choice. Each rule is listed as follows: (<rule-number>)
<rule-name>.
7. In the Rule name, name the rule. This name is displayed in the column Instance and help
you filter the list without using the rule number.
8. In the field Comment, you can specify a comment.
9. Click on NEXT . The last page opens.
10. Click on OK to complete the operation. The report opens and closes. The rule is listed and
marked OK in the column Status.

1071
 Rules Impacting Device Manager

Enabling or Disabling Device Manager Rules

You can enable or disable a rule, only the enabled rules are executed

To enable/disable Device Manager rules

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Rules. The page Rules opens.
3. In the search engine of the column Rule #, specify the partial or complete rule(s) number
and hit Enter to filter the list.
4. Tick the rule(s) of your choice.
5. In the menu, select Edit > Enable or Disable. The wizard opens.
6. Click on OK to complete the operation. The report opens and closes. In the column Status,
the rule is marked OK or Disabled.

1072
 Part XIV. VLAN Manager
VLAN Manager allows to create and handle Virtual Local Area Networks (VLANs) and Virtual Extensible
LAN (VXLAN) to set up layer 2 data exchange between networks and devices.

Keep in mind that the VLAN Manager VLANs are different from the VLAN interfaces you can set up on the
page Network configuration. For more details, refer to the section Setting up a VLAN Interface.

Network name: DC1

Network address:
10.88.122.0/24

VLAN ID: 100

VLAN name: DC

Network name: floor1 Network name: floor2

Network address: Network address:
10.34.2.0/24 10.34.15.0/24

VLAN ID: 1
VLAN Name: Atrium

Figure 241. Example of a VLAN associating two subnet-type networks

From the module VLAN Manager you can include up to 3 levels of organization:
• Domains: the highest level of the hierarchy. They contain ranges and VLANs. For more details, refer to
the chapter Managing VLAN Domains.
• Ranges: an optional second level in the hierarchy. They contain VLANs. For more details, refer to the
chapter Managing VLAN Ranges.
• VLANs: the lowest level of the hierarchy. They are unique with a VLAN Identifier (ID) and belong to a
domain or range. For more details, refer to the chapter Managing VLANs.

Once you organized your VLANs, you can connect them with IPAM subnet-type networks belonging to dif-
ferent spaces or networks and make them communicate no matter their IP address. For more details, refer
to the Global Policies chapter Managing Advanced Properties.

Note that from the module Dashboards, you can monitor the module data or set up custom shortcuts and
search engines using gadgets. For more details, refer to the part Dashboards.
Table of Contents
85. Managing VLAN Domains ....................................................................................... 1075
Browsing VLAN Domains ..................................................................................... 1075
Adding VLAN Domains ........................................................................................ 1075
Editing VLAN Domains ........................................................................................ 1076
Automatically Adding New VLAN Domains as Group Resource .............................. 1077
Exporting VLAN Domains .................................................................................... 1078
Deleting VLAN Domains ...................................................................................... 1078
Defining a VLAN Domain as a Group Resource ..................................................... 1078
86. Managing VLAN Ranges ........................................................................................ 1079
Browsing VLAN Ranges ....................................................................................... 1079
Adding VLAN Ranges .......................................................................................... 1079
Editing VLAN Ranges .......................................................................................... 1080
Exporting VLAN Ranges ...................................................................................... 1081
Deleting VLAN Ranges ........................................................................................ 1081
Defining a VLAN Range as a Group Resource ...................................................... 1082
87. Managing VLANs ................................................................................................... 1083
Browsing VLANs ................................................................................................. 1083
Adding VLANs ..................................................................................................... 1084
Editing VLANs ..................................................................................................... 1085
Adding VLANs from the IPAM ............................................................................... 1085
Creating VLANs from NetChange ......................................................................... 1085
Exporting VLANs ................................................................................................. 1085
Deleting VLANs ................................................................................................... 1086

1074
Chapter 85. Managing VLAN Domains
VLAN domains are managed from the page All domains.They can be composed of VLAN ranges
and VLANs or exclusively of VLANs depending on your organizational needs.

You need at least one domain to organize your VLANs.

A domain is defined by its name and start and end ID. These IDs corresponds to the first and
last VLAN ID that it manages, it sets the number of VLANs it can contain:
• A VLAN domain can contain between 1 and 4094 VLANs.
• A VXLAN domain can contain between 1 and 16777215 VLANs.

Every time you add a domain, you can set the same set of IDs. They are duplicated on the page
All VLANs, and even if you have several VLANs with the ID 1, they are different. Indeed, they do
not belong to the same domain or range and might be assigned different names.

Browsing VLAN Domains

Within VLAN Manager, the domains are the highest level of the hierarchy. They are required to
manage your VLANs.

RANGE
DOMAIN
VLAN

Figure 85.1. The domain in VLAN Manager hierarchy

Browsing the VLAN Domains Database

To display the list of VLAN domains
1. In the sidebar, go to VLAN Manager > Domains. The page All domains opens.
2. In the column Domain End ID, the values can help differentiate VLAN and VXLAN domains.

To display a VLAN domain properties page

1. In the sidebar, go to VLAN Manager > Domains. The page All domains opens.
2. At the end of the line of the domain of your choice, click on . The properties page opens.

Customizing the Display on the Page All Domains

Any user can change the column layout of the page via the button List template, on the right-
end side of the menu. Only users of the group admin can add or edit list templates. For more
details, refer to the section Managing List Templates.

Adding VLAN Domains

Adding a domain sets the number of VLANs that you manage. You can set the start and end
VLAN ID of your choice, for instance you can choose to manage the VLANs 25 to 500.

You can add as many domains as you want. Note that:

1075
 Managing VLAN Domains

• You can import domains from a CSV file. For more details, refer to the section Importing VLAN
Domains in the chapter Importing Data from a CSV File.
• Once you added a domain, you cannot edit its start and end ID, or decide to make it a VXLAN
domain instead of VLAN or vice versa.
• Users that do not belong to the group admin cannot see the domains they add, unless an ad-
ministrative user either:
• Adds the new domains to the resources of the group(s) they belong to
• Configures the rule 408 to automatically add every new domain as resource of the group(s)
they belong to. For more details, refer to the section Automatically Adding New VLAN Domains
as Group Resource.

To add a VLAN domain

1. In the sidebar, go to VLAN Manager > Domains. The page All domains opens.
2. In the menu, click on Add. The wizard Add a VLAN domain opens.
3. If custom classes are enabled at domain level, in the list Domain class select a class or
None.
Click on NEXT . The last page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
4. In the field Domain, specify the VLAN domain name.
5. In the field Description, you can add a description. This field is optional. By default, 1 is
displayed in the field.
6. To add a VXLAN domain, tick the box Use VXLAN.
7. In the field Starting VLAN ID, specify the ID of the first VLAN of the domain.
a. For a VLAN domain, specify a number between 1 and 4094.
b. For a VXLAN domain, specify a number between 1 and 16777215.
8. In the field Ending VLAN ID, specify the ID of the last VLAN of the domain.
a. For a VLAN domain, specify a number between 1 and 4094. By default, 4094 is displayed
in the field.
b. For a VXLAN domain, specify a number between 1 and 16777215. By default, 16777215
is displayed in the field.
9. Click on OK to complete the operation. The report opens and closes. The domain is listed.
Note that depending on the group they belong to, users may not see the domain they added
on the page until an administrative user either:
• Adds the new domains to the resources of the group(s) they belong to
• Configures the rule 408 to automatically add every new domain as resource of the group(s)
they belong to. For more details, refer to the section Automatically Adding New VLAN
Domains as Group Resource.

Editing VLAN Domains

Editing a domain means renaming it or changing its description, setting it, editing it or removing
it.

You can edit a VLAN domain from the page All domains, via the contextual menu, or from its
properties page.

1076
 Managing VLAN Domains

If a domain no longer matches you needs and you want to edit its start ID, end ID, make it a
VXLAN domain or make it a VLAN domain, you must:
1. Add a new domain configured with the settings that suit your needs.
You can either add again the VLANs it contains and name them the same or export the VLANs
of the domain you want to edit and reimport them into the domain you added. For more details,
refer to the part Imports and Exports.
2. Delete the obsolete domain.

To edit a VLAN domain

1. In the sidebar, go to VLAN Manager > Domains. The page All domains opens.
2. Right-click on the Name of the domain of your choice. The contextual menu opens.
3. Click on Edit. The wizard Add a VLAN domain opens.
4. If custom classes are enabled at domain level, in the list Domain class select a class or
None.
Click on NEXT . The last page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. Edit the fields Domain and/or Description according to your needs.
6. Click on OK to complete the operation. The report opens and closes. The domain is listed
with the changes you just made.

Automatically Adding New VLAN Domains as Group

Resource
By default, only administrative users can immediately see the VLAN domains that they add. All
the standard users that can add domains must wait until an administrative user defines these
domains as resource of the group(s) of users they belong to. Once they can see the domains,
they can start managing them.

To avoid having to manually define new VLAN domain as group resource, administrators can
configure the rule 408 and automatically add every new VLAN domain as resource of the groups
of users of the relevant group(s) of users.

To add the rule 408 that sets which groups have new VLAN domains as resource
Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Rules. The page Rules opens.
3. In the menu, click on Add. The wizard Add a rule opens.
4. In the drop-down list Module, select VLAN Manager.
5. In the drop-down list Event, Add: VLAN domains is selected.
6. In the list Rule, select (408) (POC) Add new VLAN domains as group resource.
7. In the field Rule name, name the rule. That name is then listed in the column Instance.
8. In the field Comment, you can specify a comment.
9. Click on NEXT . The page Rule filters opens.
10. Click on NEXT . The page Rule parameters opens.

1077
 Managing VLAN Domains

11. In the list Available groups, select a group of users and click on . The group is moved to
the list Selected groups. You can add as many groups as you want.
12. In the list Selected groups, you can select and reorder the groups using and .
To remove a group, select it and click on . The group is moved back to the list Available
groups.
13. Click on OK to complete the operation. The report opens and closes. The rule is listed.

Exporting VLAN Domains

From the page All domains, you can export the data listed in a CSV, HTML, XML, XLS or PDF
file.

Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.

Deleting VLAN Domains

Deleting a domain is only possible if it does not contain any range or Used VLANs. If any of its
VLANs were assigned a name, you cannot delete the domain.

To delete a VLAN domain

1. In the sidebar, go to VLAN Manager > Domains. The page All domains opens.
2. Tick the domain(s) of your choice.
3. In the menu, click on Delete. The wizard Delete opens.
4. Click on OK to complete the operation. The report opens and closes. The domain is no longer
listed, the VLANs it contained are deleted from the page All VLANs as well.

Defining a VLAN Domain as a Group Resource

In SOLIDserver, only users of the group admin can manage and edit the items of every module.
Adding a VLAN domain as one of the resources of a specific group allows the users of that group
to manage the VLAN domain in question as long as they have the corresponding rights granted.

Note that administrative users can add a rule to ensure that every new VLAN domain is added
to the resources of the groups of users of their choice. For more details, refer to the section
Automatically Adding New VLAN Domains as Group Resource.

Granting access to a domain as a resource also grants access to every item it contains. For more
details, refer to the section Adding Resources to a Group in the chapter Managing Groups.

1078
Chapter 86. Managing VLAN Ranges
VLAN ranges provide an extra level of management for your VLANs. They are optional.

A VLAN range can contain as many VLANs as the domain it belongs to, or just or portion of the
VLANs.

Like the domain, a range is defined by its name, its start ID and its end ID. Considering that it
belongs to a domain, it cannot manage VLANs that are not managed by the domain, in other
words you cannot add a range with the start and end IDs 5-10 in a domain managing the IDs 6-
10.

Within a domain, you can add as many ranges as you want to manage the VLANs of the domain.
Your ranges can manage the same VLAN IDs if you allow overlapping, the VLANs are different
as they belong to different ranges.

Browsing VLAN Ranges

Within VLAN Manager, the ranges are the second level of the hierarchy.

RANGE
DOMAIN
VLAN

Figure 86.1. The range in VLAN Manager hierarchy

Browsing the VLAN Ranges Database

To display the list of VLAN ranges
1. In the sidebar, go to VLAN Manager > Ranges. The page All ranges opens.
2. To display the list of ranges of a specific domain, in the column Domain, click on the name
of your choice. The page refreshes.

To display a VLAN range properties page

1. In the sidebar, go to VLAN Manager > Ranges. The page All ranges opens.
2. At the end of the line of the range of your choice, click on . The properties page opens.

Customizing the Display on the Page All Ranges

Any user can change the column layout of the page via the button List template, on the right-
end side of the menu. Only users of the group admin can add or edit list templates. For more
details, refer to the section Managing List Templates.

Adding VLAN Ranges

You can add as many ranges as you need in a domain.

If you want to add ranges with unique sets of VLAN ID, you can tick the box No ID overlapping.
Keep in mind that the overlap restriction applies whether it was set on existing ranges or on

1079
 Managing VLAN Ranges

ranges you are trying to add. Therefore, if a range managing the VLAN IDs 1-512 already exists
and you try to add the range 512-550, an error message is returned whether the box was ticked
on the existing range or on the range you are adding.

With the overlapping allowed, if you set several ranges with common VLANs, the common VLAN
ID is replicated on the page All VLANs. You can differentiate them through their range, and po-
tentially their name.

Note that you can also import ranges from a CSV file. For more details, refer to the section Im-
porting VLAN Ranges in the chapter Importing Data from a CSV File.

To add a VLAN range

1. In the sidebar, go to VLAN Manager > Ranges. The page All ranges opens.
2. In the menu, click on Add. The wizard Add a VLAN range opens.
3. If custom classes are enabled at range level, in the list Range class select a class or None.
Click on NEXT . The last page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
4. In the list Domain, select the domain of your choice.
5. Click on NEXT . The last page opens.
6. In the field Range, name your VLAN range.
7. In the field Description, you can add a description. This field is optional.
8. In the field Starting VLAN ID, specify the ID of the first VLAN of the range. By default, the
Starting VLAN ID of the domain is displayed in the field.
9. In the field Ending VLAN ID, specify the ID of the last VLAN of the range. By default, the
Ending VLAN ID of the domain is displayed in the field.
10. The box No ID overlapping is ticked by default, you can untick it if you want to allow VLAN
ID overlapping in several ranges.
11. Click on OK to complete the operation. The report opens and closes. The range is listed.

Editing VLAN Ranges

You can edit a range name and description or resize it, that is say manage more or less VLANs.

Editing a VLAN Range Properties

Editing a range means renaming it or changing its description, setting it, editing it or removing it.

You can edit a VLAN range from the page All ranges, via the contextual menu, or from its prop-
erties page.

To edit a VLAN range from the properties page

1. In the sidebar, go to VLAN Manager > Ranges. The page All ranges opens.
2. At the end of the line of the range of your choice, click on . The properties page opens.
3. In the panel Main properties, click on EDIT . The wizard Add a VLAN range opens.
4. If custom classes are enabled at range level, in the list Range class select a class or None.
Click on NEXT . The last page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.

1080
 Managing VLAN Ranges

5. Edit the fields Domain, Description according to your needs.

6. Tick or untick the box No ID overlapping according to your needs.
7. Click on OK to complete the operation. The report opens and closes. The range properties
are updated.

Resizing a VLAN Range

At range level, you can change the number of VLANs managed.You can decide to manage more
or less VLANs, i.e. VLAN IDs. This option basically shifts the VLAN identifier number to add IDs
to the VLAN range or remove some IDs.

This option respects a set of rules:

1. You cannot reduce the size of a range if it contains Used VLANs (i.e. VLAN that were assigned
a name and might therefore be linked to a subnet-type network in the IPAM)
2. You can extend the size of a range as much as you want provided that:
• The new range size is not greater than the domain it belongs to.
In a domain managing the IDs 1-15, you cannot resize a range and make it manage the IDs
10-20, instead of 10-15.You would be asking to manage IDs that do not exist in the domain.
• The new range size does not exclude any Used VLAN of the range or include any Used
VLAN belonging to another range.

In case of overlap, you can either delete the used VLAN and add it again in the new range or
export it and reimport it in the new range.

To resize a VLAN range

1. In the sidebar, go to VLAN Manager > Ranges. The page All ranges opens.
2. Tick the range(s) that you want to resize.
3. In the menu, select Edit > Resize ranges. The wizard Resize ranges opens.
4. In the Start ID shift, specify the value of your choice. The value can be positive or negative,
preceded by -. A negative shift extends the number of IDs managed. If you do not want to
edit the Start ID, type in 0.
5. In the End ID shift, specify the value of your choice.The value can be positive or negative,
preceded by -. A negative shift reduces the number of IDs managed. If you do not want to
edit the End ID, type in 0.
6. Click on OK to complete the operation. The report opens and closes. The new range(s) size
is visible.

Exporting VLAN Ranges

From the page All ranges, you can export the data listed in a CSV, HTML, XML, XLS or PDF file.

Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.

Deleting VLAN Ranges

Deleting a range is only possible if it does not contain any Used VLANs. If any of its VLANs were
assigned a name, you cannot delete the range.

1081
 Managing VLAN Ranges

To delete a VLAN range

1. In the sidebar, go to VLAN Manager > Ranges. The page All ranges opens.
2. Tick the range(s) of your choice.
3. In the menu, click on Delete. The wizard Delete opens.
4. Click on OK to complete the operation. The report opens and closes. The range is no longer
listed, the VLANs it contained are deleted from the page All VLANs as well.

Defining a VLAN Range as a Group Resource

In SOLIDserver, only users of the group admin can manage and edit the items of every module.
Adding a VLAN range as one of the resources of a specific group allows the users of that group
to manage the VLAN range in question as long as they have the corresponding rights granted.

Granting access to a range as a resource also grants access to every item it contains. For more
details, refer to the section Adding Resources to a Group in the chapter Managing Groups.

1082
Chapter 87. Managing VLANs
Once you have added at least one domain, the VLANs it contains are listed on the page All
VLANs. They can belong to ranges.

All the VLANs are differentiated through their ID. You can assign them a name to set up an inter-
action with the module IPAM at network level between several subnet-type networks or devices
within a network. For this reason, once a VLAN has a name, the range and/or domain it belongs
to cannot be deleted.

You can add, edit or delete VLANs.

Browsing VLANs
Within VLAN Manager, the VLANs are the lowest level of the hierarchy.

RANGE
DOMAIN
VLAN

Figure 87.1. The VLAN in VLAN Manager hierarchy

Browsing the VLANs Database

To display the list of VLANs
1. In the sidebar, go to VLAN Manager > VLANs. The page All VLANs opens.
Only the Used VLANs are listed. If the VLAN ID overlapping is enabled, the columns Domain
and Range help differentiate VLAN IDs.
2. To display the Used and Free VLANs of a specific domain, in the column Domain, click on
the name of your choice. The page refreshes.
3. To display the Used and Free VLANs of a specific range, in the column Range, click on the
name of your choice. The page refreshes.
4. To display more Free VLANs, in the column VLAN ID click on left of the ID of your choice.
The first or last 13 VLANs appear.

For more details regarding statuses, refer to the section Understanding the VLAN Statuses.

To display a VLAN properties page

1. In the sidebar, go to VLAN Manager > VLANs. The page All VLANs opens.
2. At the end of the line of the Used VLAN of your choice, click on . The properties page
opens.

Customizing the Display on the Page All VLANs

Any user can change the column layout of the page via the button List template, on the right-
end side of the menu. Only users of the group admin can add or edit list templates. For more
details, refer to the section Managing List Templates.

1083
 Managing VLANs

Understanding the VLAN Statuses

The column Status provides information regarding the VLANs you manage.

Table 87.1. VLAN statuses

Status Description
Free The VLAN can be assigned a name.

Used The VLAN was assigned a name, it can interact with the IPAM. The domain and range it belongs
to cannot be deleted.

Adding VLANs
Adding a VLAN means using it as all the VLANs were added at the same time as the domain
they belong to. When you add a VLAN, you can assign it a name.

Note that you can import VLANs from a CSV file. For more details, refer to the section Importing
VLANs or VXLANs in the chapter Importing Data from a CSV File.

You can also use existing NetChange VLANs to create VLANs in VLAN Manager. For more details,
refer to the section Creating a VLAN in VLAN Manager.

To add a VLAN from the menu

1. In the sidebar, go to VLAN Manager > VLANs. The page All VLANs opens.
2. In the menu, click on Add. The wizard Add a VLAN opens.
3. In the list Domain, select the domain of your choice.
4. Click on NEXT . The next page opens.
5. In the list Range, select the range of your choice.
6. Click on NEXT . The next page opens.
7. If custom classes are enabled at VLAN level, in the list VLAN class select a class or None.
Click on NEXT . The last page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
8. In the field VLAN name, you can name the VLAN.
9. In the field VLAN ID, specify the VLAN ID of your choice.
10. Click on OK to complete the operation. The report opens and closes. The page refreshes
and the VLAN is now marked as Used. If you gave it a name, it is displayed in the column
Name.

To add a VLAN from the listing page

1. In the sidebar, go to VLAN Manager > Domains or Ranges. The page All Domains or
All Ranges opens.
2. In the column Name, click on the domain or range of your choice. The page All VLANs
opens.
3. In the column VLAN ID, click on the VLAN of your choice. A pop-up window This VLAN ID
is free, do you want to assign it? opens.
4. Click on OK . The wizard Add a VLAN opens.
5. If you are adding a VLAN within a domain, in the list Range, select a range or None.
6. Click on NEXT . The next page opens.

1084
 Managing VLANs

7. If custom classes are enabled at VLAN level, in the list VLAN class select a class or None.
Click on NEXT . The last page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
8. In the field VLAN name, you can name the VLAN.
9. Click on OK to complete the operation. The report opens and closes. The page refreshes
and the VLAN is now marked as Used. If you gave it a name, is displayed in the column
Name.

Editing VLANs
You can edit a VLAN name.

Keep in mind that renaming a VLAN breaks the IPAM / VLAN interaction.

To edit a VLAN
1. In the sidebar, go to VLAN Manager > VLANs. The page All VLANs opens.
2. Right-click over the VLAN ID of your choice. The contextual menu opens.
3. Click on Edit. The wizard opens.
4. If custom classes are enabled at VLAN level, in the list VLAN class select a class or None.
Click on NEXT . The last page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. In the field VLAN name, you can rename the VLAN.
6. Click on OK to complete the operation. The report opens and closes. The new VLAN name
is displayed.

Adding VLANs from the IPAM

The advanced properties allow to set up an interaction between VLANs and IPAM networks.
When you add or edit a subnet-type network, you can add a VLAN or associate it with an existing
VLAN. This configuration allows several subnet-type networks to communicate with each other
through a common VLAN no matter what space or network they belong to.

For more details, refer to the chapter Managing Advanced Properties in the section Network
Advanced Properties.

Creating VLANs from NetChange

From the NetChange page All VLANs you can create a VLAN from NetChange VLANs. For more
details, refer to the section Creating a VLAN in VLAN Manager.

Exporting VLANs
From the page All VLANs, you can export the data listed in a CSV, HTML, XML, XLS or PDF file.

Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.

1085
 Managing VLANs

Deleting VLANs
You can only delete Used VLANs. Before proceeding keep in mind that:
• Once deleted, the VLANs are still listed, if you are displaying the VLANs of a specific domain
or range, but are Free and no longer have a name.
• If the VLANs were associated with a subnet-type network, deleting VLANs breaks the association
and removes the VLAN information from the network properties. For more details, refer to the
chapter Network Advanced Properties.

The Free VLANs are unused so you cannot delete them. They are listed on the page All VLANs
of the domain or range they belong to. To delete unused VLANs from the list, you must delete
the range and/or domain they belong to.

To delete a VLAN
1. In the sidebar, go to VLAN Manager > VLANs. The page All VLANs opens.
2. Tick the Used VLAN(s) of your choice.
3. In the menu, click on Delete. The wizard Delete opens.
4. Click on OK to complete the operation. The report opens and closes. The VLAN is no longer
listed.
5. To see this VLAN, display the list of the VLANs for the domain or range it belongs to. This
VLAN no longer has a name in the column Name and its status is Free.

1086
 Part XV. VRF
VRF, Virtual Routing and Forwarding, allows to simultaneously define and maintain multiple instances of a
routing table on a single router.

This technology is commonly used for implementing L3 VPN(s) provided by MPLS service providers. In
such networks MPLS encapsulation is used to isolate individual customer traffic, and an independent routing
table (VRF) is maintained for each one of them.

Following RFC 4364, each VRF has a unique Route Distinguisher (RD) identifier. In that context, MP-BGP
is commonly employed to facilitate complex redistribution schemes to import and export routes to and from
VRFs (using route targets) to provide Internet connectivity or inter-VRF communication. Technically, you
should keep in mind that:
• Each VRF behaves like an independent router with its own interfaces, IP subnet-type networks and routing
protocol.
• Each VRF has separate routing and forwarding tables used only for the packets that traffic through the
VRF based on its interface mapping.

VPN A

CE

VPN B

PE P PE CE

VPN B

CE P P

VPN A
VPN A Tunnel
PE PE CE
VPN B Tunnel
Service Provider
MPLS Network

Figure 245. Example use of VRF on an MPLS network

From the module VRF, you can display and have an overview of the VRF and Route Targets that associate
them on your network on two dedicated pages. All available options are detailed in the chapters:
• Managing Virtual Routing and Forwarding.
• Managing VRF Route Targets.
Table of Contents
88. Managing Virtual Routing and Forwarding ............................................................... 1089
Browsing VRFs ................................................................................................... 1089
Adding VRFs ....................................................................................................... 1089
Editing VRFs ....................................................................................................... 1090
Exporting VRFs ................................................................................................... 1090
Deleting VRFs ..................................................................................................... 1090
89. Managing VRF Route Targets ................................................................................. 1091
Browsing VRF Route Targets ................................................................................ 1091
Adding VRF Route Targets ................................................................................... 1091
Exporting VRF Route Targets ............................................................................... 1092
Deleting VRF Route Targets ................................................................................. 1092

1088
Chapter 88. Managing Virtual Routing
and Forwarding
From the page All VRFs, you can add, import, edit and delete Virtual Routing and Forwarding
(VRF) for basic management purposes. The page inventories all VRFs using their name and
unique Route Distinguisher or RD.

You can oversee the communication configurations between your VRFs via the Route Targets.
For more details, refer to the chapter Managing VRF Route Targets.

Browsing VRFs
Within the module VRF, the VRFs are the highest level, the entry point of your inventory.

Browsing the VRF Database

To display the list of VRFs
1. In the sidebar, go to VRF > VRFs. The page All VRFs opens.
2. You can filter the list using the page columns.

To display a VRF properties page

1. In the sidebar, go to VRF > VRFs. The page All VRFs opens.
2. At the end of the line of the VRF of your choice, click on . The properties page opens.

Customizing the Display on the Page All VRFs

Any user can change the column layout of the page via the button List template, on the right-
end side of the menu. Only users of the group admin can add or edit list templates. For more
details, refer to the section Managing List Templates.

Adding VRFs
You can add as many VRFs as you need.

Note that you can also import VRFs, for more details refer to the section Importing Data to VRF
in the chapter Importing Data from a CSV File.

To add a VRF
1. In the sidebar, go to VRF > VRFs. The page All VRFs opens.
2. In the menu, click on Add. The wizard Add a VRF opens.
3. If custom classes are enabled at VRF level, in the list VRF class select a class or None.
Click on NEXT . The page Add a VRF opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
4. In the field Name, name your VRF.

1089
 Managing Virtual Routing and
Forwarding

5. In the field RD, specify the Route Distinguisher of your VRF. Following RFC 4364, the three
accepted types rule the RD format:

Table 88.1. RD types and formats

Type RD Format
0 <integer between 0 and 65535>:<integer between 0 and 4294967296>
1 <IPv4 address>:<integer between 0 and 65535>
2 <integer between 0 and 4294967296>:<integer between 0 and 65535>

6. In the field Comment, you can specify a comment. This field is optional.
7. Click on OK to complete the operation. The report opens and closes. The VRF is listed.

Editing VRFs
You can edit VRFs from the page All VRFs or from their properties page. Keep in mind that
editing a VRF name or RD also edits its VRF Route Target(s) in the GUI.

To edit a VRF from the page All VRFs

1. In the sidebar, go to VRF > VRFs. The page All VRFs opens.
2. Right-click over the Name of the VRF you want to edit. The contextual menu opens.
3. Click on . The wizard opens.
4. If custom classes are enabled at VRF level, in the list VRF class select a class or None.
Click on NEXT . The page Add a VRF opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. Edit the Name, RD and Comment fields according to your needs.
6. Click on OK to complete the operation. The report opens and closes. The page refreshes,
the VRF is listed with the new information.

Exporting VRFs
From the page All VRFs, you can export the data listed in a CSV, HTML, XML, XLS or PDF file.

Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.

Deleting VRFs
You can delete one or more VRFs at once. Keep in mind that deleting a VRF also deletes its
VRF Route Targets from the GUI.

To delete a VRF
1. In the sidebar, go to VRF > VRFs. The page All VRFs opens.
2. Tick the VRF(s) of your choice.
3. In the menu, click on Delete. The wizard Delete opens.
4. Click on OK to complete the operation. The report opens and closes. The VRF is no longer
listed, its VRF Route Targets are deleted as well.

1090
Chapter 89. Managing VRF Route Targets
From the page All VRF Route Targets, you can oversee the communication you set or want to
set on your network between the VRFs. This page simply illustrates the VRF communication
configuration, it assists in inventorying it all.

A Route Target sets up an exchange of routes between two VRFs, via their RD. They allow to
import and/or export the routes of the VRFs, one is the source VRF, the other is the target VRF.
Every VRF can be associated with one or more Route Targets.

Browsing VRF Route Targets

Within the module VRF, the VRF Route Targets are the lowest level, they link together the VRFs.

Browsing the VRF Route Targets Database

To display the list of VRF Route Targets
1. In the sidebar, go to VRF > VRF Route Targets. The page All VRF Route Targets opens.
2. You can filter the list using the page columns.

VRF Route Targets do not have a properties page as all the information is displayed on the page.

To display the list of VRF Route Targets of a specific source VRF

1. In the sidebar, go to VRF > VRFs. The page All VRFs opens.
2. Click on the name of the VRF of your choice. The page All VRF Route Targets opens. Only
the Route Targets that defined the VRF RD as Source VRF are listed.

Customizing the Display on the Page All VRF Route Targets

Any user can change the column layout of the page via the button List template, on the right-
end side of the menu. Only users of the group admin can add or edit list templates. For more
details, refer to the section Managing List Templates.

Adding VRF Route Targets

From the page All VRF Route Targets, you can add Route Targets to inventory the ones that are
already configured on your network or that you want to set up.

To properly add Route Targets you must:

• Have at least two VRFs listed on the page All VRFs.
• Specify a Source VRF and a Target VRF.
• Specify the exchange medium between the VRFs, importation and/or exportation:
• import: the Target VRF can import all the routes of the Source VRF.
• export: the Source VRF sends out its routes to the Target VRF.
• Make sure that you add two Route Targets to establish and confirm your exchange configuration.
For instance:
1. Add a Route Target that establishes that the Source VRF site A can import the routes of
the Target VRF site B.

1091
 Managing VRF Route Targets

2. Add another Route Target that establishes that the Source VRF site B can export the routes
the Target VRF site A.
To properly set up the exchange of routes, an import must be confirmed by an export,
and vice versa.

Note that:
• You can also import Route Targets, for more details refer to the section Importing VRF Route
Targets in the chapter Importing Data from a CSV File.
• A Route Target may be edited if its Source or Target VRF is edited.
• You cannot edit Route Targets from the page All VRF Route Targets. You must delete the
Route Target that no longer suits your needs and add it again.

To add the Route Targets that establish the communication between two VRFs
1. In the sidebar, go to VRF > VRF Route Targets. The page All VRF Route Targets opens.
2. Add the first Route Target
a. In the menu, click on Add. The wizard Add a VRF Route Target opens.
b. In the field Source VRF name, specify the VRF of your choice.
Type in the first letters of the source VRF, the auto-completion provides the list of
matching names, select the one you want.
c. In the field Target VRF name, specify the VRF of your choice using auto-completion.
d. You can tick the box Import to let the Target VRF retrieve the routes of the Source VRF.
e. You can tick the box Export to let the Source VRF send out its routes to the Target
VRF.
f. Click on OK to complete the operation. The report opens and closes. The VRF is listed.
3. Add the second Route Target
a. In the menu, click on Add. The wizard Add a VRF Route Target opens.
b. In the field Source VRF name, specify the Target VRF of the first Route Target.
c. In the field Target VRF name,specify the Source VRF of the first Route Target.
d. If you ticked the box Export in the first Route Target, tick the box Import to confirm the
communication configuration.
e. If you ticked the box Import in the first Route Target, tick the box Export to confirm the
communication configuration.
f. Click on OK to complete the operation. The report opens and closes. The VRF is listed.

Exporting VRF Route Targets

From the page All VRF Route Targets, you can export the data listed in a CSV, HTML, XML,
XLS or PDF file.

Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.

Deleting VRF Route Targets

At any point you can delete a VRF Route Target between two VRFs.

Note that Route Targets can be deleted from the page when one of the VRFs they link is deleted.

1092
 Managing VRF Route Targets

To delete a VRF Route Target

1. In the sidebar, go to VRF > VRF Route Targets. The page All VRF Route Targets opens.
2. Tick the VRF Route Target(s) of your choice.
3. In the menu, click on Delete. The wizard Delete opens.
4. Click on OK to complete the operation. The report opens and closes. The page refreshes,
the VRF Route Target is no longer listed.

1093
 Part XVI. SPX
The Service Provider eXtension (SPX) assists Local Internet Registry (LIR) declarations as it allows to
manage the complete life cycle of the IP address networks allocated to you by a Regional Internet Registry
(RIR) member. From SOLIDserver GUI, SPX helps you manage networks that were allocated to you by the
RIPE (Réseaux IP Européens) or the APNIC (Asia-Pacific Network Information Center).

The module SPX comes in addition to the IPAM and is available through a dedicated license option. To
make sure you do have this license option, the administrator can go to the page Admin Home and, in the
section System, click on License. When the page opens, in the panel Current license, all the license options
are listed: SPX must be listed.

To properly use SPX you must:

1. Configure SOLIDserver with the organization details of your RIR, whether the RIPE or APNIC. For more
details, refer to the chapter Configuring SPX.
2. Add or import the user(s), i.e. RIPE or APNIC person(s), responsible for the SPX network(s) management.
For more details, refer to the chapter Managing SPX Persons.
3. Import the networks that your RIR allocated to you and add or import the assigned network that suit your
needs. For more details, refer to the chapter Managing SPX Networks.
4. Add or import the AS Numbers registration details, i.e. RIPE or APNIC aut-nums, that suit your needs.
For more details, refer to the chapter Managing SPX AS Numbers.
Table of Contents
90. Configuring SPX .................................................................................................... 1096
Enabling the SPX Classes ................................................................................... 1096
Enabling the SPX Rules ....................................................................................... 1096
Configuring the SPX Connection .......................................................................... 1096
Editing the Connection to the RIPE or APNIC ........................................................ 1099
91. Managing SPX Persons .......................................................................................... 1101
Browsing SPX Persons ........................................................................................ 1101
Adding SPX Persons ........................................................................................... 1102
Editing SPX Persons ........................................................................................... 1102
Registering SPX Person Changes ........................................................................ 1103
Deleting SPX Persons ......................................................................................... 1103
92. Managing SPX Networks ........................................................................................ 1105
Browsing SPX Networks ...................................................................................... 1105
Adding SPX Networks ......................................................................................... 1106
Editing SPX Networks ......................................................................................... 1111
Registering SPX Network Changes ...................................................................... 1113
Validating a New Assignment Window .................................................................. 1113
Deleting SPX Networks ....................................................................................... 1114
93. Managing SPX AS Numbers ................................................................................... 1116
Browsing SPX AS Numbers ................................................................................. 1116
Adding SPX AS Numbers .................................................................................... 1117
Editing SPX AS Numbers .................................................................................... 1118
Exporting SPX AS Numbers ................................................................................ 1118
Deleting SPX AS Numbers .................................................................................. 1119

1095
Chapter 90. Configuring SPX
No matter what RIR you depend on, there is only one wizard to configure SOLIDserver.

Once SPX is properly set and matches your allocated network(s), you can add and edit the ag-
gregated and assigned networks they contain, the allocated networks are managed by the RIR
itself. Whenever you add or edit aggregated and assigned networks from the GUI, your RIR is
notified via POST.

Enabling the SPX Classes

To properly configure SOLIDserver to manage RIR networks, you need to enable the default
SPX classes provided. They allow to add the extra fields and options that assist you in managing
RIPE or APNIC networks.

To enable SPX classes

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. In the search engine of the column Directory, type in SPX. Only the default SPX classes
are listed.
4. Tick the box next to the column Name. All the classes of the directory are selected.
5. In the menu, select Edit > Enable class. The wizard Enable class opens.
6. Click on OK to complete the operation. The report opens and closes, the page refreshes.
The classes are marked as Enabled in the column Status.

Enabling the SPX Rules

Once the SPX classes are enabled, you must enable the default SPX rules. These rules are de-
signed to automate the communications between SOLIDserver and the RIPE or APNIC organiz-
ation.

To enable SPX rules

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Rules. The page Rules opens.
3. In the search engine of the column Module, type in SPX. The SPX rules are listed.
4. Tick the box next to the column Name. All the classes of the directory are selected.
5. In the menu, select Edit > Enable. The wizard Enable opens.
6. Click on OK to complete the operation. The report opens and closes, the page refreshes.
The rules are marked as OK in the column Status.

Configuring the SPX Connection

To configure SOLIDserver with your RIR organization details, and set up management preferences
using SOLIDserver classes, a configuration wizard is available in the module SPX.

Before going further, make sure that:

1096
 Configuring SPX

• You have all your RIPE or APNIC network details: maintainer, organization, registry identifier,
administrator contact (admin-c) and user contact (person).
• Your SPX classes and rules are enabled. They apply to IPv4 and IPv6 allocated networks,
IPv4 and IPv6 assigned networks, autnums and finally users. For more details, refer to the
sections Enabling the SPX Classes and Enabling the SPX Rules.

Keep in mind that:

• The SPX configuration wizard allows to configure your RIPE or APNIC "real" database as well
as your TEST database, if you have one.
• All changes and updates performed within SOLIDserver are sent to your RIR via POST.

To configure SOLIDserver SPX with your RIPE or APNIC details

1. In the sidebar, go to SPX > AS Numbers or Policies. The page opens.
2. In the menu, select Tools > SPX configuration. The wizard SPX configuration opens.
3. Configure your SPX settings:

Field Description
RIR The Regional Internet Registry, either RIPE or APNIC.
Comment A comment regarding the organization.
Maintainer Your RIPE or APNIC maintainer full name. This information is contained in the
field mntner and reused in the field mnt-by of your assigned networks.
Password Your RIPE or APNIC password. It is used to authenticate the database updates.
Source The selected RIR to configure your official database or TEST to configure your
test database.
NCC REGID Your registry identifier. It was provided to you by your RIR, if not, you should
contact them to obtain it.
From (email) The email address used as source address in the emails sent to your RIR.
Notify (email) The email address of the person notified of any change made in the RIPE or
APNIC database.
Changed (email) The email address displayed in the field changed of the description of your as-
signed network in the RIPE or APNIC database. It can be a generic address or
the address of a person.
AW validation (email) The email of the person notified if you exceed the number of IP addresses of
your Assigned Window. This person must be granted sufficient rights to perform
the appropriate operations if your new assigned networks exceed the allocated
range of addresses.
AW size The number of IP addresses you are allocated in the RIPE or APNIC Assigned
Window.
Expert mode Tick this box if you want to set up a proxy server to communicate changes to
your RIR. Once ticked, the following fields appear.
Whois RIR host The full name of the proxy server.
Whois port The number of the Whois RIR host port used to
transmit information. Port 80 is generally used.
RIR Update host The name of the server of your RIR receiving the up-
dates
RIR update URL The URL of the RIPE or APNIC server receiving your
updates.

Once all the fields are filled, click on ADD .

The details are moved to the Maintainer list and displayed as follows: Source: <selected-
source> - Maintainer : <maintainer-name>.

1097
 Configuring SPX

4. Repeat the configuration step for as many maintainers as needed.

5. Click on NEXT . The next page opens.
6. On the page SPX allocated networks classes configuration, configure the classes of your
RIR allocated networks:
a. In the drop-down list Allocated network class, select one of your classes or the default
1
class SPX/RIPE_block .
b. In the drop-down list Allocated network PI class, select one of your classes or the
default class SPX/RIPE_PI_block.
c. Click on NEXT . The next page opens.
7. On the page SPX assigned networks classes configuration, configure the classes of your
RIR assigned networks:
a. In the drop-down list Assigned network class, select one of your classes or on of the
default classes, SPX/RIPE_PI_subnet or SPX/RIPE_subnet.
The selected class is moved to the field New Assigned network class.
b. Click on ADD to confirm the selection. The class is moved to the List of SPX assigned
networks.
c. Repeat these steps for as many classes as needed.
d. Click on NEXT . The next page opens.
8. On the page SPX allocated networks (v6) classes configuration, configure the classes
of your IPv6 RIR allocated networks:
a. In the drop-down list Allocated network class (v6), select one of your classes or the
default class SPX/RIPE_Block.
b. Click on NEXT . The next page opens.
9. On the page SPX assigned networks (v6) classes configuration, you can configure the
classes of your IPv6 RIR assigned networks:
a. In the drop-down list Assigned network class (v6), select one of your classes or the
default class SPX/RIPE_subnet.
The selected class is moved to the field New assigned network class (v6).
b. Click on ADD to confirm its selection. The class is moved to the List of SPX assigned
networks (v6).
c. Repeat the steps above for as many classes as needed.
d. Click on NEXT . The next page opens.
10. On the page SPX aut-nums classes configuration, you can configure the classes for your
autnums:
a. In the drop-down list Aut-num class, select one of your classes or the default class
SPX/RIPE. The selected class is moved to the field New aut-num class.
b. Click on ADD to confirm its selection. The class is moved to the List of SPX aut-num
classes.
c. Repeat these steps for as many classes as needed.
d. Click on NEXT . The next page opens.
11. On the page SPX users classes configuration, you can configure the classes of your RIPE
or APNIC users:

1
All the classes name can be preceded by a / if they belong to a specific directory, following the format: <directory-name>/<class-
name>. In this case, the default class RIPE_Block belongs to the directory SPX.

1098
 Configuring SPX

a. In the drop-down list User class, select one of your classes or the default class
SPX/RIPE_person.
The selected class is moved to the field New user class.
b. Click on ADD to confirm its selection. The class is moved to the List of SPX users.
c. Repeat these steps for as many classes as needed.
12. Click on OK to complete the operation. The report opens and closes, the page refreshes.

You can edit these settings or add new maintainers. For more details, refer to the section Editing
the Connection to the RIPE or APNIC.

Editing the Connection to the RIPE or APNIC

Once your configuration with SOLIDserver is done, you can always edit its details or the class
associated with your maintainer from the wizard SPX configuration.

Keep in mind that you should not edit the maintainer name, registry identifier or AW size if
you already imported your allocated networks.

To edit an SPX maintainer configuration details

1. In the sidebar, go to SPX > AS Numbers or Policies. The page opens.
2. In the menu, select Tools > SPX configuration. The wizard SPX configuration opens.
3. At the bottom of the page in the Maintainer list, click on the maintainer you want to edit.
The configuration current values are displayed in the each field.
4. Change the value of the field(s) of your choice. For more details regarding the fields, refer
to the procedure in the section Configuring the SPX Connection.
5. Click on UPDATE . The Maintainer list is edited according to your changes. Only the Source
and Maintainer name are displayed on this list.
6. Click on NEXT . The page SPX allocated networks classes configuration opens.
7. Click on NEXT . The page SPX assigned networks classes configuration opens.
8. Click on NEXT . The page SPX allocated networks (v6) classes configuration opens.
9. Click on NEXT . The page SPX assigned networks (v6) classes configuration opens.
10. Click on NEXT . The page SPX aut-num classes configuration opens.
11. Click on NEXT . The page SPX users classes configuration opens.
12. Click on OK to complete the operation. The report opens and closes, the page refreshes.

To delete an SPX maintainer

1. In the sidebar, go to SPX > AS Numbers or Policies. The page opens.
2. In the menu, select Tools > SPX configuration. The wizard SPX configuration opens.
3. At the bottom of the page in the Maintainer list, click on the maintainer you want to delete.
The configuration current values are displayed in the each field.
4. Click on DELETE . The maintainer is no longer in the Maintainer list.
5. Click on NEXT . The page SPX allocated networks classes configuration opens.
6. Click on NEXT . The page SPX assigned networks classes configuration opens.
7. Click on NEXT . The page SPX allocated networks (v6) classes configuration opens.
8. Click on NEXT . The page SPX assigned networks (v6) classes configuration opens.

9. Click on NEXT . The page SPX aut-num classes configuration opens.

1099
 Configuring SPX

10. Click on NEXT . The page SPX users classes configuration opens.
11. Click on OK to complete the operation. The report opens and closes, the page refreshes.

To edit the classes associated with an SPX maintainer

1. In the sidebar, go to SPX > AS Numbers or Policies. The page opens.
2. In the menu, select Tools > SPX configuration. The wizard SPX configuration opens.
3. At the bottom of the page in the Maintainer list, click on the maintainer which classes you
want to edit. The configuration current values are displayed in the each field.
4. Click on NEXT . The page SPX allocated networks classes configuration opens.
5. You can select a different class in the drop-down lists Allocated network class and Allocated
network PI class.
6. Click on NEXT . The page SPX assigned networks classes configuration opens.
7. You can edit the list of classes in the List of SPX assigned networks classes: select a
class in the drop-down list Assigned network class and ADD it, or select a class in the list
and DELETE it.
8. Click on NEXT . The page SPX allocated networks (v6) classes configuration opens.
9. You can select a different class in the drop-down list Allocated network class (v6).
10. Click on NEXT . The page SPX assigned networks (v6) classes configuration opens.
11. You can edit the list of classes in the List of SPX assigned networks classes (v6): select
a class in the drop-down list Assigned network class (v6) and ADD it, or select a class in
the list and DELETE it.
12. Click on NEXT . The page SPX aut-num classes configuration opens.
13. You can edit the list of classes in the List of SPX aut-num classes: select a class in the
drop-down list Aut-num class and ADD it, or select a class in the list and DELETE it.
14. Click on NEXT . The page SPX users classes configuration opens.
15. You can edit the list of classes in the List of SPX users classes: select a class in the drop-
down list User class and ADD it, or select a class in the list and DELETE it.
16. Click on OK to complete the operation. The report opens and closes, the page refreshes.

1100
Chapter 91. Managing SPX Persons
Before managing SPX networks, you need to add or import RIPE and APNIC persons.

Within the GUI, SPX persons are managed from the page Users of the module Administration.
Like other users, you need to add SPX persons to groups and grant them rights and resources.
For more details, refer to the part Rights Management.

Browsing SPX Persons

On the page Users, a set of columns are dedicated to SPX person class parameters. They allow
to sort and filter SPX users on the page.

Users of the group admin can include these columns to the Displayed list template of the page.
To add them to a new list template instead, refer to the section Adding List Templates.

To display the SPX persons dedicated columns

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Users. The page opens.
3. On the right-end side of the menu, click on List templates. The window opens.
4. The list Displayed list template displays the name of the current template. You can select
a different one.
5. Tick the SPX persons dedicated columns to include to the template:

Table 91.1. SPX persons dedicated class parameters

List template name Column name on the page
User class name Class
Waiting Waiting
Class param: Address Address
Class param: Email Email
Class param: Fax Fax
Class param: Maintainer Maintainer
Class param: Notify Notify
Class param: Person Person
Class param: Phone Phone
Class param: Remark Remark

Note that most of these parameters are only available if you properly enabled the classes
of the Directory SPX. For more details, refer to the chapter Enabling the SPX Classes.
6. Click on SAVE . The page refreshes.
7. You can filter the column Class with RIPE to only display SPX users, or any Class param:
column according to your needs.

1101
 Managing SPX Persons

Adding SPX Persons

You can add as many SPX persons as you need. Every time you add a person, you have to wait
for the RIPE or APNIC confirmation.

To make sure the person addition was confirmed, you can display the column Waiting. For more
details, refer to the section Browsing the SPX Persons.

To add an SPX person

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Users. The page Users opens.
3. In the menu, click on Add. The wizard Add a user opens.
4. In the list User class, select the class RIPE_person .
5. Click on NEXT . The page Add a user opens.
6. Configuring the SPX person details:
a. In the field Usr login, an identifier is automatically incremented. You can edit it if need
be.
b. In the field Address, specify the person mailing address to fill in the RIPE or APNIC
field address.
c. In the field Phone, specify the person phone number following the format: +<country
code> <area code> <phone number>.
d. In the field Fax, you can specify a fax number following the same format as the field
Phone.
e. In the field Email, specify the user email address.
f. In the field Remark, you can specify a comment regarding the person.
g. In the field Notify, you can specify the email address of the person notified of any
changes made on the details of the person you are adding.
h. In the drop-down list Maintainer, select your maintainer.
7. If need be, configure extra details for the person management from the GUI:
a. In the field First name, specify the person first name.
b. In the field Last name, specify the person last name.
c. In the field Pseudonym, the user last and first name are automatically displayed. You
can replace them by a shortname or shorter name if you want.
8. Click on OK to complete the operation. The report opens and closes. The user is listed, its
state is Creating. Its status is not OK, until the RIPE or APNIC has confirmed the addition.
The column Waiting details the states.
If the person status stays in wait_mail_add, refer to the section Registering SPX Person
Changes.

Editing SPX Persons

You can edit SPX persons. Any change is sent to the RIPE or APNIC using the email address
specified in the field Notify specified when the person was added.

Every time you edit a person, you have to wait for the RIPE or APNIC confirmation. To make
sure the person edition was confirmed, you can display the column Waiting. For more details,
refer to the section Browsing the SPX Persons.

1102
 Managing SPX Persons

To edit an SPX person

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Users. The page Users opens.
3. In the column Login, click on the user name of your choice. The properties page opens.
4. In the panel Main properties, click on EDIT . The wizard Edit a user opens.
5. In the list User class, edit the class if need be.
6. Click on NEXT . The page Edit a user opens.
7. Edit the user information according to your needs. All details can be edited, except their
Pseudonym. For more details, refer to the procedure To add an SPX person.
8. Click on OK to complete the operation. The report opens and closes. The changes are listed
in the panel.
9. Go back to the page Users to see the person state and make sure it was confirmed by the
RIPE or APNIC. Its status is not OK, until the RIPE or APNIC has confirmed the edition.
The column Waiting details the states.
If the person status stays in wait_mail_add, refer to the section Registering SPX Person
Changes.

Registering SPX Person Changes

You need to register again any SPX person you added, edited or deleted if their Status is
wait_mail_add, wait_mail_del or must_send_mail.

A dedicated option allows to resend the person information to the RIPE or APNIC.

To register again newly added or edited SPX assigned persons

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Users. The page Users opens.
3. Tick the person(s) that have the status wait_mail_add or wait_mail_del.
4. In the menu, select Edit > Register again. The wizard Person Register again opens.
5. Click on OK to complete the operation. The report opens and closes. The person status
evolves until it is OK. The column Waiting details the states.

Deleting SPX Persons

You can delete SPX persons. The deletion request is sent to the RIPE or APNIC using the email
address specified in the field Notify specified when the person was added.

Every time you delete a person, you have to wait for the RIPE or APNIC confirmation. To make
sure the assigned network edition was confirmed, you can display the column Waiting. For more
details, refer to the section Browsing the SPX Persons.

Before deleting a person, make sure that the assigned networks they were managing are
already managed by someone else. You need to edit the relevant assigned networks Contacts
details before deleting the person. For more details, refer to the section Editing SPX Networks.

To delete an SPX person

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Users. The page Users opens.

1103
 Managing SPX Persons

3. Tick the user(s) of your choice.

4. In the menu, click on Delete. The wizard Delete opens.
5. Click on OK to complete the operation. The report opens and closes. The user state is
Deleting until the RIPE or APNIC confirms its deletion. The column Waiting details the states.
If the person status stays in wait_mail_del, refer to the section Registering SPX Person
Changes.

1104
Chapter 92. Managing SPX Networks
Once you imported allocated networks, you can add, edit or delete the aggregated and assigned
networks they contain.

Within the GUI, SPX networks are managed from the IPAM page All networks. All imported alloc-
ated networks are displayed as block-type networks, the aggregated and assigned networks
you add are displayed as subnet-type networks.

In IPv4 you can:

• Add, edit and delete assigned networks.
1
• Import or add Provider Aggregatable (PA) and Provider Independent (PI) addresses using the
dedicated classes available for assigned networks.

In IPv6 you can:

• Add, edit and delete aggregated and assigned networks.
1
• Import Provider Aggregatable (PA) addresses using the dedicated classes available for as-
signed networks.

SPX aggregated and assigned networks addition is assisted by dedicated classes that
administrators should enable in Class Studio, all these classes belong to the Directory SPX. For
more details, refer to the chapter Configuring SPX.

More generally, SPX networks can be managed the same way as regular networks, For more
details, refer to the chapters Managing Networks, Managing Pools and Managing IP Addresses.

Browsing SPX Networks

On the page All networks, a set of columns are dedicated to SPX network class parameters.
They allow to sort and filter SPX networks on the page.

Users of the group admin can include these columns to the Displayed list template of the page.
To add them to a new list template instead, refer to the section Adding List Templates.

Note that the column Status indicates if the addition requests to the RIPE or APNIC are confirmed
or denied.

To display the SPX networks dedicated columns

Only users of the group admin can perform this operation.
1. In the sidebar, go to IPAM > Networks. The page All networks opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. On the right-end side of the menu, click on List templates. The window opens.
4. The list Displayed list template displays the name of the current template. You can select
a different one.
5. Tick the SPX networks dedicated columns to include to the template:

1
For more details, refer to http://www.ripe.net/lir-services/member-support/info/faqs/isp-related-questions/pa-pi.

1105
 Managing SPX Networks

Table 92.1. SPX networks dedicated class parameters

List template name Column name on the page
Network class name Class
Network waiting state Waiting state
* Description (__eip_description) Description
* Description (descr) Description
Class param: Admin c Administrative contacts
Class param: Assigned network Assigned network
Class param: Changed Changed
Class param: Country Country
Class param: Maintainer Maintainer
Class param: Name Name
Class param: Notify Notify
Class param: Remarks Remarks
Class param: Rev srv Rev srv
Class param: Status Status
Class param: Tech c Technical contacts

Note that most of these parameters are only available if you properly enabled the classes
of the Directory SPX. For more details, refer to the chapter Enabling the SPX Classes.
6. Click on SAVE . The page refreshes.
7. You can filter the column Class with RIPE to only display SPX networks, or any Class
param: column according to your needs.

To display an SPX network properties page

1. In the sidebar, go to IPAM > Networks. The page All networks opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. At the end of the line of the subnet of your choice, click on . The properties page opens.
The panel Main properties displays the RIPE status of the network. Note that for IPv6 ag-
gregated networks, the Assignment size is also displayed.

Adding SPX Networks

You can only add and manage some SPX networks to the GUI.

To manage SPX networks you must:

1. Configure user access, you must indicate which SPX user manages the networks of your RIPE
or APNIC database.
If the person managing the network(s) already exists in the RIPE or APNIC database, there
is no need to add them to the GUI, you can import them. For more details, refer to the chapter
Managing SPX Persons.
2. Import a RIPE or APNIC allocated network. For more details, refer to the section Importing
SPX Allocated Networks.
3. Add SPX networks using dedicated classes.
In IPv4, you can only add assigned networks, as details in the section Adding SPX IPv4 Net-
works.

1106
 Managing SPX Networks

In IPv6, you can add aggregated and assigned networks, as detailed in the section Adding
SPX IPv6 Networks.

Adding SPX IPv4 Networks

From the page All networks, you can add IPv4 assigned networks.

Once added, you have to wait for the RIPE or APNIC confirmation. To make sure the network
addition was confirmed, you can display the column Waiting state. For more details, refer to the
section Browsing SPX Networks.

Note that you can also import assigned networks. For more details, refer to the section Importing
SPX Assigned Networks in the chapter Importing Data from a CSV File.

To add an IPv4 assigned network

1. In the sidebar, go to IPAM > Networks. The page All networks opens.
2. On the right-end side of the menu, make sure the button V4 is black, otherwise click on it.
3. In the menu, click on Add an IPv4 network (subnet) by search. The wizard opens.
4. On the page Space selection, select the space of your choice. Click on NEXT . The page
Network class opens.
5. In the list Network class, select either SPX/RIPE_PI_subnet or SPX/RIPE_subnet. Click
on NEXT . The page Network Size opens.
6. Select a Size, Prefix or Netmask. The two other fields are edited accordingly.
7. Click on NEXT . The page Search result opens.
8. In the list Network address, select a start address.
9. Click on NEXT . The page Add an IPv4 network opens.
10. Configure the assigned network:
a. The Address and Prefix fields are displayed in read-only as they correspond to the
criteria previously set.
b. In the section Terminal network, the box is ticked.
c. In the field Gateway, the gateway is displayed. Its IP address corresponds to the default
gateway offset configured. You can edit it if need be.
d. In the drop-down list Number of pools, you can select a value between 1 and 5, de-
pending on the number of pools you want to add in the assigned network. Once you
selected a value, you need to set the Size and Type of each pool.
e. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
Depending on your rights, you may be able to display All available fields and set partic-
ular behaviors for the assigned network. For more details, refer to the IPAM section of
the chapter Managing Advanced Properties.
f. At the bottom of the wizard, in the field Assigned network, the inetnum start and end
address are displayed in read-only.
g. In the field Name, name the assigned network (inetnum). It must contain letters, digits,
an underscore and an hyphen. The first character must be a letter, the last character
must be a letter or a digit. The field automatically displays capital letters. The value
entered in also displayed in the field Network name.
h. In the field Description, specify a description for the network.

1107
 Managing SPX Networks

i. In the drop-down list Country, you can select the country where the organization is
located.
11. Click on NEXT . The next page opens and allows you to set up a notify mail:
a. In the field Notify mail, you can specify the email address of the person notified of any
change made on the assigned network you are adding.
b. Click on ADD . The address is moved to the list Notify.
c. In the field Remarks, you can specify a comment regarding the assigned network.
12. Click on NEXT . The page Contacts opens.
a. Specify the assigned network technical contacts (tech-c):
1. In the field Nic handle / Person, specify the user's Nic handle or name (as displayed
in the RIPE or APNIC person field).
2. Click on SEARCH to retrieve their details.
3. Click on ADD . The contact is moved to the field Technical contacts.
b. Specify the assigned network administrative contacts (admin-c):
1. In the field Nic handle / Person, specify the user's Nic handle or name (as displayed
in the RIPE or APNIC person field).
2. Click on SEARCH to retrieve their details.
3. Click on ADD . The contact is moved to the field Administrative contacts.

13. Click on OK to complete the operation. The report opens and closes. The assigned network
is listed, its state is Creating. Its status is not OK, until the RIPE or APNIC has confirmed
the addition. The column Waiting details the states.
If the assigned network status stays in wait_mail_add, refer to the section Registering SPX
Network Changes.
If the assigned network status stays in wait_aw_confirm, refer to the section Validating a
New Assignment Window.

Adding SPX IPv6 Networks

From the page All networks, you can add IPv6 aggregated and assigned networks.

Before adding IPv6 networks, note that:

• The rule 414 that Checks for restrictions every time you add or edit an IPv6 network in the
RIPE database must be enabled.
• Aggregated networks are set with the status AGGREGATED-BY-LIR. They allow to set a
hierarchy of up to three levels within allocated networks.
• They cannot have a prefix greater than /64, the RIPE database does not support greater
prefixes.
• They are non-terminal networks configured with an assignment size that determines the
prefix of the networks they contain.This assignment size must be greater than the aggregated
network prefix.
• They can contain another aggregated network, assigned networks or local IPAM networks
not sent to the RIPE. An aggregated network cannot contain more than one aggregated
network.
• They can belong to an allocated network, to another aggregated network or to a local IPAM
network not sent to the RIPE. If they belong to another aggregated network, their prefix must
match the assignment size of the parent network.

1108
 Managing SPX Networks

• Assigned networks are set with the status ASSIGNED. Within allocated networks, they are the
lowest level in the networks hierarchy.
• They cannot have a prefix greater than /64, the RIPE database does not support greater
prefixes.
• They are terminal networks, they cannot contain other networks.
• They can belong to an aggregated network or a local IPAM network not sent to the RIPE. If
they belong to an aggregated network, their prefix must match the assignment size of their
parent network.
• As your IPAM organization can include RIPE networks and local networks, a set of warning
messages are returned in the GUI if your changes do not respect the expected configuration
of aggregated and assigned networks in the RIPE database. You can ignore these messages
and force network additions, in this case the changes are applied locally but the RIPE may not
take them into account.

Once added, you have to wait for the RIPE or APNIC confirmation. To make sure the network
addition was confirmed, you can display the column Waiting state. For more details, refer to the
section Browsing SPX Networks.

Note that you can also import assigned networks. For more details, refer to the section Importing
SPX Assigned Networks in the chapter Importing Data from a CSV File.

To add an SPX IPv6 aggregated network

1. In the sidebar, go to IPAM > Networks. The page All networks opens.
2. On the right-end side of the menu, make sure the button V6 is black, otherwise click on it.
3. In the menu, click on Add an IPv6 network (subnet) by search. The wizard opens.
4. In the list Choose a space, select the space of your choice. Click on NEXT . The page Network
class opens.
5. In the list Network class, select SPX/RIPE_subnet. Click on NEXT . The page Network Size
opens.
6. Untick the box Terminal network.
7. In the drop-down list Prefix, select the value of your choice. It cannot be greater than /64.
8. Click on NEXT . The page Search result opens.
9. In the drop-down list Network address, select a start address.
10. Click on NEXT . The page Add an IPv6 network page opens.
11. Configure the IPv6 aggregated network:
a. The Address and Prefix fields are displayed in read-only as they correspond to the
criteria previously set.
b. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
Depending on your rights, you may be able to display All available fields and set partic-
ular behaviors for the assigned network. For more details, refer to the IPAM section of
the chapter Managing Advanced Properties.
c. In the field IPv6 assigned network, the inet6num start address and prefix are displayed.
d. In the field Name, name the assigned network (inet6num). It must contain letters, digits,
an underscore and an hyphen. The first character must be a letter, the last character
must be a letter or a digit. The field automatically displays capital letters. The name is
also displayed in the field Network name.
e. In the field Description, specify a description for the network.

1109
 Managing SPX Networks

f. In the drop-down list Country, you can select the country where the organization is
located.
g. In the drop-down list RIPE status, select AGGREGATED-BY-LIR. The field Assignment
size appears.
h. In the field Assignment size, specify the prefix of the assignment size. It must be
greater than the network prefix. By default, it is set to 64.
12. Click on NEXT . The next page opens and allows you to set up a notify mail:
a. In the field Notify mail, you can specify the email address of the person notified of any
change made on the IPv6 assigned network you are adding.
b. Click on . The address is moved to the list Notify.
c. In the field Remarks, you can specify a comment regarding the assigned network.
13. Click on NEXT . The page Contacts opens.
a. Specify the assigned network technical contacts (tech-c):
1. In the field Nic handle / Person, specify the user's Nic handle or name (as displayed
in the RIPE or APNIC person field).
2. Click on SEARCH to retrieve their details.
3. Click on ADD . The contact is moved to the field Technical contacts.
b. Specify the assigned network administrative contacts (admin-c):
1. In the field Nic handle / Person, specify the user's Nic handle or name (as displayed
in the RIPE or APNIC person field).
2. Click on SEARCH to retrieve their details.
3. Click on ADD . The contact is moved to the field Administrative contacts.

14. Click on OK to complete the operation. The report opens and closes. The assigned network
is listed, its state is Creating. Its status is not OK, until the RIPE or APNIC has confirmed
the addition. The column Waiting details the states.

To add an SPX IPv6 assigned network

1. In the sidebar, go to IPAM > Networks. The page All networks opens.
2. On the right-end side of the menu, make sure the button V6 is black, otherwise click on it.
3. In the menu, click on Add an IPv6 network (subnet) by search. The wizard opens.
4. In the list Choose a space, select the space of your choice. Click on NEXT . The page Network
class opens.
5. In the list Network class, select SPX/RIPE_subnet. Click on NEXT . The page Network Size
opens.
6. Tick the box Terminal network.
7. In the drop-down list Prefix, select the same value as the parent network. It cannot be
greater than /64.
8. Click on NEXT . The page Search result opens.
9. In the drop-down list Network address, select a start address.
10. Click on NEXT . The page Add an IPv6 network page opens.
11. Configure the IPv6 assigned network:
a. The Address and Prefix fields are displayed in read-only as they correspond to the
criteria previously set.
b. In the field Gateway, the gateway is displayed. Its IP address corresponds to the default
gateway offset configured. You can edit it if need be.

1110
 Managing SPX Networks

c. In the drop-down list Number of pools, you can select a value between 1 and 5, de-
pending on the number of pools you want to add in the assigned network. Once you
selected a value, you need to set the Size and Type of each pool.
d. In the drop-down list Advanced properties, Default is selected, so only the fields/options
included in the wizard default display are visible.
Depending on your rights, you may be able to display All available fields and set partic-
ular behaviors for the assigned network. For more details, refer to the IPAM section of
the chapter Managing Advanced Properties.
e. At the bottom of the wizard, in the field IPv6 assigned network, the inet6num start
address and prefix are displayed.
f. In the field Name, name the assigned network (inet6num). It must contain letters, digits,
an underscore and an hyphen. The first character must be a letter, the last character
must be a letter or a digit. The field automatically displays capital letters. The name is
also displayed in the field Network name.
g. In the field Description, specify a description for the network.
h. In the drop-down list Country, you can select the country where the organization is
located.
i. In the drop-down list RIPE status, select ASSIGNED.
12. Click on NEXT . The next page opens and allows you to set up a notify mail:
a. In the field Notify mail, you can specify the email address of the person notified of any
change made on the IPv6 assigned network you are adding.
b. Click on . The address is moved to the list Notify.
c. In the field Remarks, you can specify a comment regarding the assigned network.
13. Click on NEXT . The page Contacts opens.
a. Specify the assigned network technical contacts (tech-c):
1. In the field Nic handle / Person, specify the user's Nic handle or name (as displayed
in the RIPE or APNIC person field).
2. Click on SEARCH to retrieve their details.
3. Click on ADD . The contact is moved to the field Technical contacts.
b. Specify the assigned network administrative contacts (admin-c):
1. In the field Nic handle / Person, specify the user's Nic handle or name (as displayed
in the RIPE or APNIC person field).
2. Click on SEARCH to retrieve their details.
3. Click on ADD . The contact is moved to the field Administrative contacts.

14. Click on OK to complete the operation. The report opens and closes. The assigned network
is listed, its state is Creating. Its status is not OK, until the RIPE or APNIC has confirmed
the addition. The column Waiting details the states.
If the IPv6 assigned network status stays in wait_mail_add, refer to the section Registering
SPX Network Changes.

Editing SPX Networks

Allocated networks cannot be edited, however, aggregated and assigned networks can be edited.
Your changes are sent to the RIPE or APNIC and the notify mail person configured for the assigned
network.

1111
 Managing SPX Networks

To edit the content of your aggregated or assigned networks, refer to the chapters Managing
Pools and Managing IP Addresses.

Before editing IPv6 networks, note that:

• The rule 414 that Checks for restrictions every time you add or edit an IPv6 network in the
RIPE database must be enabled.
• The prefix of your networks cannot be greater than /64 in the RIPE database. If the network
you edit belongs to an aggregated network, its prefix must match the assignment size of its
parent network.
• Aggregated networks can become assigned networks if they do not contain other network(s).
Assigned networks cannot contain other networks.
• The assignment size of an aggregated network can be edited, but you cannot set an assignment
size prefix greater than the prefix of the network itself.
• Assigned networks can only become aggregated networks if they do not belong to a hierarchy
of two aggregated networks. Within an allocated network, you cannot set up a hierarchy of
networks deeper than 3 levels.
• Removing a RIPE class from a network does not delete the network from the RIPE database.
• As your IPAM organization can include RIPE networks and local networks, a set of warning
messages are returned in the GUI if your changes do not respect the expected configuration
of aggregated and assigned networks in the RIPE database. You can ignore these messages
and force network editions, in this case the changes are applied locally but the RIPE may not
take them into account.

Once you edited an aggregated or assigned network via the GUI, you have to wait for the RIPE
or APNIC confirmation.To make sure the assigned network edition was confirmed, you can display
the column Waiting state. For more details, refer to the section Browsing SPX Networks.

To edit an SPX network from its properties page

1. In the sidebar, go to IPAM > Networks. The page All networks opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. At the end of the line of the network of your choice, click on . The network properties pages
opens.
4. In the panel Main properties, click on EDIT . The wizard opens.
5. In the list Network class, select either SPX/RIPE_PI_subnet, SPX/RIPE_subnet or None.
If you select None, the SPX parameters are removed from the network in the local IPAM
database but the network is not deleted from the RIPE database.
6. Click on NEXT . The page Edit an IPv4 Network or Edit an IPv6 Network opens.
7. You can tick or untick the box Terminal network according to your needs. If you are editing
IPv6 networks, aggregated networks should be non-terminal and assigned networks should
be terminal.
8. Edit the field Name, Description and/or Country, according to your needs.
9. If you are editing an IPv6 network:
a. In the drop-down list RIPE status, select either ASSIGNED or AGGREGATED-BY-LIR.
If you selected AGGREGATED-BY-LIR, the field Assignment size appears. Specify
an assignment size greater than the network prefix.
Note that changes in this step only apply locally.
10. Click on NEXT . The next page open.

1112
 Managing SPX Networks

11. Edit the list of notification email addresses and Remarks field according to your needs:
a. Add a new email address if need be. In the field Notify mail, specify the new email ad-
dress. Click on to move the address in the list Notify. In the field Remarks, you can
specify a comment regarding the assigned network to fill the RIPE or APNIC field re-
marks.
b. Remove an address from the list Notify. Select the address you want to delete and click
on . The address is no longer listed.
c. In the field Remarks, you can edit the comment regarding the assigned network.
12. Click on NEXT . The page Contacts opens.
13. You can edit the lists Technical contacts and Administrative contacts of assigned network:
find new persons in the field Nic handle / Person and ADD them. Or select a person in the
list and DELETE it.
14. Click on OK to complete the operation. The report opens and closes. The changes are listed
in the panel.
15. Go to the page All networks to see the assigned network state and make sure it was con-
firmed by the RIPE or APNIC. Its status is not OK, until the RIPE or APNIC has confirmed
the edition. The column Waiting details the states.
If the assigned network status stays in wait_mail_add, refer to the section Registering SPX
Network Changes.
In IPv4, if the assigned network status stays in wait_aw_confirm, refer to the section Validating
a New Assignment Window.

Registering SPX Network Changes

If the assigned networks you added, edited or deleted have the status wait_mail_add, wait_mail_del
or must_send_mail, you need to use the option Register again.This option resends your assigned
network information to the RIPE or APNIC.

You can also send any change made on SPX persons to the RIPE or APNIC. For more details,
refer to the section Registering SPX Person Changes.

To register again newly added or edited SPX assigned networks

1. In the sidebar, go to IPAM > Networks. The page All networks opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. Tick the network(s) that have the status wait_mail_add, wait_mail_del or must_send_mail.
4. In the menu, select Edit > SPX > Register again.The wizard Assigned network Register
again opens.
5. Click on OK to complete the operation. The report opens and closes. The assigned network
Status evolves until it is OK. The column Waiting details the states until the RIPE or
APNIC confirmation.

Validating a New Assignment Window

If one of your IPv4 assigned networks has the status wait_aw_confirm, the Assignment Window
declared during your RIPE or APNIC configuration is exceeded. If you configured SMTP on your
appliance, you may have been notified via email. For more details, refer to the section Configuring
the SMTP Relay.

1113
 Managing SPX Networks

If the Assignment Window is exceeded, you can either delete the network or purposely continue
exceeding the Assignment Window.

By exceeding, we mean:
• Configuring an assigned network which start and/or end address exceeds the range of IP ad-
dresses available in the allocated network.
• Allocating an assigned network to a user even if this allocation exceeds the total number of IP
addresses you are allowed to allocate. This sum takes into account the total number of IP ad-
dresses in your Assignment Window over the last 12 months.
For more details, refer to the prerogatives of section 7.0 Assignment Window in the document
RIPE-599, available at http://www.ripe.net/ripe/docs/ripe-599#Assignment-Window.

If you exceed the Assignment Window, keep in mind that you need to:
1. Follow the appropriate RIPE or APNIC procedure to be able to extend your Assignment Window.
2. Once your request is approved by the RIPE or APNIC, you can use the option Validate AW.

If your request is denied, you should delete the assigned network. For more details, refer to the
section Deleting SPX Allocated Networks.

To confirm the new IPv4 assignment window in the GUI

1. In the sidebar, go to IPAM > Networks. The page All networks opens.
2. On the right-end side of the menu, click on V4 .
3. Tick the assigned network(s) marked wait_aw_confirm and approved by the RIPE or APNIC.
4. In the menu, select Edit > SPX > Validate AW. The wizard Assignment Window valid-
ation opens.
5. Click on OK to complete the operation. The report opens and closes. In the columns Waiting
and Status you can monitor the evolution.

Deleting SPX Networks

From the page All networks, you can delete IPv4 and IPv6 SPX networks from SOLIDserver.
However, note that:
• Deleting an SPX allocated network from SOLIDserver does not delete it from your RIPE
or APNIC database. It only removes it from the GUI.
• Once you deleted an aggregated or assigned network via the GUI, you have to wait for the
RIPE or APNIC confirmation. To make sure the aggregated or assigned network deletion was
confirmed, you can display the column Waiting state. For more details, refer to the section
Browsing SPX Networks.

To stop managing an SPX allocated network from SOLIDserver

1. In the sidebar, go to IPAM > Networks. The page All networks opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. Tick the allocated network(s) of your choice.
4. In the menu, click on Delete. The wizard Delete opens.
5. Click on OK to complete the operation. The report opens and closes. The selected allocated
networks are no longer listed, they might be replaced by Orphan Networks. This deletion
does not delete the allocated network from your RIPE or APNIC database.

1114
 Managing SPX Networks

To delete an SPX aggregated or assigned network

1. In the sidebar, go to IPAM > Networks. The page All networks opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
3. Tick the aggregated or assigned network(s) of your choice. Aggregated networks are only
available in IPv6.
4. In the menu, click on Delete. The wizard Delete opens.
5. Click on OK to complete the operation. The report opens and closes. The network state is
Deleting until the RIPE or APNIC confirms its deletion. The column Waiting details the
states.
If the assigned network(s) you deleted contained In use IP addresses, they are placed in
Orphan address container(s). They are displayed in the GUI, but they are no longer used in
your RIPE or APNIC database as the whole network was deleted.
If the assigned network status stays in wait_mail_del, refer to the section Registering SPX
Network Changes.

1115
Chapter 93. Managing SPX AS Numbers
From the module SPX, you can manage RIPE or APNIC registration details.You can add or import
Autonomous System (AS) Numbers, or aut-nums, on the page AS numbers and display the
routing policies they contain on the page All policies.

Each AS number contains routing policies that detail what can be implemented and enforced
locally. Indeed, each policy is obtained by enumerating all the neighboring AS numbers with
which routing information is exchanged. The policies returned detail exactly what is being sent
(announced) and allowed (accepted).

Note that:
• AS numbers are necessary to implement BGP Anycast routing in the module DNS. For more
details, refer to the section Setting up Anycast Using BGP.
• AS numbers can also be displayed, when used in a Route Distinguisher, on the page All routes
of the module NetChange. For more details, refer to the chapter Managing Routes.

Browsing SPX AS Numbers

On the page AS Numbers, a set of columns are dedicated to AS number class parameters. They
allow to sort and filter the page.

Users of the group admin can include these columns to the Displayed list template of the page.
To add them to a new list template instead, refer to the section Adding List Templates.

Note that the column Status indicates if the addition requests to the RIPE or APNIC are confirmed
or denied.

To display the SPX AS Numbers dedicated columns

Only users of the group admin can perform this operation.
1. In the sidebar, go to SPX > AS Numbers. The page All AS Numbers opens.
2. On the right-end side of the menu, click on Listing templates. The window opens.
3. The list Displayed list template displays the name of the current template. You can select
a different one.
4. Tick the SPX AS Numbers dedicated columns to include to the template:

Table 93.1. SPX AS Numbers class parameters

List template name Column name on the page
AutNum name AutNum name
AutNum status Status
Class param: Admin c Administrative contacts
Class param: AS name AS name
Class param: Description Description
Class param: Maintainer Maintainer
Class param: Tech c Technical contacts
AutNum class name Class

Note that most of these parameters are only available if you properly enabled the classes
of the Directory SPX. For more details, refer to the chapter Enabling the SPX Classes.

1116
 Managing SPX AS Numbers

5. Click on SAVE . The page refreshes.

6. You can filter the columns AutNum name, AutNum class name, AS name or any Class
param: column according to your needs.

Adding SPX AS Numbers

From the page All AS Numbers, you can add as many AS Numbers (aut-nums) as you need.
This addition is also notified to the RIPE or APNIC.

To add a SPX AS Numbers

1. In the sidebar, go to SPX > AS Numbers. The page All AS Numbers opens.
2. In the menu, click on Add. The wizard opens.
3. In the list Autnum class, select the SPX class of your choice.
4. If custom classes are enabled at autnum level, in the list Autnum class select a class or
None.
Click on NEXT . The page Add an AS Number of the wizard appears.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. Configure the AS Number:
a. In the field AutNum name, the AS Number full name is displayed once you filled in the
field AS Number as follows: AS<AS-number>.
b. In the field AS Number, specify the number of your choice. This number must be
available, composed of 10 digits at the most and lower that 4294967295. The value
entered automatically completes the field AutNum name.
c. In the field AS name, you can name the AS Number.
d. In the field Description, you can specify a description.
e. In the drop-down list Maintainer, select your maintainer.
6. Click on NEXT . The page Contacts opens.
a. Specify the AS Number technical contacts (tech-c):
i. In the field Nic handle / Person, specify the user's Nic handle or name (as displayed
in the RIPE or APNIC person field).
ii. Click on SEARCH to retrieve their details.
iii. Click on ADD . The contact is moved to the field Technical contacts.
b. Specify the AS Number administrative contacts (admin-c):
i. In the field Nic handle / Person, specify the user's Nic handle or name (as displayed
in the RIPE or APNIC person field).
ii. Click on SEARCH to retrieve their details.
iii. Click on ADD . The contact is moved to the field Administrative contacts.

7. Click on OK to complete the operation. The report opens and closes. The user is listed, its
state is Creating. Until its status is not OK, the RIPE or APNIC has not confirmed the
addition. Have a look in the column Waiting state for more details regarding the addition
confirmation.

1117
 Managing SPX AS Numbers

Editing SPX AS Numbers

There are two ways of editing an AS Number by:
1. Editing its details, i.e. AS name, Description, Maintainer and Contact information but you
cannot edit the Autnum full name.
2. Editing its content, i.e. deleting some of its policies.

To edit a SPX AS Numbers

1. In the sidebar, go to SPX > AS Numbers. The page All AS Numbers opens.
2. At the end of the line of the AS Number of your choice, click on . The properties pages
opens.
3. In the panel Main properties, click on EDIT . The wizard opens.
4. If custom classes are enabled at autnum level, in the list Autnum class select a class or
None.
Click on NEXT . The page Add an AS Number of the wizard appears.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. Click on NEXT . The page Edit an AS Number opens.
6. Edit the AS Number configuration via the fields AS name, Description and Maintainer,
7. Click on NEXT . The page Contacts opens.
8. Edit the contact details according to your needs.
9. Click on OK to complete the operation. The report opens and closes. The changes are listed
in the panel.

To edit the policies of a SPX AS Numbers

1. In the sidebar, go to SPX > AS Numbers. The page All AS Numbers opens.
2. In the column AutNum name, click on the name of the aut-num of your choice. The page
All policies opens.
3. Tick the policy of your choice, you can tick several.
4. In the menu, click on Delete. The wizard Delete opens.
5. Click on OK to complete the operation. The report opens and closes. The policies are no
longer listed.

Exporting SPX AS Numbers

From the page All AS Numbers, you can export the data listed in a CSV, HTML, XML, XLS or
PDF file.

Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.

1118
 Managing SPX AS Numbers

Deleting SPX AS Numbers

You can delete AS Numbers, it also deletes the policies it contains.

If you want to delete the policies of an AS Number refer to the section Editing SPX AS Numbers.

To delete a SPX AS Numbers

1. In the sidebar, go to SPX > AS Numbers. The page All AS Numbers opens.
2. Tick the user(s) of your choice.
3. In the menu, click on Delete. The wizard Delete opens.
4. Click on OK to complete the operation. The report opens and closes. The user state is
Deleting until the RIPE or APNIC confirms its deletion.

1119
 Part XVII. Identity Manager
The module Identity Manager allows to retrieve Windows Active Directory (AD) authentication events.

Within the module, you can add your AD domains as directories. All the users of the domain are retrieved
using the related LDAP repository. In addition, SOLIDserver retrieves all Windows Event Logs, via Windows
Event Forwarding, to allow you to monitor the authentication events of each user within each domain.

Once events are retrieved, you can monitor the activity of all users as identities. These identities can have
one or more sessions that individually identify the connection events of a user and an IP address.

To properly use Identity Manager, you must:

1. Configure the module, this includes configuring the appliance and your AD domain controller(s) as detailed
in the chapter Configuring Identity Manager.
2. Add directories, the highest level of the hierarchy. Each directory corresponds to an AD domain.
3. Monitor identities, the second level of the hierarchy. Each identity matches an AD user.
4. Manage sessions, the lowest level of the hierarchy. Each session corresponds to a user connection.
A session belongs to an identity. For more details, refer to the chapter Managing Sessions.

Note that from the module Dashboards, you can monitor the module data or set up custom shortcuts and
search engines using gadgets. For more details, refer to the part Dashboards.
Table of Contents
94. Configuring Identity Manager .................................................................................. 1122
Prerequisites ....................................................................................................... 1122
Limitations .......................................................................................................... 1122
Preparing the Module .......................................................................................... 1122
Configuring the Directory Synchronization Frequency ............................................ 1126
95. Managing Directories ............................................................................................. 1127
Browsing Directories ............................................................................................ 1127
Adding Directories ............................................................................................... 1128
Synchronizing Directories .................................................................................... 1129
Editing Directories ............................................................................................... 1129
Deleting Directories ............................................................................................. 1130
96. Managing Identities ................................................................................................ 1131
Browsing Identities .............................................................................................. 1131
97. Managing Sessions ................................................................................................ 1133
Browsing Sessions .............................................................................................. 1133
Finding Active Sessions in the IPAM ..................................................................... 1134
Purging Inactive Sessions .................................................................................... 1135

1121
Chapter 94. Configuring Identity Manager
To configure the module Identity Manager and use it to the fullest you must:
1. Meet the prerequisites.
2. Take into account the limitations.
3. Follow the section Preparing the Module to properly configure SOLIDserver and your AD domain
controller(s).

To go further, you can even configure the data synchronization frequency, before adding direct-
ories. For more details, refer to the section Configuring the Directory Synchronization Frequency.

Prerequisites
• A SOLIDserver appliance in version 7.3 or higher.
• An AD domain with a Group Policy (GPO).
• A user with administrative rights over the domain.
• An SSL certificate and its related CA ready, in PEM format, both are required on your appliance
and AD domain controller. Keep in mind that you must use a unique CA:
• If you are configuring the module on several appliances, you need one SSL certificate per
appliance. All certificates must rely on the same CA.
• If you are configuring the module for an AD domain managed from several AD domain con-
trollers, all controllers must rely on the same CA.

Limitations
• Imports and exports are not available in the module.

Preparing the Module

Preparing Identity Manager requires:
1. Configuring SOLIDserver.
2. Configuring Your AD Domain Controllers.

When both configurations are set, SOLIDserver can communicate with your AD domain control-
ler(s) and retrieve the data you monitor from the module Identity Manager.

1. Configuring SOLIDserver
To properly prepare Identity Manager on your appliance you must:
1. Allow traffic on the port 5986, it is dedicated to communicating with AD domain controllers.
2. Configure the service Windows Events Collector. You must configure it with the SSL cer-
tificate and its related CA. This CA must also be used on the AD domain controller(s) managing
the AD domain you intend to monitor from the appliance.

If you are configuring Identity Manager on appliances configured in High Availability, you must
follow the procedure on both the Master appliance and Hot Standby appliance.

To configure SOLIDserver
Only users of the group admin can perform this operation.

1122
 Configuring Identity Manager

1. Make sure your appliance network flows allow traffic on the port 5986. For more details, refer
to the section Identity Manager of the appendix Matrices of Network Flows.
2. Make sure the firewall rule of the port 5986 allows traffic.
a. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
b. In the section System, click on Firewall rules. The page Firewall rules opens.
c. In the column Destination port, type in 5986 and hit Enter. The rule is the only one
listed.
d. Make sure its Action is set to allow and its Protocol is tcp4 / tcp6.
If not, you must edit the rule, as detailed in the section Editing a Firewall Rule of the
chapter Configuring the Network.
3. Import both certificates.
a. Locate the SSL certificate and CA certificate you want to use. Both must be in PEM
format.
b. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
c. In the section Authentication & Security, click on Certificates and keys. The page
All certificates opens.
d. In the menu, select Import > Certificate. The wizard Import an SSL object opens.
e. In the field Name, name the certificate.
f. In the drop-down list Type, select Certificate.
g. In the field Certificate, paste in the certificate, in PEM format.
h. In the field Private key, paste in its private key.
i. Click on OK to complete the operation. The report opens and closes. The certificate is
listed, its private key is available on the certificate properties page.
j. Once you imported one certificate, repeat the steps b to j for the other one.
4. When both certificates are imported, configure the service Windows Events Collector.
a. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
b. In the section System, click on Services configuration. The page Services configur-
ation opens.
c. Under the menu, in the drop-down list SOLIDserver, make sure the local appliance is
selected.
d. In the column Name, click on Windows Events Collector. The wizard Change the
current SSL certificate opens.
e. In the drop-down list SSL Certificate, select the SSL certificate you imported.You must
use the same SSL certificate within SOLIDserver and your AD domain controller(s). By
default, None is selected.
f. In the drop-down list Certificate Authority, select the CA certificate you imported. You
must use the same CA certificate within SOLIDserver and your AD domain controller(s).
By default, None is selected.
g. Click on OK to complete the operation. The wizard works for a while and closes. The
name of the SSL certificate and CA certificate you selected are listed.
5. If you are configuring Identity Manager on appliances configured in High Availability, repeat
the steps 1 to 4 on the Hot Standby appliance.

1123
 Configuring Identity Manager

Once SOLIDserver is configured, you must prepare your AD domain controller(s).

2. Configuring Your AD Domain Controllers

Once you configured your appliance, you must configure your AD domain controller to ensure
SOLIDserver can retrieve all the relevant data.

To properly prepare your AD domain controller you must configure:

1. The event forwarding of the controller, and enable authentication via certificate, following
the procedure To configure the event forwarding of your AD domain controller.
2. The log generation within the GPO Editor, following the procedure To configure the log gen-
eration within the Group Policy Editor.

If you intend to retrieve data from several AD domain controllers, you must perform these config-
urations on each domain controller.

To configure the event forwarding of your AD domain controller

1. From a terminal, configure Windows Remote Management to enable authentication via
certificate using the following commands:
winrm qc -q

winrm set winrm/config/client/auth @{Certificate="true"}

2. From your Microsoft Management Console (MMC), import the client authentication certi-
ficate.
If you used OpenSSL to generate it:
a. In the Certificates snap-in of the Local Computer, click on More actions > All Tasks >
Import...â and import the file client.pfx. The file must contain the public and private in-
formation of the SSL certificate for the domain controller and the public information of
the CA. The same CA was imported in SOLIDserver.
b. Enter the private key password, if relevant.
c. Make sure the box Include all extended properties is ticked.
3. From Windows HTTP Services Certificate Configuration Tool (WinHttpCertCfg.exe)
configure the NetworkService account.
a. Grant the NetworkService account the proper permissions to access the client certificate.
b. Make sure that the NetworkService account has access to the private key file of the
client authentication certificate using following command:
winhttpcertcfg -g -c LOCAL_MACHINE\my -s <certificate subject name> -a
NetworkService

4. From the Group Policy MMC snap-in (gpedit.msc), configure the source host security policy
to enable event forwarding.
a. Go to Computer Configuration > Administrative Templates > Windows Components >
Event Forwarding.
b. Right-click over the SubscriptionManager setting and select Properties.
c. Enable the SubscriptionManager setting, and click on Show to add a server address.
d. Specify the SOLIDserver appliance that collects your events following the format:
Server=HTTPS://<FQDN of the SDS>:5986/wsman/,Refresh=<Refresh interval in
seconds>,IssuerCA=<certificate authority certificate thumbprint>.

1124
 Configuring Identity Manager

Note that you can copy the IssuerCA fingerprint from your MMC. In the Certificates
snap-in of the Local Computer, you can find the Issuing CA certificate, in the Thumbprint
of the tab Details.
e. Make sure the SubscriptionManager configuration is applied using the following com-
mand:
gpupdate /force

5. From CompMgmt.msc, authorize the forwarding of security logs.

a. Under Local Users and Groups, click Groups > Event Log Readers to open Event Log
Readers Properties.
b. Add the NETWORK SERVICE account to the Event Log Readers group.
c. Reboot the AD controller.
6. If several AD domains controllers manage the AD domain you want to monitor from
SOLIDserver, you must repeat the steps 1 to 5 on each controller.

Once the event forwarding is configured on all relevant AD domain controllers, you must configure
the log generation. This configuration applies to all related AD domain controllers.

To configure the log generation within the Group Policy Editor

1. Open the Group Policy Editor.
2. Run the Group Policy MMC snap-in (gpedit.msc).
3. Go to Computer Configuration > Windows Settings > Security Settings > Advanced Audit
Policy Configuration > System Audit Policies > Account Logon and configure the following:

Policy Value
Audit Credential Validation Success
Audit Kerberos Authentication Service Success
Audit Kerberos Service Ticket Operations Success
Audit Other Account Logon Events Success

4. Go to Computer Configuration > Windows Settings > Security Settings > Advanced Audit
Policy Configuration > System Audit Policies > Logon/Logoff and configure the following:

Policy Value
Account Logon Success
Account Logoff Success

5. Save your configuration changes using the following command:

gpupdate /force

Once your AD domain controller(s) configuration is complete, SOLIDserver can retrieve AD domain
data.

If you want to configure the synchronization frequency of the AD domains you add, refer to the
next section.

1125
 Configuring Identity Manager

Configuring the Directory Synchronization Frequency

Once you prepared the module, you can add AD domains as directories to monitor user activity.

By default, each directory is synchronized every minute to retrieve all its identities, based on its
credentials and endpoint.

As you can manually synchronize directories, you may want to edit the rule 410 and change the
synchronization frequency.

To edit the rule 410 that sets the directory synchronization frequency
Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Rules. The page Rules opens.
3. In the column Rule #, type in 410 and hit Enter. The rule is the only one listed.
4. At the end of the line, click on . The rule properties page opens.
5. In the panel Main properties, click on EDIT . The wizard Edit a rule opens.
6. In the field Rule name, you can rename the rule. The name is listed in the column Instance.
7. In the field Comment, you can insert, edit or delete the rule comment.
8. Click on NEXT . The page Rule filters opens.
9. Edit the rule frequency according to your needs.

Table 94.1. Frequency filters of the rule 410

Column Default value
Day(s) of the week A day, a frequency or a period of days. By default, every day is selected. This field is
optional.
Date of the month A specific day of the month or every day. By default, every day is selected. This field
is optional.
Month A specific month or every month. By default, every month is selected. This field is
optional.
Hour A specific hour, a set of hours, every hour, or every hour over a specific period. The
hour respects the UTC standard. By default, every hour is selected. This field is op-
tional.
Minute A moment of the hour (00, 15, 30 or 45) or a frequency. The minute respects the UTC
standard. By default, every minute is selected. This field is optional.

10. Click on OK to complete the operation. The report opens and closes.

1126
Chapter 95. Managing Directories
Directories are the AD domains that you monitor from SOLIDserver. Each directory contains
identities, AD users, and sessions automatically synchronized.

From the page All directories, you can add, edit, synchronize, monitor and delete directories.

Note that any user granted the relevant rights over the directories can display all directories as
well as the identities and sessions they contain. Within Identity Manager, no object can be set
as a group resource.

Browsing Directories
The directory is the highest level of Identity Manager hierarchy.

SESSION

DIRECTORY IDENTITY

SESSION

Figure 95.1. The directory in Identity Manager hierarchy

Browsing the Directory Database

To display the list of directories
1. In the sidebar, go to Identity Manager > Directories. The page All directories opens.
2. You can filter the list using the columns search engine. To display more columns, refer to
the next section.

To display a directory properties page

1. In the sidebar, go to Identity Manager > Directories. The page All directories opens.
2. At the end of the line of the directory of your choice, click on . The directory properties
page opens.

Customizing the Display on the Page All Directories

Any user can change the column layout of the page via the button List template, on the right-
end side of the menu. Only users of the group admin can add or edit list templates. For more
details, refer to the section Managing List Templates.

All the columns on the page can be sorted and filtered. By default, the page displays the directory
Name and Type.

You can also display the columns Synchronization status, Windows Event Collector Status
and Metas to import. Both status columns are detailed in the next section.

1127
 Managing Directories

Understanding the Statuses on the Page All Directories

The column Synchronization status returns information regarding each directory synchronization.

Table 95.1. The synchronization statuses on the page All directories

Status Description
OK The directory is synchronized.

Invalid endpoint The endpoint configured for the directory is invalid.

Timeout The endpoint configured for the directory is unreachable, or the AD domain controller is
taking too long.
Invalid credentials The login and password configured for the directory are invalid.
N/A No information is available.

The column Event Collector Status returns information regarding the domain controller that
sends information to each directory.

Table 95.2. The event collector statuses on the page All directories
Status Description
OK The domain controller event collection and forwarding is operational.

! Warning No information was received from the domain controller in the last 5 minutes.

Error No information was received from the domain controller in the last hour.

N/A No information was received, either the domain is misconfigured or no certificate was
a
found .
a
To ensure your certificates are properly configured, refer to the chapter Configuring Identity Manager.

Adding Directories
You can add AD domains as directories to monitor user activity. Note that:
• Before adding a directory, you must configure Identity Manager. During this configuration you
must configure one or more AD domain controllers, if several AD domain controllers manage
your AD domain. For more details, refer to the chapter Configuring Identity Manager.
• All directories are automatically synchronized to retrieve user identities and sessions. By default,
all information is retrieved every minute, you can edit this frequency. For more details, refer to
the section Configuring the Directory Synchronization Frequency.
• All directories can be configured with metadata that allow to import the specific user settings
of your domain or repository, like their contact details, company details, country... and
propagate them to the identities.

You can add as many directories as you need.

To add a directory
1. In the sidebar, go to Identity Manager > Directories. The page All directories opens.
2. In the menu, click on Add. The wizard Add a directory opens.
3. If custom classes are enabled at directory level, in the field Directory class select a class
or None.
Click on NEXT . The last page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.

1128
 Managing Directories

4. In the field Name, specify the name of the AD domain of your choice.
5. In the field Session TTL, specify in seconds the maximum lifetime of your AD users ticket.
It sets the maximum length of the sessions.
6. In the field Endpoint, specify the URL of the AD domain controller used to synchronize the
identities of the directory. It must follow the format ldap://<IP-or-name-of-the-server> or
ldaps://<IP-or-name-of-the-server>.
7. In the field Login, specify the login of a user with sufficient rights.
8. In the field Password, specify the corresponding password.
9. In the list Available metadata, select one by one the AD user account details you want to
import for the directory. They are considered metadata entries and can be displayed as a
column on the page All identities.
The available user details are the following: City, Company, Country, Country (abbr.), Creation
date, Description, Email, Fax, First name, Home phone, IP Phone, Job department, Job title,
Last name, Mobile phone, Office, Postal box, State/Province, Street, Telephone and Zip
code.
10. Click on . The entry is moved to the list Metadata to import. To remove an entry from the
list, select it and click on , it is moved back to the list Available metadata.
11. Click on OK . The report opens and closes. The new directory is listed.
Make sure that its Synchronization status and Event collector Status are OK. If any
other status is returned, it may be that either the directory or the module is misconfigured.
For more details, refer to the section Understanding the Statuses on the Page All Directories.

Once a directory is added, its identities and sessions are automatically retrieved.

Synchronizing Directories
All directories are automatically and regularly synchronized.

If you edited the metadata of a directory you can manually synchronize it, rather than wait for the
automated synchronization to ensure that its information is up-to-date.

To synchronize a directory
1. In the sidebar, go to Identity Manager > Directories. The page All directories opens.
2. Tick the directory of your choice, you can tick several.
3. In the menu, click on Edit > Synchronize. The wizard Synchronization opens.
4. Click on OK to complete the operation. The report opens and closes. The directory is listed,
its information is up-to-date.

Note that administrators can edit the default synchronization settings. For more details, refer to
the section Configuring the Directory Synchronization Frequency in the chapter Configuring
Identity Manager.

Editing Directories
You can edit directories from the page All directories or from their properties page. Note that:
• You cannot edit the name of a directory.
• If you add or remove Metadata to import, the changes are not taken into account until the dir-
ectory is synchronized. For more details, refer to the section Synchronizing Directories.

1129
 Managing Directories

To edit a directory
1. In the sidebar, go to Identity Manager > Directories. The page All directories opens.
2. Right-click over the Name of the directory of your choice. The contextual opens.
3. Click on Edit. The wizard Edit a directory opens.
4. If custom classes are enabled at directory level, in the field Directory class select a class
or None.
Click on NEXT . The last page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. The Name is displayed in a read-only gray field. You cannot edit it.
6. Edit the Session TTL, Endpoint, Login, Password and/or Metadata to import of the dir-
ectory according to your needs. For more details on the fields, refer to the procedure in the
section Adding Directories.
7. Click on OK to complete the operation. The report opens and closes. The directory is listed,
its properties are updated.

Deleting Directories
You can delete your directories to stop monitoring an AD domain.

Deleting a directory also deletes the identities and sessions it contains.

To delete a directory
1. In the sidebar, go to Identity Manager > Directories. The page All directories opens.
2. Tick the directory of your choice, you can tick several.
3. In the menu, click on . The wizard Delete opens.
4. Click on OK to complete the operation. The report opens and closes. The directory is no
longer listed.

1130
Chapter 96. Managing Identities
Identities are the users of each directory. They are automatically retrieved from the AD domain
thanks to the LDAP repository.

All identities are displayed in read-only on the page All identities, where you can monitor them:
• All identities are named after the login used for the connection to the AD domain.
• Each identity inherit the metadata of its directory, you can display them in dedicated columns.
Until the directory is synchronized, some metadata may be missing.
By default, all identities are retrieved every minute, you can edit this frequency. For more details,
refer to the section Configuring the Directory Synchronization Frequency.
• Identities can contain one or more sessions, each session indicates a user connection.
• If the page is missing identities or is empty, it may be that there is a problem at directory level
or that the module was not properly configured. For more details, refer to section Configuring
the Directory Synchronization Frequency in the chapter Managing directories or to the chapter
Configuring Identity Manager.

Note that any user granted the relevant rights over the directories can display all identities.
Within Identity Manager, no object can be set as a group resource.

Browsing Identities
The identity is the second level of Identity Manager hierarchy.

SESSION

DIRECTORY IDENTITY

SESSION

Figure 96.1. The identity in Identity Manager hierarchy

Browsing the Identity Database

To display the list of identities
1. In the sidebar, go to Identity Manager > Identities. The page All identities opens.
2. To display the identities of a specific directory, in the column Directory, click on the name
of your choice. The page refreshes.

To display an identity properties page

1. In the sidebar, go to Identity Manager > Identities. The page All identities opens.
2. At the end of the line of the identity of your choice, click on . The identity properties page
opens.

1131
 Managing Identities

Customizing the Display on the Page All Identities

Any user can change the column layout of the page via the button List template, on the right-
end side of the menu. Only users of the group admin can add or edit list templates. For more
details, refer to the section Managing List Templates.

By default, a set of columns are displayed on the page.You can also display the metadata inherited
from the directory in dedicated columns. All the columns can be sorted and filtered.

Table 96.1. The default columns on the page All identities

Column Description
Name The name if the identity, that is to say the login of the user connected to the AD do-
main.
Email The email address associated with the identity, if available.
Directory The name of the parent directory.
Status The status of the identity, for more details refer to the section Understanding the
Statuses on the Page All Identities.

Understanding the Statuses on the Page All Identities

The column Status returns information regarding each identity and its content.

Table 96.2. The statuses on the page All identities

Status Description
Enabled The user account is enabled, their sessions are retrieved.

Disabled The user account is disabled, they cannot connect, no session is available.

N/A The identity was retrieved, but the AD domain controller has not sent status inform-
ation yet.

1132
Chapter 97. Managing Sessions
Sessions are unique user connections to an AD domain. They are automatically retrieved from
your identities and directories.

All user sessions are displayed in read-only on the page All sessions, where you can monitor
and purge them:
• All sessions are displayed on dedicated lines, they can rely on IPv4 or IPv6.
• A session details a user connection activity and indicates when a user was last seen.
• All active sessions combine an identity, an IP address and a start. The user is currently
connected.
• All inactive sessions combine an identity, an IP address, a start and an end.The user session
ended, they may have started a new session.
• Each session duration is set at directory level. The Session TTL set on each directory defines
when the session becomes inactive.
• One identity can have several sessions if there are active and inactive sessions for one IP
address; or if the sessions have a different IP address.
• If the page is missing sessions or is empty, it may be that there is a problem at directory level
or that the module was not properly configured. For more details, refer to section Understanding
the Statuses on the Page All Directories in the chapter Managing directories or to the chapter
Configuring Identity Manager.

Note that any user granted the relevant rights over the directories can display all sessions.
Within Identity Manager, no object can be set as a group resource.

Browsing Sessions
The session is the lowest level of Identity Manager hierarchy.

SESSION

DIRECTORY IDENTITY

SESSION

Figure 97.1. The session in Identity Manager hierarchy

Browsing the Session Database

To display the list of sessions
1. In the sidebar, go to Identity Manager > Sessions. The page All sessions opens.
By default, the page is filtered through the column Last seen to display the sessions of the
last 3 hours.
2. To display the sessions of a specific directory, in the column Directory, click on the name
of your choice. The page refreshes.

1133
 Managing Sessions

3. To display the sessions of a specific identity, in the column Identity, click on the name of
your choice. The page refreshes.

All session information is displayed on the page, sessions do not have a properties page.

Customizing the Display on the Page All Sessions

Any user can change the column layout of the page via the button List template, on the right-
end side of the menu. Only users of the group admin can add or edit list templates. For more
details, refer to the section Managing List Templates.

All the columns on the page are displayed by default, they can be sorted and filtered.

Table 97.1. Columns on the page All sessions

Column Description
Identity The name of the identity of the session.
Directory The name of the directory of the session.
IPv4 The IP address of the session. This column returns N/A if the session relies on an IPv6
address.
IPv6 The IP address of the session. This column returns N/A if the session relies on an IPv4
address.
Start The time and date when the session started.
Last seen The time and date when the session was last active/seen, it eventually matches the End
of the session. By default, the page is filtered through this column to display the last 3
hours.
End The time and date when the session ended. The column returns N/A for active sessions.
Source The FQDN of the device that sent the session information.
Status The session status. All statuses are detailed in the next section.

Understanding the Statuses on the Page All Sessions

The column Status provides information on each session.

Table 97.2. The session statuses

Status Description
Active The session is active, an IP address is currently connected to the AD domain.

Inactive The session is over, it is now inactive.

Finding Active Sessions in the IPAM

You can find active sessions associated with IPv4 or IPv6 addresses managed in the IPAM.

From the pages All networks and All addresses, a report allows to find active sessions and their
identity across all directories. You can download the results in TXT, HTML or EXCEL format.

To find sessions at network level, refer to the section Finding Identity Manager Sessions at Network
Level in the chapter Managing Networks.

To find sessions at IP address level, refer to the section Finding Identity Manager Sessions at
IP Address Level in the chapter Managing IP Addresses.

1134
 Managing Sessions

Purging Inactive Sessions

By default, all inactive sessions are deleted if they have been inactive for more that 30 days or
if your database contains more than 2 million inactive sessions. You can edit the rule 411 to
change either threshold.

To edit the rule 411 that sets the sessions purge mechanism
Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Rules. The page Rules opens.
3. In the column Rule #, type in 411 and hit Enter. The rule is the only one listed.
4. At the end of the line, click on . The rule properties page opens.
5. In the panel Main properties, click on EDIT . The wizard Edit a rule opens.
6. In the field Rule name, you can rename the rule. The name is listed in the column Instance.
7. In the field Comment, you can insert, edit or delete the rule comment.
8. Click on NEXT . The page Rule filters opens.
9. Edit the rule frequency according to your needs.
These filters define when the rule executes the checks to purge the sessions, if the thresholds
you set on the next page are met.

Table 97.3. Frequency filters of the rule 411

Column Default value
Day(s) of the week A day, a frequency or a period of days. By default, every day is selected. This field is
optional.
Date of the month A specific day of the month or every day. By default, every day is selected. This field
is optional.
Month A specific month or every month. By default, every month is selected. This field is
optional.
Hour A specific hour, a set of hours, every hour, or every hour over a specific period. The
hour respects the UTC standard. By default, 23 is selected. This field is optional.
Minute A moment of the hour (00, 15, 30 or 45) or a frequency. The minute respects the UTC
standard. By default, 15 is selected. This field is optional.

10. Click on NEXT . The page Rule parameters opens.

11. In the list Nb days, specify the number of days of your choice. By default it is set to 30, any
inactive session that ended more than 30 days ago is deleted.
12. In the list Max entries, specify the maximum number of entries to keep in the database. By
default it is set to 2000000, no more than 2000000 sessions are kept in the database, no
matter when they ended.
13. Click on OK to complete the operation. The report opens and closes.

1135
 Part XVIII. Rights Management
Configuring access rights to operations and resources is essential to properly manage an appliance. Rights
management relies on users, group of users and authentication rules.

Users belong to groups, they can access any module if their group has sufficient resources and rights. For
that reason, configuring user access requires to:
1. Add or import users.
2. Add a group of users.
3. Configure that group with users. At group level, the users are considered a resource.
4. Configure that group with rights. From the page Rights of each group you can grant or deny access to
operations in all modules to the users of the group.
5. Configure that group with resources. From the page Resources of each group, you can add existing objects
as resource. The resources define the list of objects on which users can perform operations. If a group
does not have resources, its users are granted rights that they cannot use on any object.

In addition, you can configure rules to authenticate external users.

Rights
display: space
add: network
edit: network
delete: network display: space
...
display: network
IPAM
edit: pool
add: address
Group A Resources
...

IPAM

Group B
display: server
display: scope
edit: range
delete: range
...

DHCP

Group C

Figure 249. The rights and resources of a user depend on the group they belong to

From the module Administration, the hierarchy of Rights Management can include up to 3 levels:
• Groups: the highest level of the hierarchy.The groups contain Rights and Resources, the users and objects.
For more details, refer to the chapter Managing Groups.
• Authentication Rules: an optional second level. The rules define if external Microsoft Active Directory,
RADIUS, LDAP and OpenID users can access SOLIDserver.These rules allow to retrieve user credentials
stored in the corresponding remote directory and to secure remote authentications. The authenticated
users are granted the rights defined by the group they belong to. For more details, refer to the chapter
Managing Authentication Rules.
• Users: the lowest level of the hierarchy. You can manage local and external users on one page. Once
added, you can set them as resource of a group to manage their access rights and restrictions. For more
details, refer to the chapter Managing Users.

Note that the superuser, ipmadmin, is the only user available at first, and belongs to the most privileged
group, admin. They are granted all rights and have access to all existing objects.
Table of Contents
98. Managing Groups .................................................................................................. 1138
Browsing Groups of Users ................................................................................... 1138
Adding Groups of Users ....................................................................................... 1139
Managing the Rights of a Group of Users .............................................................. 1140
Managing the Resources of a Group of Users ....................................................... 1141
Managing the Users of a Group of Users .............................................................. 1145
Editing Groups of Users ....................................................................................... 1146
Enabling or Disabling Groups of Users .................................................................. 1147
Exporting Groups of Users ................................................................................... 1147
Deleting Groups of Users ..................................................................................... 1147
99. Managing Users .................................................................................................... 1148
Browsing Users ................................................................................................... 1148
Adding Users ...................................................................................................... 1149
Editing Users ...................................................................................................... 1150
Changing the User Password ............................................................................... 1151
Configuring the User Password Complexity ........................................................... 1151
Configuring Users Connection Parameters ............................................................ 1152
Configuring User Sessions ................................................................................... 1153
Enabling or Disabling Users ................................................................................. 1154
Generating User Reports ..................................................................................... 1155
Exporting Users .................................................................................................. 1155
Deleting Users .................................................................................................... 1155
100. Managing Authentication Rules ............................................................................. 1156
Browsing Authentication Rules ............................................................................. 1157
Adding Authentication Rules ................................................................................ 1157
Editing Authentication Rules ................................................................................. 1167
Enabling or Disabling Authentication Rules ........................................................... 1167
Deleting Authentication Rules .............................................................................. 1168

1137
Chapter 98. Managing Groups
The groups of users allow to delegate administrative rights to the users they manage. Groups
define user profiles and levels of management. You can add as many groups as you want.

The rights and resources of a group determine what operations its users can perform and on
which resources. Any operation denied to the group is off limits to its users, any resource not
listed among its resources is not available on the managing page even if the group has access
the page itself.

To successfully configure group of users you should:

1. Add a group, as detailed in the section Adding Groups of Users.
2. Grant or deny the rights of your choice to that group, as detailed in the section Managing the
Rights of a Group of Users.
3. Add all the objects relevant to the granted rights as resources of the group, as detailed in the
section Managing the Resources of a Group of Users.
4. Add existing users to the resources of the group. For more details, refer to the chapter Man-
aging Users.

Once users belong to a group configured with rights and resources, their user profile is set.

The groups can manage remote users authenticated via Microsoft Active Directory (AD), RADIUS,
LDAP and OpenID Connect. For more details regarding users secure authentication, refer to the
chapter Managing Authentication Rules.

Browsing Groups of Users

In the rights management hierarchy, groups of users constitute the highest level. It is also is the
key to delegate rights.

AUTHENTICATION

GROUP OF USER
USERS

RESOURCE

RIGHT

Figure 98.1. The group of users in the rights management hierarchy

By default, the group admin is listed on the page Groups. This group manages ipmadmin, the
superuser, and is granted access to all rights and resources by default.You cannot deny it access
to rights or resources. Any user added to this group has full administrative rights, like ipmadmin.

Browsing the Groups Database

To display the list of groups of users
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Groups. The page opens.

1138
 Managing Groups

To display a group of users properties page

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Groups. The page opens.
3. At the end of the line of the group of your choice, click on . The properties page opens.

Customizing the Display on the Page Groups

Any user can change the column layout of the page via the button List template, on the right-
end side of the menu. Only users of the group admin can add or edit list templates. For more
details, refer to the section Managing List Templates.

Adding Groups of Users

You can add as many groups as you need. For each group, you can define users, resources and
rights.

Note that you can also import groups of users from a CSV file. For more details, refer to the
section Importing Groups of Users in the chapter Importing Data from a CSV File.

If you intend to add authentication rules, we strongly suggest configuring group of users
before enabling them. Once the authentication rules are enabled, the corresponding users can
access the web interface and are added to the page Users; as they do not belong any group,
they cannot access any module or perform any operation. For more details on Active Directory,
LDAP, RADIUS and OpenID authentication, refer to the chapter Managing Authentication Rules.

To add a group
Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Groups. The page opens.
3. In the menu, click on Add. The wizard Add a group opens.
4. In the list Parent group, select the parent group of your choice or None. The selected parent
group can add users to the group you are adding.
5. Click on NEXT . The next page opens.
6. If classes are enabled, in the list Group class, select a class or None.
Click on NEXT . The last page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
7. In the field Group name, name the group. If you intent to authenticate users via AD, name
the group after an existing AD group.
8. In the field Description, you can specify a description.
9. In the drop-down list Copy rights from group, you can select any group, except admin, or
None. The rights of the selected group are granted or denied to the group you are adding,
their rights configuration is exactly the same. You can edit the Rights of the new group later
on.
10. Click on OK to complete the operation. The report opens and closes. The group is listed.

1139
 Managing Groups

Managing the Rights of a Group of Users

The rights are services in essence that can be granted or denied to groups of users.

AUTHENTICATION

GROUP OF USER
USERS

RESOURCE

RIGHT

Figure 98.2. The right in the rights management hierarchy

Before configuring rights keep in mind that:

• Only users from the group admin can configure the rights of the other groups of users.
• The users of each group are granted or denied access to the rights configured for the group(s)
they belong to.
• Rights alone are useless. Without any resource, the users of the group cannot use the rights
they are granted. For more details, refer to the section Adding Resources to a Group.
• The rights are managed one group at a time from the page Rights. The page displays all the
configurable rights and their details in each column. The rights do not have a properties page.
• The group admin is the only one with full administrative rights over SOLIDserver. All the users
of that group, including ipmadmin, are granted all the rights by default and can perform all the
tasks. You cannot remove any rights from this group.
• All the users have access to the page User tracking, where they can view all the operations
they performed in every module they have access to.
You can grant a group access to the operations performed by all SOLIDserver users if you
grant it access to the User tracking right.

The page Rights contains the following columns:

Table 98.1. The columns on the page Rights

Column Description
Permission The permission status of a right: Allow or Deny.
Right The name of the right following the format: <operation>: <object-concerned>.
Module The module or type of the right: Dashboards, IPAM, DHCP, DNS, Application, Guardian,
NetChange, Workflow, Device Manager, VLAN Manager, VRF, SPX, Identity Manager, Admin-
istration, Rights & delegation or Reports.
Access type The type of right: Read or Write.

The name of each right includes a verb detailing the operation. The most used verbs are the
following:

Table 98.2. The most common operations in the name of the rights
Verb Description
Add The service allows to add and edit an object.
Delete The service allows to delete an object.
Display The service allows to display the complete list of objects on its management page.

1140
 Managing Groups

Verb Description
Edit The service allows to perform specific edition operations on an object.
List The service allows to delegate administrative rights from one administrator to the other, usually
group management related rights.

There are more operations available: Configure, Convert, Copy/Move, Display, Migrate, Split...

Configuring the Rights of a Group of Users

From the page Rights, you can set groups with a specific user profile. By default upon addition,
a group of users has all read rights.

The other rights, to add, edit, delete... objects must be granted specifically in each module panel
of the properties page. For instance, if you grant a group the right to edit networks but did not
assign them any network, the users of the group have access to the page All networks and to
the menu Edit but cannot see the list of existing networks. Hence the need to grant right AND
assign resources.

To configure the rights of a group

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the sidebar, go to Users, Groups & Rights > Groups. The page Groups opens.
3. Click on the Name of the group of your choice. The page Resources opens.
4. In the breadcrumb, click on Rights. The page opens.
5. Tick the right(s) of your choice. The menu Edit is now selectable.
6. In the menu, select Edit > Allow or Deny. The wizard opens.
7. Click on OK to complete the operation. The page refreshed, the column Permission displays
the current configuration of the right.

You can edit this configuration using the same procedure.

Managing the Resources of a Group of Users

The resources are all the objects for which you can delegate management rights. Some modules
do not allow to set objects as resource.

AUTHENTICATION

GROUP OF USER
USERS

RESOURCE

RIGHT

Figure 98.3. The resource in the rights management hierarchy

To display the resources of a specific group

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Groups. The page opens.

1141
 Managing Groups

3. Click on the Name of the group of your choice. The page Resources opens.

Following each module internal hierarchy, once an object is set as a resource the whole path in
the internal hierarchy of the module is available for display. In the same way, the objects set as
resource provide read-only access to lower levels.

DNS SERVER
ns1.mycorp.com

DNS admin (internal)

VIEW VIEW
Resources
intranet extranet
[email protected]
staff
mycorp.com (intranet)
mycorp.fr
ZONE ZONE
Rights mycorp.com mycorp.com
Add: DNS zones
Copy/move: DNS zones
Send: force-notify on DNS zones, ... ALL
ALL
Add: RRs RECORDS RECORDS
Copy/move: RRs
Delete: RRs, ...

Figure 98.4. Assigning resources grants access to parts of your organization

IPAM resources
• Spaces as resource provide read-only access to the IPv4 and IPv6 block-type networks,
IPv4 and IPv6 subnet-type networks, IPv4 and IPv6 pools and IPv4 and IPv6 addresses
they contain.
• IPv4 block-type network as resource provide read-only access to the subnet-type net-
works, pools and IP addresses they contain.
• IPv6 block-type network as resource provide read-only access to the subnet-type net-
works, pools and IP addresses they contain.
• IPv4 subnet-type network as resource provide read-only access to the pools and IP ad-
dresses they contain.
• IPv6 subnet-type network as resource provide read-only access to the pools and IP ad-
dresses they contain.
• IPv4 pool as resource provide read-only access to the IP addresses they contain.
• IPv6 pool as resource provide read-only access to the IP addresses they contain.
DHCP resources
• Servers as resource provide read-only access to the shared networks, scopes, ranges,
statics, groups, failover channels, option configurations, option definitions and ACLs they
contain.
• Servers (v6) as resource provide read-only access to the shared networks, scopes, ranges,
statics, groups, failover channels, option configurations and option definitions they contain.
• Scopes as resource provide read-only access to the ranges, statics and option configura-
tions they contain as well as to the shared networks of the server they belong to.
• Scopes (v6) as resource provide read-only access to the ranges, statics and option con-
figurations they contain as well as to the shared networks of the server they belong to.

1142
 Managing Groups

DNS resources
• Servers as resource provide read-only access to the options (all) - including forwarding,
access control, notify... -, views, zones, resource records, keys, access control lists and
RPZ rules they contain.
• Views as resource provide read-only access to the options (all) - including forwarding,
access control, notify... -, zones, resource records, keys, access control lists and RPZ
rules they contain.
• Zones as resource provide read-only access to the zone options, resource records, access
control lists and RPZ rules they contain.
• RPZ zones as resource provide read-only access to the resource records, access control
lists and RPZ rules they contain.
Applications resources
• Applications, pools and nodes cannot be assigned as resources. All users have read-only
access to these objects.
• DNS servers as resource provide read-only access to the traffic policy deployments for
applications associated with the selected servers.
Guardian resources
• Policies and triggers cannot be assigned as resources. All users have read-only access
to these objects.
• DNS servers as resource provide read-only access to deployments of policies they are
associated with.
NetChange resources
• Network devices as resource provide read-only access to the ports, VLANs and discovered
items they contain.
VLAN Manager resources
• VLAN domains as resource provide read-only access to the VLAN ranges and VLANs
they contain.
• VLAN ranges as resource provide read-only access to the VLANs they contain.
Identity Manager resources
• Directories, identities and sessions cannot be set as resource. However, once a group is
granted the right to list directories, its users can see all the added directories as well as
the identities and sessions they contain.
Administration resources
• Classes as resource provide read-only access to the class objects (Class Editor) they
contain.

Adding Resources to a Group

Before adding resources to a group keep in mind that:
• A group must be configured with resources and the rights to manage them. Without rights, at
most users can see the resources but cannot perform any operations on them. For more details,
refer to the section Configuring the Rights of a Group of Users.
• A group managing objects configured with custom classes should have these classes among
its resources. Otherwise, its users cannot see or edit the class parameters and every time they
edit resources configured with this class, they delete the value of all the class parameters set
for the object.
• A group of users cannot be set as resource of a group. Only users of the group admin can add,
edit their rights or delete them.

1143
 Managing Groups

• Users of the group admin have access to all resources by default. There is not need to assign
it resources.
• The objects that can be set as resource provide access to their container and the objects they
contain in read-only. You cannot perform operations on objects at higher or lower level if they
are not part of your resources, you only have a clear overview of the objects organization
around the objects that are part of your resources.

You can add objects as resource of a group from the page Resources, the listing page All <object>
or the properties page of an object.

To add resources to a group from the page Resources

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the sidebar, go to Users, Groups & Rights > Groups. The page Groups opens.
3. Click on the name of the group of your choice. The page Resources opens.
Note that you cannot select the group admin as, by default, it has authority over all the re-
sources.
4. In the menu, select Add > Resources > <resource-of-your-choice>. The wizard opens.
5. Tick the resource(s) of your choice.
6. Click on OK to complete the operation. The report opens and closes. The page refreshes
and the selected resources are listed on the page.
On the object(s) properties page, the panel Groups access lists the group.

To add resources to a group from a listing page

1. From the listing page of your choice, tick the object(s) you want to set as a resource to a
group.
2. In the menu, select Edit > Rights > Add as group(s) resource(s).The wizard Resources
Management opens.
3. In the list Available group(s), select a group and click on . The group is moved to the list
Add to the resources of the group(s). The selected object is added to the Resources of the
group(s). Repeat these actions for as many groups as needed.
To remove an object from the Resources of a group, in the list Add to the resources of the
group(s), select a group and click on , or double-click on it. The group is moved back to
the list Available group(s).
4. Click on OK to complete the operation. The report opens and closes. The page refreshes.
On the object properties page, the panel Groups access lists the group(s).

To add resources to a group from a resource properties page

1. From the listing page of your choice, click on to display the properties page of the object
of your choice.
Note that the panel Group access lists the group(s) that have the object among their re-
sources along with the addition and deletion rights they have, within the module, over objects
at lower levels.
2. In the panel Group access. Click on EDIT . The wizard Groups opens.
3. In the list Available group(s), select a group and click on . The group is moved to the list
Selected group(s). The selected object is added to the Resources of the group. Repeat these
actions for as many groups as needed.

1144
 Managing Groups

To remove an object from the Resources of a group, in the list Selected group(s), select a
group and click on , or double-click on it. The group is moved back to the list Available
group(s).
4. Click on OK to complete the operation. The report opens and closes. The page refreshes
and the panel is updated.

Removing Resources from a Group

You can remove objects from the resources of a group. This prevents the users of the group from
accessing them unless a container or lower object of the same hierarchy is listed among their
resources.

For instance, take a group with the space Local and the network local-terminal-network as re-
sources. If you remove the space Local from the resources of a group, its users can no longer
perform operations on this space, but they can still access its content because the network local-
terminal-network is still part of their resource.

Keep in mind that by default only users from the group admin, or users with the appropriate rights,
can remove resources from a group.

To remove a resource from a group

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the sidebar, go to Users, Groups & Rights > Groups. The page Groups opens.
3. Click on the name of the group for which you want to remove resources.The page Resources
opens.
4. Tick the box of the resource(s) of your choice.
5. In the menu, click on Delete. The wizard Delete: resources from a group opens.
6. Click on OK to complete the operation. The report opens and closes. The selected resources
are no longer listed.

Note that you can also remove resources from any listing page, or from the properties pages of
an object.

Managing the Users of a Group of Users

The purpose of a group is to define a set of rights and resources for the users it contains. Once
you configured the group, you can add existing users to the group to set their profile.

Adding a User to a Group

Once you added a user, you can add it as the resources of any group. It can also belong to
several groups with different resources and rights. The user credentials are the same but their
access correspond to the group they belong to.

For more details regarding user addition, refer to the chapter Managing Users.

To add a user to a group

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the sidebar, go to Users, Groups & Rights > Groups. The page Groups opens.
3. Click on the name of the group of your choice. The page Resources of that group opens.

1145
 Managing Groups

4. In the menu, click on Add > Users. The wizard Rights & delegation: Users opens.
5. Tick the user(s) of your choice.
6. Click on OK to complete the operation. The wizard closes and the page refreshes. The user
is listed among the resources of the group.

Removing a User from a Group

To restrict user rights, you can remove them from a group. If they do not belong to any group,
their credentials can open SOLIDserver GUI but they cannot display or edit any module or re-
source.

To remove a user from a group

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the sidebar, go to Users, Groups & Rights > Groups. The page Groups opens.
3. Click on the name of the group of your choice. The page Resources of that group opens.
4. Tick the user(s) of your choice.
5. In the menu, click on Delete. The wizard Delete opens.
6. Click on OK to complete the operation. The report opens and closes. The user(s) is no longer
listed in the resources so can no longer benefit from the group rights. The user is still listed
on the Users page.

Editing Groups of Users

You can edit the parent group, name, descriptions and rights inheritance of a group.

If you want to edit the users, rights or resources of a group, refer to the sections Managing the
Users of a Group of Users, Managing the Rights of a Group of Users and Managing the Resources
of a Group of Users.

To edit a group main properties

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the sidebar, go to Users, Groups & Rights > Groups. The page Groups opens.
3. At the end of the line of the group you want to edit, click on . The properties page opens.
4. In the panel Main properties, click on EDIT . The wizard Edit a group opens.
5. If classes are enabled, in the list Group class, select a class or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
6. Edit the Parent group if need be. For more details, refer to the procedure To add a group.
7. Click on NEXT . The last page opens.
8. Edit the Group name, Description and/or Copy rights from group according to your needs.
For more details, refer to the procedure To add a group.
9. Click on OK to complete the operation. The report opens and closes. The changes are visible
in the panel.

1146
 Managing Groups

Enabling or Disabling Groups of Users

By default when you add groups, they are enabled but you can disable them.

Keep in mind that if you disable a group, the users it contains can still connect to SOLID-
server but do not have access to any module or resource.

To enable/disable a group
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the sidebar, go to Users, Groups & Rights > Groups. The page Groups opens.
3. Tick the group(s) of your choice.
4. In the menu, select Edit > Status > Enable or Disable. The corresponding wizard opens.
5. Click on OK to complete the operation. The report opens and closes. The group(s) is marked
OK or Disabled in the column Status.

Exporting Groups of Users

From the page Groups, you can export the data listed in a CSV, HTML, XML, XLS or PDF file.

Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.

Deleting Groups of Users

You can delete groups of users.

Keep in mind that if you delete a group, the users it contains can still connect to SOLIDserver
but do not have access to any module or resource.

To delete a group
Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the sidebar, go to Users, Groups & Rights > Groups. The page Groups opens.
3. Tick the group(s) you want to delete.
4. In the menu, click on Delete. The wizard Delete opens.
5. Click on OK to complete the operation. The report opens and closes. The group is no longer
listed.

1147
Chapter 99. Managing Users
Depending on the group they belong to, users can have administrative or standard access to the
appliance. You can add as many users as you want.

By default, user authentication is performed using the local database. However you can have:
Local users
To use local authentication, you must configure a group and manually add this local user into
the group. Once added to a group, a user is considered as a resource of the group. For more
details, refer to the section Managing the Users of a Group of Users in the chapter Managing
Groups.
Remote users
To use remote user authentication via Microsoft Active Directory (AD), RADIUS, LDAP or
OpenID Connect, you must configure the relevant rule. For more details, refer to the chapter
Managing Authentication Rules.
Once the rule is configured, remote users are automatically added the first time they are
authenticated and granted access to the interface. Until they belong to a group, they cannot
access any module or resource or perform any operation. Therefore, you must either add
them as resource of a group after their first connection to the appliance, or add the remote
users to the page Users and set them as resource of the relevant group before their first
connection.
To ensure access to the appliance if your remote directory is unreachable, you must have
at least one local user in the group admin.

Keep in mind that if you manage local and remote users, every remote and local user must have
a unique login. If a remote user and a local user share the same login, it is no longer possible to
authenticate the remote user.

If you want to manage RIPE or APNIC persons, refer to the part SPX.

Note that any connected user can set their display settings and change their password, as detailed
in the section Account Configuration.

Browsing Users
In the rights management hierarchy, users constitute the lowest level, along with resources and
rights, the services. Users must belong to one or several groups to set profiles.

AUTHENTICATION

GROUP OF USER
USERS

RESOURCE

RIGHT

Figure 99.1. The user in the rights management hierarchy

By default, the superuser ipmadmin is the only user listed on the page. It belongs to the admin
group and has all the rights and every manageable object among its resources.

1148
 Managing Users

Browsing the Users Database

To display the list of users
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Users. The page opens.

To display a user properties page

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Users. The page opens.
3. At the end of the line of the user of your choice, click on . The properties page opens.

Customizing the Display on the Page Users

Any user can change the column layout of the page via the button List template, on the right-
end side of the menu. Only users of the group admin can add or edit list templates. For more
details, refer to the section Managing List Templates.

Adding Users
You can add as many users as you want on the page Users. Once listed on the page, users are
part of local database.

If you locally add users of Microsoft Active Directory (AD), RADIUS, LDAP or OpenID Connect,
make sure that their login is unique. Once you manage local and remote users, if a remote user
and a local user share the same login, it is no longer possible to authenticate the remote user.

Keep in mind that each local user profile depend on:

1. The group or groups, of users they belong to.
2. The right granted or denied to the group(s).
3. The resources granted or denied to the group(s).

Note that you can also import users from a CSV file. For more details, refer to the section Importing
Users in the chapter Importing Data from a CSV File.

To add a local user

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Users. The page opens.
3. In the menu, click on Add. The wizard Add a user opens.
4. If classes are enabled, in the list User class, select a class or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. In the field Login, specify the user login. This login cannot be an email address.
1
6. In the field Password, specify the user password .
7. In the field Confirm password, specify the user password again.
8. To configure additional parameters:

1
If the user is of Unix type and the password is not printable, the system password is used.

1149
 Managing Users

a. Tick the box Expert mode.

b. In the field First name, specify the user first name.
c. In the field Last name, specify the user last name.
d. In the field Official name, the user last and first name are automatically displayed. You
can replace them by a shortname or shorter name if you want.
e. In the field Email, specify the user email address.
f. In the field Login URL, specify the URL toward which the user should be directed after
being authenticated.
g. In the drop-down list Maintainer group, select the group of users that should be able
to edit the user information (names, credentials, email...) and classes.
9. Click on OK to complete the operation. The report opens and closes. The user is listed among
the users with its Login, Official name and Origin in the corresponding columns.

Connected users can edit their session time and date or listing page display, interface language
or password. For more details, refer to the section Account Configuration.

Editing Users
Administrators and users granted the sufficient rights can edit a user details or group.

Note that users must belong to a group, otherwise they can connect to SOLIDserver but their
session cannot access any module or resource, and they cannot perform any operation.

Editing the User Details

Editing the user details means editing the panel Main properties on their properties page.

Note that you can edit the details of the superuser, ipmadmin.

To edit a local user information

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Users. The page opens.
3. In the column Login, click on the user name of your choice. The properties page opens.
4. In the panel Main properties, click on EDIT . The wizard Edit a user opens.
5. If classes are enabled, in the list User class, select a class or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
6. Edit the user information according to your needs.You can edit any detail except their Official
name, all parameters are detailed in the procedure To add a local user.
Note that changing a user password takes effect immediately. This change overwrites their
current password and can log them out, they may no longer be able to log in.
7. Click on OK to complete the operation. The report opens and closes. The changes are visible
in the panel.

Editing the User Group

Editing the group of a user allows to change its user profile. From the user properties page, in
the panel Group access, you can edit its group.

1150
 Managing Users

To edit a local user group

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Users. The page opens.
3. In the column Login, click on the user name of your choice. The user properties page opens.
4. In the panel Groups access, click on EDIT . The wizard Groups opens.
5. If classes are enabled, in the list User class, select a class or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
6. In the list Available group(s), you can select a group and click on . The group is moved
to the list Selected group(s).
7. In the list Selected group(s) are displayed the group(s) the user belongs to. You can select
a group and click on . The group is moved to the list Available group(s).
8. Click on OK to complete the operation. The report opens and closes. The changes are visible
in the panel.

Changing the User Password

Administrators and users granted the sufficient rights can change a user password, from the user
properties page.

Note that:
• Changing a user password takes effect immediately. This change overwrites their current
password and can log them out, they may no longer be able to log in.
• If you want to set a specific password complexity, refer to the section Configuring the User
Password Complexity.

To change a user password

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Users. The page opens.
3. In the column Login, click on the user name of your choice. The properties page opens.
4. In the panel Main properties, click on EDIT . The wizard Edit a user opens.
5. If classes are enabled, in the list User class, select a class or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
6. In the field Password, specify the new password.
7. In the field Confirm password, specify the password again.
8. Click on OK to complete the operation. The report opens and closes.

Configuring the User Password Complexity

An administrator can set up a specific complexity level for all users' passwords.

From the registry database, you can add a dedicated key and set its value using the regular ex-
pression, regex, that suits your needs. For instance:

1151
 Managing Users

# The following regex requires in the password at least: one uppercase character, one
lowercase
# character, one digit and one punctuation mark.

.*(?=.{8,})(?=.*[a-z])(?=.*[A-Z])(?=.*[0-9])(?=.*[^0-9a-zA-Z]).*

Once you added the registry key, you must change the passwords that do not match the regular
expression you set.

To set the users' password complexity level

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Registry database. The page Registry database opens.
3. In the menu, click on Add. The wizard Registry database Add an item opens.
4. In the field Name, type in ipmserver.login.regex_password_complexity.
5. In the field Value, specify a valid regular expression. By default, the key is set to 0, i.e. dis-
abled.
6. Click on OK to complete the operation. The report opens and closes. The page refreshes.
7. Make sure the users' password match the regular expression you just set, otherwise the
users in question can no longer log in. To edit users' password follow the procedure To
change a user password.

Configuring Users Connection Parameters

An administrator can configure the way to handle connexion attempts made using wrong creden-
tials. Using registry keys, they can:
• Set the maximum number of failed connection attempts, from a same IP address, after which
these attempts are locked out. By default, it is set to 3.
• Set the authentication period during which the maximum number of failed connection attempts
is allowed. By default, it is set to 10 seconds.
• Set the lock out period during which connection attempts are not allowed. By default, it is set
to 30 seconds.

To edit the registry key to set the maximum number of failed connection attempts
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Registry database. The page Registry database opens.
3. Filter the column Name with ipmserver.login.bad_login_retry_before_freeze.
4. Hit Enter. Only this key is listed.
5. In the column Value, click on the value set for the key. The wizard Registry database Edit
a value opens.
6. In the field Name, the key name is displayed in read-only.
7. In the field Value, specify the maximum number of failed connection attempts, from a same
IP address, after which these attempts are locked out.
8. Click on OK to complete the operation. The report opens and closes. The new value is dis-
played.

To edit the registry key to set the authentication period

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.

1152
 Managing Users

2. In the section Expert, click on Registry database. The page Registry database opens.
3. Filter the column Name with ipmserver.login.bad_login_test_window.
4. Hit Enter. Only this key is listed.
5. In the column Value, click on the value set for the key. The wizard Registry database Edit
a value opens.
6. In the field Name, the key name is displayed in read-only.
7. In the field Value, specify the authentication period during which the maximum number of
failed connection attempts is allowed.
8. Click on OK to complete the operation. The report opens and closes. The new value is dis-
played.

To edit the registry key to set the lock out period

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Registry database. The page Registry database opens.
3. Filter the column Name with ipmserver.login.bad_login_freeze_time.
4. Hit Enter. Only this key is listed.
5. In the column Value, click on the value set for the key. The wizard Registry database Edit
a value opens.
6. In the field Name, the key name is displayed in read-only.
7. In the field Value, specify the number of seconds during which connection attempts are
locked out after the maximum number of failed connection attempts has been reached.
8. Click on OK to complete the operation. The report opens and closes. The new value is dis-
played.

To display the failed connections logs

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Monitoring, click on Syslog. The page Syslog opens.
3. In the drop-down list SOLIDserver, verify that the local appliance is selected. Only the
hostname appears with no IP address.
4. In the drop-down list Services, select auth. The page refreshes.
5. In the column Log, type in invalid and hit Enter. The repeatedly failed attempts to connect
are listed, as in the example below where the invalid user name is toto:
Feb 23 16:09:36 solid ipmserver[1226]: invalid login/password toto
Feb 23 16:09:37 solid ipmserver: Last message 'invalid login/passwo' repeated 2
times, suppressed by syslog-ng on solid.intranet
Feb 23 16:09:37 solid httpd: SOLIDserver: too many connection attempts with invalid
credentials. Retry later.

Configuring User Sessions

SOLIDserver provides the possibility to set an automated session logout of any user if they do
not do anything on the server after a certain period of time.You can also redirect users after their
session expires or when they log out.

Configuring Users Login Session Time

By default, the session is set to 1800 seconds, i.e. the user session ends after 30 minutes of in-
activity. The session cannot be shorter than 300 seconds, or 5 minutes.

1153
 Managing Users

To edit the time limit for a user login session

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Registry database. The page Registry database opens.
3. Filter the column Name with www.login.session_timeout.
4. Hit Enter. Only this key is listed.
5. In the column Value, click on the value listed. The wizard Registry database Edit a value
opens.
6. In the field Value, specify the session time of your choice, in seconds. By default, it is set to
1800, the minimal accepted value is 300.
7. Click on OK to complete the operation. The report opens and closes. The Value is updated.
8. Hit F5 to refresh the web page and take into account your changes. Each user is automatically
logged out if no actions are performed above the specified number of seconds.

Redirecting Users After They Log Out or Their Session Expires

By default, once a user session expires or after a log out, the login page opens. You can choose
to redirect users toward a website instead. A registry database entry can be configured with the
website URL.

To redirect users at the end of their session

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Registry database. The page Registry database opens.
3. Filter the column Name with logout.session.redirect.url.
4. Hit Enter. Only this key is listed.
5. In the column Value, click on the value listed. The wizard Registry database Edit a value
opens.
6. In the field Value, specify the URL of your choice following the format http://<website-of-
your-choice>. By Default, the value is empty.
7. Click on OK to complete the operation. The report opens and closes. The new value is visible
in the list and now all users are automatically redirected to the website specified as value
once they log out.

Enabling or Disabling Users

By default adding users, enables them. Disabling users prevents them from connecting to
SOLIDserver, without deleting them from the database. You can enable them again later on.

To enable/disable a user
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Users. The page opens.
3. Tick the user(s) of your choice.
4. In the menu, select Edit > Status > Enable or Disable. The corresponding wizard opens.
5. Click on OK to complete the operation. The report opens and closes. The user(s) is marked
OK or Disabled in the column Status.

1154
 Managing Users

Generating User Reports

EfficientIP provides one user dedicated report.

Table 99.1. Available user report

Page Report
Users Users rights in each group

For more details regarding the reports and their generation, refer to the section Managing Reports.

Exporting Users
From the page Users, you can export the data listed in a CSV, HTML, XML, XLS or PDF file.

Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.

Deleting Users
Deleting local users prevents them from connecting to SOLIDserver and removes them from the
page Users.

Keep in mind that deleting users connecting remotely, like AD users, does not prevent them from
connecting. Once the rule is enabled, users are added locally upon connection and placed in an
existing group of users if their name matches the name of the group they belong to in the Active
Directory.

To delete a local user

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Users. The page Users opens.
3. Tick the user(s) of your choice.
4. In the menu, click Delete. The wizard Delete opens.
5. Click on OK to complete the operation. The report opens and closes. The user(s) is no longer
listed.

1155
Chapter 100. Managing Authentication
Rules
Authentication rules allow to securely log in external users to the GUI. These rules set up access
for users whose credentials are stored on remote Microsoft Active Directory, LDAP, RADIUS
servers and/or OpenID compatible identity providers.

To provide secure user connections, all remote authentications are challenged when a user
connects with their login and password. If several authentications rules are configured, the con-
nection process is the following:
1. The first authentication rule is used to authenticate the user. If it fails, SOLIDserver tries the
next authentication rule. Each configured authentication rule is tried and used, whether it relies
on Active Directory, LDAP, RADIUS or OpenID Connect, until it is successful or all authentic-
ations fail.
2. Either the user is granted access, or all rules failed and the user access to the GUI is denied.
3. When the authentication succeeds, the user rights are based on the group they belong to in
SOLIDserver.

Group Admin

[email protected]
[email protected]
...

Group B

LDAP
LDAPserver
server [email protected]
[email protected]
...

LDAP authentication
rule enabled

Group A

SOLIDserver

John Doe Group B

[email protected]

Group C

Figure 100.1. The user connection process when an authentication rule is enabled

To remedy any remote authentication issue, you must have at least one local admin user
configured. With a user in the group admin, you ensure that you have access to SOLIDserver
and can intervene in case of authentication failures, whether a remote directory or server is un-
reachable or a local group of users matching a remote group has insufficient rights or resources.

To set up LDAP or RADIUS remote authentication for SSH connections, refer to the appendix
Using Remote Authentication for SSH Connections to SOLIDserver.

1156
 Managing Authentication Rules

Browsing Authentication Rules

In the rights management hierarchy, authentication rules are optional second level. They are only
useful if you intend to authenticate remote users through AD, LDAP, RADIUS or OpenID Connect.

AUTHENTICATION

GROUP OF USER
USERS

RESOURCE

RIGHT

Figure 100.2. The authentication rule in the rights management hierarchy

By default, the list is empty. Only the rules you add are displayed on the page.

Browsing the Authentication Rules Database

To display the list of authentication rules
Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the sidebar, go to Users, Groups & Rights > Authentication rules. The page Authen-
tication rules opens.

To display an authentication rule properties page

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the sidebar, go to Users, Groups & Rights > Authentication rules. The page Authen-
tication rules opens.
3. At the end of the line of the rule of your choice, click on . The properties page opens.

Adding Authentication Rules

From the page Authentication rules, you can add as many authentication rules as you want. Note
that authentication rules are also listed to the page Rules.

Each rule allows to enable user authentication relying on Active Directory, LDAP, RADIUS and
OpenID Connect. Note that:
• User credentials can be saved in several remote servers.
• SOLIDserver systematically checks all rules. To provide secure authentication, the credentials
of the user requesting access are compared to all the configured remote servers.
• If the user is found in Active Directory, LDAP, RADIUS and/or OpenID, they are granted
access. The rights and resources they have access to depend on the configuration set for
the local group(s) of users they belong to.
• If the user is not found in any server, or rule, they are denied access.
• The authentication rules check does not follow any specific order. Therefore, you must
keep your authentication servers up-to-date, with the same data. If a user is in the group A on

1157
 Managing Authentication Rules

a server and in the group B on another server, there is no mean to set a preference for one
authentication rule over the other.

Adding Active Directory Authentication Rules

The rule AD authentication allows to configure user authentication through a Microsoft Active
Directory server. You can add as many AD rules as you need.

Active Directory (AD) is a technology created by Microsoft that provides a variety of network
services, including LDAP like directory services and other network information. SOLIDserver
supports remote authentication with any AD running on Microsoft Window Server 2008, 2008
R2, 2012 R2, 2016 or 2019.

To successfully authenticate users and take into account existing AD groups, you must:
1. Already have at least one group added both on the AD server and among SOLIDserver groups
of users with the exact same name, down to the case. The group name in SOLIDserver must
match the AD group name, the group name is case sensitive.
2. Configure said group with the resources and rights that define the users profile.
3. Add and configure the AD authentication rule with the option Synchronize set to Yes. You can
even configure it to deny access to users that do not belong to an AD group.
With this configuration, AD users are automatically added as resource of the matching local
group when they connect, they are granted the relevant rights and resources.

Note that you can import all your users via CSV, you must choose rule as Authentication method.
For more details, refer to the section Importing Users in the chapter Importing Data from a CSV
File.

Once the rule is added, AD users can connect to SOLIDserver. Note that:
• The changes performed on the AD server are not immediately taken into account by SOLID-
server. To avoid waiting, you can delete the AD users you modified from the page Users, when
they connect again, SOLIDserver contacts the AD server and authenticates them with their
new parameters.
• If several email addresses are available for one user, only the first non-empty value is taken
into account.

To add the AD user authentication rule

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the sidebar, go to Users, Groups & Rights > Authentication rules. The page Authen-
tication rules opens.
3. In the menu, click on Add. The wizard Add a rule opens.
The fields Module and Event are already filled with the values Rights & delegation and Ex-
ternal user login.
4. In the drop-down list Rule, select (000) AD authentication.
5. In the field Rule name, name the rule. This name is used as the Instance of the rule.
6. In the field Comment, you can add a comment regarding that rule.
7. Click on NEXT . The page Rule filters opens.
8. Click on NEXT . The page Rule parameters opens.
9. Configure the basic AD authentication parameters following the table below:

1158
 Managing Authentication Rules

Table 100.1. Active Directory basic parameters

Field Description
AD server The IP address or hostname of the Active Directory server. This field is required.
AD server port The port of the Active Directory server. Leave it empty to use the default AD port.
This field is optional.
Use secure LDAP Tick this box to use secure LDAP during the authentication. SOLIDserver uses
a
LDAP and SSL to connect to the AD server .
Domain of DC The domain of the Domain Controller. Fully Qualified Domain Name (FQDN) of
your AD, for instance mydomain.corp. This field is required.
Default user domain The default domain of the user who connects through AD. This domain is con-
catenated to the user name. For instance, the user login jdoe is concatenated
with mydomain.corp to produce [email protected]. If you let this field empty,
you have to connect with [email protected]. If you configure mydomain.corp
in this field then you only have to connect with jdoe. This field is optional.
a
Secure LDAP configuration relies on the TCP port 636. Make sure this port is open on your network.

10. You can configure the advanced AD authentication parameters.

a. Tick the box Expert mode. The configuration fields appear.
b. In the drop-down list Deny if not in a group, you can select Yes or No. By default, it is
set to Yes so only the members of an AD group can connect to SOLIDserver.
c. By default, the box Manage imbricated groups is unticked. You can tick it to allow
SOLIDserver to look for members in sub-groups of the specified top group on the AD
server during the authentication.
11. Click on NEXT . The last page opens.
12. In the drop-down list Synchronize, set the synchronization behavior of your choice. By default,
No is selected.
Select Yes if you want to synchronize SOLIDserver database with the AD database and
automatically add the users of the AD group name in the matching local group of users. Said
users are granted the same rights and resources as the local group. The box Expert mode
appears.
13. You can tick the box Expert mode to configure further the synchronization.The configuration
fields appear.

Table 100.2. Active Directory parameters for the groups synchronization

Field Description
AD group granted "admin" The name of any group on the AD server. All the users of the specified group
rights are granted access to SOLIDserver with the same rights as the users of the
group admin. These users are also listed as resource of the group admin. This
field is optional.
Login The login of an account that can retrieve the AD attributes of the users that you
want to grant access to SOLIDserver. This field is optional. Note that if your AD
is configured in a very strict manner and do not not specify an account with suf-
ficient rights, standard users might not be able to browse their own attributes.
This field is optional.
Password If you specified a Login, specify its account password. This field is optional.
Base DN The name of the top of the AD tree. The level specified is the starting point of
the search for a matching user account on the server. You can customize this
field in order to look in specific location(s) of the AD. This field is optional.
Use sAMAccountName You can decide to use or not the sAMAccountName field as user login. This
field as login parameter is used for pre-AD installation (basically NTDS) and accepts 8-char-
acters long login names instead of regular longer names. This field is optional.

1159
 Managing Authentication Rules

14. Click on OK to complete the operation. The report opens and closes. The rule now is listed,
its Instance matches the Rule name you set.

If some users connections fail, some guidelines may help an administrator to troubleshoot the
authentication.

To troubleshoot a remote AD authentication

1. Ask the user(s) whose connection fails to:
a. Try to connect to SOLIDserver with their AD credentials several times. The authentication
rule may not be taken into account immediately. If this fails:
b. Double check their AD credentials, they may not specify the proper ones.
If neither solution solves the problem, go to step 2.
2. Connect to SOLIDserver using the credentials of a local administrator:
a. In the sidebar, click on Administration. The page Admin Home opens.
b. In the section Monitoring, click on Syslog. The page Syslog opens.
c. In the column Log, look for any AD related information: Missing/invalid parameter or
ldap_connect. These messages look as follows:
Missing/invalid parameter : [usr_login]
Missing/invalid parameter : [usr_password]
Missing/invalid parameter : [ad_hostaddr]
Missing/invalid parameter : [ad_domain]
ldap_connect(): could not connect to ''

Most of the time, the source of the problem is that the AD connection is impossible. The
column may even indicate that the AD user credentials are not recognized as a member of
any existing SOLIDserver group.

Adding LDAP Authentication Rules

The rule LDAP authentication allows to configure user authentication through LDAP version 2 or
3. You can add as many LDAP rules as you need.

Lightweight Directory Access Protocol (LDAP) is an application protocol over TCP/IP for querying
and modifying directory services that might hold passwords, addresses, groups, public encryption
keys and other exchange-facilitating data.

To set up authentication for SSH connections, refer to the appendix Using Remote Authentication
for SSH Connections to SOLIDserver.

To successfully authenticate users and take into account an existing LDAP group, before
the first user connection you must:
1. Add a group of users within SOLIDserver matching the relevant LDAP group. This local group
must have the same name as the LDAP group. Therefore, to include the whole LDAP repository
tree structure, it may look as follows: cn=group1,ou=Groups,dc=example,dc=com.
2. Add and configure the LDAP authentication rule with the option Group attribute set to match
this LDAP group.
With this configuration, LDAP users are automatically added as resource of the matching local
group when they connect, they are granted the relevant rights and resources.

If you have clients distributed among several LDAP groups, you can decide to add local groups
that only use the section Common Name (CN) of your LDAP groups. To do so, you need to tick
the relevant box during the rule configuration. Keep in mind that if you tick this box, the name of

1160
 Managing Authentication Rules

all LDAP groups you add within SOLIDserver must only use the CN. You cannot mix long and
short group names in the database to authenticate LDAP users.

Note that you can import all your users via CSV, you must choose rule as Authentication method.
For more details, refer to the section Importing Users in the chapter Importing Data from a CSV
File.

Once the rule is added, LDAP users can connect to SOLIDserver. Note that:
• The changes performed on the LDAP server are not immediately taken into account by
SOLIDserver. To avoid waiting, you can delete the LDAP users you modified from the page
Users, when they connect again, SOLIDserver contacts the LDAP server and authenticates
them with their new parameters.
• If several email addresses are available for one user, only the first non-empty value is taken
into account.

To add the LDAP user authentication rule

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the sidebar, go to Users, Groups & Rights > Authentication rules. The page Authen-
tication rules opens.
3. In the menu, click on Add. The wizard Add a rule opens.
The fields Module and Event are already filled with the values Rights & delegation and Ex-
ternal user login.
4. From the list Rule, select (018) LDAP authentication.
5. In the field Rule name, name the rule. This name is used as the Instance of the rule.
6. In the field Comment, you can add a comment regarding that rule.
7. Click on NEXT . The page Rule filters opens.
8. Click on NEXT . The page Rule parameters opens.
9. Configure the rule parameters as follows.

Table 100.3. LDAP parameters

Field Description
LDAP server The IP address or hostname of the LDAP server. This field is required.
LDAP server port The port of the LDAP server. Leave it empty to use the default LDAP port.
This field is optional.
Use secure LDAP Tick this box to use secure LDAP during the authentication. SOLIDserver
uses LDAP and SSL to connect to the LDAP repository. This field is optional.
Use LDAP v3 Tick this box to use LDAP in version 3. Otherwise, version 2 is used. This
field is optional.
Base DN The top level of the LDAP repository tree is the base, as follows: dc=ex-
ample,dc=com. This field is required.
Group attribute The name of the attribute(s) in LDAP that matches one or several groups
in SOLIDserver, for instance memberof. If you specify an attribute, you en-
able the synchronization and SOLIDserver can retrieve all the groups of the
user. Several names must be separated by a comma. This field is optional.
Short group name (CN) Tick this box if you want to use only the Common Name (CN) as group
name, instead of the whole directory tree structure. This box should be
ticked for all LDAP rules or none of them, so make sure that all the groups
of users locally added in SOLIDserver are named using only the CN before
the first user authenticates. This field is optional

1161
 Managing Authentication Rules

Field Description
LDAP group granted "admin" The name of any group on the LDAP server. All the users of the specified
rights group are granted access to SOLIDserver with the same rights as the users
of the group admin. These users are also listed as resource of the group
admin. This field is optional.
Login The login of an account that can retrieve the LDAP attributes of the users
that you want to grant access to SOLIDserver. This field is optional and
based on the attribute uid. Note that if your LDAP is configured in a very
strict manner and do not not specify an account with sufficient rights,
standard users might not be able to browse their own attributes.
Password If you specified a Login, specify its account password.

10. Click on OK to complete the operation. The report opens and closes. The rule now is listed,
its Instance matches the Rule name you set.

Adding RADIUS Authentication Rules

The rule RADIUS authentication allows to configure user authentication through any RADIUS
server. You can add as many RADIUS rules as you need.

Remote Authentication Dial In User Service (RADIUS) is a networking protocol that uses access
servers to provide centralized access management to large networks.

To set up authentication for SSH connections, refer to the appendix Using Remote Authentication
for SSH Connections to SOLIDserver.

To successfully authenticate RADIUS users keep in mind that:

• A user with no access to RADIUS cannot access SOLIDserver either.
• The authentication rule does not allow to specify groups, therefore you should add group(s) of
users before enabling the rule. As the group name is sent by RADIUS, any local group of users
must be named exactly like the relevant RADIUS group, down to the case and potential accents.
RADIUS return value can hold multiple values, i.e. several groups, separated by a comma.
• RADIUS users are automatically added to SOLIDserver when connecting for the first time.
• Users attributes, such as group or email, are updated at each connection.

You can use FreeRADIUS or RADIUS for Cisco ACS with SOLIDserver. For more details, refer
to the appendix Configuring RADIUS.

To add the RADIUS user authentication rule

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the sidebar, go to Users, Groups & Rights > Authentication rules. The page Authen-
tication rules opens.
3. In the menu, click on Add. The wizard Add a rule opens.
The fields Module and Event are already filled with the values Rights & delegation and Ex-
ternal user login.
4. In the list Rule, select (017) RADIUS authentication.
5. In the field Rule name, name the rule. This name is used as the Instance of the rule.
6. In the field Comment, you can add a comment regarding that rule.
7. Click on NEXT . The page Rule filters opens.

1162
 Managing Authentication Rules

8. Click on NEXT . The page Rule parameters opens.

9. Configure the rule parameters following the table below:

Table 100.4. RADIUS authentication rule parameters

Field Description
RADIUS server IP address The IPv4 address of the host server. This field is required.
The number of the UDP port used to contact the RADIUS server. By
default, the port 1812 is used for authentication. This field is required.
RADIUS server port If you specify the port 0, the library looks up the service RADIUS/UDP
or the service radacct/UDP in the network services database and uses
the port found.
The RADIUS password. This password is necessary to grant SOLID-
RADIUS secret passphrase
server access to RADIUS. This field is required.
The timeout period of your RADIUS server, i.e. the number of seconds
RADIUS request timeout (seconds) after which the server switches to timeout status if no reply is received.
By default, it is set to 3. This field is required.
The maximum number of requests to be sent before the server stops
RADIUS max tries before giving up trying to connect and switches to failure state. By default, it is set to
3. This field is required.
The IP address that SOLIDserver needs to connect to RADIUS. This
RADIUS NAS IP address
field is optional.

10. Click on OK to complete the operation. The report opens and closes. The rule now is listed,
its Instance matches the Rule name you set.

Adding OpenID Authentication

The rule OpenID Connect authentication allows to configure user authentication through an ex-
ternal compatible OpenID provider.

OpenID Connect is an authentication protocol, based on the OAuth 2.0 family of specifications.
It uses simple JSON Web Tokens (JWT), which you can obtain using flows conforming to the
OAuth 2.0 specifications. It is commonly used by external identity providers like Google or Microsoft
Azure.

To successfully authenticate users via OpenID Connect you must:

1. Meet the prerequisites.
2. Take into account the limitations.
3. Configure the authentication on the identity provider side and on SOLIDserver, as detailed in
the section Configuring the Authentication.
4. Add the OpenID authentication rule to SOLIDserver GUI, as detailed in the section Adding the
OpenID Authentication Rule.
5. Customize SOLIDserver login page with your own link message and an optional image, as
detailed in the section Customizing the Authentication on the Login Page.

Note that once users are authenticated and logged in SOLIDserver, when they log out of their
GUI session they are not logged out of their identity provider session.

Prerequisites
1. SOLIDserver system configuration
• Make sure that the appliance is time synchronized using NTP.

1163
 Managing Authentication Rules

• Make sure that the appliance can reach a DNS resolver and resolve domain names.
• Make sure that the appliance can be accessed through a URL.This URL is used to configure
the application on the provider side.
2. On the provider side, register and configure an application with the proper tokens
• You must name your application and set it with the URL of your SOLIDserver appliance.
• The identity provider must support the following claims: name, email, given name and family
name. For Azure users, the email address must be specified in the field upn. You can also
include the user image.
All the users that can access the application can also access your SOLIDserver appliance,
but they cannot perform any operation if they do not belong to any group.
3. On SOLIDserver side, configure user access
As OpenID authentication does not rely on any group, you must prepare groups locally:
• Add one or more groups of users, grant them all the relevant rights and resources to set
user profiles.
• Add the application users and configure them with the email address declared.
• Add all users as resource of the relevant group(s).
When users connect for the first time, they are identified using their email address and granted
the rights of the group they belong to. If they are not part of any group of users, they cannot
access any module or perform any operation.

Limitations
• You can only configure one OpenID provider per SOLIDserver appliance.
• You can only add the OpenID authentication rule once.
• You can only configure the authentication details via CLI, through an SSH connection to
SOLIDserver.
• If you configure OpenID authentication on appliances configured in High Availability:
• To be able to access the Hot Standby appliance, users must have logged to the Master ap-
pliance first. Once they do, their user information is saved on the Master and replicated on
the Hot Standby.
• If no VIP is set for the appliances, both appliances must have their own authentication con-
figuration. Therefore, each must have an application on the provider side and a unique au-
thentication configuration file that includes its URL. If a VIP is set, one application can au-
thenticate both appliances, the local configuration file of the Master is replicated on the Hot
Standby.
• There is no user synchronization, you need to manually edit the group(s) of users if you want
to grant or deny access to specific users.

Configuring the Authentication

Once you met all the prerequisites and took into account all the limitations, you must:
1. Configure the authentication on the identity provider side.
2. Create the relevant authentication file in SOLIDserver, via CLI.

Keep in mind that if you configure the authentication on appliances in High Availability, you must
perform both operations on each appliance.

If you want to authenticate Google users, you must:

• Configure the application used for the authentication from the API configuration console of the
relevant Google project.

1164
 Managing Authentication Rules

• Connect to SOLIDserver via SSH to create the file /data1/etc/httpd/post/ext-identity.inc. It must

contain:
Define UseModAuthOpenIDC

<IfDefine UseModAuthOpenIDC>
LoadModule auth_openidc_module libexec/apache24/mod_auth_openidc.so

OIDCProviderMetadataURL
"https://accounts.google.com/.well-known/openid-configuration"
OIDCClientID "<client-id>"
OIDCClientSecret "<secret>"
OIDCRedirectURI "https://<solidserver>.int.efficientip.com/auth/redirect_uri"
OIDCCryptoPassphrase "<passphrase>"
OIDCScope "openid email"
OIDCSessionInactivityTimeout 900
OIDCCacheType "file"

</IfDefine>

For more details, refer to the section Configuring OpenID Authentication for Google in the ap-
pendix Configuring OpenID Authentication.

If you want to authenticate Microsoft Azure users, you must:

• Configure the application used for the authentication from Azure Active Directory.
• Connect to SOLIDserver via CLI to create the file /data1/etc/httpd/post/ext-identity.inc. It must
contain:
Define UseModAuthOpenIDC

<IfDefine UseModAuthOpenIDC>
LoadModule auth_openidc_module libexec/apache24/mod_auth_openidc.so

OIDCProviderMetadataURL
"https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration"
OIDCClientID "<client-id>"
OIDCClientSecret "<secret>"
OIDCRedirectURI "https://<solidserver>.int.efficientip.com/auth/redirect_uri"
OIDCCryptoPassphrase "<passphrase>"
OIDCScope "openid profile email"
OIDCSessionInactivityTimeout 900
OIDCCacheType "file"

</IfDefine>

For more details, refer to the section Configuring OpenID Authentication for Azure in the ap-
pendix Configuring OpenID Authentication.

Adding the OpenID Authentication Rule

Once you configured the authentication, you can add the authentication rule from the GUI.

Note that if you configure the authentication on appliances in High Availability, you only need to
add the rule on the Master appliance, the Hot Standby retrieves it.

To add the OpenID user authentication rule

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the sidebar, go to Users, Groups & Rights > Authentication rules. The page Authen-
tication rules opens.

1165
 Managing Authentication Rules

3. In the menu, click on Add. The wizard Add a rule opens.

The fields Module and Event are already filled with the values Rights & delegation and Ex-
ternal user login.
4. In the list Rule, select (184) OpenID Connect authentication.
5. In the field Rule name, name the rule. This name is used as the Instance of the rule.
6. In the field Comment, you can add a comment regarding that rule.
7. Click on NEXT . The page Rule filters opens.
8. Click on OK to complete the operation. The report opens and closes. The rule now is listed,
its Instance matches the Rule name you set.

Now the login page includes a link External authentication under the default login fields. You
should customize the page to specify the identity provider in the link message or include their
logo.

Customizing the Authentication on the Login Page

When the rule is added, you should edit the authentication message on SOLIDserver login page
to let users know which identity provider is now available.You can also include the identity provider
logo. Both the link and the logo allow to access the external authentication.

Note that if you configure the authentication on appliances in High Availability, you only need to
customize the login page of the Master appliance, the Hot Standby retrieves all details.

To edit the authentication link message

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Registry database. The page Registry database opens.
3. Filter the column Name with login.auth.ext.text.
4. Hit Enter. Only this key is listed.
5. In the column Value, click on the value listed. The wizard Registry database Edit a value
opens.
6. In the field Value, specify the message of your choice. The default message is External au-
thentication.
7. Click on OK to complete the operation. The report opens and closes. The page refreshes
and the new value is displayed.

If you want to include the identity provider image, you must upload it to the Local files listing and
then set the image name as value of the dedicated registry database entry. The image is shrunk
if it exceeds 100x100 pixels.

To include the identity provider logo on the login page

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. Upload the image:
a. In the section Maintenance, click on Local files listing. The page Local files listing
opens.
b. Under the menu, tick the bullet Custom images.The sub-page Custom images opens.
c. In the menu, select Tools > Upload file. The wizard Import a file opens.

1166
 Managing Authentication Rules

d. Click on BROWSE to look for the image of your choice on your computer.
e. In this new window, find the image you want to upload and select it.
f. Click on Open. The window closes. The name of the selected image is displayed in the
field File name.
g. Click on OK to complete the operation. The report wizard opens and closes. The image
is listed.
3. Include the image on the login page:
a. In the sidebar, click on Admin Home. The page Admin Home opens.
b. In the section Expert, click on Registry database. The page Registry database opens.
c. Filter the column Name with login.auth.ext.image.
d. Hit Enter. Only this key is listed.
e. In the column Value, click on <empty>. The wizard Registry database Edit a value
opens.
f. In the field Value, specify the full name of the image, including its extension.
g. Click on OK to complete the operation.The report opens and closes.The page refreshes
and the new value is displayed.

Editing Authentication Rules

You can edit the configuration of authentication rules, from their properties page Main properties
or directly from the list.

To edit a user authentication rule

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the sidebar, go to Users, Groups & Rights > Authentication rules. The page Authen-
tication rules opens.
3. Right-click over the Name or Instance of the rule you want to edit. The contextual menu
opens.
4. Click on . The wizard Edit a rule opens.
5. Edit the fields Rule name and Comment according to your needs.
6. Click on NEXT . The page Rule filters opens.
7. Click on NEXT . The page Rule parameters opens.
8. Edit the fields and configurations according to your needs. For more details, refer to relevant
procedure in the section Adding Authentication Rules.
9. Click on OK to complete the operation. The report opens and closes. The rule is listed. In
the column Instance, the Rule name you chose is displayed.

Enabling or Disabling Authentication Rules

Authentication rules are automatically enabled when you add them.

You can disable them and stop authenticating the corresponding remote users. When you enable
it again, the rule is checked again at every user connection.

To enable/disable a user authentication rule

Only users of the group admin can perform this operation.

1167
 Managing Authentication Rules

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the sidebar, go to Users, Groups & Rights > Authentication rules. The page Authen-
tication rules opens.
3. Tick the rule(s) of your choice.
4. In the menu, select Edit > Enable or Disable. The corresponding wizard opens.
5. Click on OK to complete the operation. The report opens and closes. The rule is listed and
marked OK or Disabled in the column Status.

Deleting Authentication Rules

If you no longer need an authentication rule, you can delete it. If the corresponding remote users
are not identified in another rule they are denied access to the interface.

To delete a user authentication rule

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the sidebar, go to Users, Groups & Rights > Authentication rules. The page Authen-
tication rules opens.
3. Tick the rule(s) of your choice.
4. In the menu, click on Delete. The wizard Delete opens.
5. Click on OK to complete the operation. The report opens and closes. The rule is no longer
listed.

1168
 Part XIX. Administration
The module Administration should be handled by an administrator as it allows to manage remote appliances
and monitor, maintain or upgrade SOLIDserver. Its homepage, Admin Home, is divided into six sections
that contain links toward all the pages of the module.

Figure 257. Admin Home, the homepage of the module Administration

Note that from the module Dashboards, you can monitor the module data or set up custom shortcuts and
search engines using gadgets. For more details, refer to the part Dashboards.

This part contains the following chapters:

• Centralized Management describes how to manage remote SOLIDserver appliances, monitor them,
configure their network and services and set up High Availability between two appliances.
• Managing Licenses: describes how to refresh licence metrics and renew licenses on local and remote
appliances.
• Monitoring describes how to monitor SOLIDserver from the reports, alerts, logs, statistics and users'
sessions and performed operations to SNMP tools (profiles, monitoring details through the MIBs...).
• Maintenance describes how to maintain or troubleshoot SOLIDserver, manage local files, save/restore
backup files or shut down and rebooting the appliance.
• Securing describes how to manage SSL certificates and encrypt the database.
• Configuring Space Synchronization describes how to synchronize the IPAM space of another appliance.
• Upgrading describes how to upgrade SOLIDserver, some checks must be performed before upgrading.

Some pages and options of the module Administration are detailed in other parts:
• The link Certificates and keys opens the pages All certificates, detailed in the section Changing the HTTPS
Certificate, All GSS-TSIG keys, detailed in the chapter Implementing Dynamic Update and All database
keys detailed in the chapter Securing.
• The part Configuring SOLIDserver details Network configuration, Services configuration and Licenses.
• The part Rights Management details Users, Groups and Authentication rules.
• The part Customization details the GUI customization options, including Language editor, and the pages
Class Studio, Custom DB and Packager. This part also details Smart Folders and IPv6 labels.
Table of Contents
101. Centralized Management ...................................................................................... 1173
Browsing Centralized Management ...................................................................... 1173
Configuring SOLIDserver to Remotely Manage Other Appliances ........................... 1177
Adding Remote Appliances .................................................................................. 1177
Managing the Services and Network Configuration of Another Appliance ................ 1179
Monitoring the Appliances Managed from the Page Centralized Management ......... 1180
Configuring Two Appliances in High Availability ..................................................... 1183
Editing Remote Appliances .................................................................................. 1186
Managing a High Availability Configuration ............................................................ 1186
Replacing Appliances Managed Remotely ............................................................ 1198
Exporting Remote Appliances .............................................................................. 1199
Deleting Remote Appliances ................................................................................ 1199
102. Managing Licenses .............................................................................................. 1202
Browsing the License and License Metrics ............................................................ 1202
Refreshing the Metrics of a License ...................................................................... 1204
Renewing the Licenses ........................................................................................ 1205
Exporting Licenses .............................................................................................. 1209
103. Monitoring ........................................................................................................... 1210
Managing Reports ............................................................................................... 1210
Managing Alerts .................................................................................................. 1219
Managing the Logs .............................................................................................. 1226
Monitoring the Appliance Statistics ....................................................................... 1229
Monitoring from Session Tracking ......................................................................... 1231
Monitoring from User Tracking .............................................................................. 1231
Forwarding Events ............................................................................................... 1233
Managing SNMP Profiles ..................................................................................... 1243
Monitoring Using SNMP ...................................................................................... 1245
Displaying Netstat Data ....................................................................................... 1246
Sizing the Database Tables .................................................................................. 1246
104. Maintenance ........................................................................................................ 1248
Managing Files from the Local Files Listing ........................................................... 1248
Using the Maintenance mode ............................................................................... 1255
Updating the Macros and Rules ........................................................................... 1255
Clearing the Appliance Cache .............................................................................. 1255
Troubleshooting ................................................................................................... 1256
Managing Backups and Restoring Configurations .................................................. 1258
Shutting Down and Rebooting .............................................................................. 1264
105. Securing .............................................................................................................. 1268
Managing SSL Certificates .................................................................................. 1268
Encrypting the Database ..................................................................................... 1277
106. Configuring Space Synchronization ....................................................................... 1284
Prerequisites ....................................................................................................... 1284
Limitations .......................................................................................................... 1284
Exposing a Space ............................................................................................... 1285
Synchronizing an Exposed Space ........................................................................ 1286
Completing the Synchronization Configuration ...................................................... 1287
Monitoring IPAM Synchronization ......................................................................... 1288
Disabling Space Synchronization ......................................................................... 1288
107. Upgrading ............................................................................................................ 1290
Prerequisites ....................................................................................................... 1290
Recommendations .............................................................................................. 1290

1171
 Administration

Upgrading an Appliance ....................................................................................... 1291

Upgrading Appliances Managed Remotely ............................................................ 1292
Upgrading Appliances in High Availability .............................................................. 1293
Troubleshooting the Upgrade ............................................................................... 1295

1172
Chapter 101. Centralized Management
In the module Administration, the page Centralized Management allows administrators to:
• Monitor appliances, locally and remotely. The page returns system, hardware, licence and
maintenance information. For more details, refer to the section Monitoring the Appliances
Managed from the Page Centralized Management.
• Manage remotely other appliances. From the Management appliance you can manage the
service and network configuration, monitor and upgrade remote appliances.
• Set up High Availability between the local appliance and a remote one. In such a configuration
the Master appliance contains all the data you manage and the Hot Standby replicates the
Master database but can have a specific configuration of its services and network.

Whether you want to manage remote appliances or set up a High Availability configuration, you
must:
1. Configure the local appliance.
2. Add a remote appliance to the page Centralized Management.

Note that with remote appliances or a High Availability configuration, the upgrade can be performed
remotely. For more details, refer to the chapter Upgrading.

Browsing Centralized Management

From the page Centralized Management you can configure and manage appliances remotely
managed as well as the ones configured in High Availability (HA).

Browsing the Centralized Management Database

To access the page Centralized Management
Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Centralized Management. The page Centralized Manage-
ment opens.
3. To display license metrics, in the column Name click on the appliance of your choice. The
page All licenses opens. For more details, refer to the chapter Managing Licenses.

Appliances do not have a properties page, all details and properties can be displayed in the
columns. Note that the columns Local and Role provide specific information on the local or remote
appliances. For more details, refer to the next section.

Customizing the Display on the Page Centralized Management

Any user can change the column layout of the page via the button List template, on the right-
end side of the menu. Only users of the group admin can add or edit list templates. For more
details, refer to the section Managing List Templates.

The columns on the page provide details regarding the local appliance and any remote appliance,
whether it is configured in High Availability or not. A set of columns are displayed by default, extra
columns dedicated to more specific data are also available.

1173
 Centralized Management

Table 101.1. The default columns on the page Centralized Management

Column Description
Name The appliance hostname. It is used in the list SOLIDserver to differentiate local and remote
appliances.
Local Allows to identify the local appliance, the one you are connect to. The appliance you are
operating on is marked Yes, any remote appliance is marked No.
Manufacturer The appliance manufacturer. It can therefore tell you if you are working on or remotely
managing virtual appliances.
Product The appliance model. It indicates the type of appliance you are working with and its size
if it is not a virtual appliance (e.g. SOLIDserver-250).
Serial # The appliance serial number. If two appliances have the same name, you can differentiate
them using their serial number.
Version The version of SOLIDserver: current is the latest.
IP address The appliance IP address. The IP address of each appliance is used to access all the
appliances that you want to add to the page Centralized Management.
Master address The IP address of the Master appliance in the HA configuration. Master and Standalone
appliances display None in this column.
Role The role of the appliance, it indicates whether or not it is part of a High Availability config-
uration or remotely managed.
Master An appliance running in association with a Hot Standby appliance.
It has a HA UID.
Master (hot standby An appliance that used to be the Master in the HA configuration
init) and is currently becoming the Hot Standby.
Hot Standby An appliance replicating the content of the Master appliance data-
base it is associated with. It has the same HA UID as its master.
Hot Standby (init) A Hot Standby appliance is being enrolled again with the same
Master in case of replication failure.
Hot Standby (switch- An appliance that used to be the Hot Standby in the HA configuration
ing to Master) and is currently becoming the Master.
Standalone An appliance configured and running on its own, with no HA config-
uration. This is the default role of any appliance.
Standalone (hot An appliance becoming the Hot Standby of a Master appliance. It
standby init) is not accessible for a few minutes, until the replication of the entire
database is complete. During this time, the Hot Standby database
is erased and replaced with the replication of the Master appliance
database.
Standalone (switching The local appliance is becoming a Master and enrolling its Hot
to Master) Standby. This status is only visible if the enrollment is taking more
than a few minutes. The appliances Status allows to monitor the
enrollment, for more details refer to the section Understanding the
Statuses on the Page Centralized Management.
Master (recovered) A Hot Standby appliance set as a Master is marked as such during
the role switch, it is immediately operational.
End of license The date and time when a temporary license reaches its expiration. For appliances with
a permanent license, this column is irrelevant. For more details on license renewals, refer
to the chapter Managing Licenses.
End of maintenance The date and time when the maintenance period reaches its expiration.
Time left (license) The number of days, hours and minutes until the End of license. For appliances with a
permanent license, this column is irrelevant. For more details on license renewals, refer
to the chapter Managing Licenses.
Time left (mainten- The number of days, hours and minutes until the End of maintenance.
ance)

1174
 Centralized Management

Column Description
System state The overall state of the appliance. It monitors and returns the information of the columns
CPU load (5 min), Disk I/O load (%), Fans status, HDD space, LAGG status, Memory usage
(%), Power Supply Units status and RAID status. The statuses of these columns are de-
scribed in the next table.
OK The appliance overall state is normal. None of the monitored
columns is alerting.
Unknown One of the monitored columns returns no information.
Critical One of the monitored columns is in critical state.
Warning One of the monitored columns requires attention.
HA UID The key that identifies two appliances configured in High Availability.
Last write period The last time the Hot Standby replicated the Master database.
Time drift The difference, in seconds, between the Master NTP and the Hot Standby NTP. That drift
should not exceed a minute (60 in the column) as this could have consequences on the
DHCP failover replication.
Replication offset The difference, in kilobytes, between the Master database and the Hot Standby database.
As the replication is almost in real time, the difference should be minimal. A great value
in this column could indicate a network disruption. If the Replication offset is Unknown,
the remote SOLIDserver is in Timeout.
Status The appliance status, for more details refer to the section Understanding the Statuses on
the Page Centralized Management.
Security events The security events collection status of the appliance, Yes or No. For more details, refer
to the section Forwarding Security Events in the chapter Monitoring.

In addition to the default columns, you can display columns dedicated to system and hardware
information, among other things.

Table 101.2. The other columns available on the page Centralized Management
Column Description
Firmware date The software image release date.
Device OS version The appliance architecture, either amd64 or i386. i386 is only displayed for remotely
managed appliances in version prior to 6.0.x.
CPU load (5 min) The load of all the appliances' CPU cores, on an average of 5 minutes. You can monitor
and use the values in this column to return the specific statuses in the column System
State, as detailed in the section Configuring Specific Thresholds to Monitor the Column
System State.
Disk I/O load (%) The load of the appliance disk I/O, in percent. You can monitor and use the values in this
column to return the specific statuses in the column System State, as detailed in the section
Configuring Specific Thresholds to Monitor the Column System State.
Memory usage (%) The memory usage of the appliance, in percent. You can monitor and use the values in
this column to return the specific statuses in the column System State, as detailed in the
section Configuring Specific Thresholds to Monitor the Column System State.
PSU status OK The appliance power supply unit(s) is/are up and running.
N/A No information can be retrieved from the power supply unit(s). For in-
stance, on a virtual appliance or if the appliance has only one PSU.
Disabled No PSU redundancy is available on the appliance.
Critical One of the appliances' power supply units is unplugged or defective.
RAID status The status of the RAID disk(s) of SOLIDserver 4th generation hardware appliances (from
SOLIDserver-550) and of all SOLIDserver 5th generation hardware appliances.
OK The appliance RAID disk(s) is/are up and running.
N/A No information can be retrieved from the appliance RAID disk(s).

1175
 Centralized Management

Column Description
Disabled No RAID disk is enabled on the appliance.
Critical The appliance RAID disk(s) is/are enabled but is degraded or offline.
Fans status OK The appliance fan(s) is/are up and running.
N/A No information on the appliance fan(s) is available.
Disabled The appliance fan(s) is/are set to disabled.
Critical At least one appliance fan returns an error (not running, on failure...).
HDD space The space used on the partition /data1 of the appliance, in percent. You can monitor and
use the values in this column to return the specific statuses in the column System State,
as detailed in the section Configuring Specific Thresholds to Monitor the Column System
State.
LAGG status OK The appliance LAGG interface(s) is/are up and running.
N/A No information can be retrieved from the appliance LAGG interface(s).
Disabled No LAGG interface is configured as active on the appliance.
Critical At least one appliance LAGG interface is down.
Time (Management) The time of the remote appliance(s) managed through the local appliance.
Time (Local) The local appliance date and time.
Last write time The exact time of the last database replication.
Multi-status The emergency, warning, critical, error and/or informational message(s) regarding the
appliance. For more details, refer to the section Understanding the Column Multi-Status
or Multi-Status Messages.

Understanding the Statuses on the Page Centralized Management

The column Status provides information regarding the appliances you manage.

Table 101.3. Appliance statuses

Status Description
OK The appliance is up and running.

Not configured The Local appliance has not been configured yet.

Managed (remote) The appliance is being managed remotely, i.e. listed on the page Centralized Man-
agement of another appliance.
Upgrading... The appliance is being upgraded.

Switching to Hot Standby The appliance is switching to Hot Standby role.

Switching to Master The appliance is switching to Master role.

Switching to Standalone The appliance is switching to Standalone role.

Invalid credentials The appliance has been switched to Standalone, was restored or the password of
the SSH admin account has changed. If the appliance database is encrypted, it may
be that the Active key is missing. For more details, refer to the chapter Securing.
Timeout The appliance is not responding.

Split-brain Two appliances are in Restricted mode due to a split-brain. For more details, refer
to the section Troubleshooting a Split-brain.
Repl. stopped The replication stopped, the connection is lost between the appliances. For more
details, refer to the section Configuring Specific Behaviors if the Replication Takes
a Long Time or Stopped.

1176
 Centralized Management

Configuring SOLIDserver to Remotely Manage Other

Appliances
Whether you want to manage remote appliances or use a remote appliance to set up High
Availability, you must first of all configure the Management or Master SOLIDserver locally.

Configuring an appliance locally means assigning it an IP address. It sets the grounds for remote
management and differentiates appliances:
• For remote management, it differentiates the Management appliance from the remote appliance.
• For High Availability configurations, it differentiates the Master appliance from the Hot Standby
appliance.

To configure locally the Management or Master appliance

Only users of the group admin can perform this operation.
1. Connect to the future Master or Management appliance GUI.
2. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
3. In the section System, click on Centralized Management. The page opens.
In the column Local, your appliance is marked Yes. It does not have an IP address, which
is why its Status is Not configured.
4. In the menu, select Tools > Configure local SOLIDserver. The wizard Configure local
SOLIDserver opens.
5. In the drop-down list SOLIDserver IP address, select the IP address of the appliance you
are currently configuring.
6. Click on OK to complete the operation. The report opens and closes. On the page Centralized
Management, the local appliance details are now complete. Its Role is Standalone and its
Status OK.

Once the appliance is configured, you need to add other appliances to remotely manage them
from the pages Centralized Management, Network configuration and Services configuration.

Adding Remote Appliances

Once you configured your local appliance, you can add other appliances. You can add a large
number of appliances to overview all SOLIDserver appliances used on your network.

The local appliance becomes a management platform where you remotely manage and/or
monitor other SOLIDserver appliances via the drop-down list SOLIDserver available on the pages
Network configuration, Services configuration, Syslog and System statistics of the module Admin-
istration.

Before remotely managing other appliances:

• You must have at least two SOLIDserver appliances.
• You must configure the management platform locally, for more details refer to the section
Configuring SOLIDserver to Remotely Manage Other Appliances.
• The appliances remotely managed must be in software version 5.0.0.P0 or higher.
• The remote management can only be configured from and with appliances using an IPv4 ad-
dress.

1177
 Centralized Management

• On all appliances, the NTP should be configured to make sure they are all set at the same
time and date. For more details, refer to the section Configuring NTP Servers.

Once you configured locally the future Master or Management appliance, you can add remote
appliances to the page Centralized Management. Keep in mind that:
• You can add as many remote appliances as you want to the page.
• You cannot display several High Availability configuration pairs on the page.
• Appliances remotely managed are still accessible locally.

To add a remote appliance

1. Connect to the future Master or Management appliance GUI.
2. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
3. In the section System, click on Centralized Management. The page Centralized Manage-
ment opens.
4. In the menu, click on Add. The wizard Add/modify remote SOLIDserver opens.
5. If custom classes are enabled at appliance level, in the list SOLIDserver (appliance) class
select a class or None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
6. In the field SOLIDserver IP address, specify the IP address of the appliance you want to
add to the list.
7. In the field "Admin" account password, you can specify the password of your SSH account.
By default, the default password of the account, admin, is automatically specified in the field.
8. If you want to monitor the remote appliance, tick the box SNMP parameters. The configur-
ation fields open.

Table 101.4. SNMP parameters used to monitor the remote appliance

Field Description
SNMP port The port used to retrieve the remote appliance statistics. By default, the port 161 is used.
If you changed the UDP port of your SNMP server, you must use the same port. For more
details, refer to the section Configuring the SNMP Server.
SNMP profile The SNMP profile used to retrieve the statistics. By default, standard v2c is selected.
This field is optional. The list contains the default profiles (standard v1, standard v2c and
standard v3) and the ones you may have added. Each profile has its own level of security
and enables the definition of a global security policy. For more details, refer to the section
Managing SNMP Profiles.
SNMP retries The number of connection attempts when the server is in timeout, a value between 0 and
5. By default, it is set to 2. This field is required.
SNMP timeout The number of seconds between each connection attempt, either 1, 2, 3, 4, 5, 10 or 30.
By default, it is set to 5. This field is required.

9. Click on OK to complete the operation. The new appliance is listed. Its Role is Standalone
and its Status is Remote (managed).

Once you added a remote appliance:

• You can monitor it, as detailed in the section Monitoring the Appliances Managed from the
Page Centralized Management.
• You can manage it, as detailed in the section Managing the Services and Network Configuration
of Another Appliance.

1178
 Centralized Management

• You can configure it in High Availability, as detailed in the section Configuring Two Appliances
in High Availability.

Managing the Services and Network Configuration of

Another Appliance
Once you added an appliance to the page Centralized Management, you can remotely manage
its services and network configuration from a dedicated drop-down list.

Managing the Network Configuration of Another Appliance

From the page Network configuration of a Management or Master appliance, you can manage
the configuration of any appliance listed on the page Centralized Management.

To remotely manage the network configuration of another appliance

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Centralized Management. The page Centralized Manage-
ment opens.
3. Under the menu, in the drop-down list SOLIDserver, select the appliance of your choice.
The page refreshes.
All appliances are listed as follows: <hostname> (<IP address>). If an appliance is not
reachable, it is listed as follows: <hostname> (<IP address>) - Timeout.
4. Edit the network configuration according to your needs. For more details, refer to the chapter
Configuring the Network.

Managing the Services Configuration of a Remote Appliance

From the page Services configuration of a Management or Master appliance, you can manage
the configuration of any appliance listed on the page Centralized Management.

Keep in mind that you can edit any service except the source email address of the alert.
The address [email protected] that sends you the alert notifications has to be edited locally.

To remotely manage the services configuration of another appliance

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Centralized Management. The page Centralized Manage-
ment opens.
3. Under the menu, in the drop-down list SOLIDserver, select the appliance of your choice.
The page refreshes.
All appliances are listed as follows: <hostname> (<IP address>). If an appliance is not
reachable, it is listed as follows: <hostname> (<IP address>) - Timeout.
4. Edit the service configuration according to your needs. For more details, refer to the chapter
Configuring the Services.

1179
 Centralized Management

Monitoring the Appliances Managed from the Page

Centralized Management
Once you added remote appliances to the page Centralized Management you can monitor their
logs, their statistics and any time drift between the local appliance and the remote appliances.

Monitoring the Logs of Another Appliance

From the page Syslog, you can monitor the logs of all the appliances you manage remotely.

To monitor the logs of a remote appliance

Only users of the group admin can perform this operation.
1. Connect to the Master or Management appliance GUI.
2. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
3. In the section Monitoring, click on Syslog. The page Syslog opens.
4. Under the menu, in the drop-down list SOLIDserver, select the remote appliance of your
choice. The page refreshes.
The local appliance is listed using only its hostname. All remote appliances are listed as
follows: <hostname> (<IP address>). Unreachable appliances are listed as follows: <host-
name> (<IP address>) - Timeout.
5. In the drop-down list Service, select the service of your choice
6. Filter the column Log according to your needs.

Monitoring the Statistics of Another Appliance

From the page System statistics you can display the charts of the appliances you manage remotely.

Note that, if your remote appliances are in version 6.0.1 or higher, you can even generate the
statistics reports of a remote appliances. For more details, refer to the section Generating a Report.

To access the Statistics of a remote SOLIDserver

Only users of the group admin can perform this operation.
1. Connect to the Master or Management appliance GUI.
2. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
3. In the section Monitoring, click on System statistics. The page System statistics opens.
4. Under the menu, in the drop-down list SOLIDserver, select the remote appliance of your
choice. The page refreshes.
The local appliance is listed using only its hostname. All remote appliances are listed as
follows: <hostname> (<IP address>). Unreachable appliances are listed as follows: <host-
name> (<IP address>) - Timeout.
You can only display the statistics of a remote appliance in version 6.0.1 or higher, appliances
in lower versions are listed as follows: <hostname> (<IP address>) - Not supported.

For more details regarding each chart, refer to the section Monitoring the Appliance Statistics.

1180
 Centralized Management

Monitoring the Time and Date Drift Between Appliances

On the page Centralized Management, the column Time drift allows to monitor and compare the
time and date of your local and remote appliances.

With High Availability configurations, monitoring any time drift between the Master and Hot
Standby is paramount. Both appliances should be set at the same time. To ensure there is no
shortage of data on the Hot Standby appliance in case it needs to become a Master:
1. We strongly recommend that you configure the time and date of both the Master and
Hot Standby appliances via NTP servers. For more details, refer to the section Configuring
NTP Servers.
2. You can configure the alert Member clock drift that monitors the time drift between the Master
and the Hot Standby.

If you do not want to enroll any remote appliance as Hot Standby, the synchronization is optional.
If your local and remote appliances are set at the exact same time, it is useless to configure the
alert Member clock drift; you might even disable it. For more details, refer to the section Enabling
or Disabling Alerts.

Configuring the Alert that Monitors the Time Drift

The alert Member clock drift monitors the time difference between the Management or Master
appliance and the remote appliance(s) it manages. The alert is triggered if the time of any remote
appliance, whether a Hot Standby or not, has drifted too much from the management appliance
time.

You can edit the alert definition settings to suit your needs. By default:
• The alert is based on a filter of the column Time drift. The filter is set with a 20 seconds threshold
as follows: > 20 || < -20. The alert is raised:
• If the absolute time difference between the remote appliance and the Management or Master
appliance is higher than 20 seconds.
• If the absolute time difference between the remote appliance and the Management or Master
appliance is lower than 20 seconds.
To edit the threshold, refer to the procedure To edit the threshold of the alert Member clock
drift.
• The time difference check is performed every 5 minutes. To edit the frequency, refer to the
procedure To edit the alert Member clock drift default frequency and recipients.
• The alert sends an email alert to the users of the group admin. If you did not configure the
users' email address properly, they are not notified. To edit the recipients, refer to the procedure
To edit the alert Member clock drift default frequency and recipients below.

To edit the threshold of the alert Member clock drift

Only users of the group admin can perform this operation.
1. Connect to the Master or Management appliance GUI.
2. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
3. In the section Monitoring, next to Alerts, click on Definition. The page Alerts Definition
opens.
4. In the column Alert filter, click on Edit alert filters.You are redirected to the page Centralized
Management, where the alert was added. Above the menu, a blue banner indicates you
are in Alert edition mode.

1181
 Centralized Management

5. In the search engine of the column Time drift, the default filter > 20 || < -20 is visible.
6. Edit the filter according to your needs.
7. On the right-end side of the menu, click on . The wizard Quit editing the alert filters
opens.
8. Tick the box Save changes before quitting to save your new filter.
9. Click on OK to complete the operation. The report opens and closes. You are redirected
back to the page Alerts Definition.

To edit the alert Member clock drift default frequency and recipients
Only users of the group admin can perform this operation.
1. Connect to the Master or Management appliance GUI.
2. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
3. In the section Monitoring, next to Alerts, click on Definition. The page Alerts Definition
opens.
4. At the end of the line of the Member clock drift, click on . The properties page opens.
5. In the panel Main properties, click on EDIT . The wizard Edit an alert definition opens.
6. Tick the box Expert mode.
7. To edit the alert check frequency:
a. Tick the box Edit scheduling. The schedule drop-down lists appear.
b. By default, only the drop-down list Minutes is set to Every 5 minutes.
c. Select the values that suit your needs.
8. To edit the group of users receiving the alert or add recipients:
a. Make sure the box Send mail is checked.
b. In the drop-down list Mailing lists, select the group of users of your choice.
c. In the field Additional Mail, specify the email address of a user that does not belong
to the group selected. Click on ADD . The email address is moved to the Additional Mail
List. Repeat these actions for as many users as you need.
9. Click on OK to complete the operation. The report opens and closes.

Configuring Specific Thresholds to Monitor the Column System

State
The column System state returns the overall state of the appliance based on the information
returned by the columns CPU load (5 min), Disk I/O load (%), Fans status, HDD space, LAGG
status, Memory usage (%), Power Supply Units status and RAID status.

You can edit some registry database entries to set up thresholds and ensure that the system
state is Warning or Critical based on the value of the columns CPU load (5 min), Disk I/O load
(%), HDD space and Memory usage (%).

Table 101.5. The configurable registry database entries to return Critical and Warning System states
Registry database entry Description
module.system.member_snmp_cpu_crit The status Critical is returned if the value of the column CPU load
(5 min) matches or exceeds the value you set for the entry.
By default, it is set to 150.
module.system.member_snmp_cpu_warn The status Warning is returned if the value of the column CPU load
(5 min) matches or exceeds the value you set for the entry.

1182
 Centralized Management

Registry database entry Description

By default, it is set to 100.
module.system.member_snmp_hdd_crit The status Critical is returned if the value of the column HDD space
matches or exceeds the value you set for the entry.
By default, it is set to 90 %.
module.system.member_snmp_hdd_warn The status Warning is returned if the value of the column HDD space
matches or exceeds the value you set for the entry.
By default, it is set to 80 %.
module.system.member_snmp_ios_crit The status Critical is returned if the value of the column Disk I/O
load (%) matches or exceeds the value you set for the entry.
By default, it is set to 50 %.
module.system.member_snmp_ios_warn The status Warning is returned if the value of the column Disk I/O
load (%) matches or exceeds the value you set for the entry.
By default, it is set to 25 %.
module.system.member_snmp_mem_crit The status Critical is returned if the value of the column Disk I/O
load (%) matches or exceeds the value you set for the entry.
By default, it is set to 100 %.
module.system.member_snmp_mem_warn The status Warning is returned if the value of the column Disk I/O
load (%) matches or exceeds the value you set for the entry.
By default, it is set to 98 %.

The thresholds that you set only apply to the column System State on the appliance where you
configure the registry database. For that reason, if you manage remote appliances or a High
Availability configuration, you should edit the entries on the Management or Master appliance.

To set up a threshold to return a Warning or Critical state in the column System

State
Only users of the group admin can perform this operation.
1. If you manage remote appliances or a High Availability configuration, connect to the Master
or Management appliance GUI.
2. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
3. In the section Expert, click on Registry database. The page Registry database opens.
4. Filter the column Name with module.system.member_snmp.
5. Hit Enter. The matching keys are listed, for more details refer to the table.
6. In the column Value, click on the line of your choice. The wizard opens.
7. In the field Value, specify the value that suits your needs.
8. Click on OK to complete the operation. The new Value is visible on the page.

Configuring Two Appliances in High Availability

The High Availability (HA) is a system network design that ensures that your network continues
to respond even if one or more of its components fail. This architecture provides integrated disaster
recovery management operations for transparent and efficient service continuity. It also prevents
you from losing any data if anything were to happen to your managing platform.

1183
 Centralized Management

With SOLIDserver, High Availability implies that you connect together two appliances where one
local appliance is a Master and the other, a remote one, is a Hot Standby, i.e. a read-only backup
server replicating the content of the Master appliance database.

Master Hot Standby

The Hot Standby replicates the Master database

Figure 101.1. Appliances in High Availability

The Master and Hot Standby appliances work together to make sure that when the automatic
switch is enabled, if the Master crashes or encounters any problem, the Hot Standby can
replace it immediately and vice versa. Therefore, the Hot Standby must replicate the Master
database as often as possible.

Master Hot Standby

1 The replication stopped

Hot Standby Master

2 The Hot Standby becomes the Master

Hot Standby Master

3 The database replication starts again

Figure 101.2. Switch mechanism if the replication stops

Prerequisites
• You must have two SOLIDserver appliances.
• The HA configuration can only be configured from and with appliances using an IPv4 address.
• The Master appliance should be configured locally as detailed in the section Configuring
SOLIDserver to Remotely Manage Other Appliances.
• The future Hot Standby must be added to the page Centralized Management of the Master as
detailed in the section Adding Remote Appliances.

Limitations
• The database High Availability is configurable only for two appliances.
• We strongly advise against displaying several HA configurations on the page Centralized
Management. If you add an appliance to this list, it means that you want to manage it.Therefore,
if you decide to add to your managing appliance two appliances configured in High Availability,
it means that you intend to manage them from the managing appliance. On the page Centralized
Management of the appliances in HA, the appliance Status changes from OK to Invalid creden-

1184
 Centralized Management

tials because the local admin management password overwrites the management password
locally set on the Master appliance of this other HA configuration.
• The HA does not support the configuration of a NAT between the two appliances. Both
appliances send their local IP address when they communicate, therefore the converted IP
address cannot be used in the HA communication. Configuring a NAT might even break the
HA configuration.
• If you encrypted the database, you cannot enroll a remote appliance as Hot Standby if the
Active key of the local appliance, the future Master, is missing or corrupted.

Setting a High Availability Configuration

Once the Master appliance is configured locally and the future Hot Standby is added to the page
Centralized Management of the Master, you can configure High Availability between the appli-
ances, i.e. enroll the Hot Standby.

This configuration has to be done from the future Master appliance and can be done on layer 2
or 3 of the network. For more details, refer to the section Frequently Asked Questions.

Keep in mind that for the configuration to be viable and effective the two appliances must:
• Meet the prerequisites.
• Be set at the same time. For more details, refer to the section Configuring NTP Servers.
• Have the same version of SOLIDserver.
• Have the same performance rate, to ensure a smooth transition. In the event of a switch, the
former Hot Standby has retrieved all the database information and can actually provide the
same performance and efficiency as the original Master.
• Have the same architecture (32 bits or 64 bits).

To configure High Availability between two appliances

Only users of the group admin can perform this operation.
1. Connect to the future Master appliance GUI.
2. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
3. In the section System, click on Centralized Management. The page Centralized Manage-
ment opens.
4. Tick the appliance you want to set up as Hot Standby.
5. In the menu, select Edit > Enroll SOLIDserver as Hot Standby. The wizard Enroll
SOLIDserver as Hot Standby opens.
6. Click on OK to complete the operation. The report opens and works for a while until the Hot
Standby appliance database is erased and replaced by the Master appliance database. The
appliance set as Hot Standby is unavailable for a while. Each appliance Role is modified
according to the configuration, they now share the same HA UID.

Once the High Availability is configured:

1. The information on the page Centralized Management of the Master is now also available on
the Hot Standby appliance.
2. On the page Centralized Management of the Hot Standby appliance, the only operation
available is switching the appliances role. For more details, refer to the section Switching the
High Availability Configuration.
3. The Hot Standby appliance is now in read-only mode. Every modification made on the Master
appliance is copied in the Hot Standby database almost in real-time.

1185
 Centralized Management

You can no longer edit the remote appliance database locally but you can still edit the services
and network configuration of both appliances separately. For more details, refer to the sections
Managing the Network Configuration of a Remote Appliance and Managing the Services
Configuration of a Remote Appliance.
4. The Hot Standby appliance replicates the content of the Master appliance database to provide
a backup if it has to replace the current Master appliance.
• From the page Centralized Management of the Master appliance, you should monitor the
columns Time drift and Replication offset, to make sure that the Hot Standby appliance
properly replicates the database. If at some point the replication stops, you can enroll again
the Hot Standby appliance following the procedure To configure High Availability between
two appliances.
• You can, for instance, configure and enable the automatic switch so that, if the Hot Standby
has not replicated the Master database in the last 60 seconds, it should check the Master
status three times in a row, every 4 seconds. If there is no response (timeout, etc.), the Hot
Standby switches to Master. For more details, refer to the section Controlling the Automatic
Switch Mechanisms if the Network is Unreliable.
Note that the automatic switch is not enabled by default. You can manually enable it.
For more details, refer to section Configuring High Availability Advanced Options.

Editing Remote Appliances

You can edit the local and remote appliance(s) IP address, admin account password and/or
SNMP monitoring parameters.

To edit a remote appliance

1. Connect to the future Master or Management appliance GUI.
2. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
3. In the section System, click on Centralized Management. The page Centralized Manage-
ment opens.
4. In the column Name, right-click on the appliance of your choice. The contextual menu opens.
5. Click on Edit. The wizard Add/modify remote SOLIDserver opens.
6. Edit the fields SOLIDserver IP address, "Admin" account password and SNMP paramet-
ers according to your needs. For more details, refer to the section Adding Remote Appliances.
Note that for security purposes, the field "Admin" account password is emptied out in the
edition wizard.
7. Click on OK to complete the operation. The new appliance is listed. Its Role is Standalone
and its Status is Remote (managed).

Managing a High Availability Configuration

Once you have successfully configured appliances in High Availability, you can:
• Monitor the Hot Standby from the Master appliance. For more details, refer to the section
Monitoring the Appliances Managed from the Page Centralized Management.
• Manage the configurations on the pages Services configuration and Network configuration of
the Hot Standby from the Master appliance. For more details, refer to the section Managing
the Services and Network Configuration of Another Appliance.
• Update the database of the Hot Standby, as detailed in the section Updating the Database
of the Hot Standby.

1186
 Centralized Management

• Configure advanced options to make sure your High Availability appliances behave as ex-
pected if your network is unreliable or may be disrupted or if the replication is slow or stopped,
as detailed in the section Configuring High Availability Advanced Options.
• Replace SOLIDserver appliances and keep a viable High Availability configuration. You can
replace either appliance, with or without backup, as detailed in the section Replacing An Appli-
ance in High Availability.
• Troubleshoot the configuration as detailed in the section High Availability Configuration
Troubleshooting Solutions.
• Answer some frequently asked questions, all detailed in the section High Availability Con-
figuration Troubleshooting Solutions.

Updating the Database of the Hot Standby

You can execute the option Update HA files database to update the database of the Hot Standby.

This option is useful if any new file on the Master appliance has not been replicated yet on the
Hot Standby or if you intend to manually switch the appliances roles in the configuration, as detailed
in the section Switching the High Availability Configuration

Note that if you enabled the automatic switch, the option is automatically launched before the
switch.

To update the database of appliances in High Availability

Only users of the group admin can perform this operation.
1. Connect to the Master appliance GUI.
2. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
3. In the section System, click on Centralized Management. The page Centralized Manage-
ment opens.
4. In the menu, select Tools > Update HA files database. The report opens.
5. Click on OK to complete the operation. The report opens and closes. The columns Last
write periods, Time drift and Replication offset are updated.

Switching the High Availability Configuration

Switching the High Availability configuration means switching the Role of each appliance in the
configuration, the Master becomes the Hot Standby and vice versa.

Via the option Manually switch local SOLIDserver to master you can switch a configuration. Note
that:
• The option must be executed from the Hot Standby as you cannot make a Master change
its role to Hot Standby.
• The switch is no longer automatic by default. If you want to automatically detect potential
problems on the Master (timeout, crash...) and switch the appliances roles, you must enable
this behavior. For more details, refer to the section Configuring High Availability Advanced
Options.
• Even with the automatic switch enabled, you can manually switch the configuration.

To switch the appliances role in a High Availability configuration

Only users of the group admin can perform this operation.

1187
 Centralized Management

1. Connect to the Hot Standby appliance GUI. The message This SOLIDserver is a Hot
Standby: Database is in READ-ONLY mode is present on every page.
2. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
3. In the section System, click on Centralized Management. The page Centralized Manage-
ment opens.
4. Update the Hot Standby database:
a. In the menu, select Tools > Update HA files database. The report opens.
b. Click on OK to complete the operation. The report opens and closes. The columns Last
write periods, Time drift and Replication offset are updated.
5. Switch the configuration:
a. In the menu, select Tools > Manually switch local SOLIDserver to master. The
report opens.
b. Click on OK to complete the operation.
The Role of the former Hot Standby appliance is Master (recovered). The former
Master appliance is marked Master (Hot Standby init). For more details, refer to the
table The default columns on the page Centralized Management.
The Hot Standby appliance is unavailable until it has replicated the Master database.

Configuring High Availability Advanced Options

Some registry database keys allow you to customize the High Availability switch and automatic
re-enrollment mechanisms.

Checking if the Automatic Switch is Enabled

Once you configured the High Availability, you can set up an automatic switch of the appliances
role. First of all, you need to check if the behavior is enabled.

To check if the automatic switch is enabled

Only users of the group admin can perform this operation.
1. Connect to the Master appliance GUI.
2. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
3. In the section Expert, click on Registry database. The page Registry database opens.
4. Filter the column Name with module.system.max_hot_standby_time_skew.
5. Hit Enter. Only this key is listed. If the value is 0 or -1, the automatic switch is disabled.
To enable it or set custom switch behaviors, refer to the section Controlling the Automatic
Switch Mechanisms if the Network is Unreliable.

Controlling the Automatic Switch Mechanisms if the Network is Unreliable

If your network is unreliable, you can monitor both appliances thanks to:
• The column Offset replication, it allows to monitor the Hot Standby database reliability.
• Some keys in the registry database that allow to control the switch mechanism, avoid flapping
and ensure that the switch occurs if and only if there is a problem on the Master appliance.

The High Availability dedicated keys each serve a specific purpose and can impact or be impacted
by one another. They allow to:

1188
 Centralized Management

Control the automatic switch

The key module.system.max_hot_standby_time_skew allows to control and potentially prevent
the automatic switch itself, based on the appliances Last write period.
This key is disabled on fresh installations and the switch is no longer automatic by
default, its value is -1. Note that after an upgrade from a previous version, it can still be en-
abled.
You can edit the key to enable the automatic switch again. Its usual value is 3600 seconds,
if the last write period is greater than an hour, the two appliances cannot switch automatically.
The key can be set with values between -1 and 2^31. Setting the key to 0 or -1 prevents the
automatic switch altogether, regardless of the values set for the other High Availability ded-
icated keys described below. Any value greater than 0 enables the switch.
Keep in mind that if you stop the automatic switch, if your appliances stop communicating
and the Hot Standby stopped replicating the Master database, you must configure the HA
again. For more details, refer to the section Disabling the HA Configuration Without Losing
the Database.
Set the maximum period of time a switch should take
The key module.system.init_hot_standby_timeout allows to control how long a switch should
take, whether you are enrolling an appliance or switching the roles.
By default, it is set to 1000 seconds, if the Hot Standby initialization stage has not evolved
after 16 minutes, the enrollment or switch stops and the appliance keeps its current role as
Standalone or Master.
Setting a high value for this key is useful if the Master database is very large or if your network
is not reliable.
Set a replication lag period before switching
The key module.system.hot_standby_max_replication_lag allows to set a lack of database
replication period before automatically switching the appliances role.
By default, it is set to 60 seconds, if the Hot Standby has not replicated the database in the
last 60 seconds, it tries to contact the Master appliance n times (n is defined by the key
module.system.hot_standby_switch_retry). If the Master is not responding, i.e. it does not
send its role and status, the Hot Standby switches to Master.
Set the number of retries before switching
The key module.system.hot_standby_switch_retry allows to control the number of retries
before automatically switching the appliances role.
By default, it is set to 3 attempts, if the Hot Standby appliance cannot connect to the Master
and check its role and status, it tries to get an answer 3 times in a row. If after 3 attempts
there is still no answer, it takes over the Master role.
Keep in mind that the retries check frequency is defined by the key module.sys-
tem.hot_standby_switch_sleep detailed below.
Set a connection timeout between the appliances
The key module.system.hot_standby_connect_timeout allows to set a maximum response
time for the Master appliance.
By default, it is set to 4 seconds. If after 4 seconds, the connection is not established, the
Hot Standby considers the Master appliance to be down. It then waits for n seconds (the
value of the key module.system.hot_standby_switch_sleep) until it tries establishing a con-
nection again.
Keep in mind that the number of connection retries is defined by the key module.sys-
tem.hot_standby_switch_retry, and that the retry frequency depends on the key module.sys-
tem.hot_standby_switch_sleep.
Set the frequency of the retries
The key module.system.hot_standby_switch_sleep allows to set the retries check frequency.

1189
 Centralized Management

By default, it is set to 4 seconds, if the Hot Standby does not get an answer from the Master,
it tries every 4 seconds n times (depending on the number of retries you set for the key
module.system.hot_standby_switch_retry).
Prevent unexpected switches during minor issues on the network
Among other configurations, the registry database entries can be used to prevent unexpected
switches if the network experiences minor issues. To do so you should increase the switch
lag period (the value of the key module.system.hot_standby_max_replication_lag) and/or
the number of retries (the value of the key module.system.hot_standby_switch_retry). Keep
in mind that a large number of retries might overload the network.
To disable the automatic switch altogether, refer to the section detailing how to control the
automatic switch.

To configure the High Availability switch behavior from the registry database
Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Registry database. The page Registry database opens.
3. Filter the column Name with the name the key of your choice. For more details, refer to the
High Availability keys.
4. Hit Enter. Only the key of your choice is listed.
5. In the column Value, click on the value listed. The wizard Registry database Edit a value
opens.
6. In the field Value, specify the value of your choice. For more details, refer to the High
Availability keys.
7. Click on OK to complete the operation. The report opens and closes. The page refreshes
and the new value is displayed.

Anticipating a Network Disruption

At some point you might plan on disrupting the network or shutting it down for potential repairs,
equipment changes... In this case, we strongly recommend that you disable the HA config-
uration.

Indeed, in any event of a network disruption, the appliances configured in High Availability go in
Timeout or switch their roles. If the switch is unsuccessful, when the appliances start again you
may have two Master appliances and a potential case of split-brain. With no appliance set as
Hot Standby, you need to decide which one should switch to this role. For more details, refer to
the section Troubleshooting a Split-brain.

To prevent any loss of data, we suggest that you follow the procedure in the section Disabling
the High Availability Configuration. Once the network is back on, you must configure the HA
again.

Configuring Specific Behaviors if the Replication Takes a Long Time or

Stopped
A set of keys in the registry database allow to automatically re-enroll the Hot Standby, that is
to say replicate again the entire database of the Master.You can customize the triggers or disable
the functionality. The automatic re-enrollment applies if:

1190
 Centralized Management

The database replication stopped

If the replication stopped because the Hot Standby is no longer connected, the Master
automatically re-enrolls it. On the page Centralized Management, the Hot Standby status is
Repl. stopped.
The key module.system.auto_replication_repair is enabled by default. If you want to disable
the automatic re-enrollment, you must set the value of the key to 0.
The database replication is taking a long time
With a large Replication offset a switch could make you lose the latest changes. You can
monitor the offset and set a threshold to automatically re-enroll your Hot Standby.
• The key module.system.warning_replication_lag allows to set the maximum replication
offset before generating a warning message in the logs. By default, it is set to 10240 kB.
• The key module.system.max_replication_lag allows to set the maximum replication offset
before re-enrolling the Hot Standby. By default, it is set to 307200 kB. Note that if the
automatic re-enrollment is disabled, the offset is ignored.
To make sure that the Master does not try re-enrolling the Hot Standby indefinitely, it
automatically tries the re-enrollment a maximum of 3 times over 24 hours. If it does not
succeed, a message is displayed in the GUI and you need to troubleshoot the HA yourself.
For more details, refer to the section Troubleshooting the Messages.
• The key module.system.auto_replication_repair.threshold allows to set how long the
maximum replication offset can be exceeded before re-enrolling the Hot Standby. By default,
it is set to 60 times 10 seconds, i.e. if the module.system.max_replication_lag is exceeded
during 10 minutes or more, the re-enrollment is triggered.
Note that to be notified of any replication delay before the Hot Standby is automatically re-
enrolled, the value of the key module.system.warning_replication_lag should be lower than
the value of the key module.system.max_replication_lag.

Keep in mind that the automatic re-enrollment configuration of the Hot Standby is ignored during
an upgrade of appliances configured in High Availability.

To disable the automatic re-enrollment of the Hot Standby

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Registry database. The page Registry database opens.
3. Filter the column Name with module.system.auto_replication_repair.
4. Hit Enter. Only this key is listed.
5. In the column Value, click on the value listed. The wizard Registry database Edit a value
opens.
6. In the field Value, type in 0 to disable it. The default value is 1.
Note that once the key is disabled, the key module.system.max_replication_lag is ignored.
7. Click on OK to complete the operation. The report opens and closes. The page refreshes
and the new value is displayed.

To set the maximum replication offset before generating a log message

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Registry database. The page Registry database opens.
3. Filter the column Name with module.system.warning_replication_lag.
4. Hit Enter. Only this key is listed.

1191
 Centralized Management

5. In the column Value, click on the value listed. The wizard Registry database Edit a value
opens.
6. In the field Value, specify the value of your choice, in kB. The default value is 10240.
7. Click on OK to complete the operation. The report opens and closes. The page refreshes
and the new value is displayed.

To set the maximum replication offset before re-enrollment

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. Make sure the key module.system.auto_replication_repair is enabled, set to 1. If it is disabled,
the automatic re-enrollment is not triggered.
3. In the section Expert, click on Registry database. The page Registry database opens.
4. Filter the column Name with module.system.max_replication_lag.
5. Hit Enter. Only this key is listed.
6. In the column Value, click on the value listed. The wizard Registry database Edit a value
opens.
7. In the field Value, specify the value of your choice, in kB. The default value is 307200.
8. Click on OK to complete the operation. The report opens and closes. The page refreshes
and the new value is displayed.

To set how long the maximum replication offset can be exceeded before
re-enrollment
Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. Make sure the key module.system.auto_replication_repair is enabled, set to 1. If it is disabled,
the automatic re-enrollment is not triggered.
3. In the section Expert, click on Registry database. The page Registry database opens.
4. Filter the column Name with module.system.auto_replication_repair.threshold.
5. Hit Enter. Only this key is listed.
6. In the column Value, click on the value listed. The wizard Registry database Edit a value
opens.
7. In the field Value, specify the value of your choice. The default value is 60 time 10 seconds,
i.e. 10 minutes.
8. Click on OK to complete the operation. The report opens and closes. The page refreshes
and the new value is displayed.

High Availability Configuration Troubleshooting Solutions

You need to troubleshoot the HA configuration if there is a replication problem or if you have an
improper configuration. Keep in mind that the configuration is viable and effective only if the
two appliances:
• Are set at the same time. For more details, refer to the section Configuring NTP Servers.
• Have the same version of SOLIDserver.
• Have the same performance rate, to ensure a smooth transition. In the event of a switch, the
former Hot Standby has retrieved all the database information and can actually provide the
same performance and efficiency as the original Master.
• Have the same architecture (32 bits or 64 bits).

1192
 Centralized Management

Note that, if you do not meet all these requirements, warning messages are displayed above the
top bar of the Hot Standby appliance GUI.

Troubleshooting the Messages

To help you monitor the High Availability configuration a set of red messages can be displayed
on all the pages of the appliances to inform or warn you.

This SOLIDserver is a Hot Standby: Database is in READ-ONLY mode.

• Appliance: Hot Standby.
• Problem: There is no configuration problem, this message indicates that you cannot edit the
Hot Standby appliance database locally, it automatically replicates the Master database.
• Solution: N/A. This message is informative.

This SOLIDserver is initializing the Master appliance database replication.

• Appliance: Hot Standby, when it is still in Hot Standby (init).
• Problem: There is no problem, the replication is starting. The Hot Standby database should
soon be in read-only.
• Solution: Wait until the replication is complete. This message is informative.

This SOLIDserver cannot automatically switch to Master: its database is out-of-date.

• Appliance: Master recovered.
• Problem: The replication offset is higher than the limit set in the key module.sys-
tem.max_hot_standby_time_skew. Therefore during the appliances switch, the Hot Standby
became Master recovered and the former Master never became Hot Standby.
• Solution: Disable the High Availability configuration following the split-brain manual resolution.

High Availability Configuration: impossible to reach the remote SOLIDserver.

• Appliance: Master.
• Problem: The Hot Standby is unreachable, so it does not replicate the Master database.
• Solution: Delete the Hot Standby from the page Centralized Management, add it to the page
again and enroll it as detailed in the section Configuring Two Appliances in High Availability.

The two SOLIDserver appliances you configured in High Availability have DIFFERENT
ARCHITECTURES. They must have the same architecture for the database replication to
work.
• Appliance: Master.
• Problem: The Master and Hot Standby appliances do not have the same architecture version,
therefore the database replication is impossible.
• Solution: Upgrade the Hot Standby appliance from the Master appliance: the Hot Standby is
automatically upgraded to the architecture version of the Master. For more details, refer to the
section Upgrading Appliances Managed Remotely in the chapter Upgrading.

The two SOLIDserver appliances you configured in High Availability have DIFFERENT
VERSIONS. To avoid configuration problems you should upgrade the Hot Standby from
the Master.
• Appliance: Master.
• Problem: The Master and Hot Standby appliances do not have the same version of SOLIDserver,
therefore the database replication may encounter some problems.

1193
 Centralized Management

• Solution: Upgrade the Hot Standby appliance from the Master appliance: the Hot Standby is
automatically upgraded to the version of SOLIDserver of the Master. For more details, refer to
the section Upgrading Appliances Managed Remotely in the chapter Upgrading.

The information used to identify the local SOLIDserver has changed.

• Appliance: Master and Standalone.
1
• Problem: The manufacturer, product and/or serial number of the Master appliance have been
edited or you restored another appliance's backup. These three pieces of information are
needed to identify the appliance.
• Solution: Delete the unwanted remote appliances from the page Centralized Management and
configure the High Availability again following the procedures in the sections Configuring Two
Appliances in High Availability.

A case of SPLIT-BRAIN was detected: both SOLIDserver appliances configured in HA are

set as Master. As changes have been made through both servers, you are in Restricted
mode. To go back to a proper HA configuration you need to choose which SOLIDserver
should remain the Master: connect as an administrator to the Master and on the page
Centralized Management select Tools > Manually switch this SOLIDserver to master.
• Appliance: Master and Hot Standby.
• Problem: During the appliances switch, the Hot Standby became Master and the former Master
stayed Master as well.The automated detection could not resolve the situation. For more details,
refer to the section Troubleshooting a Split-brain.
• Solution: Disable the High Availability configuration following the split-brain manual resolution.

You are in Restricted mode. From the page Centralized Management you can go back to
Normal mode: either configure the local SOLIDserver or delete all the remote appliances.
• Appliance: Master and Hot Standby.
• Problem: Either your appliances are in split-brain, one of them is in Timeout or the replication
stopped.
• Solution: Follow the troubleshooting solution of the other message displayed in the GUI. Each
problem has a specific solution.

The Hot Standby database replication stopped.

• Appliance: Master.
• Problem: The Hot Standby can no longer replicate the Master database. If they switch, you
lose the latest changes performed on the Master appliance.
• Solution: Find the origin of the problem, you might need to disable the High Availability and
configure it again following the procedures in the sections Configuring Two Appliances in High
Availability.

Troubleshooting a Split-brain
If appliances configured in High Availability did not successfully switch roles and both end up as
Master appliances, they may be in split-brain. In which case, the replication stops and you may
need to intervene.

With two Master appliances, whether they are both Master or one is Master and the other is
Master (recovered), there no longer is a backup appliance and both appliances could potentially
overwrite each other's changes.

1
This information is displayed in the gadget System information of the Master appliance Home page.

1194
 Centralized Management

To help prevent the split-brain, a set of checks are performed, when the appliances communicate
once again:
1. SOLIDserver starts up in Restricted mode and goes back in normal mode if and only if no High
Availability conflicts are detected.
2. SOLIDserver checks if both appliances share the same version. If not, a message is displayed
on every page of the appliance with the latest version.
3. SOLIDserver checks if both appliances share the same role.
If it turns out that both appliances are Master, the automated detection checks are ran to avoid
staying in Restricted mode.
If the automated resolution cannot reconfigure the High Availability, you need to perform the
manual resolution.

Automated Detection
When a Master appliance detects that the other appliance is also a Master, SOLIDserver performs
three checks to try and avoid a case of split-brain:
1. If no appliance has been edited since the last synchronization: the last appliance that
switched to Master remains Master and enrolls the other appliance as Hot Standby.
2. If one appliance has been edited since the last synchronization: the last appliance that
was modified becomes Master and enrolls the other appliance as Hot Standby.
3. If both appliances have been edited since the last synchronization: SOLIDserver puts
them in Restricted mode with the status Split-brain, as specified in the red banner message
displayed above the top bar of both appliances. To configure the appliances in High Availability
again, refer to the manual resolution.

Manual Resolution
The manual resolution is only needed when the appliances in HA are in a case of split-brain that
puts them in Restricted mode, as specified in the red message displayed on every page of both
appliances. This mode implies two behaviors:
1. The synchronization between the appliances stopped, as if you had two Standalone appliances
with the same HA UID.
2. You can still edit the database of both appliances but no changes are actually pushed on the
physical server(s).

To go back to a viable configuration, you have two possibilities:

• Disable the High Availability and configure it again as described in the section Disabling the
HA Configuration Without Losing the Database.
• Force the configuration and choose which appliance becomes the Master as described in the
section Switching the High Availability Configuration.

Disabling the HA Configuration Without Losing the Database

In some cases, like in the event of a split-brain, you might want to disable the HA configuration
but keep both appliances database. In this case, you need to switch one appliance to Standalone.

Before switching an appliance to Standalone, keep in mind that:

1. You should only switch an appliance to Standalone if:
• Your appliances in High Availability are in split-brain. In which case, you end up with two
Master appliances and need to reconfigure the HA. For more details, refer to the section
Troubleshooting a Split-brain.

1195
 Centralized Management

• Your appliances in High Availability disconnected somehow and the automatic switch was
disabled using the registry key detailed in the section Controlling the Automatic Switch
Mechanisms if the Network is Unreliable. In which case, the replication stopped and you
need to set it up again.
In any other case, disabling the configuration should be done using the standard procedure
detailed in the section Disabling the High Availability Configuration.
2. It is impossible to switch a Master appliance to Standalone if it has a Hot Standby.
3. The Hot Standby appliance must always be the first one to be switched to Standalone.
4. Switching an appliance to Standalone erases the database entirely whether the appliance is
a Hot Standby or a Master. So if you switch both appliances to Standalone, you erase your
entire database.
5. Switching an appliance to Standalone automatically saves a backup file for the appliance.
6. Switching an appliance to Standalone has to be done locally.You must connect to the appliance
via its IP address.

To disable HA configuration by putting the Hot Standby appliance in standalone

Only users of the group admin can perform this operation.
1. Connect to your Hot Standby appliance GUI.
2. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
3. In the section System, click on Centralized Management. The page Centralized Manage-
ment opens.
4. In the menu, select Tools > Reset local SOLIDserver to standalone. The wizard Reset
local SOLIDserver to standalone opens.
5. Click on OK to complete the operation. The report opens and works for a while, a backup of
the database is saved before the appliance database is erased.
The appliance Role is now Standalone. During the switch, the appliance might be unavailable.

Once the former Hot Standby appliance has rebooted and is reachable:
• Connect to its GUI via its IP address and log in using the credentials of a user belonging to the
group admin.
• Configure the Internal module setup once again. For more details, refer to the section Defining
the Internal Module Setup.
• Make sure the appliance is a Standalone, either in the gadget General information of the appli-
ance Main dashboard or directly on the page Centralized Management.
• You can display or download its backup file from the page Backup & Restore. For more details,
refer to the section Managing Backups and Restoring Configurations.

To reconfigure the High Availability, you must:

1. Connect to the Master appliance using its IP address.
2. Go to the page Centralized Management and make sure the former Hot Standby appliance
has:
• The Role Standalone.
• The status OK.
3. If the Standalone appliance status is OK, you must:
• Enroll it as the Hot Standby. For more details, refer to the procedure To configure High
Availability between two appliances.
4. If the Standalone appliance status is not OK, you must:

1196
 Centralized Management

• Delete it from the page Centralized Management of the Master appliance. For more details,
refer to the procedure To disable the High Availability configuration.
• Add it to page the Centralized Management again. For more details, refer to the procedure
To add a remote appliance.
• Enroll it as the Hot Standby. For more details, refer to the procedure To configure High
Availability between two appliances.

Frequently Asked Questions

1. Can I be warned of configuration problems?
Yes, you can set an alert on the page Centralized Management to be informed of any change
via email or SNMP trap. For more details regarding the alerts configuration, refer to the
chapter Managing Alerts.
For instance, filter the appliances through the Status column to detect a Split-brain or any
status different from OK. If your configuration ends up in split-brain, refer to the section
Troubleshooting a Split-brain.
2. Can I set up the HA on any network layer?
The appliances can be configured on layer 2 or 3 of the network.
Layer 2 configuration: If the appliances are configured on layer 2, they belong to the same
LAN. Therefore you can set up a VIP interface that would allow you to access the current
Master appliance of the configuration through the IP address you set (the original master if
it is acting as a master, or the Hot Standby if the configuration was switched). For more details,
refer to the section Configuring a VIP in the chapter Configuring the Network.
Layer 3 configuration: If the appliances are configured on layer 3, they do not belong to the
same LAN.The HA is still configurable and running perfectly through the routers that connect
them but it is impossible to set a VIP to access the Master appliance.
3. Can I customize the HA mechanism to suit my network?
Yes, if your network is unreliable or experiences frequent disruptions, your administrator can
follow the procedure of the section Configuring High Availability Advanced Options. It details
the registry database key that you can edit to modify the HA number of retries or configure
automatic switch parameters.
4. What can I do from the Hot Standby appliance?
You cannot edit the database as it is replicating the content of the Master database. However,
from the Hot Standby appliance you can:
• Switch the appliances roles and convert the Hot Standby in Master. For more details, refer
to the section Switching the High Availability Configuration.
• Switch the Hot Standby to Standalone. This operation must be performed carefully as it
erases the database entirely and disables the High Availability configuration. This operation
is only recommended in the event of a split-brain. For more details, refer to the section
Disabling the HA Configuration Without Losing the Database.
• Set up the Network configuration page according to your needs. This page is independent
from the database and can therefore be configured differently on the Master and Hot
Standby appliances. For more details, refer to the chapters Centralized Management and
Configuring the Network.
• Set up the System configuration page according to your needs. This page is independent
from the database and can therefore be configured differently on the Master and Hot
Standby appliances. For more details, refer to the chapters Centralized Management and
Configuring the Network.
• Save a backup of the appliance. For more details, refer to the section Managing Backups
and Restoring Configurations.

1197
 Centralized Management

However, you cannot restore the backup of an appliance in High Availability. You need to
disable the High Availability, restore the backup and then configure the High Availability
again.

Replacing Appliances Managed Remotely

At some point, you might need to replace an appliance that you manage from the page Centralized
Management.

To replace appliances you must take into account if they are simply remotely managed or con-
figured in High Availability.

Replacing an Appliance Managed Remotely

To successfully replace an appliance managed remotely you need to:
1. Remove the appliance from the page Centralized Management of the managing appliance
For more details, refer to the section Deleting Appliances Managed Remotely.
2. Add the new appliance to the page Centralized Management of the managing appliance
• First, you need to configure locally the new appliance. For more details, refer to the section
Configuring SOLIDserver to Remotely Manage Other Appliances.
• Second, you need to add the new appliance to the page Centralized Management of the
managing appliance. For more details, refer to the section Adding Remote Appliances.

Replacing An Appliance in High Availability

With appliances configured in High Availability, to prevent any loss of data, you must always
replace the Hot Standby appliance. There are two scenarios possible:
1. You can replace an appliance that has a backup, following the recommendations of the section
Replacing a Hot Standby Appliance With Backup.
2. You can replace an appliance that has no backup available, following the recommendations
of the section Replacing a Hot Standby Appliance Without Backup.

Replacing a Hot Standby Appliance With Backup

If you generated a backup of the appliance you need to replace, you must follow the steps below.
1. If the appliance that needs to be replaced is the Master, switch its role to Hot Standby.
For more details, refer to the section Switching the High Availability Configuration.
2. Disable the High Availability configuration from the Master appliance: delete the Hot Standby
from the page Centralized Management. The Hot Standby switches to Standalone. For more
details, refer to the section Disabling the High Availability Configuration.
3. Restore the backup on the Standalone appliance. For more details, refer to the procedure
To restore a backup file.
4. Switch the current Master to Standalone only once when the restoration of the backup on
the other appliance is complete, this ensures your database availability. You now have two
Standalone appliances: one with backup that becomes the Master, and one totally empty that
becomes the Hot Standby.
5. Configure the High Availability again:
• First, connect to the appliance where you restored the backup, the future Master appliance,
and add the future Hot Standby to the page Centralized Management. For more details,
refer to the section Adding Remote Appliances.

1198
 Centralized Management

• Second, enroll the Hot Standby. For more details, refer to the procedure To configure High
Availability between two appliances in the section Setting a High Availability Configuration.
6. If you restored your backup directly on your Hot Standby, manually switch the appli-
ances' role. If you followed this procedure from step 2, your current Master used to be the
Hot Standby so you may need to switch their role back again. For more details, refer to the
section Switching the High Availability Configuration.

Replacing a Hot Standby Appliance Without Backup

The replacement of an appliance in HA with no backup must follow the steps below:
1. Put the appliance that needs to be replaced in Hot Standby role, if it is currently the
Master. For more details, refer to the section Switching the High Availability Configuration.
2. Disable the High Availability configuration. For more details, refer to the section Disabling
the High Availability Configuration.
3. Set the network and services configuration of the future Hot Standby appliance according
to your needs. For more details, refer to the sections Configuring the Network and Configuring
the Services.
We strongly recommend that you use an NTP server to set both appliances at the time.
4. Add the new appliance to the page Centralized Management of the Master appliance
and enroll it:
• First, you need to add the new appliance to the page Centralized Management of the Master
appliance. For more details, refer to the section Adding Remote Appliances
• Second, you need to enroll the new appliance as Hot Standby. For more details, refer to
the procedure To configure High Availability between two appliances.
5. Manually switch the configuration if the new appliance is supposed to be the Master in
the configuration. For more details, refer to the section Switching the High Availability Con-
figuration.

Exporting Remote Appliances

From the page Centralized Management, you can export the data listed in a CSV, HTML, XML,
XLS or PDF file.

Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.

Deleting Remote Appliances

At any point you can delete a remote appliance from the page Centralized Management.

Before going further keep in mind that:

• It is impossible to delete the local appliance.
• For appliances remotely managed, deleting an appliance allows to stop managing it re-
motely. For more details, refer to the section Deleting Appliances Managed Remotely.
• For appliances in High Availability, deleting the Hot Standby disables the High Availability.
For more details, refer to the section Disabling the High Availability Configuration

1199
 Centralized Management

Deleting Appliances Managed Remotely

Deleting a remote appliance removes it from the list. You no longer manage the appliance.

If the appliance is configured in High Availability, refer to the section Disabling the High Availab-
ility Configuration.

To delete an appliance from the page Centralized Management

1. Connect to the Master or Management appliance GUI.
2. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
3. In the section System, click on Centralized Management. The page Centralized Manage-
ment opens.
4. Tick the appliance(s) of your choice.
5. In the menu, click on Delete. The wizard Delete opens.
6. Click on OK to complete the operation. The report opens and closes. The appliance is no
longer listed.

Disabling the High Availability Configuration

From the page Centralized Management of the Master appliance you can delete the Hot Standby.
Before going further, keep in mind that:
• Deleting the Hot Standby disables the configuration because its Role is revoked, the
communication with the Master breaks and therefore the replication stops.
• The database of the Hot Standby is erased.
If you want to disable the High Availability and keep the Hot Standby database intact, refer to
the section Disabling the HA Configuration Without Losing the Database.
• The HA UID of the Master appliance changes for two reasons:
1. To prevent any other appliance from managing it as it would delete its database.
2. The HA UID can be used again during the next HA configuration with this appliance as a
Master.

To disable the High Availability configuration

Only users of the group admin can perform this operation.
1. Connect to the Master appliance GUI.
2. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
3. In the section System, click on Centralized Management. The page Centralized Manage-
ment opens.
4. Tick the Hot Standby appliance.
5. In the menu, click on Delete. The wizard Delete opens.
6. Click on OK to complete the operation. The report opens and works until the Hot Standby
database is erased. The wizard closes. The Hot Standby is no longer listed on the page.
The former Master appliance keeps a Master role.
The former Hot Standby appliance is not accessible while it is reset. When it is back up, it
is a Standalone appliance again.

Once the former Hot Standby has rebooted and is reachable:

1200
 Centralized Management

• Connect to the Hot Standby via its IP address, log in using the credentials of a user belonging
to the group admin.
• The appliance is no longer in read-only mode but its database is empty.
• Configure the Internal module setup once again. For more details, refer to the section Defining
the Internal Module Setup.
• The page Centralized Management displays the following information:
1. The appliance itself (Local) is the only one listed, the former Master appliance is no longer
part of that list.
2. The appliance role is now Standalone.
3. The appliance needs to be configured locally again (Tools > Configure local SOLIDserver).

1201
Chapter 102. Managing Licenses
Licenses define the operations that can be performed on an appliance. They are unique to each
appliance.

The details of each license include the available configurations and operations as metrics. These
metrics can match the license lifetime or be metric subscriptions that expire after a while.

The licenses and their metrics are managed independently.

• You can renew licenses to manage more services, resources, metrics... or change the capab-
ilities of the appliance.
• You can monitor and refresh the metrics of a license on a dedicated page.

If you manage remote appliances, you can manage the license and metrics of the remote appli-
ances from the Management appliance.

Note that the license metrics and maintenance are monitored. If the maintenance or a metric
approaches or reaches its limit, a banner message above the top bar notifies you. You can close
the message for the remainder of the session.

Browsing the License and License Metrics

Each appliance is applied a specific license, each license contains a set of metrics. The license
and its metrics are managed separately.

Browsing the Local License

To display the list of licenses
Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the sidebar, go to Centralized Management > All licenses. The page All licenses opens.
3. The line of the license itself only contains data in the columns Start of license, End of Main-
tenance and Time left (maintenance). If your license is temporary, it contains data in the
columns End of subscription and Time left (subscription).
The page includes several licenses if you manage remote appliances.

The local license properties are displayed on the page License, in dedicated panels. This page
is only accessible locally, so if you manage remote appliances you must connect to each appliance
to access the page.

To display the local license properties

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on License. The properties page opens.

On the properties page, the panel License subscriptions displays the name and the end date
of the module(s) you subscribed to.

1202
 Managing Licenses

Browsing the License Metrics

From the page All licenses you can display the metrics of the license of the local appliance and
of all the appliances you remotely manage.

Each license, whether permanent or temporary, contains configuration details displayed as

metrics. All licenses can also include metric subscriptions. Therefore, each appliance has a
specific set of license metrics. These metrics are all displayed on a dedicated line to reflect the
license configuration.

To display the list of license metrics

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the sidebar, go to Centralized Management > All licenses. The page All licenses opens.
3. To display the licence metrics of a specific appliance, in the column Name click on the name
of your choice. The page refreshes.

Customizing the Display on the Page All Licenses

Any user can change the column layout of the page via the button List template, on the right-
end side of the menu. Only users of the group admin can add or edit list templates. For more
details, refer to the section Managing List Templates.

You can sort and filter all the columns on the page All licenses. The columns detail the information
of each license metric, the ones of the local license and of the license of the remote appliance(s).
All columns are displayed by default, except the column Start of license.

Table 102.1. The columns on the page All licenses

Column Description
Name The hostname of the appliance the license is activated on.
Local Allows to determine if the license is activated on the local appliance (Yes) or on a
remote appliance (No).
Module The type of metric, it can be a module of SOLIDserver, a service, a hardware metric...
depending on the configuration of the license.
Start of license The date and time when the license starts. By default, this column is not displayed.
End of subscription The date and time when a metric subscription reaches its expiration. This column is
irrelevant for metrics without subscription in the specified Module. If a metric does
not have an end date, the column displays the end date of the license.
Time left (subscription) The number of days, hours and minutes until the End of subscription. This column
is irrelevant for metrics without subscription in the specified Module. For more details
on license renewals, refer to the section Renewing the Licenses.
Metric details The name of the metric and its Maximum use.
Metric The name of the metric.
Current use The current use of the metric. Depending on the Module, it can be a number of re-
sources, servers, settings... currently managed or added on the appliance where the
license is activated on.
Maximum use The maximum number of resources, servers, settings... that can be managed or
added in each Module of the appliance. It depends on the license activated on the
appliance.
Use overview The use ratio of the metric, in percent. A representation of the difference between
Current use and the Maximum use of the metric. It is not available for all metrics.

1203
 Managing Licenses

Column Description
End of maintenance The date and time when the maintenance period reaches its expiration.
Time left (maintenance) The number of days, hours and minutes until the End of maintenance.
Status The status of the appliance the license is activated on, for more details, refer to the
section Understanding the Statuses on the Page All Licenses.

Understanding the Statuses on the Page All Licenses

The column Status returns information on the appliance the license is activated on. All the metrics
of each license return the same data.

Table 102.2. Appliance statuses on the page All licenses

Status Description
OK The appliance is up and running.

Not configured The Local appliance has not been configured yet.

Managed (remote) The appliance is being managed remotely, i.e. listed on the page Centralized Man-
agement of another appliance.
Upgrading... The appliance is being upgraded.

Switching to Hot Standby The appliance is switching to Hot Standby role.

Switching to Master The appliance is switching to Master role.

Switching to Standalone The appliance is switching to Standalone role.

Invalid credentials The appliance has been switched to Standalone, was restored or the password of
the SSH admin account has changed. If the appliance database is encrypted, it may
be that the Active key is missing. For more details, refer to the chapter Securing.
Timeout The appliance is not responding.

Split-brain Two appliances are in Restricted mode due to a split-brain. For more details, refer
to the section Troubleshooting a Split-brain in the chapter Centralized Management.
Repl. stopped The replication stopped, the connection is lost between the appliances. For more
details, refer to the section Configuring Specific Behaviors if the Replication Takes
a Long Time or Stopped in the chapter Centralized Management.

Refreshing the Metrics of a License

All license metrics are automatically refreshed every 24 hours. You can manually refresh your
metrics, as your operations impact the use calculation of the capabilities you subscribed to.

To refresh the metrics of a license

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Centralized Management. The page Centralized Manage-
ment opens.
3. In the breadcrumb, click on All licenses. The page All licenses opens.
4. In the column Name, select the metric(s) of your choice.
5. In the menu, select Tools > Refresh metrics. The wizard License metrics refresh
opens.
6. Click on OK to complete the operation. The report opens and closes. The metrics are re-
freshed.

1204
 Managing Licenses

Renewing the Licenses

Once you activated a license, you can renew it for a local appliance, a remote one or several
remote appliances. Renewing the license allows to manage more services or extend the main-
tenance period.

It is necessary to renew a license if you are notified, in the gadget System Information or in a
banner above the top bar, that a temporary license, the maintenance period or a metric subscription
is expiring on a local or remote appliance. The banner above the top bar may indicate that:
• 30 days remain before the metric subscription expires.
• The current use of a metric reaches 90% or 100%, hardware metric messages only appear
when their use exceeds 100%. Note that even if 100% is reached, you can still add and edit
its corresponding object.
• A metric subscription expired. However, you can still use its modules.

Note that any license related banner message can be closed for the remainder of the session.

Before renewing a license, note that:

• For a local appliance you must:
1. Retrieve the request key and send it to EfficientIP via the dedicated portal, as detailed in
the section Requesting a License Key for the Local Appliance.
2. When you receive the new license key, you must add it to your appliance to activate the li-
cense as detailed in the section Activating a License.
• For remote appliances you can:
1. Retrieve locally the request key on each remote appliance, connect to the management
appliance to export them all at once, and send them to EfficientIP on the dedicated portal,
as detailed in the section Requesting a License Key for Remote Appliances.
2. When you receive the new license keys, you must go to the page Centralized Management
and import the license keys to activate the license on all the remote appliances at once, as
detailed in the section Activating a License.

Requesting a License
To request a license, whether it includes metric subcriptions or not, you must retrieve the request
key of your local or remote appliance and send it to EfficientIP.

Requesting a License Key for the Local Appliance

From the page License of any appliance, you can retrieve the license request key and send it to
EfficientIP.

To request a new license key

Only users of the group admin can perform this operation.
1. Retrieve the request license key.
a. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
b. In the section System, click on License. The page License opens.
c. In the menu, select Add > Request license. The wizard Request license opens.

1205
 Managing Licenses

d. Copy the content of the field Request key, it is required when you fill out the request
license form.
e. Click on OK to close the wizard.
2. Send the request key to Efficient IP via the form Request Your License.
a. Go to the page http://www.efficientip.com/license-request/.
b. In the fields First Name, Last Name, Email, Phone, Company and Country Name,
specify your contact details. All these fields are required.
c. In the field License Period Request, select the length of your choice: 1 month, 2 months,
3 months, 6 months or Permanent. This field is required.
d. If you selected Permanent, the following fields appear.
Fill them with the information provided by EfficientIP.

Table 102.3. Required information for permanent licenses

Field Description
Contract Number Your Maintenance contract number. This field is required.
(if permanent license) The Maintenance contract number is composed of 12 digits and your client
name, it looks as follows 221231200101CORP. The first 6 digits are the
maintenance expiry date (yymmdd) and the next 6 digits are the maintenance
start date (yymmdd).
EfficientIP Serial Number Your appliance serial number. This field is required.
(if permanent license) For virtual appliances, it looks as follows SW550-0123. For hardware appli-
ances, it looks as follows A1B23R4.

e. In the field SOLIDserver Model, specify your model number. This field is required. It
looks as follows SDS-570.
f. In the field Request Key, paste your request key or the content of your request key file.
This field is required.
g. In the field Number of External Managed Servers (MVSM, if any), specify the total
number of servers - DNS, DHCP... - you intend to manage from SOLIDserver.
h. In the section Optional Module, tick all the optional modules you might need: DNS
1
Guardian, DNS GSLB, NetChange, Device Manager or SPX.
i. If relevant, fill in the field If requester is NOT end customer, please provide your
contact information (Name, Company, Email, Phone): with all the appropriate data.
j. In the drop-down list Language, you can select in which language to display the Privacy
Policy. By default, English is selected, you can change to French, German or Spanish.
The panel provides a link towards EfficientIP Privacy Statement.
k. Tick the box I accept the Terms and Conditions.
l. Click on SUBMIT to send us your information.

Once EfficientIP has answered your request and sent you a license key, you can renew your li-
cence as detailed in the section Activating a License.

Requesting a License Key for Remote Appliances

From the page Centralized Management of a management appliance, you can export the license
request key of all remote appliances and send them at once to EfficientIP.

1
If you do not tick this box, you are using NetChange-IPL, NetChange basic options.

1206
 Managing Licenses

To request the license request key of all the remote appliances

Only users of the group admin can perform this operation.
1. Retrieve the request license key.
a. Connect to the GUI of the remote appliance of your choice.
b. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
c. In the section System, click on License. The page License opens.
d. In the menu, select Add > Request license. The wizard Request license opens.
e. Copy the content of the field Request key, it is required when you fill out the request
license form.
f. Click on OK to close the wizard.
g. Repeat the steps a-f for all the relevant remote appliances.
2. Export all the license keys from the management appliance.
a. Connect to the management appliance GUI.
b. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
c. In the section System, click on Centralized Management. The page Centralized
Management opens.
d. Tick the remote appliances for which you requested a license key.
e. In the menu, select Tools > Export license requests. The wizard opens.
f. Read the License Agreement and click on NEXT . The page Export license requests
opens.
g. Click on OK to complete the operation. The page Report opens.
h. Click on DOWNLOAD to save the file locally.
3. Send the request key to Efficient IP via the form Request Your License.
a. Go to the page http://www.efficientip.com/license-request/.
b. In the fields First Name, Last Name, Email, Phone, Company and Country Name,
specify your contact details. All these fields are required.
c. In the field License Period Request, select the length of your choice: 1 month, 2 months,
3 months, 6 months or Permanent. This field is required.
d. If you selected Permanent, the following fields appear.
Fill them with the information provided by EfficientIP.

Table 102.4. Required information for permanent licenses

Field Description
Contract Number Your Maintenance contract number. This field is required.
(if permanent license) The Maintenance contract number is composed of 12 digits and your client
name, it looks as follows 221231200101CORP. The first 6 digits are the
maintenance expiry date (yymmdd) and the next 6 digits are the maintenance
start date (yymmdd).
EfficientIP Serial Number Your appliance serial number. This field is required.
(if permanent license) For virtual appliances, it looks as follows SW550-0123. For hardware appli-
ances, it looks as follows A1B23R4.

e. In the field SOLIDserver Model, specify your model number. This field is required. It
looks as follows SDS-570.

1207
 Managing Licenses

f. In the field Request Key, paste your request key or the content of your request key file.
This field is required.
g. In the field Number of External Managed Servers (MVSM, if any), specify the total
number of servers - DNS, DHCP... - you intend to manage from SOLIDserver.
h. In the section Optional Module, tick all the optional modules you might need: DNS
2
Guardian, DNS GSLB, NetChange, Device Manager or SPX.
i. If relevant, fill in the field If requester is NOT end customer, please provide your
contact information (Name, Company, Email, Phone): with all the appropriate data.
j. In the drop-down list Language, you can select in which language to display the Privacy
Policy. By default, English is selected, you can change to French, German or Spanish.
The panel provides a link towards EfficientIP Privacy Statement.
k. Tick the box I accept the Terms and Conditions.
l. Click on SUBMIT to send us your information.

Once EfficientIP has answered your request and sent you license keys, you can renew your li-
cences as detailed in the section Activating a License.

Activating a License
Once you received the license key(s), you must activate it:
• For local appliances, you can add the license key on the page License or import it on the page
Centralized Management.
• For remote appliances, you can import all the license keys at once on the page Centralized
Management.

Before activating the license, the appliance should be time synchronized. To make sure the ap-
pliance is on time, we strongly recommend configuring the NTP. For more details, refer to the
chapter Configuring the Time and Date.

If you are activating a license that includes metric subscriptions, note that you can refresh the li-
cense metrics any time. For more details, refer to the section Refreshing the Metrics of a License.

To activate a license locally

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on License. The page License opens.
3. In the menu, select Add > License. The wizard opens.
4. Read the License Agreement and click on NEXT . The page Import licenses opens.
5. In the field License(s), paste the license key.
6. Click on OK to complete the operation.

To activate one or more licenses at once

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section System, click on Centralized Management. The page Centralized Manage-
ment opens.
3. Tick the appliance(s) of your choice.
2
If you do not tick this box, you are using NetChange-IPL, NetChange basic options.

1208
 Managing Licenses

4. In the menu, select Tools > Import licenses. The wizard opens.
5. Read the License Agreement and click on NEXT . The page Importing licenses opens.
6. In the drop-down list Import type, choose the import method.
a. To paste the key(s) yourself, select Manual copy and, in the field License(s), paste
the license key(s). If you paste several keys, enter two line breaks between each key.
b. To look for the key(s) on your computer, select File and click on BROWSE to select the
.txt file containing the license key(s).
Note that the license you import automatically overwrites the current license on the relevant
appliance(s).
7. Click on OK to complete the operation.

Exporting Licenses
From the page All licenses, you can export the data listed in a CSV, HTML, XML, XLS or PDF
file.

Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.

1209
Chapter 103. Monitoring
There are many ways of monitoring SOLIDserver, for administrators and standard users, from
the resources to the logs and SNMP profiles and more. This chapter gathers the following mon-
itoring possibilities:
• Managing Reports.
• Managing Alerts.
• Managing the Logs.
• Monitoring the Appliance Statistics.
• Monitoring from Session Tracking.
• Monitoring from User Tracking.
• Forwarding Events.
• Managing SNMP Profiles.
• Monitoring Using SNMP.
• Displaying Netstat Data.
• Sizing the Database Tables.

Note that from the page Centralized Management, you can monitor the status, hardware or li-
cense and maintenance information of an appliance, local or remote. For more details, refer to
the chapter Centralized Management.

Managing Reports
The menu Report allows to generate a number of HTML or PDF reports in the modules DHCP,
DNS, NetChange and Administration. These reports can be generated at a given time or sched-
uled, all existing reports are detailed in the section Available Reports.

Note that this menu is also available on two pages of the module IPAM where it allows to find
Identity Manager sessions, and generate a list in TXT, HTML or EXCEL format. For more details,
refer to the section Finding Active Sessions in the IPAM.

To export your data, refer to the chapter Exporting Data.

Browsing Reports
The reports you generate are available on dedicated pages, depending if you generated them
immediately or scheduled them.

To display the list of reports

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Monitoring, click on Reports. The Reports page opens.

The configuration details of all the scheduled reports are available on a dedicated page.

To display the list of scheduled reports

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Monitoring, next to Reports, click on Scheduled.The page Scheduled reports
opens.

1210
 Monitoring

Available Reports
The menu Report indicates on which modules and pages the reports are available, you can
generate:
• DHCP Reports,
• DNS Reports,
• NetChange Reports, or
• Administration Reports.

DHCP Reports
You can generate advanced reports for DHCP servers and scopes.

DHCP Server Reports

All the DHCP server dedicated reports are available in v4 and v6 on the page All servers, on the
server properties page and on all the listing pages displaying the content of a specific server. To
generate these reports, refer to the section Generating a Report.

Clients most used OS

• Prerequisite: Selecting at least one DHCP server managing IPv4.
• Description: Contains a table, for each physical server selected, detailing the lease clients most
used OS for all the scopes of the server. It contains the OS name, the percentage of leases
that use it and the total number of leases that it corresponds to.

Server data exchanges

• Prerequisite: Selecting at least one DHCP server.
• Description: Contains charts detailing the physical servers data exchanges (Discover, Offer,
Request and Acknowledge) over the last 24 hours, last 7 days, last 30 days and last 12 months.

Server options comparison

• Prerequisite: Selecting at least two DHCP servers.
• Description: Compares one by one all the DHCP options configured on the selected servers.
For more details on each option, refer to the appendix DHCP Options.

Server usage chart

• Prerequisite: Selecting at least one DHCP server.
• Description: Contains charts detailing the physical servers IP addressing management, number
of allocated leases, number of used statics, number of free IP addresses: over the last 24
hours, last 7 days, last 30 days and last 12 months.

Most used networks

• Prerequisite: Selecting at least one DHCP server managing IPv4.
• Description: Contains a table for each selected physical server detailing the most used scopes
and what they contain.

Server usage evolution charts

• Prerequisite: Selecting at least one server.

1211
 Monitoring

• Description: Contains lease and request dedicated charts providing an overview of a server
usage evolution. The chart results are based on server usage a daily, monthly, semestrial and
yearly basis.

DHCP Scope Reports

All the DHCP scope dedicated reports are available in v4 on the page All scopes, on the scope
properties page and on all the listing pages displaying the content of a specific scope. To generate
these reports, refer to the section Generating a Report.

Clients most used OS

• Prerequisite: Selecting at least one DHCP server managing IPv4.
• Description: Contains a table, for each physical server scope selected, detailing the lease clients
most used OS. It contains the OS name, the percentage of leases that use it and the total
number of leases that it corresponds to.

Scopes options comparison

• Prerequisite: Selecting at least two scopes.
• Description: Compares one by one all the DHCP options configured on the selected scopes.
For more details on each option, refer to the appendix DHCP Options.

Scopes summary
• Prerequisite: Selecting at least one scope.
• Description: Provides detailed tables of the DHCP options activity and origin of the selected
scope(s). For instance, it indicates if the option was set at scope level or inherited from the
managing server.

DNS Reports
You can generate advanced reports for DNS servers, views and zones.

DNS Server Reports

All the DNS server dedicated reports are available on the page All servers, on the server properties
page and on all the listing pages displaying the content of a specific server. To generate these
reports, refer to the section Generating a Report.

Smart architecture incompatibilities

• Prerequisite: Selecting at least one smart architecture.
• Description: Returns in the column Multi-Status all the object incompatibilities. All the views,
RPZ zones, DNS zone types and DNS record types that you can add to the architecture may
not be supported by the physical servers it manages.

Route 53 incompatibilities
• Prerequisite: Selecting at least one Amazon Route 53 server.
• Description: Contains a list of all the selected server options and configurations incompatible
with Amazon Route 53. No piece of information listed in the tables can ever be replicated on
the Amazon Route 53 server you are managing via SOLIDserver.

Zones NS and IP addresses

• Prerequisite: Selecting at least one Amazon Route 53 server.

1212
 Monitoring

• Description: Contains a list of all the NS records and their corresponding IP address of all the
zones of the server. It also indicates if they were pushed to the smart architecture, that is to
say replicated on all the servers managed by the smart.

A records without an IPv4 address or alias

• Prerequisite: Selecting at least one server configured with DNS to IPAM replication.
• Description: Contains the list of A records that are not associated with an IPv4 address or alias,
by server.

AAAA records without an IPv6 address or alias

• Prerequisite: Selecting at least one server configured with DNS to IPAM replication.
• Description: Contains the list of AAAA records that are not associated with an IPv6 address
or alias, by server.

CNAME records without an alias

• Prerequisite: Selecting at least one server configured with DNS to IPAM replication.
• Description: Contains the list of CNAME records that are not associated with an IPv4 or IPv6
alias, by server.

PTR records without an IPv4 address

• Prerequisite: Selecting at least one server configured with DNS to IPAM replication.
• Description: Contains the list of PTR records that are not associated with an IPv4 address, by
server.

PTR records without an IPv6 address

• Prerequisite: Selecting at least one server configured with DNS to IPAM replication.
• Description: Contains the list of PTR records that are not associated with an IPv6 address, by
server.

Servers configuration
• Prerequisite: Selecting at least one server.
• Description: Contains all the server configuration details divided into 4 tables: Settings (all the
options), ACLs (all the access control lists), Keys (all the DNS keys configured) and Groups
(all the group of users that have access to the server).

Hybrid DNS Engine incompatibilities

• Prerequisite: Selecting at least one physical server.
• Description: Contains the list of all the options and configuration that make the server incom-
patible with Hybrid. For more details, refer to the section Generating the Hybrid Incompatibilities
Report.

Server peak hour

• Prerequisite: Selecting at least one server; except an Amazon Route 53 server. Cloud servers
cannot be monitored by this report.
• Description: Contains a table displaying the selected server peak hour over the last 24 hours.
It indicates the number of queries per second processed by the server at its busiest hour in
the last 24 hours.

Servers configuration comparison

• Prerequisite: Selecting at least two servers.

1213
 Monitoring

• Description: Contains tables that allow to compare the selected servers configurations: DNS
server parameters, DNS server ACLs and DNS server keys.

Query rate per server

• Prerequisite: Selecting at least one server; except an Amazon Route 53 server. Cloud servers
cannot be monitored by this report.
• Description: Contains four charts representing the response to queries curve of the selected
server: over the last 24 hours, last 7 days, last 30 days and last 12 months.

Server reply to queries charts

• Prerequisite: Selecting at least one server; except an Amazon Route 53 server. Cloud servers
cannot be monitored by this report.
• Description: Contains four charts representing the four types of response to queries (success,
failure, inexistent RR set and Nxdomain) for the selected server: over the last 24 hours, last 7
days, last 30 days and last 12 months.

Server usage charts

• Prerequisite: Selecting at least one server.
• Description: Contains usage evolution charts for the selected server: queries over the past
week, last 6 months, last month and past year at the time of the generation of the report.

DNS View Reports

All the DNS view dedicated reports are available on the page All views, on the view properties
page and on all the listing pages displaying the content of a specific view. To generate these re-
ports, refer to the section Generating a Report.

View statistics
• Prerequisite: Selecting at least one view.
• Description: Contains two tables detailing the zones and records of every selected view. The
first table sums up the total number of zones and indicates how many of them are Forward
zones. The second table details for each zone their name, their type and the total number and
distribution of the records they contain. It focuses on A, CNAME, DNSKEY, NS, NSEC3PARAM,
PTR, SOA and TXT records.

DNS Zone Reports

All the DNS zone dedicated reports are available on the page All zones, on the zone properties
page and on all the listing pages displaying the content of a specific zone. To generate these
reports, refer to the section Generating a Report.

Route 53 incompatibilities
• Prerequisite: Selecting at least one Amazon Route 53 server.
• Description: Contains a list of all the selected zone options and configurations incompatible
with Amazon Route 53. No piece of information listed in the tables can ever be replicated on
the Amazon Route 53 server you are managing via SOLIDserver.

Zones NS and IP addresses

• Prerequisite: Selecting at least one Amazon Route 53 zone.
• Description: Contains a list of all the NS records and their corresponding IP address for the
selected zone. It also indicates if they were pushed to the smart architecture, that is to say
replicated on all the servers managed by the smart.

1214
 Monitoring

Zones missing RRs

• Prerequisite: Selecting at least one zone.
• Description: Contains a list of all the misconfigured records within the selected zones divided
into 5 tables: PTR records without A or AAAA, A or AAAA records without PTR, CNAME records
without A or AAAA, NS records without A or AAAA and MX records without A or AAAA.

Zone statistics
• Prerequisite: Selecting at least one zone.
• Description: Contains a table, for each server, detailing the name, the type and the total number
and distribution of the records of the selected zones. It focuses on A, CNAME, DNSKEY, NS,
NSEC3PARAM, PTR, SOA and TXT records.

Zones configuration comparison

• Prerequisite: Selecting at least two zones.
• Description: Contains tables detailing the allow-transfer, allow-update, forward, masters and
notify parameters configuration for the selected zone(s). Each parameter value is listed with
the zone name it is configured for and the server it belongs to.

NetChange Reports
You can generate advanced reports for NetChange network devices.

NetChange Network Device Reports

All NetChange dedicated reports are available on the page All network devices, on the network
device properties page and on all the listing pages displaying the content of a specific network
device. To generate these reports, refer to the section Generating a Report.

Network devices properties

• Prerequisite: Selecting at least one device.
• Description: Contains basic information regarding the selected device(s): the Device name,
Device type, Ports usage (%) and Ports used.

NetChange/IPAM/DHCP data comparison

• Prerequisite: No need to select any device. The report automatically takes into account all the
devices.
• Description: Contains data discrepancies between NetChange and other modules. All the in-
consistencies found are listed in 10 tables focusing on IPv4 and IPv6 addressing. These tables
compare NetChange and IPAM data at device and at discovered items level (IP/MAC addresses
association) as well as NetChange and DHCP data (MAC addresses and lease association).

Network devices summary

• Prerequisite: No need to select any device. The report automatically takes into account all the
devices.
• Description: Contains information regarding all the network devices you manage through
SOLIDserver divided into four sections: Summary that contains all the network devices dedicated
pie charts available by default on NetChange dashboard, Network devices model by vendor
that contains charts displaying your devices vendors and models, Top 50 most used network
devices that contains a table listing the most used devices with the percent of port usage and
the total number of used ports and finally Top 50 most unused network devices that contains
a table listing the least used devices with the percent of port usage and the total number of
used ports.

1215
 Monitoring

Administration Reports
From the module Administration, you can generate advanced reports for the appliance statistics
and users.

Appliance Statistics Reports

All the appliance statistics dedicated reports are available on the page System statistics. To
generate these reports, refer to the section Generating a Report.

Statistics chart
• Prerequisite: No selection required. However, only users of the group admin can access the
page.
• Description: Contains all the charts available on the page System statistics. Their content de-
pends on the time of the generation.

Network traffic
• Prerequisite: No selection required. However, only users of the group admin can access the
page.
• Description: Contains charts representing all the ingoing and outgoing traffic on your network
over the last 24 hours, last 7 days, last 30 days and last 12 months.

User Reports
A report allows to export all the permissions of a user from the page Users. To generate this report,
refer to the section Generating a Report.

Users rights in each group

• Prerequisite: Selection at least one user.
• Description: Contains a table displaying for the selected user(s) their User name, Group name,
Resources and User name. In other words, the group(s) of users they belong to, the objects
they have access to and the actions they can perform on these objects.
The report is empty for disabled users.

Generating a Report
From a set of listing and properties pages you can generate and download reports in PDF or
HTML format.

Keep in mind that:

• If the report you are generating contains charts, choosing the HTML format requires you to be
connected to the appliance via its domain name when you open the report, otherwise the charts
are empty.
• The DNS report Smart architecture incompatibilities does not generate any file, it updates the
column Multi-Status on the page All servers.

To generate a report from a listing page

1. Go to the page of your choice. All existing reports are detailed in the section Available Reports.
2. If necessary, tick the object(s) you want to generate the report for.

1216
 Monitoring

Note that from the page System statistics, in the drop-down list SOLIDserver, you can
select your local appliance or a remote one, only if the remote appliance is in version 6.0.1
or higher.
3. In the menu, select
1
Report > <report-of-your-choice> .The corresponding wizard opens.
4. In the list Report format, select an export format, either HTML or PDF. By default, HTML
is selected.
5. Click on NEXT . The next page opens.
6. In the drop-down list Action, select Generate new data. If you already have generated a
report for the same object, the drop-down list allows to select and generate it again.
7. Click on OK to complete the operation. The report opens and closes.
8. You can click on DOWNLOAD to save the report immediately.
When the report is generated, it is available on the page Reports. For more details, refer to
the procedure To display the list of reports.
9. Click on CLOSE to go back to the page.

To generate a report from a properties page

1. Go to the page of your choice. All existing reports are detailed in the section Available Reports.
2. At the end of the line of the object of your choice, click on . The properties page opens.
3. In the menu, select
1
Report > <report-of-your-choice> .The corresponding wizard opens.
4. In the list Report format, select an export format, either HTML or PDF. By default, HTML
is selected.
5. Click on NEXT . The next page opens.
6. In the drop-down list Action, select Generate new data. If you already have generated a
report for the same object, the drop-down list allows to select and generate it again.
7. Click on OK to complete the operation. The report opens and closes.
8. You can click on DOWNLOAD to save the report immediately.
When the report is generated, it is available on the page Reports. For more details, refer to
the procedure To display the list of reports.
9. Click on CLOSE to go back to the page.

Scheduling a Report
The generation of reports can easily be scheduled for all types of reports through the same wizard
as for immediate generation.

To schedule the generation of a report

1. Go to the page of your choice. All existing reports are detailed in the section Available Reports.
2. If necessary, tick the object(s) you want to generate the report for.
3. In the menu, select Report > <report-of-your-choice>. The corresponding wizard opens.
4. In the list Report format, select an export format, either HTML or PDF. By default, HTML
is selected.
Keep in mind that if the report you are generating contains charts, choosing the HTML format
requires you to be connected to the appliance via its domain name when you open the report,
otherwise the charts are empty.
5. Click on NEXT . The next page opens.

1
The reports dedicated to Compare DNS data with IPAM data and Amazon Route 53 are all listed in the submenu of the same name.

1217
 Monitoring

6. In the drop-down list Action, select Schedule the report. The page refreshes and displays
the scheduling fields.
7. Configure the export frequency or date and time of export using the table below.

Table 103.1. Scheduled report fields

Field Description
Day(s) of the week A day, a frequency or a period of days. By default, every day is selected. This field is
optional.
Date of the month A specific day of the month or every day. By default, every day is selected. This field
is optional.
Month A specific month or every month. By default, every month is selected. This field is
optional.
Hour A specific hour, a set of hours, every hour, or every hour over a specific period. The
hour respects the UTC standard. By default, 20 is selected. This field is optional.
Minute A moment of the hour, either 00, 15, 30 or 45. The minute respects the UTC standard.
By default, 00 is selected. This field is optional.
Name The name of the report on the page Scheduled reports.You can edit the default name.
Mail to The name of the group which users should receive the export notification email. By
default, the first of your groups, in the ASCII alphabetic order, is selected. This field
is optional.
Note that no email can be sent if the users email address is not valid or if your SMTP
relay is not configured. For more details, refer to the section Configuring the SMTP
Relay in the chapter Configuring the Services.
Rights as The name of the user whose rights and limitations are applied in the report, as follows
<user> [<group>]. Only the items this user has access to are listed in the export. By
default, the first of your users, in the ASCII alphabetic order, is selected. This field is
optional.

8. Click on OK to complete the operation. The report opens and closes.

The scheduled report configuration is available on the page Scheduled reports. For more
details, refer to the procedure To display the list of scheduled reports.
When the report is generated, it is available on the page Reports. For more details, refer to
the procedure To display the list of reports.

For more details regarding scheduled reports refer to the section Managing Scheduled Reports
Configuration Files.

Downloading and Opening Reports

From the page Reports, you can download PDF reports and open the HTML reports in a new
tab of your browser.

All the generated reports are listed on this page whether they were generated at a specific time
or scheduled.

To download a PDF report

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Monitoring, click on Reports. The page Reports opens.
3. In the column Format, filter the list through to display only PDF reports.
4. In the column Name, click on the report of your choice to download it to your computer.

1218
 Monitoring

To open an HTML report

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Monitoring, click on Reports. The page Reports opens.
3. In the column Format, filter the list through to display only PDF reports.
4. In the column Name, click on the report of your choice to download it to your computer.

Managing Scheduled Reports Configuration Files

The page Scheduled reports gathers the configuration details of all the scheduled reports. It allows
you to disable and enable back a scheduling or delete it. Every time a report is generated, it is
listed on the Reports page. For more details, refer to the section Downloading and Opening Re-
ports.

To enable/disable a scheduled report

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Monitoring, next to Reports, click on Scheduled.The page Scheduled reports
opens.
3. All the scheduled reports are listed by name, report type and format.
4. Tick the scheduled report of your choice.
5. In the menu, select Edit > Enable or Disable. The wizard opens.
6. Click on OK to complete the operation. The report opens and closes. The scheduled report
configuration is now OK or Disabled.

To delete a scheduled report

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Monitoring, next to Reports, click on Scheduled.The page Scheduled reports
opens.
3. All the scheduled reports are listed by name, report type and format.
4. Tick the scheduled report(s) of your choice.
5. In the menu, click on Delete. The wizard Delete opens.
6. Click on OK to complete the operation. The report opens and closes. The scheduled report
configuration is no longer listed.

Managing Alerts
SOLIDserver offers a number of customization options that include the alert configuration from
any page. You can be notified of the changes of your choice (new value, status, etc.) either via
email or via an SNMP trap. Alerts provide an extra monitoring system.

Prerequisites
• To properly set an SNMP trap on an alert, make sure the SNMP and SMTP servers are properly
configured. For more details, refer to the chapters Configuring the SNMP Server and Configuring
the SMTP Relay.
• To properly set mail notifications on an alert, you need to specify a group of users or specific
mail addresses. Make sure the email addresses of the group members and/or those you spe-
cified in the wizard are valid as incorrect email addresses cannot receive alerts. Also, make

1219
 Monitoring

sure the groups you specify is configured with sufficient rights to assess the situation. For more
details, refer to the chapter Managing Users.

Browsing Alerts
The Administration module contains two pages dedicated to alerts. You cannot configure the
columns display on these pages.
• The page Alerts displays the details of all the alerts that have been raised: their priority, when
they were raised and released, their current state, etc.
• The page Alerts Definition contains all the alerts configured in SOLIDserver. It displays the
configuration details of each alert, provides a link to edit the alert filters and allows to enable/dis-
able each alert.

Browsing the Alerts Database

To display the page Alerts
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Monitoring, click on Alerts. The page Alerts opens. Only the raised alerts
are displayed by default.
3. To display all the alerts, whether they are dismissed or not, under the menu, tick the box
Display all alerts .

To display the page Alerts Definition

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Monitoring, next to Alerts, click on Definition. The page Alerts Definition
opens.
3. To display the alerts related to a specific alert definition, in the column Alert name, click on
the name of your choice. The page Alerts opens and displays only the alerts related to that
specific definition.
4. To display all the alerts, whether they are dismissed or not, under the menu, tick the box
Display all alerts .

To display an alert properties page

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Monitoring, click on Alerts. The page Alerts opens.
3. To display an alert properties page from the page Alerts, in the column Alert, click on the
alert of your choice. The properties page opens.
4. To display an alert properties page from the page Alerts Definition:
a. In the breadcrumb, click on Alerts Definition. The page Alerts Definition opens.
b. At the end of the line of the alert name of your choice, click on . The properties page
opens.

Understanding the Columns on the page Alerts Definition

By default, the page Alerts Definition displays the configuration details of all the existing alerts
through six columns. You can sort and filter all columns, but you cannot change their layout.

1220
 Monitoring

Table 103.2. The columns on the page Alerts Definition

Column Description
Alert Name The alert name.
Condition The trigger condition of the alert, 0 being the status or value that triggers the alert if met
(=), different (!=, <, >), etc.
Created on The alert addition date and time.
Scheduling The check frequency for the parameters that trigger the alert.
Alert filters The filters set on the page before adding the alert. Each alert provides the link to edit these
filters. For more details, refer to the section Editing the Filters of an Alert.
State The state of the definition, it returns details on the alert(s).
Released Once the alert is added it is Released on the page Alerts Definition.
Raised Once the configured parameters are met, the alert is Raised and is listed
on the page Alerts.
Status The alert definition status, either Enabled or Disabled.

The alert properties page displays extra information that can be configured such as the severity,
priority, recipients of the email, etc.

Understanding the Columns on the page Alerts

By default, the page Alerts displays all the details of all the currently raised alerts. You can sort
and filter all columns, but you cannot change their layout.

To display the alerts that were dismissed or set back to monitored, refer to the procedure To
display the page Alerts.

Table 103.3. The columns on the page Alerts

Column Description
Severity The severity of the alert, either Minor, Major, Crash or Block.
Module The name of the module where the alert was added.
Sub Module The name of the page within the module where the alert was added.
Alert Name The name given to the alert upon addition.
Priority The level of priority you set upon addition, iother Low, Normal, High, Urgent or Immediate.
Begin date The time and date when the alert went from released to raised, i.e. the moment the para-
meters set were met.
End date The time and date when the alert went from raised to released.
Starting since The period of time since the alert has been raised.
Monitoring The alert monitoring details.
Monitored When you have not dismissed an alert or if you have reinstated it.
Dismissed When you have dismissed an alert.
State The state of the alert.
Released When the alert has reached its End date.
Raised When the parameters set for the alert are met, the alert is raised..

Adding Alerts
From any page you can add alerts via the menu Alerts, gadgets & Smart Folders.

1221
 Monitoring

Before adding alerts you can filter the list to customize the trigger and add the alerts that suit
your needs. So if you decide to filter the page All zones via the column Status with !=OK and
then add an alert, the alert would be triggered when any zone listed changes status to a status
different from OK and send you an email and/or an SNMP trap depending on what you configure.

To add an alert
This procedure is an example, it sends an alert if any zone status changes to anything but OK.
1. Go to the page of your choice and filter the list according to your needs.
a. In the sidebar, go to DNS > Zones. The page All zones opens.
b. In the column Server, click on the name of the server of your choice to display the zones
it contains.
c. In the search engine of the column Status, click on . The filter constructor opens.
d. In the drop-down list on the left, select != (different from).
e. In the field on the right, click on . The statuses drop-down list opens.
f. Select OK and click on APPLY . The page refreshes. The column search engine now
contains != OK and only the zones with a status different from OK are displayed.
2. In the menu, select Alerts, gadgets & Smart Folders > Add an Alert. The wizard Add
an alert definition opens.
3. In the field Name, name the alert. By default, the alert is named after the module and page
from where you configure it, in our example DNS: Zones.
4. In the field Description, you can specify a description if needed.
5. For alerts added from the DNS page Analytics displaying Guardian data, in the drop-down
list Period, select the overall period of data to retrieve, either the last 1h, 3h or 6h.
6. In the section Expert mode, tick the box to display the expert configuration fields.
7. Through the fields Filter results and Value, you can configure the alert execution parameters.

Table 103.4. Alert execution configuration fields

Field Description
Filter results The filter of your choice, either != (different from), > (Greater than), < (Less than) or
== (Equal to). Any of these conditions affects the number specified in the field Value.
By default, != (different from) is selected.
Value A number that corresponds to the threshold of your the filter you set before adding
the alert. By default, 0 is displayed.

For instance, if you do not want the alert to be triggered for less than 2 zones with a status
different from OK, you can select Greater than in the drop-down list Filter results and 2 in
the field Value.
8. In the section Triggered by change, tick the box if you want your alert to match your filter
only by change. In the case of our example, if you do not tick the box and three zones already
correspond to the filter (they could be in delayed create, timeout...), the alert is triggered if,
at the next check, the zones are still not set to OK.
9. In the drop-down list Alert Priority, define the alert priority. It can be Low, Normal, High,
Urgent or Immediate.
10. In the drop-down list Alert Severity, define the alert severity. You can choose among Minor,
Major, Crash and Block.
11. In the drop-down list Alert Group Owner, select a group of users among the ones you added.
12. You can tick the box Edit scheduling to configure a specific check frequency for the alert.
By default, the check is performed every 5 minutes of every hour, every day and every month.

1222
 Monitoring

Table 103.5. Alert check scheduling parameters

Field Description
Day(s) of the week A day, a frequency or a period of days. This field is optional.
Date of the month A specific day of the month or every day. This field is optional.
Month A specific month or every month. This field is optional.
Hour A specific hour, a set of hours, every hour, or every hour over a specific period. The
hour respects the UTC standard. This field is optional.
Minute A moment of the hour (00, 15, 30 or 45) or a frequency. The minute respects the UTC
standard. This field is optional.

13. You can tick the box Send mail to notify the users of your choice via email when the alert
definition is met. The following fields appear.
a. In the drop-down list Mailing lists, select an existing group of users. The email address
of the users of the group must be configured, otherwise they can never receive the alert
notification.
b. In the field Additional Mail, specify the target email address of the alert notification.
c. Click on ADD to move the information to the Additional Mail List. The list contains all
the recipients of the alert email.
d. Repeat these actions from as many recipients as needed.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the
field(s) and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .

14. You can tick the box SNMP Trap to send a trap to the device of your choice when the alert
definition is met. The following fields appear.

Table 103.6. SNMP trap configuration parameters

Field Description
SNMP version The version of SNMP used, v2c.
SNMP Destination The IP address of the network management platform.
SNMP Community The community string that would act as a password to access the SNMP agent.
Raised alert SNMP A custom OID to be sent when the alert is raised. You can use and extend the default
OID OID 1.3.6.1.4.1.2440.1.6.1.2.0.1.
Released alert A custom OID to be sent when the alert is released. If this field is empty, no trap is
SNMP OID sent when the alert is released.

15. Click on OK to complete the operation. It is now listed in the page Alerts Definition and
marked as Released.

Editing Alerts
The alerts can be edited in two different ways:
1. You can edit the alert definition: rename it, change the check frequency, add or remove email
recipients, set or remove an SNMP trap...
2. You can edit the filters that were set on the page when the alert was added.

1223
 Monitoring

Editing an Alert Definition

You can edit the properties of your alert, i.e. its definition details.

To edit an alert definition

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Monitoring, next to Alerts, click on Definition. The page Alerts Definition
opens.
3. At the end of the line of the alert name of your choice, click on . The properties page opens.
4. In the panel Main properties, click on EDIT . The wizard Edit an alert definition opens.
5. Edit the alert according to your needs. For more details, refer to the steps 3 to 12 of the
procedure To add an alert.
6. Click on OK to complete the operation. The report opens and closes.

Editing the Filters of an Alert

In addition to editing an alert definition, you can edit the filter(s) it uses. This allows you to edit
the alert triggers if the initial alert settings no longer suit your needs.

To edit the filters of an alert

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Monitoring, next to Alerts, click on Definition. The page Alerts Definition
opens.
3. In the column Alert filter, click on Edit alert filters for the alert of your choice. You are redir-
ected to the page where the alert was added.
4. Above the menu, a blue banner indicates you are in Alert edition mode.
5. In the search engine of the filtered column(s), edit or remove the filter(s) according to your
needs.
6. Add filters based on new columns if relevant.
7. On the right-end side of the menu, click on . The wizard Quit editing the alert filters
opens.
8. Tick the box Save changes before quitting to save your new filter.
If you do not tick the box, your changes are discarded.
9. Click on OK to complete the operation. The report opens and closes.

Enabling or Disabling Alerts

If at some point you want an alert definition to stop raising alert instances, you can disable it.

When you want it to raise alert instances again, re-enable it.

To enable/disable an alert
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Monitoring, next to Alerts, click on Definition. The page Alerts Definition
opens.
3. Tick the alert(s) of your choice.
4. In the menu, select Edit > Enable or Disable. The wizard opens.

1224
 Monitoring

5. Click on OK to complete the operation. The report opens and closes. The alert definition
State is marked as Enabled or Disabled.

From the column State, you can also directly click on Enabled or Disabled to, respectively, disable
or enable a definition.

Updating an Alert State

You can check that you did not miss any alert. It is useful if you did not configure an alert to trigger
on change or if, on the contrary, you just configured it with a check every 5 minutes.

The option Force alert update immediately checks if the selected alert is Raised or Released.

To force an alert definition check

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Monitoring, next to Alerts, click on Definition. The page Alerts Definition
opens.
3. Tick the alert(s) that you want to check.
4. In the menu, select Tools > Force alert update. The wizard Force alerts state update
opens.
5. Click on OK to complete the operation. The report opens and closes. To see if the alert is
now raised, go to the page Alerts.

Dismissing an Alert
Once an alert was raised, you can dismiss it in order to make sure that next time it is raised you
actually only see the instances that matter and not old ones. The alert does no longer appear on
the page Alerts unless you tick the box Display All Alerts.

To dismiss an alert
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Monitoring, click on Alerts. The page Alerts opens.
3. Tick the raised alert(s) that you want to dismiss.
4. In the menu, select Edit > Dismiss. The wizard Dismiss an alert opens.
5. Click on OK to complete the operation. The report opens and closes. The alert is no longer
listed.
6. Under the menu, tick the box Display All Alerts to display all the previous instances.

Reinstating a Dismissed Alert

Once an alert was raised, you can dismiss it as described in the section above.You can however
reinstate it as monitored to display it again on the page.

To monitor an alert
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Monitoring, click on Alerts. The page Alerts opens.
3. Tick the raised alert(s) that you want to reinstate.
4. In the menu, select Edit > Monitor. The wizard Monitor an Alert opens.

1225
 Monitoring

5. Click on OK to complete the operation. The report opens and closes. The alert is displayed
even though the box Display All Alerts is unticked.

Exporting Alerts
From the page Alerts, you can export the data listed in a CSV, HTML, XML, XLS or PDF file.

Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.

Deleting an Alert
For safety measures, you cannot delete an alert instance on its own. However, from the page
Alerts Definition, you can delete an alert completely i.e. delete its configuration details and the
instances of when it was raised.

To delete an alert
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Monitoring, next to Alerts, click on Definition. The page Alerts Definition
opens.
3. Tick the alert(s) of your choice.
4. In the menu, select Edit > Delete an Alert. The wizard Delete an alert opens.
5. Click on OK to complete the operation. The report opens and closes. The alert is no longer
listed on the pages Alerts Definition and Alerts.

Managing the Logs

In the module Administration, two pages allow to manage the logs. You can monitor them from
Syslog and redirect them from Configuration of Network Logs.

Syslog
The page Syslog lists the logs of all the services executed. You can filter the list using the menu
or the columns to display a specific operation. Note that:
• You can display the logs of remote appliances from the management SOLIDserver. For more
details regarding remote management, refer to the chapter Centralized Management.
• The service ipmserver includes the cloud synchronization error messages. For more details,
refer to the chapter Managing Cloud Synchronization.
• You can export the logs in a CSV, HTML, XML, XLS or PDF file. For more details refer to the
chapter Exporting Data.

To display the logs of your choice on the page Syslog

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Monitoring, click on Syslog. The page Syslog opens.
3. In the drop-down list SOLIDserver, select the appliance of your choice. The page refreshes.
If you are not managing any remote appliance, the list only displays local.
If you are managing remote appliances, the local appliance is listed using only its hostname.
All remote appliances are listed as follows: <hostname> (<IP address>). Unreachable appli-
ances are listed as follows: <hostname> (<IP address>) - Timeout.

1226
 Monitoring

4. In the drop-down list Service, select the service of your choice:

Service Description
named The DNS log messages.
dns-firewall The log messages related to RPZ processing.
dhcpd The DHCP log messages.
ipmserver The internal transactional engine log messages.
messages All the system log messages.
auth The authentication log messages. By default, it logs failed authentications. To also
log successful authentications refer to the section Monitoring Successful Authentica-
tions.
ipmserver-rules The operations executed by rules.
gslb-check The Application log messages regarding initial health check failures and node status
changes.

5. You can tick the box Automatic refresh to automate the refresh of all the logs.
By default, the refresh is scheduled to be executed every 10 seconds. To change the refresh
frequency, refer to the section Editing Syslog Refresh Frequency.
6. You can look for specific logs by filtering the following columns:
a. From the column Time, you can sort and filter the logs based on the date and time of
the service execution. Note that you can edit the time and date format from the top bar
menu My Account > My Settings.
b. From the column Log, you can filter the logs based on the details of the operation per-
formed.

Editing Syslog Refresh Frequency

Administrators can change the frequency of the Automatic refresh via a registry database.

To edit Syslog Automatic refresh frequency

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Registry database. The page Registry database opens.
3. Filter the column Name with syslog.refresh .
4. Hit Enter. Only the key www.system.syslog.refresh is listed.
5. In the column Value, click on the value listed. The wizard Registry database Edit a value
opens.
6. In the field Value, specify the number of seconds of your choice. By default, it is set to 10.
7. Click on OK to complete the operation. The report opens and closes. The Value is updated.

Monitoring Successful Authentications

By default, the service auth only returns failed connections. However, administrators can enable
a registry database to also take into account successful authentications in the logs. Note that:
• Monitoring successful authentication events can drastically increase the number of logs.
• Once the key is enabled, if you forward security events to an external device, the successful
authentications are also forwarded. For more details, refer to the section Forwarding Security
Events.

1227
 Monitoring

To monitor successful authentication events

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Registry database. The page Registry database opens.
3. Filter the column Name with success .
4. Hit Enter. Only the key ipmserver.login.log_success is listed.
5. In the column Value, click on the value listed. The wizard Registry database Edit a value
opens.
6. In the field Value, type in 1 to enable the retrieval of successful authentication events. By
default, it is set to 0.
7. Click on OK to complete the operation. The report opens and closes. The Value is updated.

Configuration of Network Logs

The page Configuration of Network Logs allows users of the group admin to redirect the logs of
several appliances toward a remote syslog server to monitor them.

You can redirect the logs of a particular service and severity level. The available severity levels
are listed below.

Table 103.7. Syslog severity levels

Code Severity level Description
0 (maximum severity level) Emergency
1 Alert
2 Critical
3 Error
4 Warning
5 Notice
6 Information
7 (minimum severity level) * (Debug)
The system has completely crashed and is no longer functioning.
The system is unstable and a crash is imminent. Action must be
taken immediately.
Critical conditions. Should be corrected immediately.
Error conditions. Non-urgent failures that should be relayed to ad-
ministrators.
Warning conditions. Indicates that an error is returned if no action
is taken.
Unusual situation or significant event that is typically part of normal
day-to-day operations.
Normal operational messages - may be harvested for reporting,
measuring throughput, etc - no action required.
Useful messages to developers for debugging, not useful during
operations.

Note that selecting a log level automatically includes the logs with a higher severity, the ones
with a smaller code number. Therefore, if you select Warning (4) logs, you also redirect the Error
(3), Critical (2), Alert (1) and Emergency (0) logs.

Note that the service impserver includes the cloud synchronization error messages. For more
details, refer to the chapter Managing Cloud Synchronization.

To add a syslog redirection

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Monitoring, next to Syslog, click on Configuration. The page Configuration
of network logs opens.

1228
 Monitoring

3. In the menu, clcik on Add. The wizard Syslog configuration opens.

4. In the drop-down list Services, select the service of your choice.

Table 103.8. The services that can be redirected

Service Description
ipmserver The internal transactional engine logs.
dhcp The log messages of the service dhcpd.
dns The log messages of the service named.
dns-firewall The RPZ dedicated log messages of the service named.
posgresql The SQL logs.
messages All the system logs.
anycast The anycast logs.
auth The authentication logs.
security The security logs.
ipmserver-rules The operations executed by rules.
gslb-check The log messages of the service GSLB Server regarding initial health check failures
and node status changes.

5. In the drop-down list Level, select the severity level of your choice. Note that any severity
other than Emergency (0) also redirects higher severity levels, the ones with a lower code.
For more details, refer to the table Syslog severity levels.
6. In the field Target server, specify the IP address and port number of the Syslog server re-
ceiving the logs following the format <ip-address>:<port-number>.
7. Click on OK to complete the operation. The report opens and closes. The page displays the
list of logs redirections.

To delete a syslog redirection

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Monitoring, next to Syslog, click on Configuration. The page Configuration
of network logs opens.
3. Next to the redirection of your choice, click on DELETE . The wizard Syslog configuration
opens.
4. In the fields Service and Target server are displayed the redirection details. Make sure they
are the ones you want to delete.
5. Click on OK to complete the operation. The report opens and closes. On the page Configur-
ation of Network Logs, the redirection is no longer listed.

Monitoring the Appliance Statistics

The page System statistics provides charts dedicated to the appliance services traffic and state.
Keep in mind that:
• The system stores data during a year.
• The page allows to display the statistics of your local appliance and the statistics of remote
appliances, if they are in version 6.0.1 or higher. For more details regarding remote manage-
ment, refer to the chapter Centralized Management.

1229
 Monitoring

• Every chart displaying local data is a gadget in essence and can be displayed on any dashboard
using the dedicated pushpin. For more details, refer to the chapter Managing Gadgets.
• The charts are empty during the first appliance use, without any traffic, there is no data to dis-
play.
• You cannot use the statistics charts of a remote appliance as a gadget.
• You can export all the charts on the page, whether they display local or remote data, in specific
reports. For more details, refer to the section Appliance Statistics Reports below.
• Except for the panel Processes states, on each chart you can zoom in and out of the charts
or decide the period and data to display. For more details, refer to the section Charts.

To access the page dedicated to SOLIDserver Statistics

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Monitoring, click on System statistics. The page System statistics opens.
By default, it displays the local appliance data. To display the statistics of a remote appliance,
refer to the section Monitoring the Statistics of Another Appliance.

Each chart on the page has a specific purpose:

Table 103.9. The charts of the page Statistics

a
Chart Description Unit of
Measurement
DNS traffic The rate of DNS requests sent and received. Bytes per second
DHCP traffic The rate of DHCP requests sent and received. Bytes per second
HTTP traffic The rate of HTTP requests sent and received. Bytes per second
SNMP traffic The rate of SNMP requests sent and received. Bytes per second
Database replication traffic The input and output exchanges during the database replica- Bytes per second
tion between two appliances set in a High Availability config-
uration.
Load average The load of all the system's CPUs on an average of 1, 5 and Bytes
15 min.
CPU per process The percentage of CPU used by each enabled service. Percent
Memory usage per process The memory usage of each enabled service. Bytes
Disk operations The number of read and write operations performed on the Operations per
hard disk. second
I/Os per process The total data input and output of each process. IO per second
SQL queries The number of SQL queries made by the system. Queries per second
Threads The number of threads executed by the system. Threads per second
User sessions The number of users connected. Connections count
Disk usage The disk usage. Percent
Processes state The state of all the services embedded into SOLIDserver: Checked every
either OK or down. The DNS and DHCP analytics are part of minute
the processes as well.
a
The name and IP address of the appliance can be displayed next to the chart name.

Generating Statistics Reports

EfficientIP provides statistics dedicated reports. The reports on inconsistencies might be empty
if the devices configuration is correct.

1230
 Monitoring

Table 103.10. Available Statistics reports

Page Report
a
System statistics Statistics chart
Network traffic
a
Only users of the group admin can access this page.

For more details regarding the reports and their generation, refer to the section Managing Reports.

Monitoring from Session Tracking

The page Session tracking allows to display the list of the users who recently connected or are
currently connected to SOLIDserver. The user connection is checked every 300 seconds.

You can export user sessions in a CSV, HTML, XML, XLS or PDF file. For more details refer to
the chapter Exporting Data.

To track the latest user sessions

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Monitoring, click on Session tracking. The page Session tracking opens.

You can also track previous sessions on the page Session history.

To display the session history of all users

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Monitoring, click on Session tracking. The page Session tracking opens.
3. On the right-end side of the menu, click on Session history. The page Session history
opens.
4. To display the latest user sessions again, in the breadcrumb click on Session tracking.

Monitoring from User Tracking

The page User tracking allows to monitor user events, all the operations carried out by every
user. Note that:
• You can track all operations and the user who performed them using the page columns, as
detailed in the section Tracking User Operations.
• You can grant full access to the page to any group of users, as detailed in the section Allowing
Users to Display All the Operations Performed.
• You can display user operations on the page Syslog via a dedicated registry database entry,
as detailed in the section Sending a Copy of User Operations to Syslog.
• You can cancel IP address and alias deletions. For more details, refer to the section Cancelling
Deletions of the chapter Managing IP Addresses.
• You can forward user events via a dedicated rule. For more details, refer to the section For-
warding Events.

1231
 Monitoring

Tracking User Operations

The columns on the page User tracking allow to track user operations and display specific object
additions, editions, deletions... and the user who performed them.

To track user operations

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Monitoring, click on User tracking. The page User tracking opens.
3. Filter the list to look for specific operations via the search engine of the column of your choice:
a. In the column Date, you can specify a date and time or double-click to use the filter
constructor.
b. In the column Service, you can specify an operation and/or object. The column returns
services formatted as follows: <operation>: <object-concerned>. For instance, Add:
spaces.
The list of all existing services is available on the page Rights of each group of users.
For more details, refer to the section Managing the Rights of a Group of Users of the
chapter Managing Groups.
c. In the column User, you can specify a user login to only display the operations they
performed.
d. In the column Description, you can specify information on the object the service was
performed on. Depending in the object, the information can be a name, IP or MAC ad-
dress, a parent object name... or even class parameters.
To display all the class parameters details, at the end of the description, click on the
link Class Parameters to displayed them. Note that hovering over the link displays the
details in a pop-up window.
4. Click on REFRESH to display the corresponding user(s).

Allowing Users to Display All the Operations Performed

By default, any user can access the page User Tracking and see all the changes they performed.

Administrators can grant user access to see the changes performed by all the users, including
ipmadmin, if their group of users has the permission User Tracking Display: changes from all the
users.

To grant access to all the changes performed on the appliance to a group of users
Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the sidebar, go to Users, Groups & Rights > Groups. The page Groups opens.
3. At the end of the line of the group of your choice, click on . The properties page opens.
4. In the panel Administration, click on EDIT . The wizard Edit group rights opens.
5. The Unauthorized services list displays the services that are not granted to the group.
Select User Tracking Display: changes from all the users and click on . The service is
moved to the list Authorized services.
6. Click on OK to complete the operation. The report opens and closes. The page refreshes.
In the panel, the list Permissions displays the service.

1232
 Monitoring

Once the permission is granted, all the users of the group can see the operations performed by
anyone who logged in SOLIDserver on the page User tracking and in the panel Audit of the
properties page of an object.

Sending a Copy of User Operations to Syslog

Using a dedicated registry key, administrators can save a copy of users operations in the file
ipmserver.log to display them on the pages User Tracking and Syslog.

To send a copy of user operations to Syslog

1. Add the registry key to enable the external storage of user operations
Only users of the group admin can perform this operation.
a. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
b. In the section Expert, click on Registry database. The page Registry database opens.
c. Filter the column Name with module.system.usertracking_use_syslog.
d. Hit Enter. Only this key is listed.
e. In the column Value, click on 0. The wizard Registry database Edit a value opens.
f. In the field Name, the key name is displayed in read-only.
g. In the field Value, delete the 0 and replace it with 1. This value means the key is enabled.
h. Click on OK to complete the operation. The report opens and closes. In the column
Value, a 1 is displayed.
2. Display the user operations in Syslog
a. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
b. In the section Monitoring, click on Syslog. The page Syslog opens.
c. In the drop-down list SOLIDserver, verify that the local appliance is selected. Only the
hostname appears with no IP address.
d. In the drop-down list Services, select ipmserver. The page refreshes.
e. In the column Log, use the filter ipmserver: . The user operations are listed as follows:
<hostname> <process_name>[<process_id>]: ipmserver: <service_name> <user_name>
<service_parameters>

Exporting User Operations

From the page User tracking, you can export the data listed in a CSV, HTML, XML, XLS or PDF
file.

Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.

Forwarding Events
It is possible to forward SOLIDserver events to an external device. Administrators can forward:
• The local user events available on the page User tracking of an appliance.
• A set of security events available on the page Syslog of a local or remote appliance.

1233
 Monitoring

Both forwarding methods rely on the rule 412, each method requires a unique configuration.

Forwarding User Tracking Events

Forwarding local user tracking events only requires to add and configure the rule 412.

On any appliance, the rule allows to specify a forwarding target and to define which events to
forward.

Before adding the rule, keep in mind that:

• The rule relies on the services executed by each user to identify the event logs. On the page
User tracking, they are returned in the column User.
• You must specify the URI of the forwarding target, it must include:
• A forwarding method, either HTTP, HyperText Transfer Protocol or Redis, REmote DIctionary
Server.
Note that via Redis, all event messages are sent to a target group, and all its members receive
the messages.
• A specific device, or host. Note that this device can impact the proper execution of the rule,
if it is not responding or returns any error, the event forwarding stops.
• You can add several instances of the rule, as long as they each forward events to different
URIs.
• You must specify a forward policy, in JSON format, that narrows down the events to forward.
We provide a few policy examples after the procedure.
The policy filter accepts module related information as follows.

Module Expected name in the filter

IPAM ip for IPv4 services
ip6 for IPv6 services
DHCP dhcp
DNS dns
Application app
NetChange iplocator
Workflow workflow
Device Manager hostdev
VLAN Manager vlm

It can also include service related filters, all services are described in the API Reference guides,
2
available on our download portal .
As SOLIDserver can generate many event logs, we recommend that you set a granular for-
warding policy. Otherwise, you may overload the target device or reduce your appliance per-
formances.
• The rule can only forward events if the external device is responding.
If the external device you configure is in timeout, the event forwarding stops.
If the external device returns an error, the event is not forwarded, the next event is forwarded
instead.

2
At https://downloads.efficientip.com/support/downloads/docs/, in the relevant version folder. Log in using your credentials. If you do
not have credentials yet, request them at www.efficientip.com/support-access.

1234
 Monitoring

Once you added the rule, you can tick it to disable it to stop forwarding events. You can enable
it again later. Note that you can monitor any forwarding errors from the page Syslog.

To add the rule 412 to forward user tracking events

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Rules. The page Rules opens.
3. In the menu, click on Add. The wizard Add a rule opens.
4. In the drop-down list Module, select Administration.
5. In the drop-down list Event, select Execution of a scheduled rule.
6. In the list Rule, select (412) Forward events.
7. In the field Rule name, name the rule. That name is then listed in the column Instance.
8. In the field Comment, you can specify a comment.
9. Click on NEXT . The page Rule filters opens. These filters define when the rule is executed.
10. Edit the rule frequency according to your needs.
By default, all the lists are empty, the rule is executed every minute.

Table 103.11. Frequency filters of the rule 412

Field Description
Day(s) of the week A day, a frequency or a period of days. This field is optional.
Date of the month A specific day of the month or every day. This field is optional.
Month A specific month or every month. This field is optional.
Hour A specific hour, a set of hours, every hour, or every hour over a specific period. The
hour respects the UTC standard. This field is optional.
Minute A moment of the hour (00, 15, 30 or 45) or a frequency. The minute respects the UTC
standard. This field is optional.

11. Click on NEXT . The page Rule parameters opens.

12. In the field Target URI, specify the URI of the device receiving the events, the relevant cre-
dentials and the forwarding method:
a. To forward events via HTTP or HTTPS, specify the URI following the format:
http[s]://[[username:]password@]host[:port][/path]
b. To forward events via Redis, specify the URI following the format:
redis[s]://[[username:]password@]host[:port][/database]
13. In the drop-down list Log level, select the severity level of the event logs to forward.

Log level Description

Default The minimum security level. Debug events, useful messages to developers for debugging,
not useful during operations. This log level is selected by default.
Warning Warning conditions. Indicates that an error is returned if no action is taken.
Info Normal operational messages - may be harvested for reporting, measuring throughput, etc
- no action required.

14. In the field Retention, specify a retention period threshold, in hours. Every event log older
than the period you specify is not forwarded.

1235
 Monitoring

15. In the field Max. number of events, you can specify the maximum number of event logs to
include in the forwarding message. If there are more events matching the Log level and
Forward policy you set, several messages are sent. By default, the field is empty.
16. In the field Forward policy, specify the events that you want to forward, in JSON format.
The policy defines the forwarding configuration and payload.
The expected format depends on the method set in the Target URI. You can find a few ex-
amples after the procedure.
a. If you forward events via HTTP or HTTPS, specify the policy following the format:
[{
"source": "user_tracking",
"filter": {
},
"method": "<HTTP VERB>",
"query": "<URI query>",
"headers": [
<list of HTTP headers>
],
"content": "<your payload>"
}]

Note that:
• Any module specified in the filter must respect the expected module name in the
policy filter.
• If you do not specify a content, all event details are forwarded, including class para-
meters.You can find these details in the column Description of the page User tracking.
b. If you forward events via Redis, specify the policy following the format:
[{
"source": "user_tracking",
"filter": {
<filters of your choice>
},
"command": "<PUBLISH|RPUSH|LPUSH> <channel>",
"content": "<your payload>"
}]

Note that:
• Any module specified in the filter must respect the expected module name in the
policy filter.
• If you do not specify a content, all event details are forwarded, including class para-
meters.You can find these details in the column Description of the page User tracking.

17. Click on OK to complete the operation. The report opens and closes. The rule is listed.

Here below are some Forward policy examples dedicated to addition, edition and deletion events,
via HTTP(S) and Redis.
Example of a Forward policy for DNS addition events via HTTP(S)
[{
"source": "user_tracking",
"filter": {
"Event_Type": "ADD",
"Event_Name": "dns.*"
},
"method": "POST",
"headers": [
{"Content-Type": "application/json"},
}]

1236
 Monitoring

Example of a Forward policy for DNS server edition events via HTTP(S)
[{
"source": "user_tracking",
"filter": {
"Event_Type": "EDIT",
"Event_Name": "dns_.*"
},
"method": "POST",
"headers": [
{"Content-Type": "application/json"},
{"Custom-Header": "<your-forwarded-log-header>"}],
"content":"{\"ACTION\":${event_type},\"DNS SERVER NAME\":${params[dns_name]}"
}

All DNS editions events are analyzed, but with this content the forwarded message only in-
cludes the name of the DNS server.
Example of a Forward policy for DNS zone deletion events via HTTP(S)
[{
"source": "user_tracking",
"filter": {
"Event_Type": "DELETE",
"Event_Name": "^dns_zone.*"
},
"method": "POST",
"headers": [
{"Content-Type": "application/json"},
}]

Example of a formatted Forward policy for all DNS record event types via HTTP(S)
[{
"source": "user_tracking",
"filter": {
"Event_Type": ".*",
"Event_Name": "dns_rr_.*"
},
"method": "POST",
"headers": [{
"Content-Type": "application/json"
}],
"content": "{\"RR event\": \"$raw{usr_login} $raw{event_type} RR
$raw{params[rr_full_name_utf]} $raw{params[rr_type]} $raw{params[value1]} \" }"
}]

Example of a Forward policy for IPv4 addition events via Redis

[{
"source": "user_tracking",
"filter": {
"Event_Type": "ADD",
"Event_Name": "ip_.*"
},
"command": "PUBLISH 2"
}]

Example of a Forward policy for IPv4 edition events via Redis

[{
"source": "user_tracking",
"filter": {
"Event_Type": "EDIT",
"Event_Name": "ip_.*"
},

1237
 Monitoring

"command": "PUBLISH 2"

}]

Example of a Forward policy for IPv6 block-type network and space deletion events via
Redis
[{
"source": "user_tracking",
"filter": {
"Event_Type": "DELETE",
"Event_Name": "ip6.*"
},
"command": "PUBLISH 2",
"content":"{\"ACTION\":${event_type},\"BLOCK NAME\":${params[subnet6_name]},\"SPACE
NAME\":${params[site_name]}"
}]

All IPv6 block-type networks deletion events are analyzed, but with this content the forwarded
message only includes the name of deleted block-type networks and spaces.
Example of a formatted Forward policy for all DNS record event types via Redis
[{
"source": "user_tracking",
"filter": {
"Event_Type": ".*",
"Event_Name": "dns_rr_.*"
},
"command": "PUBLISH 2",
"content":"{\"RR event\": \"$raw{usr_login} $raw{event_type} RR
$raw{params[rr_full_name_utf]} $raw{params[rr_type]} $raw{params[value1]} \" }"

}]

Forwarding Security Events

Forwarding security events requires to:
1. Prepare the appliance(s). Each appliance must enable the collection of security events.
2. Configure the forwarding, the policy of the rule 412 must take into account security events.

Unlike the forwarding of user tracking events, security events can be forwarded from local and/or
remote appliances.

The procedures below depend on each appliance role, available on the page Centralized Man-
agement:
• Standalone appliances are not managing or managed by another appliance.
• Management appliances remotely manage other appliances.
• Master appliances manage a Hot Standby appliance in a High Availability configuration

For more details, refer to the chapter Centralized Management.

Preparing the Forwarding of Security Events

Before forwarding security events to an external device, you must:
1. Make sure the service Event watcher is enabled and running.
2. Enable the collection of security events.
3. Make sure the rule 421, that collects security events, is enabled and properly configured.

If either is not enabled, the appliance security events cannot be forwarded.

1238
 Monitoring

Making Sure the Service Event watcher is Running

The service Event watcher is dedicated to security events and must be running to forward any
security event. Note that:
• Event watcher must be running to forward any security event logs.
• Event watcher receives the following security events:
• DNS Response Rate Limiting (RRL) messages.
• RPZ client IP, FQDN and/or zone matches.
• Guardian switch to and from rescue mode, trigger arming/disarming events and quarantine
actions.
• Application nodes status change, the status returned after the health check.
• Authentication log messages. By default, failed authentications are logged, but successful
authentications can also be logged. For more details, refer to the section Monitoring Success-
ful Authentications.
The service can only receive events if the event collection is enabled on the appliance.
• If you manage remote appliances, the service must be enabled on all appliances.

To make sure the service Event watcher is running

Only users of the group admin can perform this operation.
1. Connect to a Standalone, Master or Management appliance.
2. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
3. In the section System, click on Services configuration. The page Services configuration
opens.
4. In the drop-down list SOLIDserver, select the appliance of your choice. The page refreshes.
5. At the bottom of the column Name, make sure the service Event watcher is Started, Enabled
and OK.
6. If you connected to a Master or Management appliance, repeat the steps 4 and 5 for all rel-
evant appliances.

Enabling the Security Events Collection

Once you ensured the service Event watcher is running, you must enable the collection of security
events on all appliances. Note that:
• The event collection must be enabled on each appliance. It can only be enabled if the appliances
are up and running.
• If the event collection is disabled, no security event logs are sent to the service Event watcher.
• Enabling or disabling the event collection restarts Syslog. For about a minute, until it starts
again, no logs are retrieved.

To enable the collection of security events

Only users of the group admin can perform this operation.
1. Connect to a Standalone, Master or Management appliance.
2. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
3. In the section System, click on Centralized Management. The page Centralized Manage-
ment opens.
4. If you connected to a Standalone appliance, look at the column Status.
If it is Not configured, you must configure the appliance:

1239
 Monitoring

a. In the menu, select Tools > Configure local SOLIDserver. The wizard Configure
local SOLIDserver opens.
b. In the drop-down list SOLIDserver IP address, select the IP address of the appliance.
c. Click on OK to complete the operation. The report opens and closes. On the page
Centralized Management, the local appliance details are now complete. Its Role is
Standalone and its Status OK.
5. Tick the appliance(s) of your choice.
If you connected to a Standalone appliance, you must tick your local appliance.
If you connected to a Master appliance, you can select the Master appliance and/or the Hot
Standby appliance.
If you connected to a Management appliance, you can select the local appliance and/or any
remote appliance.
6. In the menu, select Tools > Security events collection > Enable. The wizard Enable
security events collection opens.
7. Click on OK to complete the operation.

Making Sure the Rule 421 is Properly Configured

Once you ensured that both the service and collection are enabled on all relevant appliances,
you must make sure the rule 421 suits your needs. Note that:
• By default, the rule is enabled. It retrieves the latest security event logs every minute, you can
edit its retrieval frequency.
• The rule only needs to be set on Standalone, Master and Management appliances.
You do not need to configure it on remote appliances. It automatically retrieves the security
events of all the appliances of the page Centralized Management for which you enabled the
collection of events.
On Standalone appliances, it retrieves only local events.
On Master and Management appliances, it retrieves the local and/or remote appliance events.
• If you disable this rule, no security events can be forwarded.

To edit the retrieval frequency of the rule 421 that collects security events
Only users of the group admin can perform this operation.
1. Connect to a Standalone, Master or Management appliance.
2. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
3. In the section Expert, click on Rules. The page Rules opens.
4. In the column Rule #, type in 421 and hit Enter. The rule is the only one listed.
5. In the column Status, make sure the rule is OK, it means that it is enabled.
6. Right-click over the rule Description, the contextual menu opens.
7. Click in Edit. The wizard Edit a rule opens.
8. Click on NEXT . The page Rule filters opens. These filters define when the rule is executed.
9. Edit the rule frequency according to your needs.
By default, all the lists are empty, the rule is executed every minute.

Table 103.12. Frequency filters of the rule 421

Field Description
Day(s) of the week A day, a frequency or a period of days. This field is optional.

1240
 Monitoring

Field Description
Date of the month A specific day of the month or every day. This field is optional.
Month A specific month or every month. This field is optional.
Hour A specific hour, a set of hours, every hour, or every hour over a specific period. The
hour respects the UTC standard. This field is optional.
Minute A moment of the hour (00, 15, 30 or 45) or a frequency. The minute respects the UTC
standard. This field is optional.

10. Click on OK to complete the operation. The report opens and closes. The rule Filter is up-
dated.

Configuring the Forwarding Rule

Forwarding security events to an external device also relies on the rule 412.

Before adding the rule, keep in mind that:

• The rule can only forward the security events of the appliances you properly configured. For
more details, refer to the section Preparing the Forwarding of Security Events.
• The rule forwards the security events of all the appliances for which you enabled the security
events collection. You must add it on the Standalone, Master or Management appliance.
• You must specify the URI of the forwarding target, it must include:
• A forwarding method, either HTTP, HyperText Transfer Protocol or Redis, REmote DIctionary
Server.
Note that via Redis, all event messages are sent to a target group, and all its members receive
the messages.
• A specific device, or host. Note that this device can impact the proper execution of the rule,
if it is not responding or returns any error, the event forwarding stops.
• You can add several instances of the rule, as long as they each forward events to different
URIs.
• You must specify a forward policy, in JSON format, that narrows down the events to forward.
The source security_events identifies the events received by the service Event watcher.
• The rule can only forward events if the external device is responding.
If the external device you configure is in timeout, the event forwarding stops.
If the external device returns an error, the event is not forwarded, the next event is forwarded
instead.

Once you added the rule, you can tick it to disable it to stop forwarding events. You can enable
it again later. Note that you can monitor any forwarding errors from the page Syslog.

To add the rule 412 to forward security events

Only users of the group admin can perform this operation.
1. Connect to the Standalone, Master or Management appliance you prepared.
2. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
3. In the section Expert, click on Rules. The page Rules opens.
4. In the menu, click on Add. The wizard Add a rule opens.
5. In the drop-down list Module, select Administration.
6. In the drop-down list Event, select Execution of a scheduled rule.
7. In the list Rule, select (412) Forward events.

1241
 Monitoring

8. In the field Rule name, name the rule. That name is then listed in the column Instance.
9. In the field Comment, you can specify a comment.
10. Click on NEXT . The page Rule filters opens. These filters define when the rule is executed.
11. Edit the rule frequency according to your needs.
By default, all the lists are empty, the rule is executed every minute.

Table 103.13. Frequency filters of the rule 412

Field Description
Day(s) of the week A day, a frequency or a period of days. This field is optional.
Date of the month A specific day of the month or every day. This field is optional.
Month A specific month or every month. This field is optional.
Hour A specific hour, a set of hours, every hour, or every hour over a specific period. The
hour respects the UTC standard. This field is optional.
Minute A moment of the hour (00, 15, 30 or 45) or a frequency. The minute respects the UTC
standard. This field is optional.

12. Click on NEXT . The page Rule parameters opens.

13. In the field Target URI, specify the URI of the device receiving the events, the relevant cre-
dentials and the forwarding method:
a. To forward events via HTTP or HTTPS, specify the URI following the format:
http[s]://[[username:]password@]host[:port][/path]
b. To forward events via Redis, specify the URI following the format:
redis[s]://[[username:]password@]host[:port][/database]
14. In the drop-down list Log level, select the severity level of the event logs to forward.

Log level Description

Default The minimum security level. Debug events, useful messages to developers for debugging,
not useful during operations. This log level is selected by default.
Warning Warning conditions. Indicates that an error is returned if no action is taken.
Info Normal operational messages - may be harvested for reporting, measuring throughput, etc
- no action required.

15. In the field Retention, specify a retention period threshold, in hours. Every event log older
than the period you specify is not forwarded.
16. In the field Max. number of events, you can specify the maximum number of event logs to
include in the forwarding message. If there are more events matching the Log level and
Forward policy you set, several messages are sent. By default, the field is empty.
17. In the field Forward policy, specify the security events that you want to forward, in JSON
format. The policy defines the forwarding configuration and payload.
The expected format depends on the method set in the Target URI.
a. To forward security events via HTTP or HTTPS, specify the policy following the format:
[{
"source": "security_events",
"filter": {
"Event_Type": "sshd.*",
"Event_Name": ".*"
},
"method": "POST",
"headers": [
{"Content-Type": "application/json"},

1242
 Monitoring

{"Custom-Header": "<your-forwarded-log-header>"}],
"content":"{\"<custom-name1>\":${<variable>},\"<custom-name2>\":${<variable>}"
}]

where:
• security_events indicates that only security events are forwarded. If the appliance
is not properly configured, no events are forwarded.
• Event_Type can contain a process or a keyword matching any Event watcher log
received.
• content is the policy payload, it is optional. If you include a payload, it can contain
one or several log variables separated by , (a comma).
Each <variable> can be preceded by the text of your choice a <custom-name>.
The accepted variables are:

Table 103.14. Security events forwarding available variables in the payload

Variable Description
event_time The log event timestamp, in UTC format.
event_name The name of the process or appliance providing the log event.
event_params The parameters of the event logged, it depends on the process.
event_origin The IP address of the appliance sending the log event.
raw_event The message received by Event watcher for each log event , without any date.

b. To forward security events via Redis, specify the policy following the format:
[{
"source": "security_events",
"filter": {
"Event_Type": ".*",
"Event_Name": ".*"
},
"command": "PUBLISH 1"
"content":"{\"<custom-name1>\":${<variable>},\"<custom-name2>\":${<variable>}"
}]

The Forward policy configuration [1243] is detailed in the previous step.

18. Click on OK to complete the operation. The report opens and closes. The rule is listed.
The forwarding of security events may take a few minutes.

Managing SNMP Profiles

SNMP profiles are used to collect SNMP data from remote hosts or devices running an SNMP
or proxy SNMP agent, or to monitor the statistics of your DHCP and DNS servers via SNMP.

These profiles can only be used if, on the page Services configuration, the service SNMP server
is configured and enabled. For more details, refer to sections Handling Services and Configuring
the SNMP Server.

By default, the profiles standard v1, standard v2c and standard v3 are available. To edit them,
refer to the section Editing an SNMP Profile.

Adding an SNMP Profile

Administrators can add SNMP profiles, instead of using or in addition to the 3 default profiles.

1243
 Monitoring

To add an SNMP profile

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Network devices & SNMP profiles. The
page Network devices & SNMP profiles opens.
3. In the panel SNMP profiles configuration, click on ADD . The wizard Add an SNMP profile
opens.
4. In the field SNMP profile name, name the profile.
5. In the field Description, you can specify a description.
6. In the drop-down list SNMP version, select v1, v2c or v3.
7. Click on NEXT . The next page opens.
8. If you selected the version v1 or v2c:
a. In the field Read community, specify the read-only community string that would act as
a password for this profile reading requests.
b. In the field Write community, you can specify a write community string that would act
as a password for this profile reading and writing requests.
9. If you selected the version v3, configure the Read access parameters and Write access
parameters:

Table 103.15. SNMP v3 profiles access parameters

Field Description
User name The name of an existing user on the device(s) using the profile.
For the Read access parameters, this field is required.
Authentication key A key to ensure the authentication of the source.
For the Read access parameters, this field is required.
Authentication The cryptographic hash function used for authentication, either MD5, SHA1, SHA224,
SHA256, SHA384, SHA512 or None.
For the Read access parameters, this field is required.
Privacy key The encryption key to prevent snooping from unauthorized sources. This field is op-
tional.
Privacy The encryption type, either DES, AES or None. This field is optional.

10. Click on OK to complete the operation. The profile is listed in the panel.

Editing an SNMP Profile

Administrators can edit any SNMP profile, including standard v1, standard v2c and standard v3
available by default.

To edit an SNMP profile

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Network devices & SNMP profiles. The
page Network devices & SNMP profiles opens.
3. In the panel SNMP profiles configuration, select the profile of your choice.
4. Click on EDIT . The wizard Edit an SNMP profile opens.
5. In the field SNMP profile name, the profile name is displayed, you cannot edit it.

1244
 Monitoring

6. In the field Description, you can edit the description.

7. In the drop-down list SNMP version, you can change the version.
8. Click on NEXT . The next page opens.
9. For profiles in version v1 or v2c, edit the fields Read community and/or Write community
according to your needs. For more details, refer to the procedure To add an SNMP profile.
Note that by default the profiles standard v1 and standard v2 are set with the Read community
public and the Write community private.
10. For profiles in version v3, edit the Read access parameters and Write access parameters
according to your needs. For more details, refer to the procedure To add an SNMP profile.
Note that by default the profile standard v3 is set with the User name default_ipm_user, the
Authentication key default_auth_key, the Authentication MD5 and the Privacy DES.
11. Click on OK to complete the operation. The page refreshes.

Deleting an SNMP Profile

Administrators can delete any SNMP profile, unless they are currently used.

To delete an SNMP profile

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Network devices & SNMP profiles. The
page Network devices & SNMP profiles opens.
3. In the panel SNMP profiles configuration, select the profile of your choice.
4. Click on DELETE . The wizard Delete opens.
5. Click on OK to complete the operation. The profile is no longer listed.

Monitoring Using SNMP

SNMP monitoring allows to supervise SOLIDserver components and processes to ensure they
meet the expected performance and availability.

Combined with an effective alerting system, it allows to gather and store metrics about key system
health indicators to analyze and correlate information. Based on that data, you can intervene in
case of malfunction, define alert triggers and set up automatic actions that prevent an overall
failure of the system.
3
You can monitor these metrics through an external solution such as Nagios as well as some
related plug-ins.

Keep in mind that:

• You need an Internet connection and credentials to access the files *.mib on our download
4
portal .
• Each monitored SOLIDserver should be configured to allow the SNMP collector, which must
use SNMP v2c or v3, to retrieve the SNMP information.

Once your system is properly configured, you can set various SNMP alerts on SOLIDserver objects
to be notified of any unusual behavior. For more details, refer to the chapter Managing Alerts.
3
https://www.nagios.org
4
At https://downloads.efficientip.com/support/downloads/MIBs/, log in using your credentials. If you do not have credentials yet, request
them at www.efficientip.com/support-access.

1245
 Monitoring

For more details regarding the available metrics, refer to the appendix SNMP Metrics.

Displaying Netstat Data

SOLIDserver provides a page listing Netstat data. This tool allows to display the open TCP and
UDP ports to monitor active connections on the management appliance.

To access the page Netstat

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Monitoring, click on Netstat. The page Netstat opens.

This page contains several columns:

Table 103.16. Netstat columns

Column Description
Protocol The protocol name, TCP or UDP.
Local address The local appliance IP addresses. That is to say any IP addresses configured for your
physical interfaces - for more details, refer to the chapter Configuring the Network - and
the loopback IP address.
Local port The number of the local appliance port through which the connection is made. If the port
is not yet established, an asterisk (*) is displayed.
Foreign address The IP address and port number of the remote computer to which the socket is connected.
Foreign port The number of the remote appliance port through which the connection is made. If the
port is not yet established, an asterisk (*) is displayed.
State The state of the TCP connection.
LISTEN. The socket is listening for incoming connections.
ESTABLISHED. The socket has an established connection.
SYN_SENT. The socket is actively trying to establish a connection.
TIME_WAIT. The socket is waiting after close to handle packets still in the network.

Sizing the Database Tables

SOLIDserver provides a page that lists the size of all the tables in the database. This list gives
you all the information in one glance as it includes the Table name, Total size (including the in-
dex), Table size and Tuple size columns to even provide you with the size of the data and tuples
they contain.

To access the page Database tables size

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Database tables size. The page Database tables size opens.

Vacuuming the Database

SOLIDserver embeds a database maintenance task in the rule 180. Enabled by default, this rule
is configured to vacuum the database every night at 4 a.m, on other words, it defragments the
databases and reclaims storage occupied by dead tuples to increase performances of the pro-
cesses related to users queries.

1246
 Monitoring

Users of the group admin can edit the rule to change the database vacuuming frequency. You
should only edit this rule if a member of an EfficientIP technical team specifically asked
for it.

To edit the rule 180 that defragments SOLIDserver database

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Rules. The page Rules opens.
3. In the column Rule #, type in 180 and hit Enter. The rule is the only one listed.
4. At the end of the rule line, click on . The properties page opens.
5. In the panel Main properties, click on EDIT .
6. In the fields Module, Event, Rule and Description are details the rule properties.
7. In the field Rule name, you can edit the name of the rule. It is displayed in the column Instance
on the page Rules.
8. In the field Comment, you specify a comment if you want.
9. Click on NEXT . The page Rule filters opens.
Set the schedule parameters:

Table 103.17. Scheduled rules parameters

Field Description
Day(s) of the week A day, a frequency or a period of days. This field is optional.
Date of the month A specific day of the month or every day. This field is optional.
Month A specific month or every month. This field is optional.
Hour A specific hour, a set of hours, every hour, or every hour over a specific period. The
hour respects the UTC standard. By default, 04 is selected. This field is optional.
Minute A moment of the hour (00, 15, 30 or 45) or a frequency. The minute respects the UTC
standard. By default, 00 is selected. This field is optional.

10. Click on NEXT . The page Rule parameters opens.

11. In the field Max. wasted space (MB), specify the maximum size of wasted space beyond
which a database table is vacuumed. By default, it is set to 200.
12. Click on OK to complete the operation. The report opens and closes. The changes are dis-
played.

1247
Chapter 104. Maintenance
SOLIDserver needs to be properly maintained over time to run smoothly and reach its maximum
performance. This chapter details the pages and options that allow administrators to manage
local files, troubleshoot SOLIDserver or even enable the Maintenance mode.

This chapter gathers the following maintenance possibilities:

• Managing Files from the Local Files Listing.
• Using the Maintenance mode.
• Updating the Macros and Rules.
• Clearing the Appliance Cache.
• Troubleshooting.
• Managing Backups and Restoring Configurations.
• Shutting Down and Rebooting.

Managing Files from the Local Files Listing

The page Local files listing allows users of the group admin to manage all types of files uploaded
or stored locally on the appliance.

All the files are separated among 6 subpages: Local, TFTP, Logs, Config files, Custom images
and Custom WSDL. From each of these pages, you can upload, download and delete local files.
For more details, refer to the section Managing Local Files below.

Browsing the Local Files Listing Database

From the page Local Files Listing, you can display any local files subpage that suits your needs.

To display the pages of the Local Files listing

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Maintenance, click on Local files listing. The page Local files listing opens.
3. Under the menu, tick the radio button Local, TFTP, Logs, Config files, Custom images
or Custom WSDL. The page opens. By default, the list Local is displayed.

All subpages, except Custom WSDL, share a common set of columns but contains specific files.

Table 104.1. Columns on the page Local files listing

Column Description
Name The entry name and extension if relevant. It is underlined as you can display a directory content
or download a file.
Type Indicates if the entry listed in a File or Directory.
Mode The entry permissions.
Owner The entry owner i.e. the user logged when the entry was generated.
Group The file or directory group.
Size The file or directory size in B, kB or MB.
Last Modified The month, day, date and time of the last update of the entry or its upload date.

1248
 Maintenance

The Page Local

It displays all the files stored locally in the appliance, including:
• The scheduled exports configured from any page of the GUI where the menu Report > Export
is available. Their extension depends on the chosen export file: .csv, .html, .xml, .xls or .pdf.
For more details, refer to the chapter Exporting Data.
• The reports generated from the GUI. Their extension depend on the chosen file format: either
.html or .pdf.
• The file sysaudit.log that stores in real time all the appliance system information (memory
use, partition, netstats, etc). To download this file, refer to the section Downloading Files below.
• The network devices captures. The captures extension is .pcap. For more details, refer to
the section Making a Network Device Snapshot.
• The corrupted configuration files that triggered a Locked synchronization. For more details,
refer to the DNS section Handling the Status Locked Synchronization or the DHCP section
Handling the Status Locked Synchronization.
• The troubleshooting dump files generated from the Administration homepage. For more
details, refer to the section Troubleshooting Dump.

The Page TFTP

This list displays all the files uploaded locally, available for download, and the files uploaded re-
motely via TFTP. For more details, refer to the section Managing the TFTP Upload Authorizations.

The Page Logs

It displays all the appliance log files in alphabetical order. To browse their content, go to the page
Syslog. For more details, refer to the section Syslog.

The Page Config files

It displays all the servers configuration files generated from the Services configuration page. For
more details, refer to the section Downloading a DNS or DHCP Configuration File.

The Page Custom images

It displays all the images that you uploaded to customize SOLIDserver login page and home
page Welcome banner. For more details, refer to the section Uploading an Image.

The Page Custom WSDL

It displays all the WSDL files available for web services management via SOAP on the appliance.
The page contains a specific set of columns:

Table 104.2. Custom WSDL Columns

Column Description
Name The name of the WSDL file.
Endpoint The Endpoint of the WSDL file.
Creation date The time and date when the WSDL file was added.
Dump date The time and date when the WSDL file was dumped on the page Custom WSDL.
Status The status of the WSDL file, either Dumped, Modified since dump, IP doesn't exist or Dumping
in progress.

1249
 Maintenance

Clicking on a WSDL file allows to display all the services it contains. For more details, refer to
the section Managing WSDL Files.

Managing Local Files

From all the pages of the Local Files Listing you can download and delete files. You can only
upload files from the pages Local, TFTP and Custom images.

The page Custom WSDL contains a set of specific options detailed in the section Managing
WSDL Files.

Uploading Files
From the pages Local, TFTP and Custom images you can upload files. This upload updates the
appliance local database from the GUI.

To upload a file to the page Local files listing

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Maintenance, click on Local files listing. The page Local files listing opens.
3. Under the menu, tick the radio button Local, TFTP or Custom images. The page opens.
4. In the menu, select Tools > Upload file. The wizard Import a file opens.
5. Click on BROWSE to select the file to upload from your local file system.
6. Click on OK to complete the operation. The report opens and closes. The file can be down-
loaded from the page Local files listing available from the page Admin Home.

Downloading Files
Any file listed on the Local Files Listing can be downloaded to your local computer from the GUI.

To download a file from the page Local files listing

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Maintenance, click on Local files listing. The page Local files listing opens.
3. Under the menu, tick the radio button of your choice. The page opens.
4. Click on the Name of the file of your choice to download it.

Deleting Files
From any page of the Local files Listing you can delete files from the appliance local database.

To delete a file from the page Local files listing

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Maintenance, click on Local files listing. The page Local files listing opens.
3. Under the menu, tick the radio button of your choice. The page opens.
4. Tick the file(s) of your choice.
5. In the menu, select Edit > Delete file(s). The wizard Delete file opens.

1250
 Maintenance

6. Click on OK to complete the operation. The report opens and closes. The file is no longer
listed.

Managing WSDL Files

You can rely on Web Services Description Language (WSDL) files to execute services via SOAP.

By default a full WSDL file including all the services is available (https://<ip_address>/inter-
faces/wsdl_eip_full.wsdl). Keep in mind that using wsdl_eip_full.wsdl drastically reduces the
performances of the application you develop because it parses all SOLIDserver services one
after the other every time you use it. Therefore, we recommend creating your own files to only
contain the information relevant to the required services.

You can add, edit, dump and delete WSDL files from the page Custom WSDL of the Local files
listing.

Adding a Custom WSDL File

You can add as many WSDL files as you need. Each file can contain as many services as you
need. The addition wizard provides an auto-completion field that recognizes all services name.
Once added:
• WSDL files are automatically dumped, you can call the services listed in the WSDL file no
matter what programming language you use.
• WSDL files are saved in the format <WSDL-file-name>.wsdl in the local directory custom_wsdl
accessible at https://<SOLIDserver-ip-address>/interfaces/custom_wsdl/ .
• You must include the files location in your source code to call the services they contain, and
preferably make sure to copy and store your custom files locally on the SOAP client to reduce
the latency of instantiating the SOAP object.

To add a custom WSDL file through SOLIDserver GUI

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Maintenance, click on Local files listing. The page Local files listing opens.
3. Above the menu, tick the radio button Custom WSDL. The page opens.
4. In the menu, click on Add. The wizard Add a custom WSDL file opens.
5. In the field WSDL file name, name the file without extension, it is automatically in the format
<file-name>.wsdl .
6. In the drop-down list WSDL EndPoint, select Hostname or one of the IP addresses set on
the appliance Network configuration.
7. In the field Service name, specify the first letters of a service. The auto-completion provides
a list of all the services matching what you specified.
8. Select the service of your choice and click on ADD . The service name is moved to the list
Selected services. Repeat these actions for as many services as you want.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the field(s)
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .

1251
 Maintenance

9. Click on OK to complete the operation. The report opens and closes. The file is listed on the
page and saved in the directory custom_wsdl. To display the list of services it contains refer
to the next procedure.
10. To use the services listed in the WSDL file, you must integrate the file location to your source
code using its absolute address within SOLIDserver database: https://<ip_address>/inter-
faces/custom_wsdl/<your-WSDL-file-name>.wsdl.

The services that you configured in the file are all listed on a dedicated page.

To display the content of a WSDL file

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Maintenance, click on Local files listing. The page Local files listing opens.
3. Above the menu, tick the radio button Custom WSDL. The page opens.
4. Click on the name of the WSDL file of your choice. A new radio button appears above the
list, for the page Content of the WSDL file: <selected-file>. The column Service name
displays all the services that the file contains.
5. To go back, above the list tick the radio button Custom WSDL. The page opens.

Editing and Dumping a Custom WSDL File

You can edit the content of a WSDL file, that is to say add services, remove services and/or
change its Endpoint. Keep in mind that editing a WSDL file requires dumping it again.

Adding Services to an Existing Custom WSDL File

You can add as many services as you want to an existing custom WSDL file. Once edited, you
must dump the WSDL file to take into account the changes.

To add services to a custom WSDL file

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Maintenance, click on Local files listing. The page Local files listing opens.
3. Above the menu, tick the radio button Custom WSDL. The page opens.
4. Click on the name of the WSDL file of your choice. A new radio button appears above the
list, for the page Content of the WSDL file: <selected-file>. The column Service name
displays all the services that the file contains.
5. In the menu, click on Add. The wizard Add a service opens.
6. In the field Service name, specify the first letters of a service. The auto-completion provides
a list of all the services matching what you specified.
7. Select the service of your choice and click on ADD . The service name is moved to the list
Selected services. Repeat these actions for as many services as you want.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the field(s)
and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
8. If you want to dump the WSDL file upon edition:
a. Tick the box Dump WSDL file(s). The field WSDL Endpoint appears.

1252
 Maintenance

b. In the drop-down list WSDL EndPoint, you can edit the EndPoint. By default, the current
Endpoint is selected.
9. Click on OK to complete the operation. The report opens and closes. The new services are
listed. If you edited the Endpoint, its new value is visible.
If you ticked the box Dump WSDL file(s), the file Status is Dumped and can be used imme-
diately, the changes are saved.
If you did not tick the box Dump WSDL file(s), the file Status is Modified since dump and
you must dump it to take into account your changes. For more details, refer to the section
Dumping an Edited Custom WSDL File.
If you edited the Endpoint, its new value is visible.
10. To go back, above the list tick the radio button Custom WSDL. The page opens.

Removing Services from an Existing Custom WSDL File

You can remove one or several services from an existing WSDL file. Once edited, you must dump
the WSDL file to take into account the changes.

To remove services from a custom WSDL file

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Maintenance, click on Local files listing. The page Local files listing opens.
3. Above the menu, tick the radio button Custom WSDL. The page opens.
4. Click on the name of the WSDL file of your choice. A new radio button appears above the
list, for the page Content of the WSDL file: <selected-file>. The column Service name
displays all the services that the file contains.
5. Tick the service(s) of your choice.
6. In the menu, select Edit > Delete a service from a WSDL file. The wizard Delete service
opens.
7. If you want to dump the WSDL file upon edition:
a. Tick the box Dump WSDL file(s). The field WSDL Endpoint appears.
b. In the drop-down list WSDL EndPoint, you can edit the EndPoint. By default, the current
Endpoint is selected.
8. Click on OK to complete the operation. The report opens and closes. The services are no
longer listed.
If you ticked the box Dump WSDL file(s), the file Status is Dumped and can be used imme-
diately, the changes are saved.
If you did not tick the box Dump WSDL file(s), the file Status is Modified since dump and
you must dump it to take into account your changes. For more details, refer to the section
Dumping an Edited Custom WSDL File.
If you edited the Endpoint, its new value is visible.
9. To go back, above the list tick the radio button Custom WSDL. The page opens.

Dumping an Edited Custom WSDL File

If you edited a WSDL file without dumping it during the edition, you can dump its content.

To dump a custom WSDL file

Only users of the group admin can perform this operation.

1253
 Maintenance

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Maintenance, click on Local files listing. The page Local files listing opens.
3. Above the menu, tick the radio button Custom WSDL. The page opens.
4. Tick the file(s) of your choice.
5. In the menu, select Tools > Dump WSDL File(s). The wizard Dump WSDL file(s) opens.
6. If you want to change the EndPoint:
a. Tick the box Dump WSDL file(s). The field WSDL Endpoint appears.
b. In the drop-down list WSDL EndPoint, you can edit the EndPoint. By default, the current
Endpoint is selected.
7. Click on OK to complete the operation. The report opens and closes. The file(s) Status is
marked Dumped.
If you edited the Endpoint, its new value is visible.

Deleting a Custom WSDL File

You can delete a custom WSDL file to stop using it.

To delete a custom WSDL file

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Maintenance, click on Local files listing. The page Local files listing opens.
3. Above the menu, tick the radio button Custom WSDL. The page opens.
4. Tick the file(s) of your choice.
5. In the menu, select Edit > Delete file(s). The wizard Delete file opens.
6. Click on OK to complete the operation. The report opens and closes. The file is no longer
listed.

Downloading a Custom WSDL File

You can download your WSDL files, as long as you already dumped them on the page Local of
the Local files listing.

To download a custom WSDL file

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Maintenance, click on Local files listing. The page Local files listing opens.
3. Above the menu, tick the radio button Custom WSDL. The page opens.
4. Tick the file(s) of your choice.
5. Dump the file on the page Local:
a. In the menu, select Tools > Dump in Local Files Listing. The wizard opens and
closes.
b. The file is now listed in the page Local of the Local Files Listing.
6. Download the file from the page Local:
a. Above the menu, tick the radio button Local. The page opens.
b. In the list, the WSDL file is listed as follows: <WSDL-file-name>.tar .

1254
 Maintenance

c. Click on the Name of the file to download it.

Using the Maintenance mode

The Maintenance mode allows members of the group admin to work without interferences on
their infrastructures. It disconnects all non-admin users from SOLIDserver during maintenance
work, like reorganizing the network infrastructure or modifying services configuration as users
intervention may affect the administrators actions.

Keep in mind that:

• Enabling the Maintenance mode does not interrupt network services.
• In Maintenance mode, the users that do not belong to the group admin are disconnected and/or
cannot log in. Once the mode is disabled, them can connect again.
• Users of the group admin that are connected when the mode is enabled have a red banner
message is displayed on every page of SOLIDserver to inform them that the mode is on.

To enable/disable the Maintenance mode

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Maintenance, click on Maintenance Mode. The wizard Enable/Disable
Maintenance mode opens.
3. Click on OK to complete the operation. The report opens and closes.

Updating the Macros and Rules

When you add new macros and rules, usually for customization purposes, SOLIDserver must to
take into account the files that describe them. Therefore, users of the group admin might have
to register the new macros and rules into the system. This operation is usually supervised by the
EfficientIP support team.

To update the macros and rules

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Register new macros & rules. The wizard Register all the
latest macros and rules opens.
3. Click on OK to complete the operation. The report opens and closes.

Clearing the Appliance Cache

In case of changes in SOLIDserver code, for instance when a hotfix was provided, users of the
group admin may have to reload the file system cache. This operation is usually supervised by
the EfficientIP support team.

To clear SOLIDserver's cache

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Clear SOLIDserver cache. The wizard Clear SOLIDserver
cache opens.

1255
 Maintenance

3. Click on OK to complete the operation. The report opens and closes. Any internal modification
of the code has been taken into account.

Troubleshooting
Troubleshooting is a logical and systematic search for the source of a problem. It is needed to
develop and maintain complex systems where symptoms can have many possible causes.

Before Troubleshooting
There is set of simple checks that might help you avoid troubleshooting. These checks are often
overlooked in times of functional problems when they should be an administrator reflex.
1. Make sure that the appliance and the objects it manages are set at the same time. If they
are not, set the appliance time.
Typically, if your appliances and the servers it manages are not the same time, you can en-
counter management problems: the DHCP should be the first impacted with the leases and
then the DNS, especially if you set time check keys for the zones. We recommend that you
configure NTP servers on the appliance as detailed in the section Configuring NTP Servers.
Besides, we strongly advise against setting the time through CLI because it might make
SOLIDserver crash, disrupt your services, trigger errors in the logs, etc. If you do it anyway,
restart SOLIDserver to make sure that all the services impacted by the time change are restarted
and all set at the same time.
2. Make sure there is no Multi-Management of your DNS and DHCP physical servers.
Through the smart architectures, you can manage the servers of your choice so make sure
you did not add and manage twice the same server in two different smart architectures. Every
minute the smart architecture checks that its configuration is pushed to the physical server, if
not it pushes it again. So if one physical server is managed through two different architectures
every minute a configuration is pushed and then overwritten by the other smart architecture.

Troubleshooting Guidelines
Determining what might be the causes of a dysfunction is often a process of elimination.
Troubleshooting also requires confirmation that the solution restores the system to its working
state.

The following guidelines give a generic overview of troubleshooting, and since each case is dif-
ferent, you might need to vary your approach to the problem.

How to troubleshoot your system

1. Confirm the presence of a backup in case of service interruption. You might need the
backup file to restore the previous stable version of your system. However, restoration
overwrites the changes made between the time of the backup and the time of the crash, so
this would be the very last resort. For more details, refer to the section Managing Backups
and Restoring Configurations.
2. Isolate the malfunctioning behavior to pinpoint what services or components are affected.
3. Inspect the status indicators that can highlight a dysfunction.
4. Inspect connections to any attached devices and check their power sources.
5. Review the network and services configuration. For more details, refer to the part Con-
figuring SOLIDserver.

1256
 Maintenance

6. Check if the issue is not due to the customer background, i.e. the customer's use of the
services, operating system, network topology components and levels of software that were
running when the incident occurred.
7. Check the product logs. Do not hesitate to check the DNS logs, DHCP logs, PostgreSQL
logs, the management logs as well as the system logs. For more details, refer to the section
Syslog.
8. Check the system logs. Do not hesitate to check the sysaudit.log file, available on the
Local Files Listing page. For more details, refer to the section Managing Files from the Local
Files Listing.
9. Use the troubleshooting tools described in the section below.
10. Check for any improvement until the complete restoration of the system after every
step in the troubleshooting process.

If the problem remains, do not hesitate to contact the support team with all the information you
have collected. The set of files needed include: the network capture file, the troubleshooting dump
file and the last system backup.

Troubleshooting Tools
SOLIDserver provides users of the group admin with two ways of analyzing the system in case
of a crash:
• The Network Capture, that indicates the DHCP or DNS traffic on a given duration.
• The Troubleshooting Dump, that allows to retrieve key debug information.

Both methods are complementary.

Network Capture
Performing a network capture allows to analyze DHCP and DNS traffic packets for a given period
of time, through the interface, port and via the protocol of your choice.

The retrieved data is saved in a .pcap archive file available on the page Local files listing.

To perform a network capture

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Network capture. The wizard Perform a network capture
opens.
3. In the drop-down list Predefined, you can select one of the following options.

Table 104.3. Available options in the field Predefined

Option Description
Custom Allows to scan both the DNS and DHCP traffic. Custom is selected by default.
DHCP traffic Allows to scan the DHCP traffic. The field Port is automatically filled with 67.
DNS traffic Allows to scan the DNS traffic. The field Port is automatically filled with 53.

4. In the drop-down list Interface, select the name of the network interface for which you want
to capture packets. The available interfaces depend on what is set on the page Network
configuration. For more details, refer to the chapter Configuring the Network.
5. In the field Port, you can specify or edit the port number.

1257
 Maintenance

6. In the field IP address, you can specify the IP address of your choice.
7. In the drop-down list Protocol, select either Any, udp or tcp. By default Any is selected, to
use both protocols.
8. In the drop-down list Duration, select the network capture duration, either 10s, 30s, 1mn,
2mn or 5mn.
9. Click on OK to complete the operation. The report opens and closes. The generated .pcap
file is available on the page Local files listing, accessible from the section Maintenance.

Troubleshooting Dump
The troubleshooting dump is a file containing debug data regarding DNS, DHCP and/or system,
as well as any extra file you consider relevant to troubleshoot the appliance.

Dumping troubleshooting details generates a .tbz archive file containing all the debug information.
This file is available on the page Local files listing.

To generate and download the troubleshooting dump file

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. Generate the troubleshooting dump
a. In the section Expert, click on Troubleshooting dump. The wizard Troubleshooting
dump opens.
b. Tick the information you want to include in the troubleshooting dump, Retrieve DNS
information, Retrieve DHCP information and/or Retrieve system information.
c. To include extra files, of any extension, tick the box Include extra files. The field Extra
files list appears. If you do not want to include more files, go to step e.
d. In the field Extra files list, specify the full path to the file of your choice, including the
file name. If you have several files, you must specify them on separate lines.
e. Click on OK to complete the operation. The report opens and closes.
3. Download the file
a. In the section Maintenance, click on Local files listing. The page opens.
b. Filter the column Name with the keyword DEBUG to only list troubleshooting dump files.
If a DEBUG file does not have the extension .tbz, it means it is not fully generated yet.
c. Click on the name of the file of your choice to download it.

Managing Backups and Restoring Configurations

You should regularly backup your appliance. In order to help you perform this maintenance oper-
ation, SOLIDserver includes automatic backup and version management mechanism.

The backup process can either be scheduled or triggered on demand. Note that:
• SOLIDserver automatically generates a new backup before each upgrade to allow revert-
ing back its data and configuration.
• The backup files are stored on the appliance itself, but you can also decide to store the backup
files on a remote FTP server or SFTP server. For ease of use and to prevent confusion, binaries,
system and log files are not included in the backup stored on the appliance. Still, they can be
restored separately, either when you reinstall SOLIDserver or when you update the system.

1258
 Maintenance

• You can archive backup files on a remote server, as detailed in the section Archiving the Backup
Files on an FTP or SFTP Server.
• During the restoration of DNS zones managed via a smart architecture, you can chose to keep
the latest version of the records they contain, or discard the record latest changes. For more
details, refer to the section Restoring a Backup File.

Browsing the Backup Database

The page Backup & Restore gathers all the local backup files of an appliance. On Management
appliances, you can also browse the remote appliances backup files.

To display the list of backup files

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Maintenance, click on Backup & Restore. The page Backup & Restore
opens.
3. Under the menu, in the drop-down list SOLIDserver, select the local appliance or a remote
appliance.

The page contains two panels:

Local backup files
This panel contains:
• The list of the backup files available on the appliance.
• The field Hour of backup (SOLIDserver system time): the time of the daily backup.
• The field Retention duration: the number of days beyond which a backup is automatically
deleted from the local database.
Remote archive
If the remote archiving in enabled, this panel contains the fields:
• Remote server: the address or hostname of the remote server storing the backup files.
• Remote port: the port number used on the remote server that communicates with
SOLIDserver.
• Remote directory: the directory on the remote server where the backup files are stored.
• Remote login: the login used to connect to the remote FTP server.
• Mode: the protocol and mode used to connect to the remote server, either Active FTP,
Passive FTP or SFTP.
• Log DNS: indicates if the DNS logs are included in the remote backup (yes) or not (no).
• Log DHCP: indicates if the DHCP logs are included in the remote backup (yes) or not (no).
• System Log: indicates if the System logs are included in the remote backup (yes) or not
(no).
• Retention duration: the number of days beyond which a backup is automatically deleted
from the remote server.

Creating an Instant Backup

You can create an instant backup of the whole system configuration on demand. An image of
the system is generated and stored on the appliance. Each image can be then used to store the
configuration of a SOLIDserver, which allows you to reload a previous backup in case of a revert
back procedure.

1259
 Maintenance

If you activated the database encryption on your appliance, you should download your database
keys, or at least the Active one. That way, if you need to restore the backup, you can import the
key(s) when the restoration is over. For more details, refer to the section Downloading Database
Keys in the chapter Securing.

Keep in mind that creating an instant backup during the enrollment of a Hot Standby appliance
in High Availability may trigger an error.

To create an instant backup

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Maintenance, click on Backup & Restore. The page Backup & Restore
opens.
3. Under the menu, in the drop-down list SOLIDserver, make sure your local appliance is se-
lected.
4. In the menu, select Tools > Create instant backup. The wizard Create instant backup
opens.
5. To only save the database, configuration files and certificates, and avoid generating a large
backup file, you can tick any of the following boxes:
• Exclude all the reports, i.e. all the performed operations of the window Notifications in
the top bar.
• Exclude all the files from the directory "tftpboot".
• Exclude all the files from the directory "users". By default, this box is ticked.
6. Click on OK to complete the operation. The report opens and works for a while. Once the
backup is generated, it is listed in the panel Local backup file and named solid-<hostname>-
<year><month><day>-<hour><minutes>.gz.

Once generated, you can download your backup if need be. For more details, refer to the section
Downloading a Backup File.

Editing the Backup Settings

By default, SOLIDserver is configured to generate a backup of its database and network config-
uration every night at 2 a.m. This backup process can be edited to match your own schedule, it
can run at a different hour, store the backup file for a limited time or, on the contrary, an unlimited
number of days, etc.

Editing the backup settings can maximize the disk space of your appliance if you schedule a
backup rotation, the automatic deletion of obsolete backup files.

Keep in mind, that if you activated database encryption on your appliance, you should download
your database keys, or at least the Active one. That way, if you need to restore a backup, you
can import the keys when the restoration is over. For more details, refer to the section Downloading
Database Keys in the chapter Securing.

To edit the backup settings

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Maintenance, click on Backup & Restore. The page Backup & Restore
opens.

1260
 Maintenance

3. Under the menu, in the drop-down list SOLIDserver, select the local appliance or a remote
appliance.
4. In the menu, select Edit > Local backup files. The wizard Archive backup parameters
opens.
5. In the drop-down list Hour of backup (SOLIDserver system time), select at what time you
want to generate the daily backup. By default, it set to 1:00.
6. To only save the database, configuration files and certificates, and avoid generating a large
backup file, you can tick any of the following boxes:
• Exclude all the reports, i.e. all the performed operations of the window Notifications in
the top bar.
• Exclude all the files from the directory "tftpboot".
• Exclude all the files from the directory "users". By default, this box is ticked.
7. In the drop-down list Retention, select the number of days beyond which a backup should
be automatically deleted.
8. Click on OK to complete the operation.

Archiving the Backup Files on an FTP or SFTP Server

You can archive a copy of SOLIDserver backup files on a remote server. Note that:
• You can archive backups on an FTP server or an SFTP server. We strongly recommend using
SFTP as it relies on an SSH key instead of a password, which is far more secure than FTP.
• You can configure the remote server to decide which logs to include, how many days they
should keep the backup files, and which port to use. On SFTP servers, usually the same port
than SSH is used.
• If no remote archive is configured, the panel Remote archive contains the message Remote
archive is disabled.

To configure a remote archive on FTP or SFTP

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Maintenance, click on Backup & Restore. The page Backup & Restore
opens.
3. Under the menu, in the drop-down list SOLIDserver, select the local appliance or a remote
appliance.
4. In the panel Remote archive, click on EDIT . The wizard Archive server parameters opens.
5. Tick the box Enable remote archive, the wizard refreshes and displays the remote archive
configuration parameters. By default, the box is unticked.
6. Configure the remote archive parameters according to your needs:

Table 104.4. Backup archiving parameters

Field Description
Remote server The IP address or the hostname of the FTP or SFTP server.
Remote port The port used to communicate with the server. If no port is used, the port 21 is used
for FTP and the port 22 for SFTP.
Remote directory The directory where the backup files should be stored.
Mode The protocol and mode used to archive the files: Active FTP, Passive FTP or SFTP.
By default, Passive FTP is selected.

1261
 Maintenance

Field Description
Remote login The login of the account used to connect to the FTP or SFTP server. If you selected
SFTP, the remote login is required.
Remote password If you selected Active FTP or Passive FTP, the password of the account used to
connect to the FTP server.
DNS
DNS firewall (RPZ)
Tick any of these boxes to save the corresponding logs on the remote server.
DHCP
System
Retention The number of days, from 4 days to Unlimited, beyond which a backup should be
automatically deleted from the FTP server. By default, 4 days is selected.

7. Click on OK to complete the operation. The report opens and closes. The page refreshes
and the panel Remote archive displays the configuration you just set.
8. If you selected SFTP, the panel SSH local key displays the SSH public key used. You must
COPY it and paste it on the SFTP server to secure the communication with SOLIDserver.

To disable the remote archive

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Maintenance, click on Backup & Restore. The page Backup & Restore
opens.
3. Under the menu, in the drop-down list SOLIDserver, select the local appliance or a remote
appliance.
4. In the panel Remote archive, click on EDIT . The wizard Archive server parameters opens.
5. Untick the box Enable remote archive, the wizard refreshes. It is now empty.
6. Click on OK to complete the operation. The report opens and closes. The page refreshes
and the panel Remote archive contains the message Remote archive is disabled.

Downloading a Backup File

Administrators can download any backup file.

To download a backup file

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Maintenance, click on Backup & Restore. The page Backup & Restore
opens.
3. Under the menu, in the drop-down list SOLIDserver, select the local appliance or a remote
appliance.
4. In the panel Local backup file, select the backup file of your choice.
5. You can click on DOWNLOAD to save the file locally, this automatically closes the wizard.

Uploading a Backup File

Administrators can upload an external backup file to the local SOLIDserver file system.

1262
 Maintenance

To upload a backup file

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Maintenance, click on Backup & Restore. The page Backup & Restore
opens.
3. Under the menu, in the drop-down list SOLIDserver, make sure your local appliance is se-
lected.
4. In the menu, select Tools > Upload a backup file. The wizard Upload SOLIDserver
backup opens.
5. Click on BROWSE to select the image to upload from your local file system.
6. Click on OK to complete the operation. The backup file is now listed in the panel Local
backup files.

Restoring a Backup File

You can restore SOLIDserver database and configuration from a backup file. Keep in mind that:
• You need the backup file name and version number.That's why each new backup generates
an increment number that concatenates the date and hour as follows: solid-<hostname>-
<year><month><day>-<hour><minutes>.gz.
If the backup file you need is not listed, upload it as detailed in the section Uploading a Backup
File.
• The backup file contains the appliance data and configuration as they were set at the time
of the backup generation. During the restoration, you can choose to include both or only the
data:
• The appliance data includes objects from all modules including the ones of the Local Files
Listing as well as all the rules, notifications and reports, unless you excluded them when you
saved the backup.
• The appliance configuration includes the network configuration (hostname, DNS resolver,
firewall configuration, default gateways, default/static route configuration) and services
configuration (services status, xfer account settings, SNMP communities).
• The records belonging to a smart architecture have a dedicated restoration option. If
your backup file includes zones belonging to a physical server managed via a smart architecture,
you can decide to:
• Overwrite their content with the one saved in the backup file. In this case, you loose all the
latest changes (records added or deleted) between the time of the backup and the time of
the restoration.
• Keep their current content if they are present in the backup file.
In both cases, all the zones that are not part of the backup file, as well as their records, are
lost during the restoration.
• You cannot restore a backup on an appliance set in High Availability. You need to disable
the High Availability, restore the backup on a Standalone appliance and then configure the
High Availability again. For more details, refer to the section Replacing a Hot Standby Appliance
With Backup in the chapter Centralized Management.
• Restoring objects of the module Application or Guardian leads to a synchronization
between the GUI and the GSLB or Guardian server: The objects that are on the server and
also in the GUI are kept. The objects that are only present on the server are deleted and the
objects only in the GUI are added on the server.

1263
 Maintenance

Therefore, if you added, edited or deleted objects since the backup was saved, all changes
are lost and may even not be visible in the GUI. Before restoring a backup, make sure you
saved it when the Application or Guardian database was up-to-date.
• If you activated the database encryption you must ensure you downloaded the database
keys, as you need to import them after you restore your backup. For more details, refer to the
section Downloading Database Keys in the chapter Securing.

To restore a backup file

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Maintenance, click on Backup & Restore. The page Backup & Restore
opens.
3. Under the menu, in the drop-down list SOLIDserver, select a Standalone appliance, local
or remote.
You cannot restore a backup on an appliance configured in High Availability.
4. In the panel Local backup files, select the backup file you want to restore.
5. Click on RESTORE . The wizard Restore a backup file opens.
6. Tick the box Restore the system configuration to restore the system configuration of the
backup file. If you do not tick the box, the backup file data is restored but the current system
configuration of the appliance is kept.
Tick it if you are restoring a backup using an NSD or Unbound Hybrid server.
7. Tick the box Overwrite DNS records managed via a smart architecture to restore the
records database as saved during the backup. If you do not tick the box, the restored zones
keep the current version of the records they contain if they are managed via a smart archi-
tecture.
In both cases, a restoration includes all and only the zones present in the backup file.
8. Click on OK to complete the operation.

If you restored a backup on an appliance where the encryption database is activated, a banner
above the top bar notifies you to import your database keys again. You must import them to
synchronize the DHCP and DNS services and enable NetChange discoveries again. For more
details refer to the section Importing Database Keys in the chapter Securing.

Shutting Down and Rebooting

When you reboot or shut down an appliance, SOLIDserver transfers file system cache to disk,
stops all running processes and then reboots or halts (shutdown).

Note that once SOLIDserver operating system is stopped, the power supplies are automatically
turned off.

Rebooting SOLIDserver
There are two ways of rebooting SOLIDserver safely, from the GUI and via CLI.

Note that only users with sufficient rights can reboot SOLIDserver.

Rebooting SOLIDserver from the GUI

You can reboot an appliance from the page Admin Home.

1264
 Maintenance

To reboot the system from the GUI

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Maintenance, click on Reboot the system. The wizard Reboot the system
opens.
3. Click on OK to complete the operation.

Rebooting SOLIDserver via CLI

You can reboot an appliance via CLI using its IP address, hostname or a serial port.

To reboot the system via CLI

1. Connect to SOLIDserver CLI via a shell session or a port console.
2. Once you are connected, the page WELCOME TO SOLIDSERVER opens.
3. Log in using the credentials admin/admin. The Main menu appears.
4. Hit the key P key to select P Power Management.
5. Hit the key Enter, the page Power Management opens.
6. Hit R to select R Reboot SOLIDserver.

Figure 104.1. Power Management

Hit Enter, the confirmation window opens.

7. The button Yes is highlighted.

Figure 104.2. Reboot confirmation and final message

Hit Enter to reboot SOLIDserver software.

Shutting Down SOLIDserver

SOLIDserver is designed to operate continuously, so under normal circumstances, you do not
need to turn it off or shut it down. However, if you have to turn it off, you can use the GUI, CLI or
the hardware appliance itself.

Note that only users with sufficient rights can reboot SOLIDserver software, however you
can also shut down an appliance from the hardware itself.

1265
 Maintenance

Shutting Down SOLIDserver from the GUI

You can shut down an appliance from the page Admin Home.

Before shutting down an appliance, you must have access to it:

• Hardware appliances must be powered back via the button .
SOLIDserver-50 appliances must unplugged and plug in again.
• Software appliances must be started again.

To shut down SOLIDserver from the GUI

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Maintenance, click on Shutdown the system. The wizard Shutdown the
system opens.
3. Click on OK to complete the operation.

Shutting Down SOLIDserver via CLI

You can shut down an appliance via CLI using its IP address, hostname or a serial port.

Before shutting down an appliance, you must have access to it:

• Hardware appliances must be powered back via the button .
SOLIDserver-50 appliances must unplugged and plug in again.
• Software appliances must be started again.

To shut down SOLIDserver via CLI

1. Connect to SOLIDserver CLI via a shell session or a port console.
2. Log in using the credentials admin/admin. The Main menu appears.
3. Hit the key P to select P Power Management.

Figure 104.3. Main menu

Hit the key Enter, the page Power Management opens.

4. Hit S to select S Shutdown SOLIDserver.

Figure 104.4. Power Management

1266
 Maintenance

Hit Enter, the confirmation window opens.

5. The button Yes is highlighted.

Figure 104.5. Shutdown confirmation

Hit Enter to shutdown SOLIDserver software.

Shutting Down SOLIDserver from the Hardware Itself

Any SOLIDserver hardware appliance can be shut down for the hardware itself, to avoid an abrupt
shutdown follow the procedure below.

It must be done as a last resort if it is impossible from the GUI or via CLI, note that shutting
down the hardware appliance also shuts down the software.

To shut down SOLIDserver from the hardware itself

1. From the front panel of the appliance, quickly press and release the power button .
Note that a long press stops the appliance abruptly and may trigger errors. The appliance
would stop without properly transferring files or stopping the processes as expected.
For SOLIDserver-50 appliances, you must unplug the appliance and plug it again.
2. The appliance stops automatically after synchronizing its buffer on the disk.

1267
Chapter 105. Securing
To secure SOLIDserver, administrators can use SSL certificates to secure access to appliances
and/or encrypt all sensitive data. This chapter gathers the following:
• Managing SSL Certificates.
• Encrypting the Database.

Managing SSL Certificates

SSL certificates authenticate the HTTPS connections to SOLIDsever.

By default, each appliance uses a self-signed certificate to secure connections. As this certificate
is not trusted by your web browser, warning messages appear to inform you that the certificate
is not from a trusted certifying authority, that its hostname is invalid, etc. This connection can be
prone to a man-in-the-middle (MITM) attack.

When you receive such warnings, you can accept the certificate for the current session and save
it in the certificate store of your browser.

To eliminate the warning messages altogether, you can import or create a valid SSL certificate
and use this one instead of the default one to secure connections.

From the page All Certificates, you can:

• Import X.509 CA signed and self-signed certificates, CSRs (Certificate Signing Requests) and
private keys, as detailed in the section Importing SSL Objects.
If you are configuring the module Identity Manager on your appliance, you must import the
relevant SSL certificate and its related CA.
• Create X.509 self-signed certificates, CSRs and private keys, as detailed in the section Creating
SSL Objects.
• Download the certificate and CSR details and public keys, as detailed in the section Down-
loading SSL objects.
• Delete certificates, CSRs and private keys, as detailed in the section Deleting SSL Objects.

Note that the SSL certificate is unique to each SOLIDserver appliance.

For more details on how to change the SSL certificate that authenticates the connections to the
appliance, refer to the section Changing the HTTPS Certificate in the chapter Configuring the
Services.

Browsing SSL Objects

The page All certificates gathers all the CA certificates, self-signed certificates, CSRs and private
keys. By default, it only lists the certificate Apache SSL Cert Base.

Note that the public key of each certificate is not listed, it is available on the certificate properties
pages.

To display the list of SSL objects

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.

1268
 Securing

2. In the section Authentication & Security, click on Certificates and keys. The page All
certificates opens.

To display an SSL object properties page

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Certificates and keys. The page All
certificates opens.
3. At the end of the line of the file of your choice, click on . The properties page opens.

The properties page contains the panels Certificate, Private key and/or Public key. Any configured
Subject Alternative Name is available in the panel Certificate.

The content of every panel can be downloaded, for more details refer to section Downloading
SSL objects.

Importing SSL Objects

On the page All Certificates you can import:
• CA certificates and self-signed certificates, as detailed in the section Importing Certificates.
If you are configuring the module Identity Manager on your appliance, you must import the
relevant SSL certificate and its related CA.
• CSRs (Certificate Signing Request), as detailed in the section Importing CSRs.
• Private keys, as detailed in the section Importing Private Keys.

Note that you cannot edit SSL objects. If you import the wrong object, you can only delete it and
perform the import again for the right one. For more details, refer to the section Deleting SSL
Objects.

Importing Certificates
You can import as many self-signed certificates and CA signed certificates as you need. The
import wizard allows to paste in the certificate details, including any Subject Alternative Names,
and its private key.

Keep in mind that:

• Any valid certificate can be used as HTTPS certificate on the page Services configuration.
• If you import CA certificates, they are used to validate the certificates of external services if
you enable the relevant registry database keys.
• You can only import certificates that do not include any passphrase. If they do, the HTTP protocol
cannot start and you might lose the GUI access to your appliance.
• If you are configuring the module Identity Manager, you must import the relevant SSL certificate
and its related CA. This CA must also be used on the AD domain controller that manages the
data you want to monitor from your appliance. For more details, refer to the section Preparing
the Module in the chapter Configuring Identity Manager.

To create a self-signed certificate, refer to the section Creating Self-signed Certificates.

To import a certificate
Only users of the group admin can perform this operation.

1269
 Securing

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Certificates and keys. The page All
certificates opens.
3. In the menu, select Import > Certificate. The wizard Import an SSL object opens.
4. In the field Name, name the certificate.
5. In the drop-down list Type, select Certificate.
6. In the field Certificate, paste in the certificate, in PEM format.
7. In the field Private key, paste in its private key.
8. Click on OK to complete the operation. The report opens and closes. The certificate is listed,
its private key is available on the certificate properties page.

Once you imported a valid certificate, if it is not a CA certificate, you can use it as HTTPS certi-
ficate for your local appliance. For more details, refer to the section Changing the HTTPS Certi-
ficate.

If you are configuring the module Identity Manager, once you imported the SSL certificate and
the CA certificate, you must configure the service Windows Event Collector as detailed in the
section Configuring SOLIDserver.

If you imported a CA certificate, you must enable two registry database keys to validate the cer-
tificate used during the SSL communications between SOLIDserver appliances.

To enable the validation of CA certificates

Only users of the group admin can perform this operation.
1. If you manage remote appliances or a High Availability configuration, connect to the Master
or Management appliance GUI.
2. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
3. In the section Expert, click on Registry database. The page Registry database opens.
4. Filter the column Name with module.system.remote.
5. Hit Enter. Two keys are listed.
6. Enable the key module.system.remote_command.ssl_verify_peer.
a. In the column Value, click on the value listed. The wizard Registry database Edit a
value opens.
b. In the field Value, type in 1 to enable it. By default, it is set to 0.
c. Click on OK to complete the operation. The new Value is visible on the page.
7. Enable the key module.system.remote_command.ssl_verify_host.
a. In the column Value, click on the value listed. The wizard Registry database Edit a
value opens.
b. In the field Value, type in 1 to enable it. By default, it is set to 0.
c. Click on OK to complete the operation. The new Value is visible on the page.

Once you imported a valid CA certificate and enabled the registry database entries, you can use
it as HTTPS certificate for your local appliance. For more details, refer to the section Changing
the HTTPS Certificate.

1270
 Securing

Importing CSRs
You can import as many Certificate Signing Requests (CSR) as you need. The import wizard
allows to paste in the certificate details, including any Subject Alternative Names, and its private
key.

To create a CSR, refer to the section Creating CSRs.

To import a CSR
Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Certificates and keys. The page All
certificates opens.
3. In the menu, select Import > Certificate. The wizard Import an SSL object opens.
4. In the field Name, name the CSR.
5. In the drop-down list Type, select Certificate Signing Request. The page refreshes.
6. In the field Certificate, paste in the certificate, in PEM format.
7. In the field Private key, paste in its private key.
8. Click on OK to complete the operation. The report opens and closes. The CSR is listed, its
private key is available on the CSR properties page.

Importing Private Keys

You can import as many private keys as you need. Any private key can be used to create certi-
ficates and CSRs.

To create a private key, refer to the section Creating Private Keys.

To import a private key

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Certificates and keys. The page All
certificates opens.
3. In the menu, select Import > Certificate. The wizard Import an SSL object opens.
4. In the field Name, name the private key.
5. In the drop-down list Type, select Private Key. The page refreshes.
6. In the field Private key, paste in the private key, in PEM format.
7. Click on OK to complete the operation. The report opens and closes. The key is listed.

If you imported a private key, you can use it to create a certificate or a CSR. For more details,
refer to the section Creating Self-signed Certificates or Creating CSRs.

Creating SSL Objects

On the page All Certificates you can create:
• Self-signed certificates, in PEM format. During the creation you can generate a private key or
use an existing one. For more details, refer to the section Creating Self-signed Certificates.

1271
 Securing

• CSRs (Certificate Signing Request), in PEM format. During the creation you can generate a
private key or use an existing one. For more details, refer to the section Creating CSRs.
• Private keys, as detailed in the section Creating Private Keys.

Note that you cannot edit SSL objects. If you create a misconfigured object, you can only delete
it and create it again. For more details, refer to the section Deleting SSL Objects.

Creating Self-signed Certificates

From the page All certificates, you can create as many X.509 self-signed certificates as you need.

As each certificate is unique to a SOLIDserver appliance, you can configure it with Subject Altern-
ative Names for all the DNS names and IP addresses of the appliance.

The certificate creation wizard allows to either configure and generate the certificate private key
or use an existing private key. For more details on private keys import or creation, refer to the
sections Importing Private Keys and Creating Private Keys.

To create a self-signed certificate

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Certificates and keys. The page All
certificates opens.
3. In the menu, click on Add. The wizard Create an SSL object opens.
4. In the field Object Name, name the certificate.
5. In the drop-down list SSL File Type, select X509 certificate.
6. In the drop-down list Encryption type, RSA is displayed in read-only.
7. In the field Encryption, specify the value of your choice. By default, 2048 is displayed.
8. In the field Certificate Validity (days), edit the number of days if need be. By default, 1825
is displayed.
9. In the drop-down list Digest method, select SHA224, SHA256, SHA384 or SHA512.
10. Click on NEXT . The last page opens.
11. Configure the file details:
a. In the field Country Code, specify the two letter code of your country.
b. In the field State or Province, specify the state, province or region name in full letters.
c. In the field Locality, specify the city name.
d. In the field Organization Name, specify your company name.
e. In the field Organization Unit Name, specify the name of the department of the final
user.
f. In the field Common Name, specify the appliance hostname.
g. In the field Email address, specify your email address.
12. You can configure Subject Alternative Names for the appliance:
a. In the drop-down list Type, select DNS or IP. The page refreshes.
b. In the field Value, specify the DNS name (hostname) or the IP address of the appliance.
c. In the field Subject Alternative Name, the Type and Value are displayed.
d. Click on ADD . The Subject Alternative Name is moved to the list Subject Alternative
Names.

1272
 Securing

• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the
field(s) and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
e. Repeat these operations for all the DNS names and IP addresses of the appliance.
13. Click on OK to complete the operation. The report opens and closes. The certificate is listed,
its private key is available on the certificate properties page.
Once you created a valid certificate, you can use it as HTTPS certificate for your local appli-
ance. For more details, refer to the section Changing the HTTPS Certificate.

To create a self-signed certificate using an existing private key

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Certificates and keys. The page All
certificates opens.
3. In the menu, click on Add. The wizard Create an SSL object opens.
4. In the field Object Name, name the certificate.
5. In the drop-down list SSL File Type, select X509 certificate.
6. Tick the box Use a previously generated private key. The field Use key appears.
7. In the drop-down list Use key, select the private key of your choice. All existing keys are
listed, whether they were created, imported or generated along with a certificate.
8. In the field Certificate Validity (days), edit the number of days if need be. By default, 1825
is displayed.
9. In the drop-down list Digest method, select MD5, SHA1 or MD2.
10. Click on NEXT . The last page opens.
11. Configure the file details:
a. In the field Country Code, specify the two letter code of your country.
b. In the field State or Province, specify the state, province or region name in full letters.
c. In the field Locality, specify the city name.
d. In the field Organization Name, specify your company name.
e. In the field Organization Unit Name, specify the name of the department of the final
user.
f. In the field Common Name, specify the appliance hostname.
g. In the field Email address, specify your email address.
12. You can configure Subject Alternative Names for the appliance:
a. In the drop-down list Type, select DNS or IP. The page refreshes.
b. In the field Value, specify the DNS name (hostname) or the IP address of the appliance.
c. In the field Subject Alternative Name, the Type and Value are displayed.
d. Click on ADD . The Subject Alternative Name is moved to the list Subject Alternative
Names.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the
field(s) and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .

1273
 Securing

e. Repeat these operations for all the DNS names and IP addresses of the appliance.
13. Click on OK to complete the operation. The report opens and closes. The certificate is listed.
Once you created a valid certificate, you can use it as HTTPS certificate for your local appli-
ance. For more details, refer to the section Changing the HTTPS Certificate.

Creating CSRs
From the page All certificates, you can create as many Certificate Signing Requests (CSR) files
as you need. The CSR details can be sent to the Certificate Authority that generates your certi-
ficate. Then you must import the certificate you receive, as detailed in the section Importing
Certificates.

As a CSR is used to generated a unique certificate for a SOLIDserver appliance, you can configure
it with Subject Alternative Names for all the DNS names and IP addresses of the appliance.

The CSR creation wizard allows to either configure and generate the certificate private key or
use an existing private key. For more details on private keys import or creation, refer to the sections
Importing Private Keys and Creating Private Keys.

To create a CSR
Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Certificates and keys. The page All
certificates opens.
3. In the menu, click on Add. The wizard Create an SSL object opens.
4. In the field Object Name, name the CSR.
5. In the drop-down list SSL File Type, select CSR File. The page refreshes.
6. In the drop-down list Encryption type, RSA is displayed in read-only.
7. In the field Encryption, specify the value of your choice. By default, 2048 is displayed.
8. Click on NEXT . The last page opens.
9. Configure the file details:
a. In the field Country Code, specify the two letter code of your country.
b. In the field State or Province, specify the state, province or region name in full letters.
c. In the field Locality, specify the city name.
d. In the field Organization Name, specify your company name.
e. In the field Organization Unit Name, specify the name of the department of the final
user.
f. In the field Common Name, specify the appliance hostname.
g. In the field Email address, specify your email address.
10. You can configure Subject Alternative Names for the appliance:
a. In the drop-down list Type, select DNS or IP. The page refreshes.
b. In the field Value, specify the DNS name (hostname) or the IP address of the appliance.
c. In the field Subject Alternative Name, the Type and Value are displayed.
d. Click on ADD . The Subject Alternative Name is moved to the list Subject Alternative
Names.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the
field(s) and click on UPDATE .

1274
 Securing

• To delete an entry from the list, select it and click on DELETE .

• To discard changes, click on CANCEL .

e. Repeat these operations for all the DNS names and IP addresses of the appliance.
11. Click on OK to complete the operation. The report opens and closes. The CSR is listed, its
private key is available on the CSR properties page.
Once you created a CSR, you can go to its properties page to download the content of the
panel Certificate and send it to the Certificate Authority. For more details, refer to the section
Downloading SSL objects.

To create a CSR using an existing private key

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Certificates and keys. The page All
certificates opens.
3. In the menu, click on Add. The wizard Create an SSL object opens.
4. In the field Object Name, name the CSR.
5. In the drop-down list SSL File Type, select CSR File. The page refreshes.
6. Tick the box Use a previously generated private key. The field Use key appears.
7. In the drop-down list Use key, select the private key of your choice. All existing keys are
listed, whether they were created, imported or generated along with a certificate.
8. Click on NEXT . The last page opens.
9. Configure the file details:
a. In the field Country Code, specify the two letter code of your country.
b. In the field State or Province, specify the state, province or region name in full letters.
c. In the field Locality, specify the city name.
d. In the field Organization Name, specify your company name.
e. In the field Organization Unit Name, specify the name of the department of the final
user.
f. In the field Common Name, specify the appliance hostname.
g. In the field Email address, specify your email address.
10. You can configure Subject Alternative Names for the appliance:
a. In the drop-down list Type, select DNS or IP. The page refreshes.
b. In the field Value, specify the DNS name (hostname) or the IP address of the appliance.
c. In the field Subject Alternative Name, the Type and Value are displayed.
d. Click on ADD . The Subject Alternative Name is moved to the list Subject Alternative
Names.
• To update an entry in the list, select it. It is displayed in the field(s) again. Edit the
field(s) and click on UPDATE .
• To delete an entry from the list, select it and click on DELETE .
• To discard changes, click on CANCEL .
e. Repeat these operations for all the DNS names and IP addresses of the appliance.
11. Click on OK to complete the operation. The report opens and closes. The CSR is listed.

1275
 Securing

Once you created a CSR, you can go to its properties page to download the content of the
panel Certificate and send it to the Certificate Authority. For more details, refer to the section
Downloading SSL objects.

Creating Private Keys

From the page All certificates, you can create as many private keys as you need.

Private keys can be used to create certificates or CSRs. For more details, refer to the sections
Creating Self-signed Certificates and Creating CSRs.

To create a private key

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Certificates and keys. The page All
certificates opens.
3. In the menu, click on Add. The wizard Create an SSL object opens.
4. In the field Object Name, name the private key.
5. In the drop-down list SSL File Type, select Private Key. The page refreshes.
6. In the drop-down list Encryption type, RSA is displayed in read-only.
7. In the field Encryption, specify the value of your choice. By default, 2048 is displayed.
8. Click on OK to complete the operation. The report opens and closes. The private key is listed.

Downloading SSL Objects

You can download SSL object details from the panels of their properties pages.
• From the properties page of a certificate you can download the Certificate, Private key and
Public key.
• From the properties page of a CSR you can download the Certificate, Private key and Public
key.
• From the properties page of a private key you can only download the Private key.

Note that the panel Certificate is displayed in PEM format and includes all the configured Subject
Alternative Names.

To download SSL objects details

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Certificates and keys. The page All
certificates opens.
3. At the end of the line of the certificate, CSR or private key of your choice, click on . The
properties page opens.
4. In the panel Certificate, Private Key or Public Key, click on DOWNLOAD and save the file.
On the properties page of a CSR, only the content of the panel Certificate needs to be sent
to the Certificate Authority to generate the appliance certificate. Then you must import the
certificate you receive, as detailed in the section Importing Certificates.

1276
 Securing

Deleting SSL Objects

You can delete any SSL object, except the certificate currently used by the appliance.

To delete an SSL object

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Certificates and keys. The page All
certificates opens.
3. Tick the object(s) of your choice.
4. In the menu, click on . The wizard Delete opens.
5. Click on OK to complete the operation. The report opens and closes. The certificate is no
longer listed.

Encrypting the Database

To secure your appliance, you can encrypt its database. Using specific database keys, you can
encrypt all sensitive data, including passwords. Note that:
• The database keys are not included in the appliance backup file.You must download and keep
them in a safe location.
• In High Availability, once the Hot Standby has replicated the Master data, both appliances have
an encrypted database.

Browsing Database Keys

From the page All database keys, you can add, activate, import, download, deactivate and delete
database keys.

To display the list of database keys

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Certificates and keys. The page All
certificates opens.
3. In the breadcrumb, click on All database keys. The page opens.

By default, only on fresh installations, a database key is available on the page. You can sort and
filter all the columns on the page but you cannot change their layout.

To display a database key properties page

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Certificates and keys. The page All
certificates opens.
3. In the breadcrumb, click on All database keys. The page opens.
4. At the end of the line of the key of your choice, click on . The properties page opens.

The panel Database key displays all the properties of the key and allows to download it.

1277
 Securing

Understanding the Database Keys Statuses

The column Status provides information regarding the database keys you manage.

Table 105.1. Database keys statuses

Status Description
Active The key is active, it currently encrypts the database.

! Active (missing) The key should be active but is missing from the key file. The database is not encryp-
ted. To activate the database encryption, you must import the key. For more details,
refer to the section Importing Database Keys.
Inactive The key is inactive and saved, it can be used to encrypt the database. For more
details, refer to the section Activating the Database Encryption.
! Inactive (missing) The key is inactive and missing from the key file. It cannot be used to encrypt the
database. If you want to use it to encrypt the database, you must import the key. For
more details, refer to the section Importing Database Keys.
! Inactive (unsaved) The key is inactive and unsaved, it cannot be used to encrypt the database. This is
the default status of all the keys you add. If you want to use the key to encrypt the
database, you must download it. For more details, refer to the section Downloading
Database Keys or Activating the Database Encryption.

Adding Database Keys

You can add as many database keys as you want. No matter the number of keys you manage,
only one can be activated at a time to encrypt the database. Note that:
• By default on fresh installations, a key is already available. If you want to activate it rather than
adding a new one, refer to the section Activating the Database Encryption.
• If you configured appliances in High Availability, the Hot Standby automatically replicates the
database keys of the Master.
• If you already have database keys, you can import them. For more details, refer to the section
Importing Database Keys.

To add a database key

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Certificates and keys. The page All
certificates opens.
3. In the breadcrumb, click on All database keys. The page opens.
4. In the menu, click on Add. The wizard Generate a database key opens.
5. In the drop-down list Encryption cipher, select either AES or Camellia.
6. In the drop-down list Key size (bits), select either 256, 192, or 128.
7. In the drop-down list Encryption mode, select either CBC, CFB, OFB or CTR.
8. Click on OK to complete the operation. The report opens and closes. The key is listed, its
Status is ! Inactive (unsaved). Until you download the key, its status does not evolve.

Once you added a key, you can activate it.

Activating the Database Encryption

To encrypt sensitive data, you must activate one of your database keys.

Before activating the encryption, keep in mind that:

1278
 Securing

• You must download the key file before activating it.

• You cannot activate the encryption using a missing key, one with the Status Active (missing)
or Inactive (missing). For more details, refer to the section Understanding the Database Keys
Statuses.
• Only one key can be activated at a time. Activating a new key automatically deactivates and
replaces the currently Active key. For more details, refer to the procedure To replace the cur-
rently Active key.
• On Management appliances, once you activate the encryption, you cannot enroll a remote
appliance as Hot Standby if the Active key of the local appliance is missing or corrupted.

If a banner above the top bar notifies you of any activation error, refer to the section
Troubleshooting the Database Encryption.

To activate the database encryption

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Certificates and keys. The page All
certificates opens.
3. In the breadcrumb, click on All database keys. The page opens.
4. In the menu, select Tools > Activate encryption. The wizard Enable database encryp-
tion opens.
5. Click on DOWNLOAD KEY FILE to save the file locally. Make sure to keep it in a safe location.
6. Once you saved the file, tick the box The key file has been downloaded, saved in a safe
place and compared to the MD5 checksum.
7. Click on NEXT . The last page opens.
8. In the list Encryption key, select a key.
9. Click on OK to complete the operation. The report opens and closes. The key is active.

Once the database encryption is active, you can use a different database key to encrypt sensitive
data. Note that, in the procedure below, we tick the key that replaces the current active one, but
you can also execute the option Activate encryption without ticking any key and select it on the
last page of the wizard.

To replace the currently active key

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Certificates and keys. The page All
certificates opens.
3. In the breadcrumb, click on All database keys. The page opens.
4. In the column ID, select the key(s) of your choice.
5. In the menu, select Tools > Activate encryption. The wizard Enable database encryp-
tion opens.
The page displays the ID of the currently Active key.
6. Click on DOWNLOAD KEY FILE to save the file locally. Make sure to keep it in a safe location.
7. Once you saved the file, tick the box The key file has been downloaded, saved in a safe
place and compared to the MD5 checksum.
8. Click on NEXT . The last page opens.

1279
 Securing

The page displays the ID of the key you selected.

9. Click on OK to complete the operation. The report opens and closes. The key is active.

Importing Database Keys

You can import as many keys as you need on the page.

Importing keys is useful if you already have database keys that can be used to encrypt sensitive
data, if the key used to encrypt the database has the Status Active (missing) or after restoring a
backup.

Note that if you configured appliances in High Availability, the Hot Standby automatically replicates
the database keys of the Master.

To import database keys

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Certificates and keys. The page All
certificates opens.
3. In the breadcrumb, click on All database keys. The page opens.
4. In the menu, select Import > Key file. The wizard Import database keys opens.
5. Click on BROWSE to select the key file to import. The selected file is visible in the field File
name.
6. Click on OK to complete the operation. The report opens and closes. The keys are listed.

Downloading Database Keys

You can download as many database keys as you want in a single file. Make sure to keep the
file in a safe location.

It is recommended to download the relevant keys before you generate a backup or before upgrad-
ing the appliance.

To download database keys

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Certificates and keys. The page All
certificates opens.
3. In the breadcrumb, click on All database keys. The page opens.
4. In the column ID, select the key(s) of your choice.
5. In the menu, select Tools > Download keys. The wizard Download database key file
opens.
6. Click on DOWNLOAD to save the file locally. Make sure to keep it in a safe location.
7. Click on OK to close the wizard. The report opens and closes.

1280
 Securing

Deactivating the Database Encryption

To stop encrypting the database, you must deactivate the Active key.

Once a key is deactivated, you can activate it again or delete it.

To deactivate the database encryption

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Certificates and keys. The page All
certificates opens.
3. In the breadcrumb, click on All database keys. The page opens.
4. In the menu, select Tools > Deactivate encryption. The wizard Deactivate password
encryption opens.
5. Click on OK to complete the operation. The report opens and closes. The key is now ! In-
active.

Deleting Database Keys

You can delete database keys. Note that:
• You can delete Inactive, Inactive (missing) and Inactive (unsaved) keys.
• You cannot delete Active and Active (missing) keys.

To delete a database key

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Authentication & Security, click on Certificates and keys. The page All
certificates opens.
3. In the breadcrumb, click on All database keys. The page opens.
4. In the column ID, select the key of your choice.
5. In the menu, click on Delete. The wizard opens.
6. Click on OK to complete the operation. The report opens and closes. The key is no longer
listed.

Troubleshooting the Database Encryption

If you activated the database encryption and an error occurs, a banner above the top bar may
notify you that the active key is missing or unsaved.
If the active key is unsaved
The database encryption is deactivated. The key status is Active (unsaved), to activate it
again you must download it. For more details, refer to the section Downloading Database
Keys.
If the active key is missing and you downloaded your database keys
The database encryption is deactivated. The key status is Active (missing), to activate it again
you must import the database key file. For more details, refer to the section Importing Database
Keys.

1281
 Securing

If the active key is missing but you did not download your database keys
The encryption is deactivated but all sensitive data has been encrypted and you can no longer
decrypt it. You need to decide if you want to encrypt the database again or if you want to
deactivate the encryption. The procedure differs if you are troubleshooting a Standalone
appliance or appliances in High Availability.
For Standalone appliances:
• To encrypt the database again, you must:
1. Specify again the password of all servers, appliances, and relevant profiles of your ap-
pliance to decrypt them:
If you manage DHCP servers, DNS servers and/or remote appliances, their status is
Invalid credentials. You must specify again the "Admin" account password of each
server and appliance. For more details, refer to the section Editing DHCP Servers,
Editing DNS Servers and Editing Remote Appliances.
If you have SNMPv3 profiles and/or network devices connection profiles, you must edit
each one of them and specify again the password and access parameters. For more
details, refer to the section Editing an SNMP Profile and Editing Connection Profiles.
2. Add a new database key and activate it. For more details, refer to the sections Adding
Database Keys and Activating the Database Encryption.
• To stop encrypting the database, you must:
1. Specify again the password of all servers, appliances, and relevant profiles of your ap-
pliance to decrypt them:
If you manage DHCP servers, DNS servers and/or remote appliances, their status is
Invalid credentials. You must specify again the "Admin" account password of each
server and appliance. For more details, refer to the section Editing DHCP Servers,
Editing DNS Servers and Editing Remote Appliances.
If you have SNMPv3 profiles and/or network devices connection profiles, you must edit
each one of them and specify again the password and access parameters. For more
details, refer to the section Editing an SNMP Profile and Editing Connection Profiles.
2. Deactivate the database encryption. For more details, refer to the section Deactivating
the Database Encryption.
3. You can delete the database keys. For more details, refer to the section Deleting
Database Keys.
For appliances configured in High Availability:
• To encrypt the database again on both appliances, you must:
1. Disable the High Availability as detailed in the section Disabling the High Availability
Configuration.
2. Specify again the password of all servers, remote appliances, and relevant profiles of
your Master appliance to decrypt them:
If you manage DHCP servers, DNS servers and/or remote appliances, their status is
Invalid credentials. You must specify again the "Admin" account password of each
server and appliance. For more details, refer to the section Editing DHCP Servers,
Editing DNS Servers and Editing Remote Appliances.
If you have SNMPv3 profiles and/or network devices connection profiles, you must edit
each one of them and specify again the password and access parameters. For more
details, refer to the section Editing an SNMP Profile and Editing Connection Profiles.
3. Add a new database key on the Master appliance and activate it. For more details, refer
to the sections Adding Database Keys and Activating the Database Encryption.
4. Add and enroll again the Hot Standby appliance. For more details, refer to the sections
Adding Remote Appliances and Configuring Two Appliances in High Availability.

1282
 Securing

• To stop encrypting the database both appliances, you must:

1. Disable the High Availability as detailed in the section Disabling the High Availability
Configuration.
2. Specify again the password of all servers, remote appliances, and relevant profiles of
your Master appliance to decrypt them:
If you manage DHCP servers, DNS servers and/or remote appliances, their status is
Invalid credentials. You must specify again the "Admin" account password of each
server and appliance. For more details, refer to the section Editing DHCP Servers,
Editing DNS Servers and Editing Remote Appliances.
If you have SNMPv3 profiles and/or network devices connection profiles, you must edit
each one of them and specify again the password and access parameters. For more
details, refer to the section Editing an SNMP Profile and Editing Connection Profiles.
3. Deactivate the database encryption. For more details, refer to the section Deactivating
the Database Encryption.
4. You can delete the database keys. For more details, refer to the section Deleting
Database Keys.
5. Add and enroll again the Hot Standby appliance. For more details, refer to the sections
Adding Remote Appliances and Configuring Two Appliances in High Availability.

1283
Chapter 106. Configuring Space
Synchronization
SOLIDserver appliances can locally synchronize the space of an external appliance.

Via two dedicated rules, administrators can first expose a space on one appliance and then
synchronize this space from another appliance. This configuration allows to display in read-only
a remote space and its content in the module IPAM.

SOLIDserver1.mycorp.com SOLIDserver2.mycorp.com

IPAM The appliance exposes IPAM The appliance synchronizes the

the space Clients exposed space of another appliance

SUPPLIERS STAFF

EUROPE R&D

CLIENTS
CLIENTS
(EXTERNAL)

AMERICA Read-only version of AMERICA

the space Clients,
renamed locally
ASIA ASIA

Figure 106.1. Space synchronization between two appliances

To properly configure space synchronization between two appliances you must:

1. Meet the prerequisites.
2. Take into account the limitations.
3. Expose a space to external appliances following the section Exposing a Space.
4. Synchronize the exposed space from another appliance following the section Synchronizing
an Exposed Space.
5. Make sure the synchronization is successful and grant the relevant users access to the space
following the section Completing the Synchronization Configuration.

Prerequisites
• Having at least two SOLIDserver appliances configured with the appropriate rule.
• Making sure the appliances can communicate via HTTPS through the TCP port 443.

Limitations
• You can only synchronize IPv4 data.
• You can only expose one space per appliance. The exposed space can be synchronized on
as many appliances as you need.
• You cannot expose a space belonging to a VLSM organization.

1284
 Configuring Space Synchronization

Exposing a Space
To allow other appliances to synchronize one of the local spaces, you must expose it.

Adding the rule 300 allows to specify which space is exposed and lets other appliances synchronize
all its data. Note that:
• One appliance can only expose one space.
• You cannot add several instances of the rule on one appliance.
• You can synchronize the exposed space on as many appliances as you need.

After adding the rule, you must complete the configuration by granting the exposing right to one
of your groups of users.

To add the rule 300 that exposes a space to other appliances

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Rules. The page Rules opens.
3. In the menu, click on Add. The wizard Add a rule opens.
4. In the drop-down list Module, select Administration.
5. In the drop-down list Event, select Execution of a scheduled rule.
6. In the list Rule, select (300) Expose a space to to external IPAM(s).
7. In the field Rule name, name the rule. That name is then listed in the column Instance.
8. In the field Comment, you can specify a comment.
9. Click on NEXT . The page Rule filters opens.
10. Edit the rule frequency according to your needs.
This allows to set the synchronization frequency, we recommend setting it to at least every
hour.
If you leave the fields empty, the rule is not executed.

Table 106.1. Frequency filters of the rule 300

Field Description
Day(s) of the week A day, a frequency or a period of days. This field is optional.
Date of the month A specific day of the month or every day. This field is optional.
Month A specific month or every month. This field is optional.
Hour A specific hour, a set of hours, every hour, or every hour over a specific period. The
hour respects the UTC standard. This field is optional.
Minute A moment of the hour (00, 15, 30 or 45) or a frequency. The minute respects the UTC
standard. This field is optional.

11. Click on NEXT . The page Expose a space to external IPAM(s) opens.
12. In the drop-down list Space, select the space of your choice. Note that you cannot expose
several spaces or a space belonging to a VLSM organization.
13. Click on OK to complete the operation. The report opens and closes. The rule is listed.

Once you added the rule, you must grant the exposing right to at least one local group of users.
The credentials of any user of that group are required to configure the synchronization of the
exposed space on external appliances. Therefore you must:
1. Go to the module Administration and open the page Groups.

1285
 Configuring Space Synchronization

2. Add or edit a group of users to grant it the right Expose: a local space to external SOLIDservers.
For more details, refer to the section Configuring the Rights of a Group of Users in the chapter
Managing Groups.

When the appliance exposing a space is configured, you must synchronize it from another appli-
ance.

Synchronizing an Exposed Space

Once an appliance exposes one of its spaces, any other appliance can synchronize it.

Adding the rule 301 allows to identify an appliance exposing a space. Once configured with the
proper credentials, it automatically synchronizes the data of the exposed space.

Note that you can synchronize the exposed space of several appliances. Therefore, you can add
several instances of the rule as long as they each synchronize the spaces of different appliances.

To add the rule 301 that synchronizes the exposed space of another appliance
Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Rules. The page Rules opens.
3. In the menu, click on Add. The wizard Add a rule opens.
4. In the drop-down list Module, select Administration.
5. In the drop-down list Event, select Execution of a scheduled rule.
6. In the list Rule, select (301) Synchronize an exposed IPAM space.
7. In the field Rule name, name the rule. We recommend naming the rule after the space you
want to retrieve. That name is then listed in the column Instance.
8. In the field Comment, you can specify a comment.
9. Click on NEXT . The page Rule filters opens.
10. Edit the rule frequency according to your needs.
This allows to set the synchronization frequency, we recommend setting it to at least every
hour.
If you leave the fields empty, the rule is not executed.

Table 106.2. Frequency filters of the rule 301

Field Description
Day(s) of the week A day, a frequency or a period of days. This field is optional.
Date of the month A specific day of the month or every day. This field is optional.
Month A specific month or every month. This field is optional.
Hour A specific hour, a set of hours, every hour, or every hour over a specific period. The
hour respects the UTC standard. This field is optional.
Minute A moment of the hour (00, 15, 30 or 45) or a frequency. The minute respects the UTC
standard. This field is optional.

11. Click on NEXT . The page Synchronize an exposed IPAM space opens.
12. In the field Remote SOLIDserver, specify the IP address or FQDN of an appliance exposing
a space.
13. In the field Remote login, specify the login of a user granted the right Expose: a local space
to external SOLIDservers.

1286
 Configuring Space Synchronization

14. In the field Remote password, specify the relevant password.

15. In the field Local space name, name the space to synchronize. This name is only used
locally, the name of the exposed space remains the same on the Remote SOLIDserver.
16. Click on OK to complete the operation. The report opens and closes. The rule is listed.

Now that you have synchronized an exposed space, you must complete the configuration.

Completing the Synchronization Configuration

Once you configured an appliance to expose a space and another to synchronize it, you have to
complete the configuration.

From any appliance that synchronizes an exposed space you should:

1. Ensure the synchronization is successful following the section Checking the Synchronization
in the IPAM.
2. Grant user access to the synchronized spaces by adding them as group resource as detailed
in the section Configuring User Access to Synchronized Spaces.

Checking the Synchronization in the IPAM

In the module IPAM, you can ensure that the synchronization of any external space is successful.
All synchronized information is available on the pages All spaces, All networks, All pools and All
addresses. Keep in mind that:
• Any synchronized space is set with the class remote space.
• You can use it to differentiate local and synchronized spaces.
• If the exposed space is configured with a class, it is locally overwritten. Any class applied to
objects of the space remains unchanged.
• The properties page of the synchronized space displays both the original and local class
parameters in the panel Main properties.
• On the page All spaces, the columns Class and Last sync provide useful information on syn-
chronized spaces. For more details on how to add or display customized list templates, refer
to the section Managing List Templates.

To make sure the synchronization is successful

1. Connect to an appliance that synchronizes a space using the superuser credentials.
2. In the sidebar, go to IPAM > Spaces. The page All spaces opens.
3. The page should list synchronized space(s). In the column Class, they are set to remote
space and the column Last sync indicates the date and time of the last synchronization.
4. In the column Name, click on the name of a synchronized space. The page All networks
opens. The content of the space is listed.
5. In the breadcrumb, click on All pools or All addresses. The content of the networks is listed.

Configuring User Access to Synchronized Spaces

By default, only users of the group admin have access to synchronized spaces. To grant access
to the spaces to more users, you must add them to the resources of the relevant groups.

Note that:

1287
 Configuring Space Synchronization

• Adding synchronized spaces to the resources of a group does not grant them any right, it allows
them to see the space and its content in the IPAM.
• Only users of the group admin should be able to edit synchronized spaces and their content.
They should be in read-only for everyone else.

To add a synchronized space as group resource

1. In the sidebar, go to IPAM > Spaces. The page All spaces opens.
2. Tick the synchronized space(s) of your choice.
3. In the menu, select Edit > Rights > Add as group(s) resource(s).The wizard Resources
Management opens.
4. In the list Available group(s), select a group and click on to add the selected space(s)
to the Resource list. The group is moved to the list Add to the resources of the group(s).
Repeat the operation for as many groups as needed.
5. In the list Add to the resources of the group(s), the groups that have the selected space(s)
as resource(s) are listed. To remove a group from that list, select the group and click on .
The group is listed back in the list Available group(s).
6. Click on OK to complete the operation. The report opens and closes. The page refreshes.

Monitoring IPAM Synchronization

You can monitor synchronization error messages from the page Syslog of the module Adminis-
tration:
• All synchronization activity is listed under the Service ipmserver.
• Via the column Log, you can filter the list with the keyword Multi-IPAM-Sync to only display
synchronization logs. Based on that filter, you can even add alerts.
For more details on Syslog and alerts, refer to the sections Managing the Logs and Managing
Alerts.

Disabling Space Synchronization

To disable the space synchronization, you can either disable the rules, if you intent to enable
them again, or delete them altogether.

Note that:
• The rule 300 that exposes a space should not be disabled or deleted on its own. Disabling
or deleting it breaks the synchronization, therefore you should also disable or delete the cor-
responding instance of the rule 301, and stop the synchronization on the relevant appliance(s).
• The rule 301 that synchronizes an external space can be disabled or deleted on its own.
Disabling or deleting it does not impact the synchronization configured on other appliances.

To disable a rule
Only users of the group admin can perform this operation.
1. Connect to the appliance on which you configured the rule you want to disable.
2. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
3. In the section Expert, click on Rules. The page Rules opens.
4. Filter the list through the column Rule # and hit Enter. Only the matching rules are listed.
5. Tick the rule of your choice.

1288
 Configuring Space Synchronization

6. In the menu, select Edit > Disable. The wizard opens.

7. Click on OK to complete the operation. The report opens and closes. In the column Status,
the rule is marked Disabled.

To enable a rule again, follow the procedure above and select Enable. In the column Status,
the rule is marked Enabled.

To delete a rule
Only users of the group admin can perform this operation.
1. Connect to the appliance on which you configured the rule you want to delete.
2. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
3. In the section Expert, click on Rules. The page Rules opens.
4. Filter the list through the column Rule # and hit Enter. Only the matching rules are listed.
5. Tick the rule of your choice.
6. In the menu, click on Delete. The wizard opens.
7. Click on OK to complete the operation. The report opens and closes. The rule is no longer
listed.

1289
Chapter 107. Upgrading
This chapter details the procedures to successfully upgrade SOLIDserver 8.1 to a higher patch.

To upgrade SOLIDserver from a previous minor or major version, refer to the guide SOLIDserv-
1
er_Upgrade_to_Version_8.1.pdf available on our download portal .

Before upgrading SOLIDserver, note that:

1. You must take into account the prerequisites and recommendations.
2. The upgrade process can take a while as the appliance:
a. Generates and saves a backup of the database at the time of the upgrade before rebooting.
b. Upgrades the appliance version and database schema before rebooting a second time.

Prerequisites
1. Have an Internet connection and your credentials ready to download the version of
SOLIDserver that suits your needs on our download portal.
2. Have an installed license under maintenance contract to be able to upgrade to the latest
version.
3. Make sure you have sufficient rights to upgrade. Only users of the group admin, like ipmad-
min, can perform the operations detailed in this document.
4. If you installed hot-fixes, they are deleted during the upgrade. The upgrade wizard retrieves
a list of all installed hot-fixes that you can download.
Note that hot-fixes are only detected locally. When you upgrade a remote SOLIDserver from
the Management appliance, hot-fixes are deleted but the list of files is not available.
5. Keep the upgrade file as is. You cannot rename SOLIDserver upgrade files, otherwise the
upgrade may fail.
6. If you encrypted the database, make sure you have access to the database encryption key
file before upgrading a Standalone or Management appliance, in case you need to import the
keys again. For more details, refer to the section Downloading Database Keys in the chapter
Securing.

Recommendations
1. Follow the proper upgrade procedure.
• If you want to upgrade an appliance, either managing remote appliances or not, refer to the
section Upgrading an Appliance.
• If you want to upgrade appliances managed remotely, refer to the section Upgrading Appli-
ances Managed Remotely.
• If you want to upgrade appliances configured in High Availability, refer to the section Upgrad-
ing Appliances in High Availability.
2. Save the backup file generated during the upgrade. All backup files are automatically deleted
after the number of days defined in the Retention duration you set. If for any reason you need
to troubleshoot the upgrade beyond that period, you will need the latest backup. For more
details regarding troubleshooting, refer to the section Troubleshooting the Upgrade.

1
At https://downloads.efficientip.com/support/downloads/docs/, in the relevant version folder. Log in using your credentials. If you do
not have credentials yet, request them at www.efficientip.com/support-access.

1290
 Upgrading

For more details regarding the backup retention time, refer the section Managing Backups and
Restoring Configurations.

Upgrading an Appliance
If you meet the prerequisites, you can upgrade SOLIDserver to a higher patch, it implies to:
1. Download the image of the latest patch of version 8.1.
2. Upgrade the appliance.
3. Save the backup generated during the upgrade.

Note that:
• Once the appliance is upgraded, the page Services configuration might display different statuses:
any service that was stopped restarts when SOLIDserver reboots. Only disabled services are
not started after an upgrade.
• If an error occurs during the upgrade, refer to the section Troubleshooting the Upgrade of a
Standalone or Remote Appliance.

If you are upgrading an appliance in High Availability, refer to the section Upgrading Appliances
in High Availability.

If you are upgrading a Management appliance and its remote appliance(s), refer to the section
Upgrading Appliances Managed Remotely.

To upgrade a Standalone or Management appliance

Only users of the group admin can perform this operation.
1. Download the image of the latest patch of version 8.1
a. Use your client account credentials to connect to our download portal at
https://downloads.efficientip.com/support/downloads/SOLIDserver/.
b. Open the folder 8.1/.
c. Download the file solidserver-<architecture>-<version> that suits your needs. The file
must be without extension and its version must be higher than the version you are up-
grading from.
2. Upgrade the appliance
a. Connect to the appliance GUI.
b. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
c. In the section Maintenance, click on Upgrade. The wizard Upgrade SOLIDserver
opens.
d. Click on BROWSE to select the file containing the upgrade image.The name of the selected
file is displayed in the field File name.
Once the file retrieved, the fields Current version and Upgrade to appear. They both
indicate the version and architecture as follows: <version> (<architecture>).
If you installed hot-fixes, all related files are listed under Modified files on the page. For
more details, refer to the prerequisites.
You can click on DOWNLOAD FULL REPORT to retrieve both lists.
e. Click on NEXT . The last page opens.
f. To start the upgrade, click on UPGRADE .

1291
 Upgrading

After a while, the connection is automatically interrupted as the appliance shuts down
and reboots. Do not interrupt the process. Once the GUI is reachable again, it displays
the restart progression. When the login fields appear, you can connect to the appliance.
3. Save the backup file
a. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
b. In the section Maintenance, click on Backup & Restore. The page Backup & Restore
opens.
c. In the panel Local backup file, select the latest backup file. It is named solid-<host-
name>-<year><month><day>-<hour><minutes>.gz.
d. Click on DOWNLOAD to save the file locally.

Upgrading Appliances Managed Remotely

If you meet the prerequisites, you can upgrade SOLIDserver appliances managed remotely to a
higher patch.

You can upgrade all remote appliances at once to the same version and architecture as their
Management appliance. Which is why you must:
1. Check the version of your Management appliance.
2. Upgrade the remote appliance(s) to the same version from the Management appliance.
3. Save the backup file of each remote appliance, it is generated during the upgrade.

Note that:
• To upgrade a remote appliance, the Management appliance should already be upgraded.
• When you upgrade remote appliances from the Management appliance, you cannot retrieve
the list of hot-fixes because it is only available locally.
• Once appliances are upgraded, the page Services configuration might display different statuses:
any service that was stopped is started when SOLIDserver reboots. Only disabled services
are not started after an upgrade.
• If an error occurs during the upgrade, refer to the section Troubleshooting the Upgrade of a
Standalone or Remote Appliance.

If you are upgrading a Standalone appliance or only the Management appliance, refer to the
section Upgrading an Appliance.

If you are upgrading appliances in HA, refer to the section Upgrading Appliances in High Availab-
ility.

To upgrade one or several remote appliances

Only users of the group admin can perform this operation.
1. Check the version of the Management appliance
a. Connect to the Management appliance GUI.
b. On the Main dashboard, the gadget System Information indicates the appliance version
and architecture. Once upgraded, the remote appliance(s) should match this version.
2. Upgrade the remote appliance(s) from the Management appliance
a. Connect to the Management appliance GUI.

1292
 Upgrading

b. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
c. In the section System, click on Centralized Management. The page Centralized
Management opens.
d. Tick the appliance(s) you want to upgrade.
e. In the menu, select Edit > Upgrade remote SOLIDserver. The wizard Upgrade
remote SOLIDserver opens.
If you installed hot-fixes, you cannot retrieve the list of these files as they are only
available locally.
f. To start the upgrade, click on OK . The report opens and works until the selected appli-
ance(s) version matches the version of the Management appliance. The wizard closes.
The appliance(s) is not accessible for a few minutes.
3. Save the backup file of each remote appliance
a. Connect to the remote appliance GUI.
b. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
c. In the section Maintenance, click on Backup & Restore. The page Backup & Restore
opens.
d. In the panel Local backup file, select the latest backup file. It is named solid-<host-
name>-<year><month><day>-<hour><minutes>.gz.
e. Click on DOWNLOAD to save the file locally.
f. Repeat steps a to e for each of the remote appliances you upgraded.

Upgrading Appliances in High Availability

To upgrade appliances configured in High Availability to a higher patch, you must meet the basic
upgrade prerequisites and go to the page Centralized Management of both appliances to make
sure that the High Availability configuration is properly set:
• One appliance must be the Master and have the Status OK.
• The other appliance must be the Hot Standby and have the Status Managed (remote).
• Both appliances must share the same HA UID.
• Both appliances must share the same version.
• There should be little to no Time drift between them.
• The page Centralized Management of the Master and the Hot Standby appliances must display
the same information.

Upgrading appliances in High Availability must be performed from the Master appliance.

Since version 8.x, during the upgrade process:

1. The Master appliance is upgraded first. As the upgrade requires to stop and restart the
appliance, which would switch the appliances role, the automatic re-enrollment is ignored. In
addition, the Hot Standby appliance replication is stopped while its upgrade is scheduled.
2. The Hot Standby appliance is upgraded once the Master upgrade is complete. Once the
Master is upgraded, the Hot Standby appliance can be stopped and restarted for the upgrade.

This process ensures that the appliances do not switch roles and that the Hot Standby database
is available even during the upgrade. Note that:

1293
 Upgrading

• Once the appliances are upgraded, the page Services configuration might display different
statuses as any service that was stopped is started when SOLIDserver reboots. Only disabled
services are not started after an upgrade.
• If an error occurs during the upgrade, refer to the section Troubleshooting the Upgrade of Ap-
pliances in High Availability.
• Since version 7.1.3, you can no longer manually upgrade appliances from the Hot Standby.

If you are not upgrading an appliance in High Availability, refer to the section Upgrading an Ap-
pliance or Upgrading Appliances Managed Remotely.

To upgrade appliances in High Availability

Only users of the group admin can perform this operation.
1. Make sure the appliances meet all upgrade prerequisites
Make sure that both the Master and Hot Standby appliances meet the basic upgrade pre-
requisites and the High Availability prerequisites.
2. Download the image of the latest patch of version 8.1
a. Use your client account credentials to connect to our download portal at
https://downloads.efficientip.com/support/downloads/SOLIDserver/.
b. Open the folder 8.1/.
c. Download the file solidserver-<architecture>-<version> that suits your needs. The file
must be without extension and its version must be higher than the version you are up-
grading from.
3. Update the HA files database from the Master
a. Connect to the Master appliance GUI.
b. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
c. In the section System, click on Centralized Management. The page Centralized
Management opens.
d. In the menu, select Tools > Update HA files database. The report opens.
e. Click on OK to complete the operation. The report opens and closes.
4. Upgrade to version 8.1 both appliances from the Master
a. Connect to the Master appliance GUI.
b. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
c. In the section Maintenance, click on Upgrade. The wizard Upgrade SOLIDserver
opens.
d. Click on BROWSE to select the file containing the upgrade image.The name of the selected
file is displayed in the field File name.
Once the file retrieved, the fields Current version and Upgrade to appear. They both
indicate the version and architecture as follows: <version> (<architecture>).
If you installed hot-fixes on the Master appliance, all related files are listed under Modified
files on the page. For more details, refer to the prerequisites.
You can click on DOWNLOAD FULL REPORT to retrieve both lists.
e. Click on NEXT . The last page opens.
f. To start the upgrade, click on UPGRADE .

1294
 Upgrading

After a while, the connection is automatically interrupted as the appliance shuts down
and reboots. Do not interrupt the process. Once the GUI is reachable again, it displays
the restart progression. When the login fields appear, you can connect to the appliance.
5. Check that both appliances are upgraded
a. Connect to the Master appliance GUI.
b. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
c. In the section System, click on Centralized Management. The page Centralized
Management opens.
d. In the column Version, the value for the Master should match the one on the Hot
Standby appliance.
e. Connect to the Hot Standby appliance GUI and repeat steps b to d to make sure both
appliances are in the same version of SOLIDserver. If they do not, refer to the section
Troubleshooting the Upgrade of Appliances in High Availability.
6. Save the backup file of both appliances
a. Connect to the Master appliance GUI.
b. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
c. In the section Maintenance, click on Backup & Restore. The page Backup & Restore
opens.
d. In the panel Local backup file, select the latest backup file. It is named solid-<host-
name>-<year><month><day>-<hour><minutes>.gz.
e. Click on DOWNLOAD to save the file locally.
f. Connect to the Hot Standby appliance GUI and repeat the steps b to e if you set a
specific network/services configuration.

Troubleshooting the Upgrade

To troubleshoot an upgrade you can roll back to the version previously installed:
1. Connect to the appliance via CLI.
2. Execute the command that rolls back the installation and restores the backup saved right before
the upgrade.
3. Wait for the appliance to reboot.

Follow the proper troubleshooting procedure:

• The procedure is the same for Standalone, Management or remote appliances. For more details,
refer to the section Troubleshooting the Upgrade of a Standalone or Remote Appliance.
• To troubleshoot an appliance configured in High Availability refer to the section Troubleshooting
the Upgrade of Appliances in High Availability.

Troubleshooting the Upgrade of a Standalone, Management or

Remote Appliance
If the appliance was upgraded to the correct version but an error occurred, whether it is
remotely managed or not, you can roll back via CLI. This restores the appliance version and
database as they were before the upgrade.

1295
 Upgrading

To troubleshoot an appliance configured in High Availability refer to the section Troubleshooting

the Upgrade of Appliances in High Availability.

Note that you need the backup file of the previous version or patch to be stored locally on the
appliance. It was generated during the upgrade to version 8.1.

To roll back the upgrade of a Standalone, Management or remote appliance

Only users of the group admin can perform this operation.
1. Make sure the backup file is stored on the appliance
a. Connect to the appliance GUI.
b. On the Main dashboard, in the gadget System information, check the Version currently
installed on the appliance.
c. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
d. In the section Maintenance, click on Backup & Restore. The page Backup & Restore
opens.
e. In the panel Local backup files, make sure the backup generated during the upgrade
to the desired version is listed.
If the backup file is not listed, in the menu select Tools > Upload a backup file. Browse
your computer to find it and click on OK to make sure it is listed in the panel.
2. Roll back the appliance
a. Using a terminal emulator, open a shell session to connect to the appliance CLI you are
troubleshooting using its IP address or hostname.
b. Log in using the credentials admin/admin. The CLI Main menu appears.

Figure 107.1. Main menu

c. Hit the key T to select T Tools and hit the key Enter. The page Tools opens.
d. The line S Start a shell is selected, hit Enter. The terminal closes.
e. Execute the following command to get root permissions:
sudo -s

Hit Enter. A new shell connection opens.

f. Execute the rollback command:
# /usr/local/nessy2/script/rollback_upgrade.sh

The menu SOLIDserver rollback opens.

g. In the menu Choose backup to restore to <previous-version>-<architecture>, use
the arrows of your keyboard to highlight the backup file that suits your needs.

1296
 Upgrading

Note that only the backup files saved when the previous version was installed are listed,
so if you upgraded a few days ago, none of the backup files saved between the upgrade
and the rollback are listed.
h. Once the backup file of your choice is highlighted, click on Enter. The page WARNING
ROLLBACK WILL RESTORE A BACKUP opens.
i. Hit the key Y to highlight the line ( ) Y CONFIRM ROLLBACK. Press the key Space to
select this option, the * indicates the line is selected: (*) Y CONFIRM ROLLBACK.
j. Hit Enter to confirm.
After a while, the connection is automatically interrupted as the appliance shuts down
and reboots. Do not interrupt the process. Once the GUI is reachable again, it displays
the restart progression. When the login fields appear, you can connect to the appliance.

Troubleshooting the Upgrade of Appliances in High Availability

To troubleshoot the upgrade of appliances in High Availability, check if both appliances upgraded
to the same version and then follow one of these two procedures:
• If HA Appliances Were Both Upgraded to the Same Version.
• If HA Appliances Were Both Upgraded to Different Versions.

If both appliances were properly upgraded to the desired version but the High Availability
configuration was broken, you only need to reconfigure it. For more details, refer to the section
Setting a High Availability Configuration.

If HA Appliances Were Both Upgraded to the Same Version

If an error occurred but both HA appliances were upgraded to the same patch of version
8.1, you can roll back via CLI starting with the Master appliance. This restores the appliances
version and database as they were before the upgrade.

Before troubleshooting HA appliances:

• You need the backup file, generated during the upgrade, to be stored locally on each appliance.
• You need to disable the High Availability configuration, if it is enabled, before rolling back.

To roll back the upgrade of HA appliances

Only users of the group admin can perform this operation.
1. Make sure the backup file is stored on both appliances
a. Connect to the Master appliance GUI.
b. On the Main dashboard, in the gadget System information, check the Version currently
installed on the appliance.
c. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
d. In the section Maintenance, click on Backup & Restore. The page Backup & Restore
opens.
e. In the panel Local backup files, make sure the backup generated during the upgrade
to the desired version is listed.
If the backup file is not listed, in the menu select Tools > Upload a backup file. Browse
your computer to find it and click on OK to make sure it is listed in the panel.
f. Connect to the Hot Standby appliance GUI and repeat the steps b to e.

1297
 Upgrading

2. Make sure the High Availability is properly disabled

a. Connect to the Master appliance GUI.
b. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
c. In the section System, click on Centralized Management. The page Centralized
Management opens.
If the High Availability configuration is already disabled, i.e. both appliances have a
Standalone role, go to the next numbered step.
d. Tick the Hot Standby appliance.
e. In the menu, click on Delete. The wizard Delete opens.
f. Click on OK to complete the operation. The report opens and works until the Hot Standby
database is erased. The wizard closes. The Hot Standby is no longer listed on the page.
The former Master appliance keeps a Master role.
The former Hot Standby appliance is not accessible while it is reset. When it is back up,
it is a Standalone appliance again.
3. Roll back the appliances
a. Using a terminal emulator, open a shell session to connect to the Master appliance CLI
you are troubleshooting using its IP address or hostname.
b. Log in using the credentials admin/admin. The CLI Main menu appears.

Figure 107.2. Main menu

c. Hit the key T to select T Tools and hit the key Enter. The page Tools opens.
d. The line S Start a shell is selected, hit Enter. The terminal closes.
e. Execute the following command to get root permissions:
sudo -s

Hit Enter. A new shell connection opens.

f. Execute the rollback command:
# /usr/local/nessy2/script/rollback_upgrade.sh

The menu SOLIDserver rollback opens.

g. In the menu Choose backup to restore to <previous-version>-<architecture>, use
the arrows of your keyboard to highlight the backup file that suits your needs.
Note that only the backup files saved when the previous version was installed are listed,
so if you upgraded a few days ago, none of the backup files saved between the upgrade
and the rollback are listed.
h. Once the backup file of your choice is highlighted, click on Enter. The page WARNING
ROLLBACK WILL RESTORE A BACKUP opens.

1298
 Upgrading

i. Hit the key Y to highlight the line ( ) Y CONFIRM ROLLBACK. Press the key Space to
select this option, the * indicates the line is selected: (*) Y CONFIRM ROLLBACK.
j. Hit Enter to confirm.
After a while, the connection is automatically interrupted as the appliance shuts down
and reboots. Do not interrupt the process. Once the GUI is reachable again, it displays
the restart progression. When the login fields appear, you can connect to the appliance.
k. Connect to the Hot Standby appliance CLI and repeat the steps b to j.

After the rollback, you might want or need to re-enroll the appliances to make sure there is no
replication delay. For more details, refer to the section Configuring High Availability Advanced
Options.

If HA Appliances Were Both Upgraded to Different Versions

If both appliances in High Availability were upgraded to two different versions, a banner
above the top bar prompts you to downgrade your software version. You can downgrade each
appliance locally via CLI, starting with the Master appliance.

Note that:
• You need the backup file, generated during the upgrade, to be stored locally on each appliance.
• You need to disable the High Availability configuration, if it is enabled, before downgrading
both appliances separately.

To downgrade HA appliances upgraded to different versions

Only users of the group admin can perform this operation.
1. Download the image of a previous version
a. Use your client account credentials to connect to our download portal at
https://downloads.efficientip.com/support/downloads/SOLIDserver/.
b. Open the folder of the version you want to downgrade to.
c. Download the file solidserver-<architecture>-<version> of the last version installed on
the appliances before the upgrade. The file must be without extension.
2. Make sure the backup file is stored on both appliances
a. Connect to the Master appliance GUI.
b. On the Main dashboard, in the gadget System information, check the Version currently
installed on the appliance.
c. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
d. In the section Maintenance, click on Backup & Restore. The page Backup & Restore
opens.
e. In the panel Local backup files, make sure the backup generated during the upgrade
to the desired version is listed.
If the backup file is not listed, in the menu select Tools > Upload a backup file. Browse
your computer to find it and click on OK to make sure it is listed in the panel.
f. Connect to the Hot Standby appliance GUI and repeat the steps b to e.
3. Make sure the High Availability is properly disabled
a. Connect to the Master appliance GUI.
b. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.

1299
 Upgrading

c. In the section System, click on Centralized Management. The page Centralized

Management opens.
If the High Availability configuration is already disabled, i.e. both appliances have a
Standalone role, go to the next numbered step.
d. Tick the Hot Standby appliance.
e. In the menu, click on Delete. The wizard Delete opens.
f. Click on OK to complete the operation. The report opens and works until the Hot Standby
database is erased. The wizard closes. The Hot Standby is no longer listed on the page.
The former Master appliance keeps a Master role.
The former Hot Standby appliance is not accessible while it is reset. When it is back up,
it is a Standalone appliance again.
4. Downgrade both appliances separately
a. Connect the future Master appliance GUI.
b. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
c. In the section Maintenance, click on Upgrade. The wizard Upgrade SOLIDserver
opens.
d. Click on BROWSE to select the file containing the upgrade image.The name of the selected
file is displayed in the field File name.
Once the file retrieved, the fields Current version and Upgrade to appear. They both
indicate the version and architecture as follows: <version> (<architecture>).
If you installed hot-fixes, all related files are listed under Modified files on the page. For
more details, refer to the prerequisites.
You can click on DOWNLOAD FULL REPORT to retrieve both lists.
e. Click on NEXT . The last page opens.
f. To start the upgrade, click on UPGRADE .
After a while, the connection is automatically interrupted as the appliance shuts down
and reboots. Do not interrupt the process. Once the GUI is reachable again, it displays
the restart progression. When the login fields appear, you can connect to the appliance.
g. Connect to the future Hot Standby appliance GUI and repeat the steps b to f.
5. Restore the backup of both appliances separately via CLI
a. Using a terminal emulator, open a shell session to connect to the Master appliance CLI
using its IP address or hostname.
If the connection cannot be established, it means that SOLIDserver did not finish
downgrading. Wait and open another shell session.
b. Log in using the credentials admin/admin. The CLI Main menu appears.

Figure 107.3. Main menu

1300
 Upgrading

c. Hit the key B to select B Backup Management and hit the key Enter. The page Backup
Management opens.
d. Select R Restore backup and hit Enter. The page Backup files opens.
e. Using the digit keys, select the backup file generated before the unsuccessful upgrade.
f. Hit Enter to select it. The message Do you also want to restore the configuration
of the system? appears.
g. The answer Yes is selected. Hit Enter to select it.
The message Do you really want to restore <backup-file-name>? Your server will
automatically be rebooted to complete the process if you continue appears and
the answer Yes is selected
h. Hit Enter to confirm.
After a while, the connection is automatically interrupted as the appliance shuts down
and reboots. Do not interrupt the process. Once the GUI is reachable again, it displays
the restart progression. When the login fields appear, you can connect to the appliance.
i. Connect to the Hot Standby appliance CLI and repeat steps b to h if you want to restore
the network/services configuration of the future Hot Standby appliance.
Note that, if you do not need to restore the network/services configuration of your Hot
Standby appliance, you can restore only the Master appliance.
6. Enroll the Hot Standby again
a. Connect to the Master appliance GUI.
b. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
c. In the section System, click on Centralized Management. The page Centralized
Management opens.
d. In the menu, click on Add. The Add/Modify remote SOLIDserver appears.
e. In the field SOLIDserver IP address, specify the IPv4 address of the appliance you
want to add to the list.
f. If the field "Admin" account password is empty, specify the SSH password, i.e. the
default one (admin) or the one you set if you changed it.
g. Click on OK to complete the operation. The report opens and closes. The new appliance
is listed and marked Standalone in the column Role and Managed (remote) in the
column Status.
h. Tick the future Hot Standby.
i. In the menu, select Edit > Enroll SOLIDserver as Hot Standby. The wizard Enroll
SOLIDserver as Hot Standby opens.
j. Click on OK to complete the operation. The report opens and works for a while, until the
Hot Standby appliance database is erased and replaced by the Master appliance
database. The appliance set as Hot Standby is unavailable for a while. Each appliance
role is modified according to the configuration, they both get the same HA UID.
7. Contact your reseller's support team to correct your database and successfully upgrade
SOLIDserver.

After the rollback, you might want or need to re-enroll the appliances to make sure there is no
replication delay. For more details, refer to the section Configuring High Availability Advanced
Options.

1301
 Part XX. Customization
There are many ways of customizing SOLIDserver to suit your needs from the GUI to the data you manage.

You can customize the GUI following the chapters:

• Customizing the GUI details how to specify the text of your choice in the home page Welcome banner,
or include images on the Home page or the login page.
• Managing Smart Folders details how to set up a tree-like display of your data for the modules IPAM,
DHCP, DNS, NetChange and Device Manager using Smart Folders in the Tree View. This completely
virtual organization of the objects can help you simplify deep organizations.
• Managing IPv6 Labels details how to add and use IPv6 labels above the IPv6 addresses of your IPAM
and DHCP entries and differentiate containers more easily.

You can also customize your databases even further following the chapters:
• Configuring Classes details how administrators can manage classes to configure custom properties for
your resources and tailor your database.
• Custom DB details how to add databases tailored to your needs. They can, for instance, be used when
to ease the configuration of your classes.
• Managing Customization Packages details how to install packages to import customized functionalities
from an archive file.
Table of Contents
108. Customizing the GUI ............................................................................................ 1304
Customizing SOLIDserver Login Page .................................................................. 1304
Customizing the Main Dashboard Welcome Banner ............................................... 1307
Customizing the Interface Names and Fields ......................................................... 1309
109. Managing Smart Folders ...................................................................................... 1311
Browsing Smart Folders ....................................................................................... 1311
Adding Smart Folders .......................................................................................... 1312
Editing Smart Folders .......................................................................................... 1313
Sharing Smart Folders ......................................................................................... 1313
Deleting Smart Folders ........................................................................................ 1314
110. Managing IPv6 Labels .......................................................................................... 1315
Limitations .......................................................................................................... 1315
Adding Labels ..................................................................................................... 1315
Displaying or Hiding Labels .................................................................................. 1316
Editing Labels ..................................................................................................... 1316
Deleting Labels ................................................................................................... 1317
111. Configuring Classes ............................................................................................. 1318
Browsing Class Studio Database .......................................................................... 1319
Managing Classes ............................................................................................... 1321
Configuring the Classes Content .......................................................................... 1328
112. Configuring Custom Databases ............................................................................. 1376
Managing Custom Databases .............................................................................. 1376
Managing Custom Data ....................................................................................... 1378
113. Managing Customization Packages ....................................................................... 1381
Browsing the Packages Database ........................................................................ 1381
Uploading Packages ............................................................................................ 1382
Creating Packages .............................................................................................. 1382
Editing Packages ................................................................................................. 1384
Installing Packages .............................................................................................. 1384
Uninstalling Packages ......................................................................................... 1384
Downloading Packages ........................................................................................ 1385
Deleting Packages .............................................................................................. 1385

1303
Chapter 108. Customizing the GUI
You can customize the Login page and the Main dashboard, SOLIDserver homepage, with images
and messages or even edit most GUI fields name.
• Customizing SOLIDserver Login Page
• Customizing the Main Dashboard Welcome Banner
• Customizing the Interface Names and Fields

Note that only users of the group admin can perform these changes.

Customizing SOLIDserver Login Page

Three areas of the Login page can be customized.

Figure 108.1. SOLIDserver Login page

In the Login page backgound, behind the login window and the disclaimer, you can display
an image.
In the login window, above the appliance hostname and credentials fields, you can display
a different logo.
At the bottom of the page, a banner includes the disclaimer and its title.

You can customize the Login page with images, as background and in the login window, or with
a disclaimer:
• Customizing the Login Page With Images
• Customizing the Login Page With a Disclaimer

Customizing the Login Page With Images

On the Login page, you can either display images as a logo in the login window or as a back-
ground. To customize the login page with an image you must:

1304
 Customizing the GUI

1. Upload the image(s) to the local files listing.

2. Specify the image name as value of the dedicated registry database entry.

Only users of the group admin can perform these changes.

Uploading an Image
You can upload as many images as you need to the page Local files listing. Keep in mind that:
• Uploading images with a transparent background allows to fully integrate them to the graphical
interface.
• The image used to customize the logo must not exceed 373x74 pixels.

To upload an image to customize the login page

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Maintenance, click on Local files listing. The page Local files listing opens.
3. Under the menu, tick the bullet Custom images. The sub-page Custom images opens.
4. In the menu, select Tools > Upload file. The wizard Import a file opens, you can only
upload one file at a time.
5. Click on BROWSE to look for the image of your choice on your computer.
6. In this new window, find the image you want to upload and select it.
7. Click on Open. The window closes. In the field File name, the name of the selected image
is displayed.
8. Click on OK to complete the operation. The report wizard opens and closes. The image is
listed.

Displaying a Background Image on the Login Page

To display an image as a background on the login page, you have to set its name as value of
the appropriate registry database entry.

If you have not uploaded an image yet on Local files listing, refer to the section Uploading an
Image.

To display a background image in the login page

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Registry database. The page Registry database opens.
3. Filter the column Name with bg.generic.
4. Hit Enter. Only the key www.display.login_page.bg.generic is listed.
5. In the column Value, click on <empty>. The wizard Registry database Edit a value opens.
6. In the field Value, specify the full name of the image you want to display, including its exten-
sion.
7. Click on OK to complete the operation. The specified image is displayed as background of
SOLIDserver login page. To see the changes open SOLIDserver in a different browser or
log out.

To change the background image, upload the new image and click on the Value of the registry
database entry to specify the name of the other image.

1305
 Customizing the GUI

To stop displaying the image, click on the Value of the registry database entry and empty the
field. The default background is displayed again.

Displaying a Logo in the Login Window

To display an image as a new logo in the login window, you have to set its name as value of the
appropriate registry database entry.

If you have not uploaded an image yet on Local files listing, refer to the section Uploading an
Image.

To display a new logo in the login window

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Registry database. The page Registry database opens.
3. Filter the column Name with logo.generic.
4. Hit Enter. Only the key www.display.login_page.logo.generic is listed.
5. In the column Value, click on <empty>. The wizard Registry database Edit a value opens.
6. In the field Value, specify the full name of the image you want to display, including its exten-
sion.
7. Click on OK to complete the operation. The specified image replaces the default Login page
logo. To see the changes, open SOLIDserver in a different browser or log out.

To change the login window logo, upload the new image and click on the Value of the registry
database entry to specify the name of the other image.

To stop displaying the logo, click on the Value of the registry database entry and empty the field.
The default logo is displayed again.

Customizing the Login Page With a Disclaimer

To display a disclaimer at the bottom of the page, you must set the appropriate registry database
entries. One defines the text of the disclaimer and the other its title.

The disclaimer is saved in the appliance backup. If you have appliances configured in High
Availability, the disclaimer configured on the Master is also visible from the Hot Standby login
page.

Keep in mind that:

• Only users of the group admin can perform these changes.
• The disclaimer only supports plain text and cannot exceed 255 characters. You cannot format
it or choose to display it on separate lines.
• The disclaimer cannot be translated. It is always displayed in its original language, even if you
display the interface in a different language and, unlike many fields and names, it cannot be
translated from the page Language editor.

To add a disclaimer on the login page

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Registry database. The page Registry database opens.

1306
 Customizing the GUI

3. Filter the column Name with login.disclaimer.text.

4. Hit Enter. Only this key is listed.
5. In the column Value, click on <empty>. The wizard Registry database Edit a value opens.
6. In the field Value, specify the message you want to display.
7. Click on OK to complete the operation. To see the disclaimer, open SOLIDserver in a different
browser or log out. It is displayed at the bottom of the login page.

You can also add a title above the disclaimer.

To add a disclaimer title on the login page

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Registry database. The page Registry database opens.
3. In the menu, click on Add. The wizard Registry database Add an item opens.
4. In the field Name, type in login.disclaimer.title .
5. In the field Value, specify the title you want to display.
6. Click on OK to complete the operation. To see the title, open SOLIDserver in a different
browser or log out. It is displayed at the bottom of the login page.

To edit the disclaimer or its title, click on the Value of the relevant registry database entry to
specify the new information.

To stop displaying the disclaimer or its title, click on the Value of the relevant registry database
entry and empty the field. It is no longer displayed.

Customizing the Main Dashboard Welcome Banner

SOLIDserver Main dashboard, the homepage, displays by default a welcome banner.

Figure 108.2. SOLIDserver Main dashboard welcome banner

The welcome banner can contain an image.

You can set your own welcome banner message.

You can edit the welcome banner message, display an image or hide it altogether:
• Editing the Welcome Banner Message
• Displaying an Image on the Welcome Banner
• Hiding the Welcome Banner

Only users of the group admin can edit the welcome banner.

1307
 Customizing the GUI

Editing the Welcome Banner Message

By default, the welcome banner contains the message Welcome to SOLIDserver™, you can edit
it if you want.

To edit the welcome banner message

Only users of the group admin can perform this operation.
1. In the sidebar, click on Dashboards. The Main dashboard opens.
2. In the right corner of the welcome banner, click on . The wizard Editing the welcome
banner opens.
3. In the field Title, specify the message of your choice.
4. Click on OK to complete the operation. The report opens and closes. The Main dashboard
refreshes, the new message is visible.

Displaying an Image on the Welcome Banner

You can display an image next to the message of the welcome banner. The size of this image
does not matter as it is automatically resized to fit in the welcome banner.

To display an image on the welcome banner

Only users of the group admin can perform this operation.
1. In the sidebar, click on Dashboards. The Main dashboard opens.
2. In the right corner of the welcome banner, click on . The wizard Editing the welcome
banner opens.
3. Click on BROWSE to look for the image of your choice on your computer.
4. In this new window, find the image you want to upload and select it.
5. Click on Open. The window closes. In the field File name, the name of the selected image
is displayed.
6. Click on OK to complete the operation. The report opens and closes. The Main dashboard
refreshes, the image is visible on the appliance welcome banner.

If you want to display a different image, follow the procedure and select another image.

Keep in mind that the selected image(s) is saved on the page Local files listing and listed on the
sub-page Custom images. For more details, refer to the section Managing Files from the Local
Files Listing.

Hiding the Welcome Banner

You can hide the welcome banner from the Main dashboard. A dedicated registry database entry
is added to hide the banner.

To hide the welcome banner

Only users of the group admin can perform this operation.
1. In the sidebar, click on Dashboards. The Main dashboard opens.
2. In the right corner of the welcome banner, click on x. The wizard Hiding the welcome
banner opens.
3. Click on OK to complete the operation. The report opens and closes. The Main dashboard
refreshes, the banner is no longer visible.

1308
 Customizing the GUI

Displaying the Welcome Banner Again

If you hid the welcome banner from the Main dashboard, to display it again you need to delete
the appropriate registry database entry.

To display the welcome banner again

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Registry database. The page Registry database opens.
3. Filter the column Name with panel.home.
4. Hit Enter. Only the key panel.home.welcome.delete is listed.
5. Tick the entry panel.home.welcome.delete .
6. In the menu, click on Delete. The wizard Delete opens.
7. Click on OK to complete the operation. The page refreshes, the item is no longer listed.
8. In the sidebar, click on Quit administration to leave the module Administration.
9. In the sidebar, click on Dashboards. The page refreshes. The banner is visible again.

Removing the Image from the Welcome Banner

You can remove the image displayed in the welcome banner.

To remove the image displayed on the Welcome banner

Only users of the group admin can perform this operation.
1. In the sidebar, click on Dashboards. The Main dashboard opens.
2. In the right corner of the welcome banner, click on . The wizard Editing the welcome
banner opens.
3. Tick the box Remove the image from the banner.
4. Click on OK to complete the operation. The report opens and closes. The Main dashboard
refreshes, the image is no longer visible.

Customizing the Interface Names and Fields

From the page Language editor, you can rename GUI labels, the default name of most fields,
menus, pages and columns. Keep in mind that:
• Only users of the group admin can perform these changes.
• The label customization applies to the language you chose to display the interface in.
If you copy a label from the English version of the interface and rename it, the new value only
applies to the English interface. If you display the interface in French, the default label is dis-
played. To also rename the label for the interface displayed in French you need to copy the
label and rename it as well. For more details on how to display the interface in another language,
refer to the chapter Understanding the GUI in the section Configuring the User Display Settings.
• All labels, fields, columns and page titles can be renamed except:
• The title of the page Language editor itself.
• The disclaimer on the login page. To change it, refer to the section Customizing the Login
Page With a Disclaimer.
• The Main dashboard welcome banner message. To edit it, refer to the section Customizing
the Main Dashboard Welcome Banner.

1309
 Customizing the GUI

To add a customized label

1. From any page or wizard within SOLIDserver, copy the name of a field, page, column or
menu that you want to replace with your label.
2. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
3. In the section Customization, click on Language editor. The page Language editor opens.
4. In the menu, click on Add. The wizard opens.
5. In the field Key, paste the value you want to replace. We recommend that you copy/paste
the label name because Language editor is case sensitive.
6. If your appliance is displayed in English, in the field English, specify the new label value.
7. Click on OK to complete the operation. The entry is listed. Go back to the page where you
copied the label to see the new name.

To edit a customized label

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Language editor. The page Language editor opens.
3. In the column Key, click on the label name. The wizard opens.
a. In the field Key, you can edit the label itself. This edits a different field, column or page,
or nothing at all if it does not correspond to anything in the GUI.
b. If your appliance is displayed in English, in the field English, you can edit the label.
4. Click on OK to complete the operation. The entry is listed. Go to the page the label is displayed
on: it now displays the edited label in the corresponding language.

To delete a customized label

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Language editor. The page Language editor opens.
3. In the column Key, click on the label name. The wizard opens.
4. Empty all the fields.
5. Click on OK to complete the operation. The entry is no longer listed. Go to the page the label
is displayed on: it now displays the standard label.

1310
Chapter 109. Managing Smart Folders
Smart folders are a customization tool that allow to organize your items in a different way than
what you find on listing pages.

Smart folders provide a view of your database that helps you organize data into a tree-like hier-
archy. This display is completely virtual and does not affect in any way your data.

You can add, edit, delete and/or share smart folders with other users based on data available
from the modules IPAM, DHCP (only in v4), DNS, NetChange, Device Manager and Identity
Manager.

Each smart folder organization can have as many levels as you need and be composed of any
of the columns from the page it is added from, including meta-data (class parameters).

Like the gadgets, smart folders can either be personal or shared with other users. For more details,
refer to the section Sharing Smart Folders.

Browsing Smart Folders

All the smart folders can be displayed in the side panel, next to the sidebar, from any module
except Administration.

To manage them, you must go to the page My Smart Folders.

Displaying the Smart Folders in the Sidebar

To display the smart folders
1. In the sidebar, click on My Smart Folders. The page refreshes, the side panel Smart
Folders opens.
All smart folders are listed in the ASCII alphabetic order.
2. Click on to display the content of a smart folder. Click on to collapse a level or smart
folder.
3. You can expand the side panel to the right or refresh the data displayed using the button .

The smart folders are displayed as follows:

• The icon indicates an existing smart folder or the levels of hierarchy with a smart folder.
• Within a smart folder
• Each level of hierarchy is indented.
• Each level of hierarchy has a name followed by a number between brackets. This number
indicates how many sub-levels or resources it contains.
• The lowest level of the hierarchy is preceded by the icon of the resource where the smart
folder was added: , , ...

Note that:
• If a level does not appear when you expand the hierarchy of the smart folder, it means there
is no data to display.
• If a level is called N/A, it represents a level not relevant to the resource at the lowest level. For
instance, if you add a smart folder from the page All addresses and include a level "pool name",
if some IP addresses are not managed by a pool, they are listed under N/A.

1311
 Managing Smart Folders

Browsing the Smart Folders Database

From the page My Smart Folders you can manage edit, delete or share your smart folders.

To access the page My Smart Folders

1. From any page, in the top bar, select My Account > My Smart Folders. The page My
Smart Folders opens.
2. The columns on the page include all the information regarding each smart folder. They do
not have a properties page.

Table 109.1. The columns on the page My Smart Folders

Column Description
My Smart Folders The name of each smart folder.
All users The smart folder visibility. Yes indicates that the smart folder is shared with the other users.
No indicates that only the User who added it can see it.
User The name of the user who added the smart folder(s) listed.
Type The page where the smart folder was added, listed as follows: <module>:<page>.
Hierarchy The smart folder hierarchy.

Adding Smart Folders

Smart folders can be added from any listing page within the modules IPAM, DHCP, DNS,
NetChange, Device Manager and Identity Manager. They allow to organize into a customized
hierarchy the data displayed. Do not hesitate to filter the data at your convenience to visualize a
tree displaying only the pieces of information of your choice.

To add a smart folder

1. Go to the page of your choice.
2. Filter the data if needed.
3. In the menu, select Alerts, gadgets & Smart Folders > Add a Smart Folder. The
wizard Add a Smart Folder opens.
4. In the field Smart Folder Name, name your smart folder.
5. Select the content of your smart folder:
a. In the drop-down list Hierarchy, select a column or a class parameter.
b. Click on . The selected value is moved to the list Selected items in the hierarchy.
c. Repeat these steps for as many columns and class parameters as needed.
6. Organize the hierarchy of your smart folder. The order impacts the final display of the smart
folder.
a. In the list Selected items in the hierarchy, select a value and move it using the buttons
and .
b. To remove a value, select it in the list and click on . It moved back to the list Hierarchy.
7. Tick the box Visible to the other users if you want to share your smart folder with the other
users.
8. Click on OK to complete the operation. The report opens and closes.

Once added, the smart folder is listed in the Tree view. If you do not see it use the button.

1312
 Managing Smart Folders

Editing Smart Folders

From the page My smart folders, you can edit all the details of your smart folders except the
column User.

To edit a smart folder

1. From any page, in the top bar, select My Account > My Smart Folders. The page My
Smart Folders opens.
2. Right-click over the name of the smart folder you want to edit. The contextual menu opens.
3. Click on . The wizard Edit a Smart Folder opens.
4. In the field Smart Folder Name, change the name if need be.
5. Add more columns and/or class parameters if need be:
a. In the drop-down list Hierarchy, select a column or a class parameter.
b. Click on . The selected value is moved to the list Selected items in the hierarchy.
c. Repeat these steps for as many columns and class parameters as needed.
6. Edit the hierarchy of your smart folder if need be:
a. In the list Selected items in the hierarchy, select a value and move it using the buttons
and .
b. To remove a value, select it in the list and click on . It moved back to the list Hierarchy.
7. Tick the box Visible to the other users if you want to share your smart folder with the other
users. You can untick it as well.
8. Click on OK to complete the operation. The report opens and closes. Your changes are dis-
played on the page My Smart Folders and in the Tree view.

Once edited, the smart folder new configuration can be displayed in the Tree view. Click on
to refresh the display.

Sharing Smart Folders

From the page My smart folders, you can decide how to share the smart folders you added. You
can either share them with other users, or make them accessible only to you.

Note that you can also decide how to share smart folders when you add them. For more details,
refer to the section Adding Smart Folders

To make a smart folder visible to all users

1. From any page, in the top bar, select My Account > My Smart Folders. The page My
Smart Folders opens.
2. In the list, tick the smart folder you want to share. Filter the smart folders if need be.
3. In the menu, select Edit > Visible to all users > Yes. The wizard Smart Folder visibility
opens.
4. Click on OK to complete the operation. The report opens and closes. In the column All Users,
the smart folder is marked Yes.

The same procedure allows you to make a smart folder visible only to you.

1313
 Managing Smart Folders

To make a smart folder visible only to you

1. From any page, in the top bar, select My Account > My Smart Folders. The page My
Smart Folders opens.
2. In the list, tick the smart folder you want to make visible only to you. Filter the smart folders
if need be.
3. In the menu, select Edit > Visible to all users > No. The wizard Smart Folder visibility
opens.
4. Click on OK to complete the operation. The report opens and closes. In the column All Users,
the smart folder is marked No.

Deleting Smart Folders

Smart folders can be deleted from the smart folder list. You can delete one or several smart
folders at a time.

To delete a smart folder

1. From any page, in the top bar, select My Account > My Smart Folders. The page My
Smart Folders opens.
2. In the list, select the smart folder(s) of your choice.
3. In the menu, click on Delete. The wizard Delete opens.
4. Click on OK to complete the operation. The report opens and closes. The selected smart
folder is no longer listed.

1314
Chapter 110. Managing IPv6 Labels
Labels provide a visual aid for IPv6 addresses management that allows to display the letters and
colors of your choice above a defined part of the addresses.

They allow to gather at a glance IP addresses belonging to a common container in the modules
IPAM, DHCP, Application and NetChange.

Figure 110.1. Example of a geographical distribution of labels in the IPAM

In the example above, the labels are named after the block-type and subnet-type networks. The
colors reflect the hierarchy. Also, the label goes above, and therefore hides, the configured ad-
dress, whether it is a full IP address or part of an address.

Limitations
• When configuring a label, you must specify the uncompressed version of the IP address. For
instance, to add a label for a network starting with the address 12:: , you must type in 0012::
• A label applies to IPv6 addressing regardless of the module, once set it applies to IPAM, DHCP,
Application and/or NetChange. Within the IPAM, if you have common network start addresses
among several spaces or networks, they all have the same label (see the East Coast and NYC
network labels in the example above).

Adding Labels
The labels are all managed from the same wizard, accessible in the menu Extra options.
You can add as many labels as you need on the following pages:
Ancienne taille de la page

• In the module IPAM, you can manage labels on the IPv6 pages All networks, All pools and All
addresses.
• In the module DHCP, you can manage labels on the IPv6 pages All scopes, All ranges, All
leases and All statics.
• In the module Application, you can manage the labels on the page All nodes.
• In the module NetChange, you can manage the labels on the IPv6 pages All addresses and
All routes.

To add a label
1. Depending on your needs, in the sidebar:
a. Go to IPAM > Networks, Pools or Addresses. The page opens.
b. Go to DHCP > Scopes, Ranges, Leases or Statics. The page opens.

1315
 Managing IPv6 Labels

c. Go to Application > Nodes. The page opens.

d. Go to NetChange > Addresses or Routes. The page opens.
2. If you accessed IPAM, DHCP or NetChange, make sure the button V6 is black, otherwise
click on it. The page refreshes and the button turns black.
3. In the menu, select Extra options > Configure IPv6 labels. The wizard Configure IPv6
labels opens.
Ancienne taille de la page

4. In the field IPv6, type in or paste the uncompressed address you want to label, or part of it.
5. In the field Label Name, specify the label name of maximum 3 characters, letters or numbers.
The label is visible in the Preview.
6. Under Choose a color, click on the color of your choice.
The color is visible in the Preview.
7. Click on ADD . The label is moved to the List of labels.
Repeat these steps for as many labels as you need.
8. Click on OK to complete the operation.

Once added, the labels need to be displayed manually, as detailed below.

Displaying or Hiding Labels

Once you added labels, you can choose to display or hide them.

To display/hide the labels

1. Depending on your needs, in the sidebar:
a. Go to IPAM > Networks, Pools or Addresses. The page opens.
b. Go to DHCP > Scopes, Ranges, Leases or Statics. The page opens.
c. Go to Application > Nodes. The page opens.
d. Go to NetChange > Addresses or Routes. The page opens.
2. If you accessed IPAM, DHCP or NetChange, make sure the button V6 is black, otherwise
click on it. The page refreshes and the button turns black.
3. On the right-end side of the menu, click on Use IPv6 labels. The configured labels are
visible and the button turns black.
4. On the right-end side of the menu, click on Do not use IPv6 labels. The configured
labels are no longer displayed and the button turns white.

Editing Labels
You can edit existing labels directly in their addition wizard.

To edit a label
1. Depending on your needs, in the sidebar:
a. Go to IPAM > Networks, Pools or Addresses. The page opens.
b. Go to DHCP > Scopes, Ranges, Leases or Statics. The page opens.
c. Go to Application > Nodes. The page opens.
d. Go to NetChange > Addresses or Routes. The page opens.

1316
 Managing IPv6 Labels

2. If you accessed IPAM, DHCP or NetChange, make sure the button V6 is black, otherwise
click on it. The page refreshes and the button turns black.
3. In the menu, select Extra options > Configure IPv6 labels. The wizard Configure IPv6
labels opens.
Ancienne taille de la page

4. In the field List of labels, select the label you want to edit.
5. Edit the label IPv6, Label Name and/or Color.
6. Click on UPDATE to save the changes. The label is no longer listed in the field.
Repeat these steps for as many labels as you need.
7. Click on OK to complete the operation.

Keep in mind that the labels need to be displayed manually. For more details, refer to the section
Displaying or Hiding Labels.

Deleting Labels
Like for the edition, you can delete existing labels directly in their addition wizard.

To delete a label
1. Depending on your needs, in the sidebar:
a. Go to IPAM > Networks, Pools or Addresses. The page opens.
b. Go to DHCP > Scopes, Ranges, Leases or Statics. The page opens.
c. Go to Application > Nodes. The page opens.
d. Go to NetChange > Addresses or Routes. The page opens.
2. If you accessed IPAM, DHCP or NetChange, make sure the button V6 is black, otherwise
click on it. The page refreshes and the button turns black.
3. In the menu, select Extra options > Configure IPv6 labels. The wizard Configure IPv6
labels opens.
Ancienne taille de la page

4. In the field List of labels, select the label of your choice. You can only delete labels one at
a time.
5. Click on DELETE . The label is no longer listed in the field.
Repeat these steps for as many labels as you need.
6. Click on OK to complete the operation.

1317
Chapter 111. Configuring Classes
Classes allow to configure properties and behaviors that change the addition and edition wizard
of the resources of your choice, they allow to tailor databases to their needs.

From the page Class Studio, users of the group admin can add, edit, rename, duplicate or move
classes, to another directory or resource.

Figure 111.1. The page Class Studio

Before configuring classes, keep in mind that:

1. The class is a container. All classes are listed on the page Class Studio. For more details,
refer to the section Managing Classes.
2. The class content is managed independently. All the parameters of a class, its class objects,
are configured in a dedicated wizard. For more details, refer to the section Configuring the
Classes Content.
When a class is selected, its parameters are available for configuration in the addition/edition
wizard of the resource. If the class is added empty, the wizard is unchanged.
Class parameters can be inherited and/or propagated from one module level to another. For
more details, refer to the section Inheritance and Propagation.

Within SOLIDserver, you can apply existing classes to resources from their addition/edition wizard.

There are 3 types of classes:

• Default is a class associated by default with every type of resource. These classes are auto-
matically applied to a resource in the addition and edition wizard and set the object's advanced
properties. For more details, refer to the chapter Managing Advanced Properties.
You cannot delete or edit default classes.
• Global is a class associated by default with every type of resources as well. These classes
are automatically applied to a resource in the addition and edition wizard and set the resource's
Meta-Data, the user defined fields of your choice.
You can edit but not delete global classes. For more details, refer to the section Editing Classes.
• custom classes are all the classes you add from the page Class Studio. These classes must
be manually selected and applied to resources in their addition and edition wizard. The wizard
automatically detects that a custom class is enabled for the type of resource and provides,
before anything else, the list <resource> class, where you select the class of your choice or
None.
You can manage custom classes. For more details, refer to the section Managing Classes.
Note that custom classes can be set as resource of groups of users. If users have management
rights over objects configured with a custom class but the class is not among their resources,
they cannot display or edit the class parameters and they clear the value of all the class para-

1318
 Configuring Classes

meters when they edit a resource. For more details regarding user resources, refer to the
section Adding Resources to a Group.

Applying an enabled class may change the fields available in the addition/edition wizard of the
resource. In the example below, an administrator configured a network class called location in-
cluding an input field labeled City. When editing the network internal, a user selected this class,
and can now specify that the network is located in the City of Chicago.

Figure 111.2. Example of an input class object labeled "City"

Note that classes can also be used to configure automatic list templates based on the class applied
to parent objects. For more details, refer to the section Adding An Automatic List Template.

Browsing Class Studio Database

In the module Administration, the page Class Studio allows to display all existing classes and
their content.

The classes are all listed on the page, while their content must be listed and managed from a
dedicated window, Class Editor.

Browsing Classes
To display the list of classes
Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.

By default, Class Studio displays as many global and default classes as there are resources
within SOLIDserver.

1319
 Configuring Classes

You cannot change the columns layout on the page.

Table 111.1. Class Studio columns

Column Description
Name The class name.
Directory The directory in which the class is located.
Module The module where the class is meant to be applied.
Type The type of resource in the selected Module the class can be applied to.
Template The class template status. It indicates if the class is used as template. For more details, refer
to the chapter Managing IPAM Templates.
Last modified The time and date of the last modification made on the class.
Status The class activation status, either Enabled or Disabled.

To display a class properties page

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. At the end of the line of the class of your choice, click on . The properties page opens.

Browsing Class Objects

The classes configuration is available in a window, named Class Editor, that allows to add and
edit the objects of the class.

Class Editor opens when you click on the name of any class on the page Class Studio.

Figure 111.3. The window Class Editor

The name of the class is displayed in the header.

This icon indicates the class object was set as Required.
This button allows to edit class objects. It appears when you hover over any object of the
class.
This button allows to delete class objects. It appears when you hover over any object of
the class.

1320
 Configuring Classes

The information banner. It displays the edition state and allows to save or cancel the latest
changes.
The search bar allows to filter class objects.
This button allows to close Class Editor. If you exit the window without saving your
changes, they are lost.
The right section displays the list of available class objects.
The left section is the class content, it displays the Label of the class objects you added. Its
name in the wizard where the class is applied.
This button allows to drag and drop, reorder, the class objects.

Note that the information banner is gray by default, it changes color depending on the class edition
state:
• If the banner is blue, you must save your configuration.
• If the banner is green, your configuration is successfully saved or canceled.
• If the banner is red, an error occurred.

To open Class Editor

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. In the column Name, click on the class you want to edit. The window Class Editor opens.

Class Editor allows to edit any of your own classes and the class global of any resource.

Managing Classes
From Class Studio, you can add, edit, rename, duplicate, move, stop using and/or delete classes.
Once added you can apply classes to the type of resource they were configured for.

Keep in mind that two types of class are available by default but their management is more limited:
• Default classes: you cannot edit or delete any default class. However, you can choose the
advanced properties you want to use, for more details refer to the chapter Managing Advanced
Properties.
• Global classes: you can edit each global class from the menu Extra options > Meta-data
but you cannot delete them. For more details, refer to the section Editing Classes.
Ancienne taille de la page

This section only describes the classes themselves, to configure their content, or class objects,
refer to the section Configuring the Classes Content.

You can add and manage classes for the following resources, the columns correspond to the
drop-down lists available in the class addition wizard.

Table 111.2. Resources that can be configured with a class

Module Type
Administration SOLIDserver (appliance).
Application Application.
DHCP DHCP server, DHCPv6 server, DHCP scope, DHCPv6 scope, DHCP range, DHCPv6
range, DHCP group, DHCPv6 group, DHCP static, DHCPv6 static.
DNS DNS server, DNS view, DNS zone, DNS resource record.

1321
 Configuring Classes

Module Type
Device Manager Device, Port/Interface.
IPAM Space, Network, Network (v6), Pool, Pool (v6), Address, Address (v6).
NetChange Network device, port.
Rights & delegation Group, User. The groups of users are managed from the module Administration.
SPX Autnum. The Autnums are managed from the module IPAM.
VLAN manager VLAN domain, VLAN range, VLAN. Each type can be applied to VLAN and VXLAN objects.
VRF VRF.
Workflow Request. The resource Requests only applies to outgoing requests.

Adding Classes
You can add as many classes as you need. The custom classes must then be applied to the re-
sources of your choice, when you add or edit them.

Class Studio is case sensitive, therefore, even if the name of each class must be unique, you
can add classes with the same name if they have different cases.

To add a class
Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. In the menu, click on Add. The wizard Add a new class wizard.
4. Configure the class:

Table 111.3. Class addition parameters

Field Description
Filename Name your class. The name cannot contain any special characters. This field is re-
quired.
Sub-directory You can fill in the directory where you want to save your class. If it does not exist, it
is added. On the wizards class selection page, classes placed in a directory are dis-
played as such: <directory>/<class>. This field is optional.
Module Select the module of your choice. This field is required.
Type Select the resource of your choice. This field is required.
Enable class Tick this box if you want to enable the class upon addition. If a class is not enabled,
it is ignored in the database and not listed in the addition/edition wizard of the resource
it applies to. This field is optional as you can enable it later on, For more details, refer
to the section Enabling or Disabling Classes.

5. Click on OK to complete the operation. The report opens and closes. The class is listed.

Once you added a class, keep in mind that:

• A class is empty by default, whether it is a global or a customized one. Once added, you
can click on the name of a class name to add and configure its class objects through Class
Editor. For more details, refer to the section Configuring the Classes Content.
• A class must be enabled to be used. If a custom class is not enabled, it is not available in
the addition and edition wizards of the resource. For more details, refer to the section Applying
Classes.

1322
 Configuring Classes

Only global classes are enabled by default and can be edited and automatically integrated to
the wizards of the resources they are set for.

Applying Classes
Once at least one custom class is added and enabled, the addition and edition wizard of the re-
source it can be applied to displays a dedicated page <resource> class.

Figure 111.4. The page Network class in an addition/edition wizard

This page allows to select and apply a class, that is to say load and configure its class objects
in the wizard.

Note that in some modules, you can configure and apply classes at many levels. When you are
adding resources at low levels without filtering the page to display the content of a specific con-
tainer, you need to select the resource container(s). If classes are applied at container levels,
you need to select a <resource> class for each container level, this does not load class objects
in the wizard, it allows to filter the list of potential containers for the resource you are adding.

To apply a class
Only users of the group admin can perform this operation.
1. Go to the page All <resources> of a resource for which you enabled a class.
2. Add or edit a resource. The wizard opens.
3. On the page <resource> class, select a value.
a. If no class was added at higher level:

Table 111.4. Class selection options

Option Description
None Select this option if you do not want to apply any custom class to the resource.

1323
 Configuring Classes

Option Description
<class-name> Select a class to apply it on the resource and load its content in the wizard. Classes
belonging to a directory are listed as follows: <directory>/<class-name>.

b. If you need to select a container and at least one class was applied at higher level:

Table 111.5. Container class selection options

Option Description
All Select this option to display the list of all the available containers on the next page,
whether they are configured with or without a customized class.
<class-name> Select a class to display the list of all the containers using it on the next page.
Classes belonging to a directory are listed as follows: <directory>/<class-name>.
No class Select this option to only display the containers configured without custom class
on the next page. If the option is not available, it means that all the containers are
configured with a class.

4. Click on NEXT . The next page opens. All the class object fields are displayed in addition to
the standard fields, you can or must configure them. They may be displayed on several
pages.
If you are adding a low level resource and did not filter the list, you need to select its contain-
er(s) and potential classes set at higher level before getting to the page <resource> class.
5. Click on OK to complete the operation. The report opens and closes.

Editing Classes
You can edit the content of a custom class or the class global, that is to say edit the class objects
it contains or edit their order.

To edit a class
Only users of the group admin can perform this operation.
1. Make sure your browser allows pop-up windows.
2. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
3. In the section Customization, click on Class Studio. The page Class Studio opens.
4. In the column Name, click on the class you want to edit. Class Editor opens.
5. Edit the class object according to your needs following the procedure that suits your needs
in the section Configuring the Classes Content.
6. Click on OK to complete the operation. The object is updated in the left side of the wizard.

Keep in mind that you can also edit the configuration of the class global of a specific resource
directly from its management page, except for the following objects:
• DHCP groups, leases, ACLs, ACL entries, option definitions and failover channels.
• DNS views, DNSSEC keys, RPZ zones and RPZ rules.
• NetChange configurations, routes, addresses, VLANs and discovered items.
• VRF Route Targets.
• SPX policies.

To edit the class global of a resource from its management page

Only users of the group admin can perform this operation.
1. Go to the listing page of your choice.

1324
 Configuring Classes

2. Click on of the resource of your choice. The page opens.

3. In the menu, select Extra options > Meta-data. Class Editor opens and displays the
class objects of the class global of the chosen resource.
Ancienne taille de la page

4. Edit the class object according to your needs following the procedure that suits your needs
in the section Adding Class Objects.
5. Click on OK to complete the operation. The object is updated in the left side of the window.

Renaming Classes
You can rename custom classes from their properties page. Renaming a class does not affect
the class objects it contains. Once a class has been renamed, it is updated on the properties
page of the concerned resources.

To rename a class
Only users of the group admin can perform this operation.
1. Make sure your browser allows pop-up windows.
2. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
3. In the section Customization, click on Class Studio. The page Class Studio opens.
4. At the end of the line of the class of your choice, click on . The properties page opens.
5. In the menu, select Edit > Rename. The wizard Rename class opens.
6. In the field Old, the current class name is displayed.
7. In the field New Name, specify the new name for the class.
8. Click on OK to complete the operation. The class new name is displayed in the panel and
modified in the list.

Duplicating Classes
You can duplicate custom classes. These duplicates can then be edited and renamed to manage
them more easily, for instance you might need to apply them to other types of resource or even
move them.

Duplicating classes can be useful since object values set for a resource are automatically inherited
by the resources it contains. For instance, if the value "Chicago" is set for a block-type network
through an input field "city", it is automatically inherited by the subnet-type networks it contains
if said subnet-type network also has an input field named "city".

To duplicate a class
Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. Tick the class(es) you want to duplicate.
4. In the menu, select Edit > Duplicate. The wizard Duplicate class opens.
5. Click on OK to complete the operation. The duplicated class is listed and named as such:
copy_<original class name>.

1325
 Configuring Classes

Moving Classes
You can move custom classes from a directory to another or from a type of resource to another.
For instance, a class added for DNS servers can be moved and made available for a completely
different type of resource, like the DHCP ranges.

Keep in mind that:

• You can only move custom classes. You cannot move the classes default and global, as they
already exist for all the relevant resources.
• You cannot move custom classes if they are already applied.

To move a class
Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. Tick the class(es) you want to move.
4. In the menu, select Edit > Move. The wizard Move class wizard.
5. In the field Sub-directory, specify a directory if need be. It can be a new directory for the
class or an existing one.
6. In the drop-down list Module, select a module for the class. It can be the same one or a new
one.
7. In the drop-down list Type, select a resource to which the class should be applied. It can be
the same one or a new one.
8. Click on OK to complete the operation. The report opens and closes. The data is updated
in the list.

Setting a Class as Template

You can set a class as template to configure IPAM templates. Note that you can only set network
and pool classes as template. For more details, refer to the section Managing IPAM Templates.

Enabling or Disabling Classes

Upon addition, a custom class can either be enabled straight away or left disabled. Since deleting
classes may result in unwanted complications, disabling classes allows to store them for future
use rather than deleting them. Keep in mind that:
• The default and global classes cannot be disabled and are automatically applied on the re-
sources they are set for.
• You cannot disable classes that are already applied.

There are two ways to enable a class, either from Class Studio or from a listing page.

To enable/disable a class from Class Studio

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. Tick the class(es) of your choice.
4. In the menu, select Edit > Enable class or Disable class. The wizard opens.

1326
 Configuring Classes

5. Click on OK to complete the operation. The report opens and closes, the page refreshes.
The class is marked as Enabled or Disabled in the column Status.

To enable/disable a class from a listing page

Only users of the group admin can perform this operation.
1. Go to the listing page of your choice.
2. In the menu, select Extra options > Classes configuration. The wizard <object>
Classes Configuration opens.
Ancienne taille de la page

3. In the list Classes library, select a class and click on to enable it. The class is moved to
the list Enabled classes. You can enable as many classes as you need.
4. In the list Enabled classes, the classes enabled for this type of object are listed. You can
select the classes one by one and click on to disable them. Each class is moved back to
the list Classes library.
5. Click on OK to complete the operation. The report opens and closes.

Changing or Stop Using Classes

You can decide not to use a particular class on the resource of your choice. For instance, you
might decide not to use a class that you want to delete or need to use another class for a partic-
ular resource.

As classes must not be used at all in SOLIDserver to be deleted, the following procedure might
come in handy. Keep in mind that the columns layout on the page can help you find the resources
using a class. For more details, refer to the section Managing List Templates.

To change or stop using a class on a specific resource

Only users of the group admin can perform this operation.
1. Go to the page All <resources> of a resource for which you enabled a class.
2. Click on of the resource of your choice. The page opens.
3. At the end of the line of the resource of your choice, click on . The properties page opens.
4. In the panel Main properties, click on EDIT . The related edition wizard opens.
5. Click on NEXT until you reach the page <Resource> class of the wizard.
6. In the list <Resource> class, select None or a class different from the one you intend to
delete.
7. Click on NEXT until you reach the last page of the wizard.
8. Click on OK to complete the operation. The report opens and closes. The class has been
dissociated from the resource.

Deleting Classes
Only custom classes can be deleted. Keep in mind that:
• You can delete custom classes if and only if they are not used by any resource within SOLID-
server. Therefore, you might need to stop using the class before deleting it. For more details,
refer to the section Changing or Stop Using Classes.
• Deleting a class deletes the class objects it contained and displayed on the resources properties
page. You might simply want To enable/disable a class from Class Studio or To enable/disable
a class from a listing page to use it again later.

1327
 Configuring Classes

To delete a class
Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. Tick the class(es) of your choice.
4. In the menu, click on Delete. The wizard Delete class.
5. Click on OK to complete the operation. The report opens and closes. The class has been
deleted is no longer listed.

Defining a Class as a Group Resource

In SOLIDserver, only users of the group admin can manage and edit the items of every module.
Adding a custom class as resource of a specific group allows the users of that group to apply the
class as long as they have class rights granted and any object the class can be applied to among
its resources.

Granting access to a class as a resource also grants access to its class parameters, so users
can configure them when they add or edit the objects configured with the class. If a group does
not have a customized class in its resources, editing objects configured with it empties the value
of all the class parameters. For more details, refer to the section Adding Resources to a Group
in the chapter Managing Groups.

Configuring the Classes Content

Once you added classes, you must configure them, in other words set the class objects that
define what the class does when it is applied to an object. As every new class is empty, it does
not bring any changes to the resource it applies to.

Once set, a class customizes addition and edition wizards of the resource with extra pages,
comments, boxes, lists, input fields etc. that can be prefilled with a value retrieved automatically
or set manually.

You need to add class objects within a class to configure its behavior. Keep in mind that:
• custom classes only affect the addition and edition wizard of a resource if they are enabled.
Whereas global classes automatically affect them.
• The object values set for a resource are automatically inherited by the objects it contains. For
instance, if the value Chicago is set for a block-type network through an input field city, it is
automatically inherited by the subnet-type networks it contains if said subnet-type network also
has an input field named city.
You can set the inheritance or propagation property of class parameters on several objects at
once. For more details, refer to the section Inheritance and Propagation.

For each class, Class Editor includes a large library of class objects listed in alphabetical order:

Table 111.6. Available class objects

Class object Description
Autocompletion Displays an input field that can be configured to provide data completion for the values
of your choice via a SEARCH button.
Checkbox Displays a customizable checkbox, or box.
Comment Displays a Notice, Warning or Information message that contain the text of your
choice.

1328
 Configuring Classes

Class object Description

Counter Displays a counter that increments every time the class is applied.
DHCP options Displays the DHCP options configuration fields in the addition or edition wizard. For
more details, refer to the appendix DHCP Options.
DHCP shared network Displays a drop-down list containing all the existing DHCPv4 shared networks.
Force VLSM Allows to prevent from adding subnet-type terminal networks.
Force class Allows to define on a container which classes are available at lower level.
Force prefix Allows to force a prefix on a network.
Hidden data Allows to set a parameter for the resource and hide it from the addition and edition
wizard.
Hide IP alias Allows to hide the alias request page when assigning an IP address. For more details,
refer to the section Configuring and Managing IP Address Aliases.
Horizontal separator Displays a line to separate and organize the class objects.
Icon Allows to associate an icon with classes applied in Device Manager.
Include class Allows to embed the class objects of another class to your class.
Input Displays an input field in the wizard.
Jump to page Splits the wizard in several pages, it adds a button NEXT at the bottom of the page.
Multiple input Displays a button ADD and a list under a field Input to save several values.
Multiple select Displays a button and a list under a Select to save several values. These can be
fixed values or value automatically imported from a CSV file, a service list or a custom
DB.
Object name Sets some naming convention rules for a resource.
Owner Displays a field containing the name of the user who added the resource.
Pre-defined variable Preconfigured class objects with a single purpose that you can enable and integrate
in classes dedicated to a set of objects.
Select Displays a drop-down list returning data from a list of manually set or automatically
retrieved values. These values can come from a CSV file, a service list or a custom
DB.
Select DHCP range Displays a drop-down list containing all the existing DHCPv4 ranges.
Select DHCP scope Displays a drop-down list containing all the existing DHCPv4 scopes.
Select DHCP server Displays a drop-down list containing all the existing DHCPv4 servers.
Select DHCP static Displays a drop-down list containing all the existing DHCPv4 statics.
Select DNS domain Displays a drop-down list containing all the existing DNS domains.
Select DNS server Displays a drop-down list containing all the existing DNS servers.
Select DNS zone Displays a drop-down list containing all the existing DNS zones.
Select class Displays a drop-down list containing the existing classes of a specific resource type.
Text area Displays a large input field in the wizard.
Time stamp Displays a field containing the date and time of the addition of the resource.
Upload file Allows to upload a file in the wizard.

Note that you can sort and filter resources on listing pages thanks to your classes. All applied
classes can be returned in the column Class and every class object can be displayed in a dedicated
Class param: column on all relevant pages. For more details on how to add and display customized
list templates, refer to the section Managing List Templates.

1329
 Configuring Classes

Adding Class Objects

You can add as many class object as you want to your classes. Keep in mind that:
• Any class object can be added to any class, but some are designed for specific resources.
• You must save your configuration before closing Class Editor, otherwise your changes are not
taken into account.
• After an hour of inactivity, any unsaved changes are lost and your configuration can no longer
be saved.
• Once you added your class objects, you can reorder them. For more details, refer to the section
Reordering Class Objects.

Autocompletion
The class object Autocompletion allows to display an autocompletion field in the wizard. It config-
ures an input field that allows to SEARCH for values matching what users type in. The available
values in the drop-down list depend on your configuration and can be based on:
• SOLIDserver services. All services and parameters are described in the API Reference guides
1
on our download portal .
• A custom database. For more details, refer to the chapter Custom DB.

To add an autocompletion input field using services

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. In the column Name, click on the class you want to edit. Class Editor opens.
4. In the search bar, type in Autocompletion.
5. In the class objects list, click on Autocompletion or drag and drop it among the class objects.
The wizard Autocompletion opens.
6. In the field Name, specify the name of the class object in the database. That name is never
displayed in Class Editor.
Note that names must be unique and in lowercase. You can use hexadecimal characters
and underscores "_", but no spaces. To prevent GUI conflicts, avoid names that are already
used in the GUI, like site, mac-addr, gateway, vlan, domain, user, port, password...
7. In the field Label, specify the name of the class object in the wizards. Only this name is seen
by the users.
8. You can tick the box Required to make the class object configuration compulsory in the re-
source addition and edition wizards.
9. In the drop-down list Select type, select Manual.
10. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington" that allows
to only display the class object if your condition is matched.
Note that the condition can only be taken into account if the value of the class object
has already been saved in the wizard, either via inheritance or because it is located
after a Jump to page. You can set multiple conditions but they must be separated by
boolean connectors.
1
At https://downloads.efficientip.com/support/downloads/docs/, in the relevant version folder. Log in using your credentials. If you do
not have credentials yet, request them at www.efficientip.com/support-access.

1330
 Configuring Classes

11. Click on NEXT . The next page opens.

12. Configure the autocompletion based on services:
a. In the field Service name, specify the name of the listing service to call, for example
ip_subnet_list.
b. In the field Parameter name, specify the name of the input parameter that should be
used to pass the searched value. By default, it is WHERE.
c. In the field Search condition, specify a search condition, i.e. a variable, to display in
the Autocompletion drop-down list followed by like '%#%' . In our example, you can type
in subnet_name like '%#%' to format the display of all the IPv4 subnet-type networks
name.You can also filter the list by replacing the hash symbol (#) by a specific matching
value.
d. In the field Parameter name for reverse search, specify the input parameter name,
used to do reverse searches. Indeed, if a user chose a network name for instance, the
system only has its ID. With this parameter you can pass the ID of the object instead of
a string-like parameter. By default, the parameter name is WHERE.
e. In the field Reverse search condition, specify a second variable to associate with the
one to display in the drop-down list, in our example subnet_id='#' .You can also filter
the list by replacing the hash symbol (#) by a specific matching value.
f. In the field Key, specify the key of the second variable, in our example subnet_id .
g. In the field Display format, specify the value that corresponds to the final display of the
data in the autocompletion drop-down list. You can format this value with as many
variables (preceded by $) or literal symbols as needed. For instance, the $subnet_name
(in $block_name > $site_name) - id = $subnet_id value displays the selected networks
in the following format: subnet_name (in block_name > site_name) - id = subnet_id.
h. Tick the box Allow non-matching values if you want to allow the input field to accept
values that are not part of the database.
i. Tick the box Automatic accept if you want the field to provide a list of matching Custom
DB entries when the user types in values.
PNG

13. Click on OK to complete the operation. The object is now displayed in the left section and
part of the class content. It is followed by if you ticked the box Required.
original

You must click on to save the class configuration or to undo the object addition. If you
exit without saving, your changes are lost. Note that you can keep adding other class
objects to the same class and save it.

To add an autocompletion input field using a custom DB

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. In the column Name, click on the class you want to edit. Class Editor opens.
4. In the search bar, type in Autocompletion.
5. In the class objects list, click on Autocompletion or drag and drop it among the class objects.
The wizard Autocompletion opens.
6. In the field Name, specify the name of the class object in the database. That name is never
displayed in Class Editor.
Note that names must be unique and in lowercase. You can use hexadecimal characters
and underscores "_", but no spaces. To prevent GUI conflicts, avoid names that are already
used in the GUI, like site, mac-addr, gateway, vlan, domain, user, port, password...

1331
 Configuring Classes

7. In the field Label, specify the name of the class object in the wizards. Only this name is seen
by the users.
8. You can tick the box Required to make the class object configuration compulsory in the re-
source addition and edition wizards.
9. In the drop-down list Select type, select Custom DB.
10. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington" that allows
to only display the class object if your condition is matched.
Note that the condition can only be taken into account if the value of the class object
has already been saved in the wizard, either via inheritance or because it is located
after a Jump to page. You can set multiple conditions but they must be separated by
boolean connectors.
11. Click on NEXT . The next page opens.
12. Configure the autocompletion based on a custom database:
a. In the field Custom DB name, specify the name of the Custom database of your choice.
The field autocompletes and the wizard refreshes. For more details on Custom data-
bases, refer to the chapter Custom DB.
b. In the drop-down list Key column, select the column containing the values to retrieve.
The values to save in SOLIDserver database (string of characters: _a-z0-9 only). To
prevent GUI conflicts, avoid names that are already used in the code such as: site, mac-
addr, gateway, vlan, domain, user, port, password...
c. In the drop-down list Label column, select the column containing the information you
want to display in the wizard, the label of the values.
d. Tick the box Allow non-matching values if you want to allow the input field to accept
values that are not part of the database.
e. Tick the box Automatic accept if you want the field to provide a list of matching Custom
DB entries when the user types in values.
PNG

13. Click on OK to complete the operation. The object is now displayed in the left section and
part of the class content. It is followed by if you ticked the box Required.
original

You must click on to save the class configuration or to undo the object addition. If you
exit without saving, your changes are lost. Note that you can keep adding other class
objects to the same class and save it.

Checkbox
The class object Checkbox allows to insert a box in a wizard. This box is configured using the
true and false value of your choice, the true value is applied when the box is ticked. You can use
checkboxes alone or in combination with other class objects and parameters to validate complex
regular expressions.

To add a checkbox
Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. In the column Name, click on the class you want to edit. Class Editor opens.
4. In the search bar, type in Checkbox.

1332
 Configuring Classes

5. In the class objects list, click on Checkbox or drag and drop it among the class objects. The
wizard Checkbox opens.
6. In the field Name, specify the name of the class object in the database. That name is never
displayed in Class Editor.
Note that names must be unique and in lowercase. You can use hexadecimal characters
and underscores "_", but no spaces. To prevent GUI conflicts, avoid names that are already
used in the GUI, like site, mac-addr, gateway, vlan, domain, user, port, password...
7. In the field Label, specify the name of the class object in the wizards. Only this name is seen
by the users.
8. In the field "TRUE" value, specify the value you want to set for your box when it is ticked
(value yes or 1).
9. In the field "FALSE" value, specify the value you want to set for your box when it is not
ticked (value no or 0).
10. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. You can tick the box Translate the label if you want the name of the class object, its
Label, to be translated when users set the GUI in another language. If you tick the box,
the label translation must be available on the page Language editor. For more details,
refer to the section Customizing the Interface Names and Fields.
b. In the drop-down list Inheritance property, you can configure the inheritance behavior
of the value of the class object:

Value Description
None The property is not set, this is the default value. Users can set it to Inherit or Set.
Inherit The property is forced to Inherit. Users cannot change it to None or Set.
Set The property is forced to Set. Users cannot change it to None or Inherit.

For more details regarding the inheritance property, refer to the chapter Inheritance and
Propagation.
c. In the drop-down list Propagation property, you can configure the propagation behavior
of the value of the class object:

Value Description
None The property is not set, this is selected by default. Users can set it to Propagate or
Restrict.
Propagate The property is forced to Propagate. Users cannot change it to None or Restrict.
Restrict The property is forced to Restrict. Users cannot change it to None or Propagate.

For more details regarding the propagation property, refer to the chapter Inheritance
and Propagation.
d. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington" that allows
to only display the class object if your condition is matched.
Note that the condition can only be taken into account if the value of the class object
has already been saved in the wizard, either via inheritance or because it is located
after a Jump to page. You can set multiple conditions but they must be separated by
boolean connectors.
11. Click on OK to complete the operation. The object is now embedded into the class and listed
in the left section.

1333
 PNG
Configuring Classes

original

You must click on to save the class configuration or to undo the object addition. If you
exit without saving, your changes are lost. Note that you can keep adding other class
objects to the same class and save it.

Comment
The class object Comment allows to include your own information, notice or warning message
in the wizard. The Comment is always placed after the wizard standard fields.

To add a comment
Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. In the column Name, click on the class you want to edit. Class Editor opens.
4. In the search bar, type in Comment.
5. In the class objects list, click on Comment or drag and drop it among the class objects. The
wizard Comment wizard.
6. In the field Comment, specify the message you want to display in the wizard.
7. In the drop-down list Style, select the information type of comment. It can either be the
content of the Comment field in a gray area (None), a Warning or a Notice.

Value Description
None The message is a comment displayed in a gray area.
Warning The message is a warning displayed in an orange area entitled WARNING.
Notice The message is informational and displayed in a blue area entitled INFO.

8. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington" that allows
to only display the class object if your condition is matched.
Note that the condition can only be taken into account if the value of the class object
has already been saved in the wizard, either via inheritance or because it is located
after a Jump to page. You can set multiple conditions but they must be separated by
boolean connectors. PNG

9. Click on OK to complete the operation. The object is now embedded into the class and listed
in the left section. The selected comment style is displayed.
original

You must click on to save the class configuration or to undo the object addition. If you
exit without saving, your changes are lost. Note that you can keep adding other class
objects to the same class and save it.
Note that the Comment is displayed on one line. You can hover over it to display the entire
message.

Counter
The class object Counter allows to count the number of times the class was applied to a resource.
Its value automatically increments and displays a read-only field in the wizard.

To add a counter
Only users of the group admin can perform this operation.

1334
 Configuring Classes

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. In the column Name, click on the class you want to edit. Class Editor opens.
4. In the search bar, type in Counter.
5. In the class objects list, click on Counter or drag and drop it among the class objects. The
wizard Counter wizard.
6. In the field Name, specify the name of the class object in the database. That name is never
displayed in Class Editor.
Note that names must be unique and in lowercase. You can use hexadecimal characters
and underscores "_", but no spaces. To prevent GUI conflicts, avoid names that are already
used in the GUI, like site, mac-addr, gateway, vlan, domain, user, port, password...
7. In the field Label, specify the name of the class object in the wizards. Only this name is seen
by the users.
8. You can tick the box Padding to display all the digits of the counter, including the zeros.
9. In the field Number of digits, you can specify the number of digits for your counter.
10. In the field Min value, you can specify the counter start value. It appears when the page is
accessed for the first time.
11. In the field Max value, you can specify the maximum value you want to set for your counter.
PNG

12. Click on OK to complete the operation. The object is now embedded into the class and listed
in the left section. original

You must click on to save the class configuration or to undo the object addition. If you
exit without saving, your changes are lost. Note that you can keep adding other class
objects to the same class and save it.

DHCP options
The class object DHCP options allows to include the DHCP option configuration fields in the
wizard. That way, you can configure DHCP options when adding or editing servers, groups,
scopes, ranges and statics, instead of relying on the dedicated wizard only available on the
properties page of each object. For more details regarding the options, refer to the appendix
DHCP Options.

To embed DHCP options configuration fields

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. In the column Name, click on the class you want to edit. Class Editor opens.
4. In the search bar, type in DHCP options.
5. In the class objects list, click on DHCP options or drag and drop it among the class objects.
The wizard DHCP options opens.
6. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington" that allows
to only display the class object if your condition is matched.
Note that the condition can only be taken into account if the value of the class object
has already been saved in the wizard, either via inheritance or because it is located
after a Jump to page. You can set multiple conditions but they must be separated by
boolean connectors.

1335
 Configuring Classes

PNG

7. Click on OK to complete the operation. The object is now embedded into the class and listed
in the left section. original

You must click on to save the class configuration or to undo the object addition. If you
exit without saving, your changes are lost. Note that you can keep adding other class
objects to the same class and save it.

DHCP shared network

The class object DHCP shared network allows to display a drop-down list containing all the existing
DHCPv4 shared networks in the wizard, whether they were added from the page All shared
networks or from existing scopes.

The shared network you select is displayed as a parameter on the properties page of the resource
the class is applied to.

To associate a shared network with a resource

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. In the column Name, click on the class you want to edit. Class Editor opens.
4. In the search bar, type in DHCP shared network.
5. In the class objects list, click on DHCP shared network or drag and drop it among the class objects.
The wizard DHCP shared network wizard.
6. In the field Name, specify the name of the class object in the database. That name is never
displayed in Class Editor.
Note that names must be unique and in lowercase. You can use hexadecimal characters
and underscores "_", but no spaces. To prevent GUI conflicts, avoid names that are already
used in the GUI, like site, mac-addr, gateway, vlan, domain, user, port, password...
7. In the field Label, specify the name of the class object in the wizards. Only this name is seen
by the users.
8. You can tick the box Required to make the class object configuration compulsory in the re-
source addition and edition wizards.
9. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. You can tick the box Save the selected object name instead of its ID as parameter
value to display the shared network name instead of its ID on the resource properties
page.
b. In the drop-down list Inheritance property, you can configure the inheritance behavior
of the value of the class object:

Value Description
None The property is not set, this is the default value. Users can set it to Inherit or Set.
Inherit The property is forced to Inherit. Users cannot change it to None or Set.
Set The property is forced to Set. Users cannot change it to None or Inherit.

For more details regarding the inheritance property, refer to the chapter Inheritance and
Propagation.
c. In the drop-down list Propagation property, you can configure the propagation behavior
of the value of the class object:

1336
 Configuring Classes

Value Description
None The property is not set, this is selected by default. Users can set it to Propagate or
Restrict.
Propagate The property is forced to Propagate. Users cannot change it to None or Restrict.
Restrict The property is forced to Restrict. Users cannot change it to None or Propagate.

For more details regarding the propagation property, refer to the chapter Inheritance
and Propagation.
d. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington" that allows
to only display the class object if your condition is matched.
Note that the condition can only be taken into account if the value of the class object
has already been saved in the wizard, either via inheritance or because it is located
after a Jump to page. You can set multiple conditions but they must be separated by
boolean connectors.
10. Click on OK to complete the operation. The object is now displayed in the left section and
PNG

part of the class content. You can preview the drop-down list content in Class Editor. It is
followed by if you ticked the box Required.
original

You must click on to save the class configuration or to undo the object addition. If you
exit without saving, your changes are lost. Note that you can keep adding other class
objects to the same class and save it.

Force VLSM
The class object Force VLSM is used to prevent the addition of terminal networks. It allows to
untick and hide the box Terminal network in the subnet-type network addition wizard. For more
details, refer to the section Adding Networks Manually.

With this class object, at the network level of your choice, any new network can be forced to non-
terminal, and contain other networks. For more details on network-based VLSM organizations,
refer to the chapter Using VLSM to Manage Your IPAM Network.

If you add the object Force VLSM, you cannot set the predefined variable NO_VLSM_SUBNET.
For more details, refer to the appendix Class Studio Pre-defined Variables.

To force VLSM on a subnet-type network

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. In the column Name, click on the class you want to edit. Class Editor opens.
4. In the search bar, type in Force VLSM.
5. In the class objects list, click on Force VLSM or drag and drop it among the class objects. The
wizard Force VLSM wizard.
6. Tick the box Force non-terminal networks creation if you want to always untick and hide
the box Terminal network in the addition and edition wizard of subnet-type networks.
If set at space level or on a block-type network, the box is not displayed or left unticked.
7. You can tick the box Required to make the class object configuration compulsory in the re-
source addition and edition wizards.

1337
 Configuring Classes

8. In the drop-down list Network level, select a value between 0 (block-type networks) and 15
(subnet-type networks). This value defines at which level of network organizations the Force
VLSM is applied. By default, None is selected.
9. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. Select in the list Spaces, one of your existing spaces. In a space-based VLSM organiz-
ation where two sub-spaces are at the same level, this allows to favor the space you
select and set up the delegation within the space of your choice.
Click on . The space in moved to the list Spaces. Only the spaces of this second list
are available in the list VLSM space, at the end of the wizard, when you add a non ter-
minal subnet-type network in a parent space and the corresponding block-type network
in a child space.
b. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington" that allows
to only display the class object if your condition is matched.
Note that the condition can only be taken into account if the value of the class object
has already been saved in the wizard, either via inheritance or because it is located
after a Jump to page. You can set multiple conditions but they must be separated by
boolean connectors.
PNG

10. Click on OK to complete the operation. The object is now displayed in the left section and
part of the class content. It is followed by if you ticked the box Required.
original

You must click on to save the class configuration or to undo the object addition. If you
exit without saving, your changes are lost. Note that you can keep adding other class
objects to the same class and save it.

Force class
This class object Force class allows to determine which classes are available at a lower level.
For instance at space level, it allows to decide that only two classes can be configured at network
level; even if ten network classes exist, only the ones you set are available in the addition and
edition wizard of the networks that space. Note that:
• The classes you force on lower level resources must be configured and enabled.
• You can force several classes on the same resource, so make sure they do not have conflicting
class object names.

To force a class on a lower level

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. Filter the list.
4. Make sure the class you want to force on a lower level was not set at the lowest level of the
module hierarchy.
5. In the column Name, click on the class you want to edit. Class Editor opens.
6. In the search bar, type in Force class.
7. In the class objects list, click on Force class or drag and drop it among the class objects. The
wizard Force class wizard.
8. You can tick the box Required to make the class object configuration compulsory in the re-
source addition and edition wizards.

1338
 Configuring Classes

9. In the drop-down list Type, select one of the lower levels of objects displayed according to
your needs. The wizard refreshes.
If you are forcing a class on IPAM objects, selecting Networks displays the drop-down list
Network level. In that list you can select a level between 0 (block-type networks) and 15
(subnet-type networks). This value defines at which level of network organizations the Force
class is applied. By default, None is selected.
10. Select the class(es) to force at lower level:
a. In the list Class, double-click on the class of your choice. The available classes depend
on the Module and Type set for the class. The class is moved to the list Classes.
b. In the list Classes, you can select any class and reorder the classes using and or
remove any class using .
11. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington" that allows
to only display the class object if your condition is matched.
Note that the condition can only be taken into account if the value of the class object
has already been saved in the wizard, either via inheritance or because it is located
after a Jump to page. You can set multiple conditions but they must be separated by
boolean connectors.
PNG

12. Click on OK to complete the operation. The object is now displayed in the left section and
part of the class content. It is followed by if you ticked the box Required.
original

You must click on to save the class configuration or to undo the object addition. If you
exit without saving, your changes are lost. Note that you can keep adding other class
objects to the same class and save it.

Force prefix
The class object Force prefix allows to force a specific prefix on a network and can be applied
on the subnet-type network itself or on the block-type network or space it is belongs to.

Note that there are some special cases:

• Forcing a prefix on a preexisting subnet-type network may cause an error.
• Forcing a prefix on a non-terminal subnet-type network only applies to the network itself, it
does not apply to the terminal network it contains.

This object can also be set as the Pre-defined variable, it corresponds to FORCE_SUBNET_PRE-
FIX.

To force a prefix on a network

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. In the column Name, click on the class you want to edit. Class Editor opens.
4. In the search bar, type in Force prefix.
5. In the class objects list, click on Force prefix or drag and drop it among the class objects. The
wizard Force prefix opens.
6. In the field Name, FORCE_SUBNET_PREFIX is displayed. You cannot edit it.

1339
 Configuring Classes

7. In the drop-down list Network level, select a value between 0 (block-type networks) and 15
(subnet-type networks). This value defines at which level of network organizations the Force
prefix is applied. By default, None is selected.
8. In the field Value, specify the prefix you want to force for the resource. By default, it is set
to 24.
9. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington" that allows
to only display the class object if your condition is matched.
Note that the condition can only be taken into account if the value of the class object
has already been saved in the wizard, either via inheritance or because it is located
after a Jump to page. You can set multiple conditions but they must be separated by
boolean connectors. PNG

10. Click on OK to complete the operation. The object is now embedded into the class and listed
in the left section. original

You must click on to save the class configuration or to undo the object addition. If you
exit without saving, your changes are lost. Note that you can keep adding other class
objects to the same class and save it.

Hidden data
The class object Hidden data allows to configure a resource with a parameter that is not displayed
in the wizard. It allows to set a class object that does not require any configuration from the user
or to hide another class object of the class.

This non-displayed data string could be used as a hidden signature for a class or to populate
other fields if you configure the field Constructor, via the Expert mode.

You can also configure the class object to force a value and overwrite a preexisting content, for
instance if its value is inherited from a parent. Note that all class object values, inherited or
overwritten, are visible on the properties pages of the resource configured with the class.

To add hidden data

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. In the column Name, click on the class you want to edit. Class Editor opens.
4. In the search bar, type in Hidden data.
5. In the class objects list, click on Hidden data or drag and drop it among the class objects. The
wizard Hidden data wizard.
6. In the field Name, either specify the name of the class object in SOLIDserver database or
specify the Name of another class object of the class.
If you specify another class object, once the Hidden data is fully configured the class object
should no longer be displayed in the wizard.
7. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. In the field Constructor, you can specify the value of other class objects of the class
and use them as variables to automatically overwrite the Name of the field with the data
of your choice in the wizard.

1340
 Configuring Classes

For example, you could type in %v{<value1>}, %v{<value2>} where <value#> is the
value of an existing class object in the class. If <value1> is a city and <value2> is a
state, the field Name would be replaced with Chicago, Illinois in the wizard.
b. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington" that allows
to only display the class object if your condition is matched.
Note that the condition can only be taken into account if the value of the class object
has already been saved in the wizard, either via inheritance or because it is located
after a Jump to page. You can set multiple conditions but they must be separated by
boolean connectors.
c. You can tick the box Force the object value to force the value of your choice when
you apply the class. The field Value to force appears.
In the field Value to force, specify a value or leave it empty. The vaIue you set is applied
without being displayed in the wizard. If you specified the Name of another class object
in the field Name, it overwrites the value of that object.
If you do not tick the box, the hidden data you add is configured for the class but has
no value to apply. PNG

8. Click on OK to complete the operation. The object is now embedded into the class and listed
in the left section. original

You must click on to save the class configuration or to undo the object addition. If you
exit without saving, your changes are lost. Note that you can keep adding other class
objects to the same class and save it.

Hide IP alias
The class object Hide IP alias allows to shorten the IP address addition wizard and skip the page
Aliases configuration. For more details, refer to the section Configuring and Managing IP Address
Aliases.

This object can also be set as the Pre-defined variable, it corresponds to HIDE_IP_ALIAS.

To hide the IP alias dedicated page in the IP address addition wizard

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. In the column Name, click on the class you want to edit. Class Editor opens.
4. In the search bar, type in Hide IP alias.
5. In the class objects list, click on Hide IP alias or drag and drop it among the class objects. The
wizard Hide IP alias opens.
6. In the field Name, HIDE_IP_ALIAS is displayed. You cannot edit it.
7. In the field Value, true is displayed. The class object is enabled.
8. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington" that allows
to only display the class object if your condition is matched.
Note that the condition can only be taken into account if the value of the class object
has already been saved in the wizard, either via inheritance or because it is located
after a Jump to page. You can set multiple conditions but they must be separated by
boolean connectors.

1341
 Configuring Classes

PNG

9. Click on OK to complete the operation. The object is now embedded into the class and listed
in the left section. original

You must click on to save the class configuration or to undo the object addition. If you
exit without saving, your changes are lost. Note that you can keep adding other class
objects to the same class and save it.

Horizontal separator
The class object Horizontal separator allows to display a line to structure and divide the class
objects in the wizard.

In the left section, the Horizontal separator is represented as a straight line.

To add a horizontal separator

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. In the column Name, click on the class you want to edit. Class Editor opens.
4. In the search bar, type in Horizontal separator.
5. In the class objects list, click on Horizontal separator or drag and drop it among the class objects.
The wizard Horizontal separator opens.
6. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington" that allows
to only display the class object if your condition is matched.
Note that the condition can only be taken into account if the value of the class object
has already been saved in the wizard, either via inheritance or because it is located
after a Jump to page. You can set multiple conditions but they must be separated by
boolean connectors. PNG

7. Click on OK to complete the operation. The object is now embedded into the class and listed
in the left section. original

You must click on to save the class configuration or to undo the object addition. If you
exit without saving, your changes are lost. Note that you can keep adding other class
objects to the same class and save it.

Icon
The class object Icon allows to display an image next to the name of a class applied to Device
Manager devices, in the column Class.

Before configuring an Icon for a device class, you must upload it to the page Custom images.
For more details, refer to the section Uploading an Image.

To associate an icon with a device class

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. Filter the columns Module and Type to display Device Manager and Device.
4. In the column Name, click on the class you want to edit. Class Editor opens.

1342
 Configuring Classes

5. In the search bar, type in Icon.

6. In the class objects list, click on Icon or drag and drop it among the class objects. The wizard
Icon opens.
7. In the field Icon path, type in the complete path of the icon: /img/customImg/<uploaded-im-
age.extension>. PNG

8. Click on OK to complete the operation. The object is now embedded into the class and listed
in the left section. original

You must click on to save the class configuration or to undo the object addition. If you
exit without saving, your changes are lost. Note that you can keep adding other class
objects to the same class and save it.
9. To display the icon next to the class name:
a. In the sidebar, go to Device Manager > Devices. The page All devices opens.
b. On the right-end side of the menu, click on List Templates. The window opens.
c. In the drop-down list Displayed list template, select a template containing the column
Device class name.
Only users of the group admin can add or edit list templates. For more details, refer to
the section Managing List Templates.

Include class
The class object Include class allows to embed another class and the objects it contains. That
way, if you configure a class X to include the class Y, that already includes the class Z, when
users apply the class X they actually have the class objects of all three classes in the wizard.

To include a class
Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. In the column Name, click on the class you want to edit. Class Editor opens.
4. In the search bar, type in Include class.
5. In the class objects list, click on Include class or drag and drop it among the class objects. The
wizard Include class opens.
6. In the drop-down list Module, select the module associated with the class you want to include.
7. In the drop-down list Type, select the type of resources associated with the class you want
to include.
8. In the drop-down list Class name, select the class you want to include.
9. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington" that allows
to only display the class object if your condition is matched.
Note that the condition can only be taken into account if the value of the class object
has already been saved in the wizard, either via inheritance or because it is located
after a Jump to page. You can set multiple conditions but they must be separated by
boolean connectors.
10. Click on OK to complete the operation. The object is now embedded into the class and listed
in the left section.

1343
 PNG
Configuring Classes

original

You must click on to save the class configuration or to undo the object addition. If you
exit without saving, your changes are lost. Note that you can keep adding other class
objects to the same class and save it.

Input
The class object Input allows to display an input field in the wizard that users can fill in with a
data string.

Note that an Input is different from a Multiple input. For more details, refer to the section Multiple
input.

To add an input field

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. In the column Name, click on the class you want to edit. Class Editor opens.
4. In the search bar, type in Input.
5. In the class objects list, click on Input or drag and drop it among the class objects. The wizard
Input opens.
6. In the field Name, specify the name of the class object in the database. That name is never
displayed in Class Editor.
Note that names must be unique and in lowercase. You can use hexadecimal characters
and underscores "_", but no spaces. To prevent GUI conflicts, avoid names that are already
used in the GUI, like site, mac-addr, gateway, vlan, domain, user, port, password...
7. In the field Label, specify the name of the class object in the wizards. Only this name is seen
by the users.
8. You can tick the box Required to make the class object configuration compulsory in the re-
source addition and edition wizards.
9. In the field Input field maximum length, specify the maximum number of characters, includ-
ing spaces, that users can type in the field. By default, the maximum field length is 64.
10. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. You can tick the box Not editable to prevent users from editing the class object's value.
If you tick the box, the object appears in gray in the addition and edition wizards.
b. You can tick the box Translate the label if you want the name of the class object, its
Label, to be translated when users set the GUI in another language. If you tick the box,
the label translation must be available on the page Language editor. For more details,
refer to the section Customizing the Interface Names and Fields.
c. In the field Constructor, you can specify the value of other class objects of the class
and use them as variables to automatically overwrite the Name of the field with the data
of your choice in the wizard.
For example, you could type in %v{<value1>}, %v{<value2>} where <value#> is the
value of an existing class object in the class. If <value1> is a city and <value2> is a
state, the field Name would be replaced with Chicago, Illinois in the wizard.
d. In the drop-down list Predefined format, you can select a format for the Name to be
valid. It can either be an IP address (v4), IP address (v6), Text, Unsigned integer, Signed
Integer, Domain name, FQDN Host, MAC address or Email address.
e. In the field Default value, you can specify a default value for the field if no data is spe-
cified. The value you specify is by default displayed in the wizard and users can edit it.

1344
 Configuring Classes

f. In the field Placeholder, you can specify a short hint describing the expected value of
the input field. If it exceeds 45 characters, including spaces, the placeholder is not entirely
readable in the input field.
g. In the field Regex match, you can type in a regular expression that checks the syntax
of the value specified in the field. Some basic regular expression symbols are detailed
after the procedure.
h. In the drop-down list Inheritance property, you can configure the inheritance behavior
of the value of the class object:

Value Description
None The property is not set, this is the default value. Users can set it to Inherit or Set.
Inherit The property is forced to Inherit. Users cannot change it to None or Set.
Set The property is forced to Set. Users cannot change it to None or Inherit.

For more details regarding the inheritance property, refer to the chapter Inheritance and
Propagation.
i. In the drop-down list Propagation property, you can configure the propagation behavior
of the value of the class object:

Value Description
None The property is not set, this is selected by default. Users can set it to Propagate or
Restrict.
Propagate The property is forced to Propagate. Users cannot change it to None or Restrict.
Restrict The property is forced to Restrict. Users cannot change it to None or Propagate.

For more details regarding the propagation property, refer to the chapter Inheritance
and Propagation.
j. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington" that allows
to only display the class object if your condition is matched.
Note that the condition can only be taken into account if the value of the class object
has already been saved in the wizard, either via inheritance or because it is located
after a Jump to page. You can set multiple conditions but they must be separated by
boolean connectors.
11. Click on OK to complete the operation. The object is now displayed in the left section and
PNG

part of the class content. It is followed by if you ticked the box Required and displayed in
gray, as a read-only field, if you made it Not editable.
original

You must click on to save the class configuration or to undo the object addition. If you
exit without saving, your changes are lost. Note that you can keep adding other class
objects to the same class and save it.

In the field Regex match you can enforce the format of data accepted in the Input field using
regular expressions. For instance, you could allow alpha characters in lower and uppercase using
[a-zA-Z], limit numbers to the range [1-99] or set a maximum string length using {}.

The field accepts the following basic regular expression symbols.

Table 111.7. Basic regex symbols

Symbol Description
. Matches any single character. If put between bracket, the dot symbol matches a literal dot. For example,
a.c matches "abc", etc., but [a.c] matches only "a", ".", or "c".

1345
 Configuring Classes

Symbol Description
[] A bracket expression. Matches a single symbol contained within the brackets. For example, [abc]
matches "a", "b", or "c". [a-z] specifies a range matching any lowercase letter from "a" to "z". These
forms can be mixed: [abcx-z] matches "a", "b", "c", "x", "y", or "z", as does [a-cx-z]. The - symbol is
treated as a literal symbol if it is the last or the first (after the ^) symbol within the brackets: [abc-], [-
abc]. Note that backslash escapes are not allowed. The ] symbol can be included in a bracket expres-
sion if it is the first (after the ^) symbol: []abc].
[^ ] Matches a single symbol that is not contained within the brackets. For example, [^abc] matches any
symbol other than "a", "b", or "c". [^a-z] matches any single symbol that is not a lowercase letter from
"a" to "z". Likewise, literal symbols and ranges can be mixed.
^ Matches the starting position within the string. In line-based tools, it matches the starting position of
any line.
$ Matches the ending position of the string or the position just before a string-ending newline. In line-
based tools, it matches the ending position of any line.
() Defines a marked subexpression.
* Matches the preceding element zero or more times. For example, ab*c matches "ac", "abc", "abbbc",
etc. [xyz]* matches "", "x", "y", "z", "zx", "zyx", "xyzzy", and so on. (ab)* matches "", "ab", "abab",
"ababab", and so on.

Jump to page
The class object Jump to page allows to display class objects on the new page of the wizard,
you can name this page and include a message above the class objects if you want.

Any class object located after the Jump to page is moved to a new page, users have to click on
NEXT to display them.

To add a page to a wizard

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. In the column Name, click on the class you want to edit. Class Editor opens.
4. In the search bar, type in Jump to page.
5. In the class objects list, click on Jump to page or drag and drop it among the class objects. The
wizard Jump to page opens.
6. In the field Title, you can name the page of the wizard you are adding.
7. In the field Comment, you can specify a message that is displayed in a gray area under the
page title.
8. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. You can tick the box Translate the label if you want the name of the class object, its
Label, to be translated when users set the GUI in another language. If you tick the box,
the label translation must be available on the page Language editor. For more details,
refer to the section Customizing the Interface Names and Fields.
b. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington" that allows
to only display the class object if your condition is matched.
Note that the condition can only be taken into account if the value of the class object
has already been saved in the wizard, either via inheritance or because it is located
after a Jump to page. You can set multiple conditions but they must be separated by
boolean connectors.

1346
 Configuring Classes

PNG

9. Click on OK to complete the operation. The object is now embedded into the class and listed
in the left section. The new page Title is listed in a bigger font size than the other class objects.
original

You must click on to save the class configuration or to undo the object addition. If you
exit without saving, your changes are lost. Note that you can keep adding other class
objects to the same class and save it.

Multiple input
The class object Multiple input allows to include a list under an Input field of the class and
therefore configure several values for the field. Under the Input field, a button ADD and a list are
displayed to configure the list of values.

Keep in mind that the Multiple input:

• Relies on an existing Input in the class to be configured.
• Must always be placed right under the Input it is associated with in Class Editor.

Note that a Multiple input is different from an Input. For more details, refer to the section Input.

To add a multiple input field

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. In the column Name, click on the class you want to edit. Class Editor opens.
4. Make sure an Input is available, without one you cannot configure a Multiple Input. For more
details, refer to the section Input.
5. In the search bar, type in Multiple input.
6. In the class objects list, click on Multiple input or drag and drop it among the class objects. The
wizard Multiple input wizard.
7. In the field Name, specify the name of the class object in the database. That name is never
displayed in Class Editor.
Note that names must be unique and in lowercase. You can use hexadecimal characters
and underscores "_", but no spaces. To prevent GUI conflicts, avoid names that are already
used in the GUI, like site, mac-addr, gateway, vlan, domain, user, port, password...
8. In the field Label, specify the name of the class object in the wizards. Only this name is seen
by the users.
9. You can tick the box Required to make the class object configuration compulsory in the re-
source addition and edition wizards.
10. In the field Input object name, specify the name of the Input class object associated with
the Multiple input.
11. If you set the Expert mode to Yes, you can:
a. In the drop-down list Inheritance property, you can configure the inheritance behavior
of the value of the class object:

Value Description
None The property is not set, this is the default value. Users can set it to Inherit or Set.
Inherit The property is forced to Inherit. Users cannot change it to None or Set.
Set The property is forced to Set. Users cannot change it to None or Inherit.

1347
 Configuring Classes

For more details regarding the inheritance property, refer to the chapter Inheritance and
Propagation.
b. In the drop-down list Propagation property, you can configure the propagation behavior
of the value of the class object:

Value Description
None The property is not set, this is selected by default. Users can set it to Propagate or
Restrict.
Propagate The property is forced to Propagate. Users cannot change it to None or Restrict.
Restrict The property is forced to Restrict. Users cannot change it to None or Propagate.

For more details regarding the propagation property, refer to the chapter Inheritance
and Propagation.
c. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington" that allows
to only display the class object if your condition is matched.
Note that the condition can only be taken into account if the value of the class object
has already been saved in the wizard, either via inheritance or because it is located
after a Jump to page. You can set multiple conditions but they must be separated by
boolean connectors.
PNG

12. Click on OK to complete the operation. The object is now displayed in the left section and
part of the class content. It is followed by if you ticked the box Required.
original

You must click on to save the class configuration or to undo the object addition. If you
exit without saving, your changes are lost. Note that you can keep adding other class
objects to the same class and save it.
13. Make sure the multiple input is located right under the input field. To reorder the list, refer to
the section Reordering Class Objects.

Multiple select
The class object Multiple select allows to include a list under a Select of the class and therefore
configure several values of the list. The first list provides the button , to move one by one the
selected values in the second list. The data listed can be:
• Fixed values added to the list directly from the wizard.
• CSV values retrieved from a CSV file using a semi-colon ; to separate values.
• Service list values picked from the SOLIDserver services. All services and parameters are
2
described in the API Reference guides on our download portal . Note that this type of data can
help you display custom databases in the wizard.

Keep in mind that the Multiple select:

• Relies on an existing Select in the class to be configured.
• Must always be placed right under the Select it is associated with in Class Editor.

Note that a Multiple select is different from a Select. For more details, refer to the section Select.

To add a multiple select drop-down list using fixed values

Only users of the group admin can perform this operation.

2
At https://downloads.efficientip.com/support/downloads/docs/, in the relevant version folder. Log in using your credentials. If you do
not have credentials yet, request them at www.efficientip.com/support-access.

1348
 Configuring Classes

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. In the column Name, click on the class you want to edit. Class Editor opens.
4. In the search bar, type in Multiple select.
5. In the class objects list, click on Multiple select or drag and drop it among the class objects.
The wizard Multiple select wizard.
6. In the field Name, specify the name of the class object in the database. That name is never
displayed in Class Editor.
Note that names must be unique and in lowercase. You can use hexadecimal characters
and underscores "_", but no spaces. To prevent GUI conflicts, avoid names that are already
used in the GUI, like site, mac-addr, gateway, vlan, domain, user, port, password...
7. In the field Label, specify the name of the class object in the wizards. This name is used for
both lists. Only this name is seen by the users.
8. You can tick the box Required to make the class object configuration compulsory in the re-
source addition and edition wizards.
9. In the drop-down list Select type, select Fixed values. The wizard refreshes.
10. Configure the content of the multiple select:
a. In the field Key, specify an object name for the database using only the string of char-
3
acters _a-z0-9 . The key is displayed in the field Label/Key.
b. In the field Label, specify the label of the Key to display in the wizard. The label and the
key are displayed in the field Label/Key as follows: <Label>#<Key>.
c. Click on ADD . The value is moved to the list Options.
d. Repeat these actions for as many values as needed. You can use to remove one by
one values from the list, or and to reorganize them.
11. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. You can tick the box Have none label if you want to include the value None to the drop-
down list.
b. In the field Default value, you can specify a default value for the field if no data is spe-
cified. The value you specify is by default displayed in the wizard and users can edit it.
c. In the drop-down list Inheritance property, you can configure the inheritance behavior
of the value of the class object:

Value Description
None The property is not set, this is the default value. Users can set it to Inherit or Set.
Inherit The property is forced to Inherit. Users cannot change it to None or Set.
Set The property is forced to Set. Users cannot change it to None or Inherit.

For more details regarding the inheritance property, refer to the chapter Inheritance and
Propagation.
d. In the drop-down list Propagation property, you can configure the propagation behavior
of the value of the class object:

Value Description
None The property is not set, this is selected by default. Users can set it to Propagate or
Restrict.

3
To prevent GUI conflicts, avoid names that are already used in SOLIDserver database like site, mac-addr, gateway, vlan, domain,
user, port, password...

1349
 Configuring Classes

Value Description
Propagate The property is forced to Propagate. Users cannot change it to None or Restrict.
Restrict The property is forced to Restrict. Users cannot change it to None or Propagate.

For more details regarding the propagation property, refer to the chapter Inheritance
and Propagation.
e. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington" that allows
to only display the class object if your condition is matched.
Note that the condition can only be taken into account if the value of the class object
has already been saved in the wizard, either via inheritance or because it is located
after a Jump to page. You can set multiple conditions but they must be separated by
boolean connectors.
PNG

12. Click on OK to complete the operation. The object is now displayed in the left section and
part of the class content. It is followed by if you ticked the box Required.
original

You must click on to save the class configuration or to undo the object addition. If you
exit without saving, your changes are lost. Note that you can keep adding other class
objects to the same class and save it.

To add a multiple select drop-down list using CSV values

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. In the column Name, click on the class you want to edit. Class Editor opens.
4. In the search bar, type in Multiple select.
5. In the class objects list, click on Multiple select or drag and drop it among the class objects.
The wizard Multiple select wizard.
6. In the field Name, specify the name of the class object in the database. That name is never
displayed in Class Editor.
Note that names must be unique and in lowercase. You can use hexadecimal characters
and underscores "_", but no spaces. To prevent GUI conflicts, avoid names that are already
used in the GUI, like site, mac-addr, gateway, vlan, domain, user, port, password...
7. In the field Label, specify the name of the class object in the wizards. This name is used for
both lists. Only this name is seen by the users.
8. You can tick the box Required to make the class object configuration compulsory in the re-
source addition and edition wizards.
9. In the drop-down list Select type, select CSV values. The wizard refreshes.
10. Configure the content of the multiple select:
a. In the field CSV file, specify the complete path of the file stored in the appliance. This
file must separate values with a semi-colon.
b. In the field Value column, specify the number of the column in the CSV file containing
the values to retrieve.
c. In the field Label column, specify the number of the column in the CSV file containing
the values to display in the wizard, the label of each value.
11. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. You can tick the box Have none label if you want to include the value None to the drop-
down list.

1350
 Configuring Classes

b. In the field Default value, you can specify a default value for the field if no data is spe-
cified. The value you specify is by default displayed in the wizard and users can edit it.
c. In the drop-down list Inheritance property, you can configure the inheritance behavior
of the value of the class object:

Value Description
None The property is not set, this is the default value. Users can set it to Inherit or Set.
Inherit The property is forced to Inherit. Users cannot change it to None or Set.
Set The property is forced to Set. Users cannot change it to None or Inherit.

For more details regarding the inheritance property, refer to the chapter Inheritance and
Propagation.
d. In the drop-down list Propagation property, you can configure the propagation behavior
of the value of the class object:

Value Description
None The property is not set, this is selected by default. Users can set it to Propagate or
Restrict.
Propagate The property is forced to Propagate. Users cannot change it to None or Restrict.
Restrict The property is forced to Restrict. Users cannot change it to None or Propagate.

For more details regarding the propagation property, refer to the chapter Inheritance
and Propagation.
e. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington" that allows
to only display the class object if your condition is matched.
Note that the condition can only be taken into account if the value of the class object
has already been saved in the wizard, either via inheritance or because it is located
after a Jump to page. You can set multiple conditions but they must be separated by
boolean connectors.
PNG

12. Click on OK to complete the operation. The object is now displayed in the left section and
part of the class content. It is followed by if you ticked the box Required.
original

You must click on to save the class configuration or to undo the object addition. If you
exit without saving, your changes are lost. Note that you can keep adding other class
objects to the same class and save it.

To add a multiple select drop-down list using services

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. In the column Name, click on the class you want to edit. Class Editor opens.
4. In the search bar, type in Multiple select.
5. In the class objects list, click on Multiple select or drag and drop it among the class objects.
The wizard Multiple select wizard.
6. In the field Name, specify the name of the class object in the database. That name is never
displayed in Class Editor.
Note that names must be unique and in lowercase. You can use hexadecimal characters
and underscores "_", but no spaces. To prevent GUI conflicts, avoid names that are already
used in the GUI, like site, mac-addr, gateway, vlan, domain, user, port, password...

1351
 Configuring Classes

7. In the field Label, specify the name of the class object in the wizards. This name is used for
both lists. Only this name is seen by the users.
8. You can tick the box Required to make the class object configuration compulsory in the re-
source addition and edition wizards.
9. In the drop-down list Select type, select Service list values. The wizard refreshes.
10. Configure the content of the multiple select:
a. In the field Service, start specifying the name of a service. The matching services are
listed, select the one that suits your needs.
b. In the field Key, specify the object name as it should be saved in SOLIDserver database
(string of characters: _a-z0-9 only). To prevent GUI conflicts, avoid names that are
already used in the code such as: site, mac-addr, gateway, vlan, domain, user, port,
password...
c. In the field Label, specify the name of the input parameter, the label of the value to
display in the wizard.
d. In the field Where, specify an SQL condition to filter the retrieved values if need be.
e. In the field Order by, specify an SQL condition to sort the results if need be.
11. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. You can tick the box Have none label if you want to include the value None to the drop-
down list.
b. In the field Default value, you can specify a default value for the field if no data is spe-
cified. The value you specify is by default displayed in the wizard and users can edit it.
c. In the drop-down list Inheritance property, you can configure the inheritance behavior
of the value of the class object:

Value Description
None The property is not set, this is the default value. Users can set it to Inherit or Set.
Inherit The property is forced to Inherit. Users cannot change it to None or Set.
Set The property is forced to Set. Users cannot change it to None or Inherit.

For more details regarding the inheritance property, refer to the chapter Inheritance and
Propagation.
d. In the drop-down list Propagation property, you can configure the propagation behavior
of the value of the class object:

Value Description
None The property is not set, this is selected by default. Users can set it to Propagate or
Restrict.
Propagate The property is forced to Propagate. Users cannot change it to None or Restrict.
Restrict The property is forced to Restrict. Users cannot change it to None or Propagate.

For more details regarding the propagation property, refer to the chapter Inheritance
and Propagation.
e. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington" that allows
to only display the class object if your condition is matched.
Note that the condition can only be taken into account if the value of the class object
has already been saved in the wizard, either via inheritance or because it is located
after a Jump to page. You can set multiple conditions but they must be separated by
boolean connectors.

1352
 Configuring Classes

PNG

12. Click on OK to complete the operation. The object is now displayed in the left section and
part of the class content. It is followed by if you ticked the box Required.
original

You must click on to save the class configuration or to undo the object addition. If you
exit without saving, your changes are lost. Note that you can keep adding other class
objects to the same class and save it.

Object name
The class object Object name allows to build an automatic naming rule for a resource, such as
%v{city}-%v{store code} where city and store code are the names of objects belonging to the
same class. By convention, an Object name and the class objects used to build it should be
placed in the first page of the wizard.

To name a resource automatically

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. In the column Name, click on the class you want to edit. Class Editor opens.
4. In the search bar, type in Object name.
5. In the class objects list, click on Object name or drag and drop it among the class objects. The
wizard Object name opens.
6. In the field Constructor, you can specify the value of other class objects of the class and
use them as variables to automatically overwrite the Name of the field with the data of your
choice in the wizard.
For example, you could type in %v{<value1>}, %v{<value2>} where <value#> is the value
of an existing class object in the class. If <value1> is a city and <value2> is a state, the field
Name would be replaced with Chicago, Illinois in the wizard.
7. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington" that allows
to only display the class object if your condition is matched.
Note that the condition can only be taken into account if the value of the class object
has already been saved in the wizard, either via inheritance or because it is located
after a Jump to page. You can set multiple conditions but they must be separated by
boolean connectors. PNG

8. Click on OK to complete the operation. The object is now embedded into the class and listed
in the left section. original

You must click on to save the class configuration or to undo the object addition. If you
exit without saving, your changes are lost. Note that you can keep adding other class
objects to the same class and save it.

Owner
The class object Owner allows to display the name of the user who added the resource and applied
the class, no matter who edits it later.

To add a field Owner

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.

1353
 Configuring Classes

2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. In the column Name, click on the class you want to edit. Class Editor opens.
4. In the search bar, type in Owner.
5. In the class objects list, click on Owner or drag and drop it among the class objects. The
wizard Owner wizard.
6. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington" that allows
to only display the class object if your condition is matched.
Note that the condition can only be taken into account if the value of the class object
has already been saved in the wizard, either via inheritance or because it is located
after a Jump to page. You can set multiple conditions but they must be separated by
boolean connectors. PNG

7. Click on OK to complete the operation. The object is now embedded into the class and listed
in the left section. original

You must click on to save the class configuration or to undo the object addition. If you
exit without saving, your changes are lost. Note that you can keep adding other class
objects to the same class and save it.

Pre-defined variable
The class object Pre-defined variable allows to apply specific behaviors and configurations in
classes dedicated to IPAM objects, DHCP statics, DNS zones, Workflow requests, Device Manager
devices and Administration users.

Most IPAM pre-defined variables and the DNS zone pre-defined variable are dedicated to
Workflow requests.

Each variable can be enabled with a specific Value. For more details, refer to the appendix Class
Studio Pre-defined Variables.

Select
The class object Select allows to display a drop-down list in the wizard returning:
• Fixed values added to the list directly from the wizard.
• CSV values retrieved from a CSV file using a semi-colon ; to separate values.
• Service list values picked from the SOLIDserver services. All services and parameters are
4
described in the API Reference guides on our download portal .
• Custom DB values retrieved directly from your custom databases. We strongly recommend
using this type rather than a CSV file. For more details, refer to the chapter Custom DB.

Note that a Select is different from a Multiple select. For more details, refer to the section Multiple
select.

To add a select drop-down list using fixed values

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.

4
At https://downloads.efficientip.com/support/downloads/docs/, in the relevant version folder. Log in using your credentials. If you do
not have credentials yet, request them at www.efficientip.com/support-access.

1354
 Configuring Classes

2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. In the column Name, click on the class you want to edit. Class Editor opens.
4. In the search bar, type in Select.
5. In the class objects list, click on Select or drag and drop it among the class objects. The wizard
Select wizard.
6. In the field Name, specify the name of the class object in the database. That name is never
displayed in Class Editor.
Note that names must be unique and in lowercase. You can use hexadecimal characters
and underscores "_", but no spaces. To prevent GUI conflicts, avoid names that are already
used in the GUI, like site, mac-addr, gateway, vlan, domain, user, port, password...
7. In the field Label, specify the name of the class object in the wizards. Only this name is seen
by the users.
8. You can tick the box Required to make the class object configuration compulsory in the re-
source addition and edition wizards.
9. In the drop-down list Select type, select Fixed values. The wizard refreshes.
10. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. You can tick the box Translate the label if you want the name of the class object, its
Label, to be translated when users set the GUI in another language. If you tick the box,
the label translation must be available on the page Language editor. For more details,
refer to the section Customizing the Interface Names and Fields.
b. You can tick the box Have none label if you want to include the value None to the drop-
down list.
c. You can tick the box Reload on change if you want to reload the wizard page when a
value is selected in the drop-down list.
d. In the drop-down list Inheritance property, you can configure the inheritance behavior
of the value of the class object:

Value Description
None The property is not set, this is the default value. Users can set it to Inherit or Set.
Inherit The property is forced to Inherit. Users cannot change it to None or Set.
Set The property is forced to Set. Users cannot change it to None or Inherit.

For more details regarding the inheritance property, refer to the chapter Inheritance and
Propagation.
e. In the drop-down list Propagation property, you can configure the propagation behavior
of the value of the class object:

Value Description
None The property is not set, this is selected by default. Users can set it to Propagate or
Restrict.
Propagate The property is forced to Propagate. Users cannot change it to None or Restrict.
Restrict The property is forced to Restrict. Users cannot change it to None or Propagate.

For more details regarding the propagation property, refer to the chapter Inheritance
and Propagation.
f. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington" that allows
to only display the class object if your condition is matched.

1355
 Configuring Classes

Note that the condition can only be taken into account if the value of the class object
has already been saved in the wizard, either via inheritance or because it is located
after a Jump to page. You can set multiple conditions but they must be separated by
boolean connectors.
g. In the field Default value, you can specify a default value for the field if no data is spe-
cified. The value you specify is by default displayed in the wizard and users can edit it.
11. Click on NEXT . The last page opens.
12. Configure the content of the select based on fixed values:
a. In the field Key, specify the object name as it should be saved in SOLIDserver database
(string of characters: _a-z0-9 only). To prevent GUI conflicts, avoid names that are
already used in the code such as: site, mac-addr, gateway, vlan, domain, user, port,
password... The field Label/Key autopopulates.
b. In the field Label, specify the word string, corresponding to the key, as it should be
displayed in the list. The field Label/Key autopopulates following the format <La-
bel>#<Key>.
c. Click on . The value is moved to the list Options.
d. Repeat these actions for as many values as needed. You can use to remove one by
one values from the list, or and to reorganize them.
13. Click on OK to complete the operation. The object is now displayed in the left section and
PNG

part of the class content. You can preview the drop-down list content in Class Editor. It is
followed by if you ticked the box Required.
original

You must click on to save the class configuration or to undo the object addition. If you
exit without saving, your changes are lost. Note that you can keep adding other class
objects to the same class and save it.

To add a select drop-down list using a CSV file

Only users of the group admin can perform this operation.
1. Make sure your browser allows pop-up windows.
2. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
3. In the section Customization, click on Class Studio. The page Class Studio opens.
4. In the column Name, click on the class you want to edit. Class Editor opens.
5. In the search bar, type in Select.
6. In the class objects list, click on Select or drag and drop it among the class objects. The wizard
Select wizard.
7. In the field Name, specify the name of the class object in the database. That name is never
displayed in Class Editor.
Note that names must be unique and in lowercase. You can use hexadecimal characters
and underscores "_", but no spaces. To prevent GUI conflicts, avoid names that are already
used in the GUI, like site, mac-addr, gateway, vlan, domain, user, port, password...
8. In the field Label, specify the name of the class object in the wizards. Only this name is seen
by the users.
9. You can tick the box Required to make the class object configuration compulsory in the re-
source addition and edition wizards.
10. In the drop-down list Select type, select CSV values. The wizard refreshes.
11. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. You can tick the box Translate the label if you want the name of the class object, its
Label, to be translated when users set the GUI in another language. If you tick the box,

1356
 Configuring Classes

the label translation must be available on the page Language editor. For more details,
refer to the section Customizing the Interface Names and Fields.
b. You can tick the box Have none label if you want to include the value None to the drop-
down list.
c. You can tick the box Reload on change if you want to reload the wizard page when a
value is selected in the drop-down list.
d. In the drop-down list Inheritance property, you can configure the inheritance behavior
of the value of the class object:

Value Description
None The property is not set, this is the default value. Users can set it to Inherit or Set.
Inherit The property is forced to Inherit. Users cannot change it to None or Set.
Set The property is forced to Set. Users cannot change it to None or Inherit.

For more details regarding the inheritance property, refer to the chapter Inheritance and
Propagation.
e. In the drop-down list Propagation property, you can configure the propagation behavior
of the value of the class object:

Value Description
None The property is not set, this is selected by default. Users can set it to Propagate or
Restrict.
Propagate The property is forced to Propagate. Users cannot change it to None or Restrict.
Restrict The property is forced to Restrict. Users cannot change it to None or Propagate.

For more details regarding the propagation property, refer to the chapter Inheritance
and Propagation.
f. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington" that allows
to only display the class object if your condition is matched.
Note that the condition can only be taken into account if the value of the class object
has already been saved in the wizard, either via inheritance or because it is located
after a Jump to page. You can set multiple conditions but they must be separated by
boolean connectors.
g. In the field Default value, you can specify a default value for the field if no data is spe-
cified. The value you specify is by default displayed in the wizard and users can edit it.
12. Click on NEXT . The last page opens.
13. Configure the content of the select based on a CSV file:
a. In the field CSV file, specify the complete path of the file stored in the appliance. This
file must separate values with a semi-colon.
b. In the field Value column, specify the number of the column in the CSV file containing
the values to retrieve.
c. In the field Label column, specify the number of the column in the CSV file containing
the values to display in the wizard, the label of each value.
14. Click on OK to complete the operation. The object is now displayed in the left section and
part of the class content. You can preview the drop-down list content in Class Editor. It is
followed by if you ticked the box Required.

1357
 PNG
Configuring Classes

original

You must click on to save the class configuration or to undo the object addition. If you
exit without saving, your changes are lost. Note that you can keep adding other class
objects to the same class and save it.

To add a select drop-down list using service list values

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. In the column Name, click on the class you want to edit. Class Editor opens.
4. In the search bar, type in Select.
5. In the class objects list, click on Select or drag and drop it among the class objects. The wizard
Select wizard.
6. In the field Name, specify the name of the class object in the database. That name is never
displayed in Class Editor.
Note that names must be unique and in lowercase. You can use hexadecimal characters
and underscores "_", but no spaces. To prevent GUI conflicts, avoid names that are already
used in the GUI, like site, mac-addr, gateway, vlan, domain, user, port, password...
7. In the field Label, specify the name of the class object in the wizards. Only this name is seen
by the users.
8. You can tick the box Required to make the class object configuration compulsory in the re-
source addition and edition wizards.
9. In the drop-down list Select type, select Service list values or Manual. The wizard refreshes.
10. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. You can tick the box Translate the label if you want the name of the class object, its
Label, to be translated when users set the GUI in another language. If you tick the box,
the label translation must be available on the page Language editor. For more details,
refer to the section Customizing the Interface Names and Fields.
b. You can tick the box Have none label if you want to include the value None to the drop-
down list.
c. You can tick the box Reload on change if you want to reload the wizard page when a
value is selected in the drop-down list.
d. In the drop-down list Inheritance property, you can configure the inheritance behavior
of the value of the class object:

Value Description
None The property is not set, this is the default value. Users can set it to Inherit or Set.
Inherit The property is forced to Inherit. Users cannot change it to None or Set.
Set The property is forced to Set. Users cannot change it to None or Inherit.

For more details regarding the inheritance property, refer to the chapter Inheritance and
Propagation.
e. In the drop-down list Propagation property, you can configure the propagation behavior
of the value of the class object:

Value Description
None The property is not set, this is selected by default. Users can set it to Propagate or
Restrict.
Propagate The property is forced to Propagate. Users cannot change it to None or Restrict.

1358
 Configuring Classes

Value Description
Restrict The property is forced to Restrict. Users cannot change it to None or Propagate.

For more details regarding the propagation property, refer to the chapter Inheritance
and Propagation.
f. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington" that allows
to only display the class object if your condition is matched.
Note that the condition can only be taken into account if the value of the class object
has already been saved in the wizard, either via inheritance or because it is located
after a Jump to page. You can set multiple conditions but they must be separated by
boolean connectors.
g. In the field Default value, you can specify a default value for the field if no data is spe-
cified. The value you specify is by default displayed in the wizard and users can edit it.
11. Click on NEXT . The last page opens.
12. Configure the content of the select based on services:
a. In the field Services, start specifying the name of the service to call. The matching
services are listed, select the one that suits your needs.
b. In the field Key, specify the name of the input parameter corresponding to the values
to retrieve.
c. In the field Label, specify the name of the input parameter corresponding to the label
of the values to display in the wizard.
d. In the field Where, specify an SQL condition to filter the retrieved values if need be.
e. In the field Order by, specify an SQL condition to sort the results if need be.
f. In the field Limit, specify the maximum number of results to display.
g. In the field Tags, specify an SQL condition to filter the retrieved class parameters if
need be. You might need assistance from Efficient IP support team to fill in this field.
13. Click on OK to complete the operation. The object is now displayed in the left section and
PNG

part of the class content. You can preview the drop-down list content in Class Editor. It is
followed by if you ticked the box Required.
original

You must click on to save the class configuration or to undo the object addition. If you
exit without saving, your changes are lost. Note that you can keep adding other class
objects to the same class and save it.

To add a select drop-down list using Custom DB values

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. In the column Name, click on the class you want to edit. Class Editor opens.
4. In the search bar, type in Select.
5. In the class objects list, click on Select or drag and drop it among the class objects. The wizard
Select wizard.
6. In the field Name, specify the name of the class object in the database. That name is never
displayed in Class Editor.
Note that names must be unique and in lowercase. You can use hexadecimal characters
and underscores "_", but no spaces. To prevent GUI conflicts, avoid names that are already
used in the GUI, like site, mac-addr, gateway, vlan, domain, user, port, password...

1359
 Configuring Classes

7. In the field Label, specify the name of the class object in the wizards. Only this name is seen
by the users.
8. You can tick the box Required to make the class object configuration compulsory in the re-
source addition and edition wizards.
9. In the drop-down list Select type, select Custom DB. The wizard refreshes.
10. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. You can tick the box Translate the label if you want the name of the class object, its
Label, to be translated when users set the GUI in another language. If you tick the box,
the label translation must be available on the page Language editor. For more details,
refer to the section Customizing the Interface Names and Fields.
b. You can tick the box Have none label if you want to include the value None to the drop-
down list.
c. You can tick the box Reload on change if you want to reload the wizard page when a
value is selected in the drop-down list.
d. In the drop-down list Inheritance property, you can configure the inheritance behavior
of the value of the class object:

Value Description
None The property is not set, this is the default value. Users can set it to Inherit or Set.
Inherit The property is forced to Inherit. Users cannot change it to None or Set.
Set The property is forced to Set. Users cannot change it to None or Inherit.

For more details regarding the inheritance property, refer to the chapter Inheritance and
Propagation.
e. In the drop-down list Propagation property, you can configure the propagation behavior
of the value of the class object:

Value Description
None The property is not set, this is selected by default. Users can set it to Propagate or
Restrict.
Propagate The property is forced to Propagate. Users cannot change it to None or Restrict.
Restrict The property is forced to Restrict. Users cannot change it to None or Propagate.

For more details regarding the propagation property, refer to the chapter Inheritance
and Propagation.
f. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington" that allows
to only display the class object if your condition is matched.
Note that the condition can only be taken into account if the value of the class object
has already been saved in the wizard, either via inheritance or because it is located
after a Jump to page. You can set multiple conditions but they must be separated by
boolean connectors.
g. In the field Default value, you can specify a default value for the field if no data is spe-
cified. The value you specify is by default displayed in the wizard and users can edit it.
11. Click on NEXT . The last page opens.
12. Configure the content of the select based on a custom database:
a. In the field Custom DB name, specify the name of the Custom database of your choice.
The field autocompletes and the wizard refreshes. For more details on Custom data-
bases, refer to the chapter Custom DB.

1360
 Configuring Classes

b. In the drop-down list Key column, select the column containing the values to retrieve.
The values to save in SOLIDserver database (string of characters: _a-z0-9 only). To
prevent GUI conflicts, avoid names that are already used in the code such as: site, mac-
addr, gateway, vlan, domain, user, port, password...
c. In the drop-down list Label column, select the column containing the information you
want to display in the wizard, the label of the values.
13. Click on OK to complete the operation. The object is now displayed in the left section and
PNG

part of the class content. You can preview the drop-down list content in Class Editor. It is
followed by if you ticked the box Required.
original

You must click on to save the class configuration or to undo the object addition. If you
exit without saving, your changes are lost. Note that you can keep adding other class
objects to the same class and save it.

Select DHCP range

The class object Select DHCP range allows to display a drop-down list containing all the DHCPv4
ranges in the wizard.

To add a drop-down list containing all the DHCP ranges

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. In the column Name, click on the class you want to edit. Class Editor opens.
4. In the search bar, type in Select DHCP range.
5. In the class objects list, click on Select DHCP range or drag and drop it among the class objects.
The wizard Select DHCP range opens.
6. In the field Name, specify the name of the class object in the database. That name is never
displayed in Class Editor.
Note that names must be unique and in lowercase. You can use hexadecimal characters
and underscores "_", but no spaces. To prevent GUI conflicts, avoid names that are already
used in the GUI, like site, mac-addr, gateway, vlan, domain, user, port, password...
7. In the field Label, specify the name of the class object in the wizards. Only this name is seen
by the users.
8. You can tick the box Required to make the class object configuration compulsory in the re-
source addition and edition wizards.
9. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. In the drop-down list Inheritance property, you can configure the inheritance behavior
of the value of the class object:

Value Description
None The property is not set, this is the default value. Users can set it to Inherit or Set.
Inherit The property is forced to Inherit. Users cannot change it to None or Set.
Set The property is forced to Set. Users cannot change it to None or Inherit.

For more details regarding the inheritance property, refer to the chapter Inheritance and
Propagation.
b. In the drop-down list Propagation property, you can configure the propagation behavior
of the value of the class object:

1361
 Configuring Classes

Value Description
None The property is not set, this is selected by default. Users can set it to Propagate or
Restrict.
Propagate The property is forced to Propagate. Users cannot change it to None or Restrict.
Restrict The property is forced to Restrict. Users cannot change it to None or Propagate.

For more details regarding the propagation property, refer to the chapter Inheritance
and Propagation.
c. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington" that allows
to only display the class object if your condition is matched.
Note that the condition can only be taken into account if the value of the class object
has already been saved in the wizard, either via inheritance or because it is located
after a Jump to page. You can set multiple conditions but they must be separated by
boolean connectors.
10. Click on OK to complete the operation. The object is now displayed in the left section and
PNG

part of the class content. You can preview the drop-down list content in Class Editor. It is
followed by if you ticked the box Required.
original

You must click on to save the class configuration or to undo the object addition. If you
exit without saving, your changes are lost. Note that you can keep adding other class
objects to the same class and save it.

Select DHCP scope

The class object Select DHCP scope allows to display a drop-down list containing all the DHCPv4
scopes in the wizard.

To add a drop-down list containing all the DHCP scopes

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. In the column Name, click on the class you want to edit. Class Editor opens.
4. In the search bar, type in Select DHCP scope.
5. In the class objects list, click on Select DHCP scope or drag and drop it among the class objects.
The wizard Select DHCP scope opens.
6. In the field Name, specify the name of the class object in the database. That name is never
displayed in Class Editor.
Note that names must be unique and in lowercase. You can use hexadecimal characters
and underscores "_", but no spaces. To prevent GUI conflicts, avoid names that are already
used in the GUI, like site, mac-addr, gateway, vlan, domain, user, port, password...
7. In the field Label, specify the name of the class object in the wizards. Only this name is seen
by the users.
8. You can tick the box Required to make the class object configuration compulsory in the re-
source addition and edition wizards.
9. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. In the drop-down list Inheritance property, you can configure the inheritance behavior
of the value of the class object:

1362
 Configuring Classes

Value Description
None The property is not set, this is the default value. Users can set it to Inherit or Set.
Inherit The property is forced to Inherit. Users cannot change it to None or Set.
Set The property is forced to Set. Users cannot change it to None or Inherit.

For more details regarding the inheritance property, refer to the chapter Inheritance and
Propagation.
b. In the drop-down list Propagation property, you can configure the propagation behavior
of the value of the class object:

Value Description
None The property is not set, this is selected by default. Users can set it to Propagate or
Restrict.
Propagate The property is forced to Propagate. Users cannot change it to None or Restrict.
Restrict The property is forced to Restrict. Users cannot change it to None or Propagate.

For more details regarding the propagation property, refer to the chapter Inheritance
and Propagation.
c. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington" that allows
to only display the class object if your condition is matched.
Note that the condition can only be taken into account if the value of the class object
has already been saved in the wizard, either via inheritance or because it is located
after a Jump to page. You can set multiple conditions but they must be separated by
boolean connectors.
10. Click on OK to complete the operation. The object is now displayed in the left section and
PNG

part of the class content. You can preview the drop-down list content in Class Editor. It is
followed by if you ticked the box Required.
original

You must click on to save the class configuration or to undo the object addition. If you
exit without saving, your changes are lost. Note that you can keep adding other class
objects to the same class and save it.

Select DHCP server

The class object Select DHCP server allows to display a drop-down list containing all the DHCPv4
servers in the wizard.

To add a drop-down list containing all the DHCP servers

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. In the column Name, click on the class you want to edit. Class Editor opens.
4. In the search bar, type in Select DHCP server.
5. In the class objects list, click on Select DHCP server or drag and drop it among the class objects.
The wizard Select DHCP server opens.
6. In the field Name, specify the name of the class object in the database. That name is never
displayed in Class Editor.

1363
 Configuring Classes

Note that names must be unique and in lowercase. You can use hexadecimal characters
and underscores "_", but no spaces. To prevent GUI conflicts, avoid names that are already
used in the GUI, like site, mac-addr, gateway, vlan, domain, user, port, password...
7. In the field Label, specify the name of the class object in the wizards. Only this name is seen
by the users.
8. You can tick the box Required to make the class object configuration compulsory in the re-
source addition and edition wizards.
9. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. In the drop-down list Inheritance property, you can configure the inheritance behavior
of the value of the class object:

Value Description
None The property is not set, this is the default value. Users can set it to Inherit or Set.
Inherit The property is forced to Inherit. Users cannot change it to None or Set.
Set The property is forced to Set. Users cannot change it to None or Inherit.

For more details regarding the inheritance property, refer to the chapter Inheritance and
Propagation.
b. In the drop-down list Propagation property, you can configure the propagation behavior
of the value of the class object:

Value Description
None The property is not set, this is selected by default. Users can set it to Propagate or
Restrict.
Propagate The property is forced to Propagate. Users cannot change it to None or Restrict.
Restrict The property is forced to Restrict. Users cannot change it to None or Propagate.

For more details regarding the propagation property, refer to the chapter Inheritance
and Propagation.
c. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington" that allows
to only display the class object if your condition is matched.
Note that the condition can only be taken into account if the value of the class object
has already been saved in the wizard, either via inheritance or because it is located
after a Jump to page. You can set multiple conditions but they must be separated by
boolean connectors.
10. Click on OK to complete the operation. The object is now displayed in the left section and
PNG

part of the class content. You can preview the drop-down list content in Class Editor. It is
followed by if you ticked the box Required.
original

You must click on to save the class configuration or to undo the object addition. If you
exit without saving, your changes are lost. Note that you can keep adding other class
objects to the same class and save it.

Select DHCP static

The class object Select DHCP static allows to display a drop-down list containing all the DHCPv4
statics in the wizard.

To add a drop-down list containing all the DHCP statics

Only users of the group admin can perform this operation.

1364
 Configuring Classes

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. In the column Name, click on the class you want to edit. Class Editor opens.
4. In the search bar, type in Select DHCP static.
5. In the class objects list, click on Select DHCP static or drag and drop it among the class objects.
The wizard Select DHCP static opens.
6. In the field Name, specify the name of the class object in the database. That name is never
displayed in Class Editor.
Note that names must be unique and in lowercase. You can use hexadecimal characters
and underscores "_", but no spaces. To prevent GUI conflicts, avoid names that are already
used in the GUI, like site, mac-addr, gateway, vlan, domain, user, port, password...
7. In the field Label, specify the name of the class object in the wizards. Only this name is seen
by the users.
8. You can tick the box Required to make the class object configuration compulsory in the re-
source addition and edition wizards.
9. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. In the drop-down list Inheritance property, you can configure the inheritance behavior
of the value of the class object:

Value Description
None The property is not set, this is the default value. Users can set it to Inherit or Set.
Inherit The property is forced to Inherit. Users cannot change it to None or Set.
Set The property is forced to Set. Users cannot change it to None or Inherit.

For more details regarding the inheritance property, refer to the chapter Inheritance and
Propagation.
b. In the drop-down list Propagation property, you can configure the propagation behavior
of the value of the class object:

Value Description
None The property is not set, this is selected by default. Users can set it to Propagate or
Restrict.
Propagate The property is forced to Propagate. Users cannot change it to None or Restrict.
Restrict The property is forced to Restrict. Users cannot change it to None or Propagate.

For more details regarding the propagation property, refer to the chapter Inheritance
and Propagation.
c. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington" that allows
to only display the class object if your condition is matched.
Note that the condition can only be taken into account if the value of the class object
has already been saved in the wizard, either via inheritance or because it is located
after a Jump to page. You can set multiple conditions but they must be separated by
boolean connectors.
10. Click on OK to complete the operation. The object is now displayed in the left section and
part of the class content. You can preview the drop-down list content in Class Editor. It is
followed by if you ticked the box Required.

1365
 PNG
Configuring Classes

original

You must click on to save the class configuration or to undo the object addition. If you
exit without saving, your changes are lost. Note that you can keep adding other class
objects to the same class and save it.

Select DNS domain

The class object Select DNS domain allows to display a drop-down list containing all the domains,
or DNS Master Name zones, in the wizard.

To add a drop-down list containing all the DNS domains

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. In the column Name, click on the class you want to edit. Class Editor opens.
4. In the search bar, type in Select DNS domain.
5. In the class objects list, click on Select DNS domain or drag and drop it among the class objects.
The wizard Select DNS domain opens.
6. In the field Name, domain is displayed by default. You can set a different name used in
SOLIDserver database.
Note that names must be unique and in lowercase. You can use hexadecimal characters
and underscores "_", but no spaces. To prevent GUI conflicts, avoid names that are already
used in the GUI, like site, mac-addr, gateway, vlan, domain, user, port, password...
7. In the field Label, Domain name is displayed. You can set a different name for the object
that will be displayed in the GUI. Only this name is seen by the user in the wizards.
8. You can tick the box Required to make the class object configuration compulsory in the re-
source addition and edition wizards.
9. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. Set the value of the field Order by, specify a value to filter the selected domain by a
key. This key must respect the format: dz.{your_value}.
b. You can tick the box Have none label if you want to include the value None to the drop-
down list.
c. You can tick the box Reload on change if you want to reload the wizard page when a
value is selected in the drop-down list.
d. In the drop-down list Inheritance property, you can configure the inheritance behavior
of the value of the class object:

Value Description
None The property is not set, this is the default value. Users can set it to Inherit or Set.
Inherit The property is forced to Inherit. Users cannot change it to None or Set.
Set The property is forced to Set. Users cannot change it to None or Inherit.

For more details regarding the inheritance property, refer to the chapter Inheritance and
Propagation.
e. In the drop-down list Propagation property, you can configure the propagation behavior
of the value of the class object:

Value Description
None The property is not set, this is selected by default. Users can set it to Propagate or
Restrict.

1366
 Configuring Classes

Value Description
Propagate The property is forced to Propagate. Users cannot change it to None or Restrict.
Restrict The property is forced to Restrict. Users cannot change it to None or Propagate.

For more details regarding the propagation property, refer to the chapter Inheritance
and Propagation.
10. Click on OK to complete the operation. The object is now displayed in the left section and
PNG

part of the class content. You can preview the drop-down list content in Class Editor. It is
followed by if you ticked the box Required.
original

You must click on to save the class configuration or to undo the object addition. If you
exit without saving, your changes are lost. Note that you can keep adding other class
objects to the same class and save it.

Select DNS server

The class object Select DNS server allows to display a drop-down list containing all the DNS
servers in the wizard.

The DNS server you select is displayed as a parameter on the properties page of the resource
the class is applied to.

To add a drop-down list containing all the DNS servers

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. In the column Name, click on the class you want to edit. Class Editor opens.
4. In the search bar, type in Select DNS server.
5. In the class objects list, click on Select DNS server or drag and drop it among the class objects.
The wizard Select DNS server opens.
6. In the field Name, specify the name of the class object in the database. That name is never
displayed in Class Editor.
Note that names must be unique and in lowercase. You can use hexadecimal characters
and underscores "_", but no spaces. To prevent GUI conflicts, avoid names that are already
used in the GUI, like site, mac-addr, gateway, vlan, domain, user, port, password...
7. In the field Label, specify the name of the class object in the wizards. Only this name is seen
by the users.
8. You can tick the box Required to make the class object configuration compulsory in the re-
source addition and edition wizards.
9. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. You can tick the box Save the selected object name instead of its ID as parameter
value to display the DNS server name instead of its ID on the resource properties page.
b. In the drop-down list Inheritance property, you can configure the inheritance behavior
of the value of the class object:

Value Description
None The property is not set, this is the default value. Users can set it to Inherit or Set.
Inherit The property is forced to Inherit. Users cannot change it to None or Set.
Set The property is forced to Set. Users cannot change it to None or Inherit.

1367
 Configuring Classes

For more details regarding the inheritance property, refer to the chapter Inheritance and
Propagation.
c. In the drop-down list Propagation property, you can configure the propagation behavior
of the value of the class object:

Value Description
None The property is not set, this is selected by default. Users can set it to Propagate or
Restrict.
Propagate The property is forced to Propagate. Users cannot change it to None or Restrict.
Restrict The property is forced to Restrict. Users cannot change it to None or Propagate.

For more details regarding the propagation property, refer to the chapter Inheritance
and Propagation.
d. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington" that allows
to only display the class object if your condition is matched.
Note that the condition can only be taken into account if the value of the class object
has already been saved in the wizard, either via inheritance or because it is located
after a Jump to page. You can set multiple conditions but they must be separated by
boolean connectors.
10. Click on OK to complete the operation. The object is now displayed in the left section and
PNG

part of the class content. You can preview the drop-down list content in Class Editor. It is
followed by if you ticked the box Required.
original

You must click on to save the class configuration or to undo the object addition. If you
exit without saving, your changes are lost. Note that you can keep adding other class
objects to the same class and save it.

Select DNS zone

The class object Select DNS zone allows to display a drop-down list containing all the DNS zones
in the wizard.

To add a drop-down list containing all the DNS zones

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. In the column Name, click on the class you want to edit. Class Editor opens.
4. In the search bar, type in Select DNS zone.
5. In the class objects list, click on Select DNS zone or drag and drop it among the class objects.
The wizard Select DNS zone opens.
6. In the field Name, specify the name of the class object in the database. That name is never
displayed in Class Editor.
Note that names must be unique and in lowercase. You can use hexadecimal characters
and underscores "_", but no spaces. To prevent GUI conflicts, avoid names that are already
used in the GUI, like site, mac-addr, gateway, vlan, domain, user, port, password...
7. In the field Label, specify the name of the class object in the wizards. Only this name is seen
by the users.
8. You can tick the box Required to make the class object configuration compulsory in the re-
source addition and edition wizards.

1368
 Configuring Classes

9. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. In the drop-down list Inheritance property, you can configure the inheritance behavior
of the value of the class object:

Value Description
None The property is not set, this is the default value. Users can set it to Inherit or Set.
Inherit The property is forced to Inherit. Users cannot change it to None or Set.
Set The property is forced to Set. Users cannot change it to None or Inherit.

For more details regarding the inheritance property, refer to the chapter Inheritance and
Propagation.
b. In the drop-down list Propagation property, you can configure the propagation behavior
of the value of the class object:

Value Description
None The property is not set, this is selected by default. Users can set it to Propagate or
Restrict.
Propagate The property is forced to Propagate. Users cannot change it to None or Restrict.
Restrict The property is forced to Restrict. Users cannot change it to None or Propagate.

For more details regarding the propagation property, refer to the chapter Inheritance
and Propagation.
c. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington" that allows
to only display the class object if your condition is matched.
Note that the condition can only be taken into account if the value of the class object
has already been saved in the wizard, either via inheritance or because it is located
after a Jump to page. You can set multiple conditions but they must be separated by
boolean connectors.
10. Click on OK to complete the operation. The object is now displayed in the left section and
PNG

part of the class content. You can preview the drop-down list content in Class Editor. It is
followed by if you ticked the box Required.
original

You must click on to save the class configuration or to undo the object addition. If you
exit without saving, your changes are lost. Note that you can keep adding other class
objects to the same class and save it.

Select class
The class object Select class allows to include a drop-down list containing existing classes in the
wizard. It can only return classes that apply to IPAM spaces, IPv4 networks, pools and addresses;
DNS servers and zones; DHCPV4 servers, scope, ranges and statics; and Administration groups
and users.

To add a select class drop-down list

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. In the column Name, click on the class you want to edit. Class Editor opens.
4. In the search bar, type in Select class.

1369
 Configuring Classes

5. In the class objects list, click on Select class or drag and drop it among the class objects. The
wizard Select class wizard.
6. In the field Name, specify the name of the class object in the database. That name is never
displayed in Class Editor.
Note that names must be unique and in lowercase. You can use hexadecimal characters
and underscores "_", but no spaces. To prevent GUI conflicts, avoid names that are already
used in the GUI, like site, mac-addr, gateway, vlan, domain, user, port, password...
7. In the field Label, specify the name of the class object in the wizards. Only this name is seen
by the users.
8. You can tick the box Required to make the class object configuration compulsory in the re-
source addition and edition wizards.
9. In the drop-down list Type, select the resource to which apply the classes you want to display:
Space, Network, Pool, Address, DNS server, DNS zone, DHCP server, DHCP scope, DHCP
range, DHCP static, User or Group.
10. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. You can tick the box Translate the label if you want the name of the class object, its
Label, to be translated when users set the GUI in another language. If you tick the box,
the label translation must be available on the page Language editor. For more details,
refer to the section Customizing the Interface Names and Fields.
b. In the drop-down list Inheritance property, you can configure the inheritance behavior
of the value of the class object:

Value Description
None The property is not set, this is the default value. Users can set it to Inherit or Set.
Inherit The property is forced to Inherit. Users cannot change it to None or Set.
Set The property is forced to Set. Users cannot change it to None or Inherit.

For more details regarding the inheritance property, refer to the chapter Inheritance and
Propagation.
c. In the drop-down list Propagation property, you can configure the propagation behavior
of the value of the class object:

Value Description
None The property is not set, this is selected by default. Users can set it to Propagate or
Restrict.
Propagate The property is forced to Propagate. Users cannot change it to None or Restrict.
Restrict The property is forced to Restrict. Users cannot change it to None or Propagate.

For more details regarding the propagation property, refer to the chapter Inheritance
and Propagation.
d. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington" that allows
to only display the class object if your condition is matched.
Note that the condition can only be taken into account if the value of the class object
has already been saved in the wizard, either via inheritance or because it is located
after a Jump to page. You can set multiple conditions but they must be separated by
boolean connectors.

1370
 Configuring Classes

11. Click on OK to complete the operation. The object is now displayed in the left section and
PNG

part of the class content. You can preview the drop-down list content in Class Editor. It is
followed by if you ticked the box Required.
original

You must click on to save the class configuration or to undo the object addition. If you
exit without saving, your changes are lost. Note that you can keep adding other class
objects to the same class and save it.

Text area
The class object Text area allows to display an input area in the wizard.

In Class Editor, it looks like an input with a black square at the right-end of the field, as illustrated
in the image The window Class Editor in the section Browsing the Class Objects.

To add a text area

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. In the column Name, click on the class you want to edit. Class Editor opens.
4. In the search bar, type in Text area.
5. In the class objects list, click on Text area or drag and drop it among the class objects. The
wizard Text area wizard.
6. In the field Name, specify the name of the class object in the database. That name is never
displayed in Class Editor.
Note that names must be unique and in lowercase. You can use hexadecimal characters
and underscores "_", but no spaces. To prevent GUI conflicts, avoid names that are already
used in the GUI, like site, mac-addr, gateway, vlan, domain, user, port, password...
7. In the field Label, specify the name of the class object in the wizards. Only this name is seen
by the users.
8. You can tick the box Required to make the class object configuration compulsory in the re-
source addition and edition wizards.
9. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. In the field Rows, you can specify the number of rows to display in the text area.
b. You can tick the box Translate the label if you want the name of the class object, its
Label, to be translated when users set the GUI in another language. If you tick the box,
the label translation must be available on the page Language editor. For more details,
refer to the section Customizing the Interface Names and Fields.
c. In the drop-down list Inheritance property, you can configure the inheritance behavior
of the value of the class object:

Value Description
None The property is not set, this is the default value. Users can set it to Inherit or Set.
Inherit The property is forced to Inherit. Users cannot change it to None or Set.
Set The property is forced to Set. Users cannot change it to None or Inherit.

For more details regarding the inheritance property, refer to the chapter Inheritance and
Propagation.
d. In the drop-down list Propagation property, you can configure the propagation behavior
of the value of the class object:

1371
 Configuring Classes

Value Description
None The property is not set, this is selected by default. Users can set it to Propagate or
Restrict.
Propagate The property is forced to Propagate. Users cannot change it to None or Restrict.
Restrict The property is forced to Restrict. Users cannot change it to None or Propagate.

For more details regarding the propagation property, refer to the chapter Inheritance
and Propagation.
e. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington" that allows
to only display the class object if your condition is matched.
Note that the condition can only be taken into account if the value of the class object
has already been saved in the wizard, either via inheritance or because it is located
after a Jump to page. You can set multiple conditions but they must be separated by
boolean connectors.
PNG

10. Click on OK to complete the operation. The object is now displayed in the left section and
part of the class content. It is followed by if you ticked the box Required.
original

You must click on to save the class configuration or to undo the object addition. If you
exit without saving, your changes are lost. Note that you can keep adding other class
objects to the same class and save it.

Time stamp
The class object Time stamp allows to include the exact time and date of addition of a resource
in a dedicated field of the wizard. It respects the format mm/dd/yyyy regardless of the date format
on your Settings.

Note that if you edit a resource that was not configured with this class object, the time stamp
matches the moment you apply the class and not its actual addition date and time.

To add a field Time stamp

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. In the column Name, click on the class you want to edit. Class Editor opens.
4. In the search bar, type in Time stamp.
5. In the class objects list, click on Time stamp or drag and drop it among the class objects. The
wizard Time stamp wizard.
6. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington" that allows
to only display the class object if your condition is matched.
Note that the condition can only be taken into account if the value of the class object
has already been saved in the wizard, either via inheritance or because it is located
after a Jump to page. You can set multiple conditions but they must be separated by
boolean connectors.
7. Click on OK to complete the operation. The object is now embedded into the class and listed
in the left section.

1372
 PNG
Configuring Classes

original

You must click on to save the class configuration or to undo the object addition. If you
exit without saving, your changes are lost. Note that you can keep adding other class
objects to the same class and save it.

Upload file
The class object Upload file allows to include an upload tool in the wizard. It displays a field File
name and a button BROWSE to upload any file. Keep in mind that:
• Uploaded files cannot exceed 300 MB.
• Uploaded files are stored temporarily in the directory /tmp of the appliance and deleted shortly
after. The upload tool can therefore be used to import CSV files or other types of files to be
processed straight away by other class objects.

To add a field Upload file

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. In the column Name, click on the class you want to edit. Class Editor opens.
4. In the search bar, type in Upload file.
5. In the class objects list, click on Upload file or drag and drop it among the class objects. The
wizard Upload file wizard.
6. In the field Name, specify the name of the class object in the database. That name is never
displayed in Class Editor.
Note that names must be unique and in lowercase. You can use hexadecimal characters
and underscores "_", but no spaces. To prevent GUI conflicts, avoid names that are already
used in the GUI, like site, mac-addr, gateway, vlan, domain, user, port, password...
7. In the field Label, specify the name of the class object in the wizards. Only this name is seen
by the users.
8. In the drop-down list Expert mode, you can select Yes to further configure the class object.
a. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington" that allows
to only display the class object if your condition is matched.
Note that the condition can only be taken into account if the value of the class object
has already been saved in the wizard, either via inheritance or because it is located
after a Jump to page. You can set multiple conditions but they must be separated by
boolean connectors. PNG

9. Click on OK to complete the operation. The object is now embedded into the class and listed
in the left side of the window.
original

You must click on to save the class configuration or to undo the object addition. If you
exit without saving, your changes are lost. Note that you can keep adding other class
objects to the same class and save it.

Editing Class Objects

Class objects can be edited even if the class they belong to is already in use. Keep in mind that:
• Renaming an object already used by a resource deletes all the class data it is associated
with. It can only be retrieved by renaming the object back, before filling any new class data
through the newly edited object.

1373
 Configuring Classes

• You must save your configuration before closing Class Editor, otherwise your changes are not
taken into account.
• After an hour of inactivity, any unsaved changes are lost and your configuration can no longer
be saved.

Note that you can also edit the class global.

To edit a class object

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. In the column Name, click on the class you want to edit. Class Editor opens.
4. In the left section, within the class content, put your cursor on the class object to edit and
double-click on it or click on . The wizard opens.
5. Edit the class object according to your needs. For more details, refer to the relevant class
PNG

object in the section Adding Class Objects.

6. Click on OK to complete the operation. The object is updated.
original

You must click on to save the class configuration or to undo the object addition. If you
exit without saving, your changes are lost. Note that you can keep adding other class
objects to the same class and save it.

Reordering Class Objects

The order of the objects of a class defines in which order users have to configure the custom
fields in the wizard.You can drag & drop the objects of your choice to reorder them. Keep in mind
that:
• A Multiple select is only effective if placed right under the Select it is associated with.
• A Multiple input is only effective if placed right under the Input it is associated with.
• You must save your configuration before closing Class Editor, otherwise your changes are not
taken into account.
• After an hour of inactivity, any unsaved changes are lost and your configuration can no longer
be saved.

To reorder class objects

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. In the column Name, click on the class you want to edit. Class Editor opens.
PNG

4. In the left section, within the class content, drag and drop the class objects one by one to
change their display order.
original

You must click on to save the class configuration or to undo the object addition. If you
exit without saving, your changes are lost. Note that you can keep adding other class
objects to the same class and save it.

1374
 Configuring Classes

Deleting Class Objects

You can remove a class object from a class. Keep in mind that:
• Deleting a class object removes the related custom fields and data from all the resources it is
applied to.
• You must save your configuration before closing Class Editor, otherwise your changes are not
taken into account.
• After an hour of inactivity, any unsaved changes are lost and your configuration can no longer
be saved.

To delete a class object

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. In the column Name, click on the class you want to edit. Class Editor opens.
4. In the left side of the window, move your cursor on the class object to edit and click on .
The wizard opens. PNG

5. Click on OK to complete the operation. The object is no longer listed in the left side of the
wizard. original

You must click on to save the class configuration or to undo the object addition. If you
exit without saving, your changes are lost. Note that you can keep adding other class
objects to the same class and save it.

1375
Chapter 112. Configuring Custom
Databases
You can add your own custom databases on the page Custom DB. These databases are directly
embedded in SOLIDserver and can contain a maximum of 10 pieces of information, custom data,
displayed on the dedicated page as columns named Label #.

Custom databases can come in handy when configuring classes with parameters like select,
multiple select or autocompletion. For more details, refer to the chapter Configuring Classes.

By default, a custom database named Vendor is already available, it cannot be edited. This
database is used by SOLIDserver to link MAC address and the Vendor of the Ethernet card to-
gether.

Managing Custom Databases

From the page Custom database, you can add, edit and delete custom databases.

Browsing Custom Databases

To display the list of custom databases
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Custom DB. The Custom database listing page
opens. By default, it contains the database Vendor.

By default, the page Custom database displays all the columns. You can sort and filter them, but
you cannot change their layout.

To display a custom database properties page

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Custom DB. The page Custom database opens.
3. At the end of the line of the custom database of your choice, click on . The properties page
opens.

On the properties page, the panel Main properties displays the custom database name, Type,
Description, Read only status, and the labels it contains.

Adding a Custom Database

You can add as many custom databases as you need. Each one can contain up to 10 columns
to structure its custom data.

To add a custom database

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Custom DB. The page Custom database opens.
3. In the menu, click on Add. The wizard Create a custom DB opens.
4. Configure your custom database:

1376
 Configuring Custom Databases

Table 112.1. Custom database addition parameters

Field Description
Database name The name of the custom database you are adding. This field is required.
Type The database type. This field is optional.
Description The database description. This field is optional.
Label # The name of the labels of the custom database. It can have up to 10 labels, used as
columns on the page Custom data. The labels allow to organize the content of your
database. These fields are optional.

5. Click on OK to complete the operation. The report opens and closes. The custom database
is listed.

Editing a Custom Database

You can edit a custom database, however keep in mind that:
• If you rename a custom database, make sure that this name is unique and not already used.
• You cannot edit the default custom database Vendor, it is in read-only.

To edit a custom database

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Custom DB. The page Custom database opens.
3. In the column Name, right-click on the name of the database you want to edit. The contextual
menu opens.
4. Click on . The wizard Create a custom DB opens.
5. Edit the Database name, Type, Description and Label # according to your needs.
6. Click on OK to complete the operation. The report opens and closes. The changes are dis-
played in the list.

Exporting Custom Databases

From the page Custom database, you can export the data listed in a CSV, HTML, XML, XLS or
PDF file.

Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.

Deleting a Custom Database

You can delete your custom databases, however keep in mind that:
• You cannot delete the default custom database Vendor, it is in read-only.

To delete a custom database

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Custom DB. The page Custom database opens.
3. Tick the custom database(s) of your choice.
4. In the menu, click on Delete. The wizard opens.
5. Click on OK to complete the operation. The report opens and closes. The custom database
is no longer listed.

1377
 Configuring Custom Databases

Managing Custom Data

Once a custom database is added, it is empty and you must add its custom data.

Once your database contains everything you need, you can use it within classes and apply it to
the resource(s) that suits your needs. For more details, refer to the chapter Configuring Classes.

Browsing Custom Data

To display the list of custom data
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Custom DB. The page Custom database opens.
3. In the breadcrumb, click on Custom data. The page Custom data opens.
4. To display the custom data of a specific custom database, in the column Name, click on the
custom database of your choice. The page refreshes.

By default, the page Custom data displays all the columns. You can sort and filter them, but you
cannot change their layout.

To display a custom data entry properties page

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Custom DB. The page Custom database opens.
3. At the end of the line of the entry of the custom data of your choice, click on .The properties
page opens.

On the properties page, the panel Main properties displays the name of the custom database
it belongs to, and its defined labels and their value.

Adding Custom Data

From the page Custom data, you can add entries to existing custom databases.

You can also import custom data. For more details, refer to the section Importing Custom Data
in the chapter Importing Data from a CSV File.

To add a custom data entry

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Custom DB. The page Custom database opens.
3. In the breadcrumb, click on Custom data. The page Custom data opens.
4. In the menu, click on Add. The wizard Add custom data opens.
5. In the drop-down list Database, select the custom database of your choice.
6. Click on NEXT . The last page opens.
7. Fill in the fields according to your needs, all 10 fields are optional. The fields can either have
the default name Value 1... Value 10 or have the name (label) that was set for its custom
database.
8. Click on OK to complete the operation. The report opens and closes. The custom data entry
is listed.

1378
 Configuring Custom Databases

To add a custom data entry in a specific custom database

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Custom DB. The page Custom database opens.
3. In the list, click on the name of the custom database of your choice. The page Custom data
opens.
4. In the menu, click on Add. The wizard Add custom data opens.
5. Fill in the fields according to your needs, all 10 fields are optional. The fields can either have
the default name Value 1... Value 10 or have the name (label) that was set for its custom
database.
6. Click on OK to complete the operation. The report opens and closes. The custom data entry
is listed.

Editing Custom Data

You can edit the content of a custom database, however keep in mind that:
• If you rename custom data entries, make sure that the name is unique and not already used.
• You cannot edit custom data entries of the default custom database Vendor, they are in read-
only.

To edit a custom data entry

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Custom DB. The page Custom database opens.
3. In the column Name, click on the custom database of your choice. The page Custom data
opens.
4. In the first column, right-click on the entry you want to edit. The contextual menu opens.
5. Click on . The wizard opens.
6. Edit the value of the fields according to your needs.
7. Click on OK to complete the operation. The report opens and closes. The changes are dis-
played in the list.

Exporting Custom Data

From the page Custom data, you can export the data listed in a CSV, HTML, XML, XLS or PDF
file.

Like any other export, you can retrieve the data immediately or schedule it. For more details,
refer to the chapter Exporting Data.

Deleting Custom Data

You can delete custom data entries from your custom databases, however keep in mind that:
• You cannot delete custom data entries from the default custom database Vendor, they are in
read-only.

To delete a custom data entry

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Custom DB. The page Custom database opens.

1379
 Configuring Custom Databases

3. In the column Name, click on the custom database of your choice. The page Custom data
opens.
4. Tick the custom data entry of your choice, you can tick several.
5. In the menu, click on Delete. The wizard Delete opens.
6. Click on OK to complete the operation.

1380
Chapter 113. Managing Customization
Packages
From the Administration module, you can import archive files, or packages, containing a set of
customized functionalities from the page Packager.

Once imported and uploaded, installing these packages can affect interfaces, databases, system
files, etc. depending on what they contain. These functionalities can take the form of classes,
services (also called macros), reports or rules.

Packager is composed of two pages: All Packages and All package files. From the page All
Packages, you can import or create, install, uninstall and delete your packages. The page All
package files provides the content of the packages.

Packager reuses the principle of the module of the same name in 3.0.1, however, it uses different
services. Therefore, packages created or used in previous versions of SOLIDserver cannot be
used with the current version.

Browsing the Packages Database

The packages and their content are displayed on two different pages. The packages management
options are only available on the page All packages.

To display the list of packages

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Packager. The page All packages opens.

The page All packages contains seven columns: Name, Description, Version, Vendor, Creation
time, Install time and Status. You cannot change their layout.

To display all the information in one panel, open the package properties page.

To display a package properties page

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Packager. The page All packages opens.
3. At the end of the line of the package of your choice, click on . The server properties pages
opens.

The packages content is listed on the page All package files.

To display the list of package files

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Packager. The page All packages opens.
3. In the breadcrumb, click on All package files. The page All package files opens.

To display the package files of a specific package

1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Packager. The page All packages opens.

1381
 Managing Customization Packages

3. Click on the name of the package of your choice. The page All package files of the selected
package opens.

The page All package files contains five columns: filename, Directory, Type, Package version
and Version. You cannot change their layout.

Uploading Packages
From the page All packages, you can upload your own packages in a .tar archive file.

Keep in mind that:

• Uploading a package simply stores it locally on the appliance. Once uploaded, you need to
install it to push the files it contains. For more details, refer to the section Installing Packages.
• Each package has a unique name, version and content, so you cannot upload a package if it
is already listed on the page unless the version or name differs. If at least one of the files it
contains is already installed, you cannot install your package.
• Packages from previous versions of SOLIDserver are not compatible and therefore not suppor-
ted.

To upload a package
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Packager. The page All packages opens.
3. In the menu, click on Add. The wizard Upload a package opens.
4. Click on BROWSE to search for the .tar file to import. A window opens to help you browse
through folders.
5. Double-click on the needed file. The window closes and the file is visible in the field File
name of the wizard.
6. Click on OK to complete the operation. The report opens and closes. The package is listed
but it is not installed yet.

Creating Packages
You can create your own packages and configure them with existing rules, services, reports and
classes.

Keep in mind that:

• Creating a package does not install it. Once created, you need to install it to push the files it
contains. For more details, refer to the section Installing Packages.
• Each package has a unique name, version and content, so you cannot upload a package if it
is already listed on the page unless the version or name differs. If at least one of the files it
contains is already installed, you cannot install your package.
• You cannot include system files to your package. If you include any of SOLIDserver system
files during the creation, you cannot install the package.

To create a package
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Packager. The page All packages opens.
3. In the menu, select Tools > Expert > Create a package. The wizard Create a package
opens.

1382
 Managing Customization Packages

4. Configure the package details:

a. In the field Package name, name the package.
b. In the field Version, specify a version for your package following the format <num-
ber>.<number> .
c. In the field Description, you can describe the package.
d. In the field Vendor, you can specify a vendor name.
5. Click on NEXT to configure the package content. The page Package files selection opens.
6. You can add classes to your package:
a. In the drop-down list Files type, select Class.
b. In the drop-down list Module, select the module of your choice. It can be Administration,
DHCP, DNS, Device Manager, IPAM, NetChange, Rights & delegation, SPX, VLAN
Manager, VRF or Workflow.
c. In the drop-down list Type, select the object the class applies to within the module.
d. In the drop-down list Available files, select an existing class. If it belongs to a specific
directory, it is listed as follows: <directory-name>/<class-name>. For more details re-
garding classes, refer to the chapter Configuring Classes.
e. Once you selected the class that suits your needs, click on ADD . The class is moved to
the list Selected files. You can add as many classes as needed.
7. You can add services to your package:
a. In the drop-down list Files type, select Macro.
b. In the drop-down list Module, select the module of your choice. It can be Administration,
DHCP, DNS, Device Manager, IPAM, NetChange, Rights & delegation, SPX, VLAN
Manager, VRF or Workflow.
c. In the drop-down list Available files, select the service of your choice.
d. Once you selected the service that suits your needs, click on ADD . The service is moved
to the list Selected files. You can add as many services as needed.
8. You can add reports to your package:
a. In the drop-down list Files type, select Report.
b. In the drop-down list Available files, select the report of your choice. For more details
regarding the reports refer to the chapter Managing Reports.
c. Once you selected the report that suits your needs, click on ADD . The report is moved
to the list Selected files. You can add as many reports as needed.
9. You can add rules to your package:
a. In the drop-down list Files type, select Rule.
b. In the drop-down list Module, select the module of your choice. It can be Administration,
DHCP, DNS, Device Manager, IPAM, NetChange, Rights & delegation, SPX, VLAN
Manager, VRF or Workflow.
c. In the drop-down list Available files, select an existing rule applying to the selected
module.
d. Once you selected the rule that suits your needs, click on ADD . The rule is moved to the
list Selected files. You can add as many rules as needed.
10. In the drop-down list Selected files are listed all the classes, services, reports and rules that
the package contains.
To remove an entry, select it the list and click on DELETE .

1383
 Managing Customization Packages

11. Click on OK to complete the operation. The report opens and closes. The package is listed
but it is not installed yet.

Editing Packages
You cannot edit a package. If one of your packages contains files that you no longer require or
if it misses files, you need to replace it.
1. Uninstall the useless package.
2. Upload the package that replaces it or create another package. To make sure you do not forget
any file, you can look at the list All package files of the package you want to replace.
3. Delete the useless package.
4. Install the new package.

Installing Packages
Installing a package pushes its files to the relevant parts of the appliances. When uploading or
creating a package, it is simply listed in the GUI. If you do not install it, the files it contains are
simply stored locally but not used.

Keep in mind that:

• You cannot install a package containing SOLIDserver system files.
• You cannot install a package if it contains one or several files that were already installed with
another package.
• Once you installed a package, you cannot delete it, you must uninstall it before being able to
delete it.

To install a package
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Packager. The page All packages opens.
3. Tick the package(s) you want to install.
4. In the menu, select Edit > Install. The wizard Install a package opens.
5. Click on OK to complete the operation. The report opens and works until all the files are
pushed. In the column Status the package is marked installed.

Uninstalling Packages
Uninstalling a package allows to revert all the changes that the files it contains were performing.
It also allows to delete a package: you cannot delete a package if it is installed, i.e. used.

To uninstall a package
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Packager. The page All packages opens.
3. Tick the package(s) you want to uninstall.
4. In the menu, select Edit > Uninstall. The wizard Uninstall a package opens.
5. Click on OK to complete the operation. The report opens and closes. In the column Status
the package is marked uninstalled.

1384
 Managing Customization Packages

Downloading Packages
You can download a package, whether it is installed or not. Keep in mind that you can only
download one package at a time.

To download a package
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Packager. The page All packages opens.
3. Tick the package you want to download.
4. In the menu, select Edit > Download. The wizard Downloading a package opens.
5. Click on OK to complete the operation. The report opens and displays the package which is
an archive .tar file that can be downloaded from the page Local files listing available from
the page Admin Home.
6. Click on DOWNLOAD to download the file before closing the wizard.
7. Click on CLOSE .

Deleting Packages
Once you no longer need a package, you can delete it as long as it is no longer used. This means
that if the package you want to delete is currently installed, you need to uninstall it before following
the procedure below. For more details, refer to the section Uninstalling Packages.

To delete a package
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Packager. The page All packages opens.
3. Tick the package(s) of your choice.
4. In the menu, click on Delete. The wizard Delete opens.
5. Click on OK to complete the operation. The report opens and closes. The package is no
longer listed.

1385
Appendix A. Matrices of Network Flows
This appendix maps out the networks flows that you must open to manage your SOLIDserver
appliance or remotely manage servers. They are detailed in tables divided as follows:
• SOLIDserver network flows.
• IPAM network flows.
• DHCP network flows.
• DNS network flows.
• NetChange network flows.
• Identity Manager network flows.
• Remote Management network flows.

Each flow detail includes its Source IP, Port, Destination IP, Port, Protocol, Service used and
Notes, when relevant. The Source IP and Destination IP may contain the following:

Source IP / Destination IP Description

administrator The computer belonging to a user with administrative rights.
DHCP client The device querying the DHCP server.
DHCP server Any DHCP server, the flow must be opened for all servers.
DHCP backup A server managed in a SOLIDserver smart architecture that has a backup role
in your failover configuration.
DHCP master A server managed in a SOLIDserver smart architecture that has a master role
in your failover configuration.
DNS client The device querying the DNS server.
DNS server Any DNS server, the flow must be opened for all servers.
DoH client The device querying the DNS server via DNS over HTTPS.
DoH server Any DNS server answering queries via DNS over HTTPS, the flow must be
opened for all servers.
iDRAC The integrated Dell Remote Access Controller for SOLIDserver rack hardware
appliances of the 4th generation (SOLIDserver-260+) and 5th generation
(SOLIDserver-270+).
Kerberos servers Your Kerberos authentication server.
MS DHCP A Microsoft DHCP server managed from SOLIDserver.
MS DNS A Microsoft DNS server managed from SOLIDserver.
Network device All the routers, switches and/or firewalls which information you want to retrieve.
They must be managed in the module NetChange.
SOLIDserver Any SOLIDserver appliance.
SOLIDserver Hot Standby A SOLIDserver appliance configured in High Availability which role is Hot
Standby. As the Hot Standby can be switched to Master, the matrices flows
on both HA appliances should be configured the same.
SOLIDserver Management A SOLIDserver appliance managing another SOLIDserver or any external
server or service.
SOLIDserver Master A SOLIDserver appliance configured in High Availability which role is Master.
The matrices flows on both the Master and Hot Standby appliances should be
configured the same.
Windows AD Controller A Windows AD domain controller that allows your SOLIDserver appliance to
retrieve its data in the module Identity Manager.

1386
 Matrices of Network Flows

SOLIDserver
Basic Configuration
Source IP Port Destination IP Port Protocol Service Notes
administrator any SOLIDserver 80 TCP HTTP Graphic User Interface (GUI)
administrator any SOLIDserver 443 TCP HTTPS Graphic User Interface (GUI)
administrator any SOLIDserver 22 TCP SSH Command Line Interface (CLI)
SOLIDserver any DNS server 53 UDP DNS DNS resolution, DDNS update
SOLIDserver any DNS server 53 TCP DNS DNS resolution, DNS zone transfer
SOLIDserver any NTP server 123 UDP NTP Time synchronization
SOLIDserver any FTP server 21 TCP FTP Remote archive on an FTP or SFTP
SOLIDserver any SFTP server 22 TCP SFTP server

External Authentication
Source IP Port Destination IP Port Protocol Service Notes
SOLIDserver any LDAP/AD 389 TCP LDAP LDAP or AD authentication
SOLIDserver any LDAPS/AD 636 TCP LDAPS LDAPS or AD authentication
SOLIDserver any RADIUS 1812 UDP RADIUS RADIUS authentication

TFTP and NTP Services

Source IP Port Destination IP Port Protocol Service Notes
TFTP client any SOLIDserver 69 UDP TFTP File transfer
NTP client any SOLIDserver 123 UDP NTP NTP server

Monitoring and Logging

Source IP Port Destination IP Port Protocol Service Notes
Monitoring
any SOLIDserver 161 UDP SNMP
server SNMP pooling
SOLIDserver any SOLIDserver 161 UDP SNMP
Monitoring
SOLIDserver any 162 UDP SNMP SNMP trap
server
SOLIDserver any Log server 514 UDP Syslog Syslog export

iDRAC
Source IP Port Destination IP Port Protocol Service Notes
administrator any iDRAC 22 TCP SSH iDRAC SSH
administrator any iDRAC 80 TCP HTTP iDRAC GUI
administrator any iDRAC 443 TCP HTTPS iDRAC GUI
administrator any iDRAC 5900 TCP VNC Virtual Console

1387
 Matrices of Network Flows

IPAM
Cisco DNA
Source IP Port Destination IP Port Protocol Service Notes
Required to configure DNA synchroniza-
DNA center any SOLIDserver 443 TCP HTTPS
tion

SPX
RIPE

Source IP Port Destination IP Port Protocol Service Notes

SOLIDserver any RIPE database 43 TCP WHOIS Retrieve RIPE data (Whois)
SOLIDserver any RIPE database 80 TCP WHOIS Send data to the RIPE (Whois)
SOLIDserver any RIPE database 443 TCP HTTPS/POST Send data to the RIPE directly

APNIC

Source IP Port Destination IP Port Protocol Service Notes

APNIC data-
SOLIDserver any 43 TCP WHOIS Retrieve APNIC data (Whois)
base
APNIC data-
SOLIDserver any 80 TCP WHOIS Send data to the APNIC (Whois)
base
APNIC data-
SOLIDserver any 443 TCP HTTPS/POST Send data to the APNIC directly
base

1388
 Matrices of Network Flows

DHCP
EfficientIP DHCP Servers
Source IP Port Destination IP Port Protocol Service Notes
SOLIDserver Required to manage an EfficientIP DH-
any DHCP server 443 TCP HTTPS
Management CP server on a SOLIDserver appliance
Failover channel port on the backup
DHCP master any DHCP backup 647 TCP Failover
server
Failover channel port on the master
DHCP backup any DHCP master 847 TCP Failover
server
DHCP client 68 DHCP server 67 UDP DHCP Required by the service DHCP
DHCP server 67 DHCP client 68 UDP DHCP Required by the service DHCP
DHCP client 546 DHCP server 547 UDP DHCP Required by the service DHCPv6
DHCP server 547 DHCP client 546 UDP DHCP Required by the service DHCPv6
Broadcast ad- Required by the DHCP protocol on the
DHCP client 68 67 UDP DHCP
dress local segment
a
DHCP server - any - ICMP ICMP Only if the option ping-check is enabled
a
For more details, refer to the section Preventing IP Address Duplication.

Microsoft Windows DHCP Servers

Source IP Port Destination IP Port Protocol Service Notes
SOLIDserver Microsoft Remote Procedure Calls (MS
any MS DHCP 135 TCP MS RPC
Management RPC)
SOLIDserver
any MS DHCP 445 TCP SMB MS RPC locator
Management
49152
SOLIDserver a
any MS DHCP - TCP MS RPC MS RPC dynamic ports range
Management
65535
DHCP client 68 MS DHCP 67 UDP DHCP Required by the service DHCP
MS DHCP 67 DHCP client 68 UDP DHCP Required by the service DHCP
Broadcast ad- Required by the DHCP protocol on the
DHCP client 68 67 UDP DHCP
dress local segment
a
Stateful firewall configurations do not require a specific rule for dynamic ports. An ephemeral port is used for the session
conversation.

Linux Packages
Prerequisite before configuring a Linux Package: configuring DHCP network flows as detailed
in the section EfficientIP DHCP Servers.

Source IP Port Destination IP Port Protocol Service Notes

SOLIDserver Required to manage the DHCP server
any DHCP server 443 TCP HTTPS
Management on Linux packages

1389
 Matrices of Network Flows

DHCP Statistics
Source IP Port Destination IP Port Protocol Service Notes
SOLIDserver SNMP v1, v2c and v3 to retrieve the
any DHCP server 161 UDP SNMP
Management server statistics

1390
 Matrices of Network Flows

DNS
EfficientIP DNS Servers
Source IP Port Destination IP Port Protocol Service Notes
SOLIDserver Required to manage an EfficientIP DNS
any DNS server 443 TCP HTTPS
Management server on a SOLIDserver appliance
SOLIDserver DNS resolution, DDNS update, DNS
any DNS server 53 UDP/TCP DNS
Management zone transfer
DNS resolution, DDNS update, DNS
DNS server any DNS server 53 UDP/TCP DNS
zone transfer
DNS client any DNS server 53 UDP/TCP DNS DNS resolution
10000
SOLIDserver a
DNS server - 2053 UDP DNS DNS notify (optional)
Management
65535
a
The port 2053 allows to speed up zone transfers between SOLIDserver Management and its managed DNS servers.
Keep in mind that not all DNS engines support this functionality, for instance Microsoft DNS engines do not support it.

Microsoft Windows DNS Servers

Source IP Port Destination IP Port Protocol Service Notes
SOLIDserver Microsoft Remote Procedure Calls (MS
any MS DNS 135 TCP MS RPC
Management RPC)
SOLIDserver
any MS DNS 445 TCP SMB MS RPC locator
Management
49152
SOLIDserver a
any MS DNS - TCP MS RPC MS RPC dynamic ports range
Management
65535
SOLIDserver DNS resolution, DDNS update, DNS
any MS DNS 53 UDP/TCP DNS
Management zone transfer
DNS client any MS DNS 53 UDP/TCP DNS DNS resolution
MS DNS any MS DNS 53 UDP/TCP DNS DNS resolution, DNS zone transfer
a
Stateful firewall configurations do not require a specific rule for dynamic ports. An ephemeral port is used for the session
conversation.

Amazon Route 53 Servers

Source IP Port Destination IP Port Protocol Service Notes
SOLIDserver Required to manage a Route 53 DNS
any AWS Route 53 443 TCP HTTPS
Management server on Amazon Web Service (AWS)
SOLIDserver DNS resolution, DDNS update, DNS
any AWS Route 53 53 UDP/TCP DNS
Management zone transfer

1391
 Matrices of Network Flows

Linux Packages
Prerequisite before configuring a Linux Package: configuring the DNS network flows as detailed
in the section EfficientIP DNS Servers.

Source IP Port Destination IP Port Protocol Service Notes

SOLIDserver Required to manage the DNS server on
any DNS server 443 TCP HTTPS
Management Linux packages

DNS Statistics
Source IP Port Destination IP Port Protocol Service Notes
SNMP v1,v2c or v3 to retrieve the stat-
SOLIDserver
any DNS server 161 UDP SNMP istics of DNS servers on SOLIDserver
Management
appliances or Linux Packages

GSS-TSIG
Source IP Port Destination IP Port Protocol Service Notes
SOLIDserver Kerberos serv-
any 88 Protocol Kerberos Kerberos authentication
Management ers

Routing Protocols for Anycast

Source IP Port Destination IP Port Protocol Service Notes
Router's IP(s) any SOLIDserver 179 TCP BGP
Router's IP(s) - 224.0.0.0/24 - OSPF OSPF
SOLIDserver - 224.0.0.0/24 - OSPF OSPF
- - - - - IS-IS

Guardian
Cache Sharing via Unicast

Source IP Port Destination IP Port Protocol Service Notes

<port
set Guardian cache sharing, via the port of
SOLIDserver any SOLIDserver UDP Cache Sharing
by your choice
user>

Cache Sharing via Multicast

Source IP Port Destination IP Port Protocol Service Notes

Local Net-
- 224.0.0.0/24 - IGMP IGMP
work(s) IGMP
SOLIDserver - 224.0.0.0/24 - IGMP IGMP

1392
 Matrices of Network Flows

DNS over TCP

Source IP Port Destination IP Port Protocol Service Notes

The port 5353 is used by Guardian to
handle DNS TCP queries. No configura-
any any SOLISserver 5353 TCP DNS tion is required on the network firewall,
it is only set in the firewall rules of your
local SOLIDserver appliance.

DoT

Source IP Port Destination IP Port Protocol Service Notes

DNS client any DNS server 853 TCP DNS
DNS over TLS required configuration
DNS server 853 DNS client any TCP DNS

DoH

Source IP Port Destination IP Port Protocol Service Notes

DoH client any DoH server 443 TCP DNS
DNS over HTTPS required configuration
DoH server 443 DoH client any TCP DNS

1393
 Matrices of Network Flows

NetChange
Source IP Port Destination IP Port Protocol Service Notes
Network
NetChange any 161 UDP SNMP SNMP v1, v2c, v3
device
NetChange any DNS server 53 UDP DNS DNS resolution
Network
NetChange any 22 TCP SSH
device
Save the configuration
Network
NetChange any 23 TCP SNMP
device

1394
 Matrices of Network Flows

Identity Manager
Source IP Port Destination IP Port Protocol Service Notes
Windows AD
any SOLIDserver 5986 TCP WEF Required to retrieve sessions.
Controller

1395
 Matrices of Network Flows

Remote Management
High Availability
Source IP Port Destination IP Port Protocol Service Notes
SOLIDserver SOLIDserver
any 443 TCP HTTPS
Hot Standby Master
Health check
SOLIDserver SOLIDserver
any 443 TCP HTTPS
Master Hot Standby
SOLIDserver SOLIDserver
any 5432 TCP PostgreSQL
Hot Standby Master
Replication
SOLIDserver SOLIDserver
any 5432 TCP PostgreSQL
Master Hot Standby

Remote Management of Other Appliances

Source IP Port Destination IP Port Protocol Service Notes
SOLIDserver Management of remote SOLIDserver
any SOLIDserver 443 TCP HTTPS
Management appliances

1396
Appendix B. Default Gadgets
SOLIDserver offers gadgets by default in the Gadgets Library. Among them, 4 are displayed by
default on the Main dashboard.
Alert on ports/interfaces reconciliation drift
• Type: Top List.
• Description: The 5 first port and/or interfaces in Device Manager that have a Drift in the
Reconciliation column of the page All ports & interfaces. For more details, refer to the
section Tracking Changes on the Page All ports & interfaces.
If you upgraded to this version, this gadget may be displayed on Device Manager dashboard.
Alerts
• Type: Top List.
• Description: The 10 latest raised alerts. Click on the alert name to go to the page Alerts.
For more details, refer to the chapter Managing Alerts.
All networks
• Type: Quick Search.
• Description: A search engine gadget to find networks in the IPAM. The data entered in the
fields automatically add filters on the page All networks through the columns Name and
Address.
DHCP ranges
• Type: Top List.
• Description: A list of the 10 first DHCP ranges sorted by address with the server they belong
to, their occupation rate and status.
DHCP Servers
• Type: Top List.
• Description: A list of the 10 first DHCP servers sorted by name with their type, protocol,
synchronization status and status.
DNS RR type
• Type: Chart.
• Description: A pie chart representing the managed records repartition per type.
DNS Servers
• Type: Top List.
• Description: The 10 first DNS servers sorted by name with their IP address, synchronization
status and status.
General information
• Type: Descriptive.
• Description: A gadget gathering the appliance configuration information, running services,
hostname, IP address(es), default gateway(s), role and status. For more details, refer to
the section General Information in the chapter Managing Gadgets.
This gadget is displayed by default on the Main dashboard of the superuser session.
My account preferences & configuration
• Type: Shortcut.
• Description: A gadget gathering user dedicated shortcuts, toward the Gadgets Library and
the wizard Change Language.
This gadget is displayed by default on the Main dashboard of all users.

1397
 Default Gadgets

NetChange active ports speed (bps)

• Type: Chart.
• Description: A pie chart representing NetChange Active ports repartition per speed. The
Inactive and Disabled ports are not represented.
If you upgraded to this version, this gadget may be displayed on NetChange dashboard.
NetChange network devices vendor
• Type: Chart.
• Description: A pie chart representing NetChange network devices repartition per vendor.
If you upgraded to this version, this gadget may be displayed on NetChange dashboard.
NetChange port status
• Type: Chart.
• Description: A pie chart representing NetChange ports repartition per status.
If you upgraded to this version, this gadget may be displayed on NetChange dashboard.
Networks
• Type: Top List.
• Description: The 10 first networks sorted by start IP address with their start address and
prefix, name, proportion of used IP addresses and status.
Number of interfaces used per device
• Type: Chart
• Description: A pie chart representing Device Manager used ports repartition per device.
If you upgraded to this version, this gadget may be displayed on Device Manager dashboard.
Number of NetChange ports per device
• Type: Chart.
• Description: A pie chart representing NetChange ports repartition per network device.
If you upgraded to this version, this gadget may be displayed on NetChange dashboard.
Number of ports used per device
• Type: Chart.
• Description: A pie chart representing Device Manager used interfaces repartition per device.
If you upgraded to this version, this gadget may be displayed on Device Manager dashboard.
Number of SPX assigned networks allocated per year
• Type: Chart.
• Description: A pie chart representing the SPX assigned networks repartition per year.
Sum of allocated SPX assigned networks size per year
• Type: Chart.
• Description: A pie chart representing the SPX allocated networks repartition per size over
the years.
System Information
• Type: Descriptive.
• Description: A gadget gathering the appliance basic information, user connected, version,
time and date, license type and expiration, manufacturer and product. For more details,
refer to the section System Information in the chapter Managing Gadgets.
This gadget is displayed by default on the Main dashboard of the superuser session.
SOLIDserver Configuration Checklist
• Type: Configuration.

1398
 Default Gadgets

• Description: A gadget gathering appliance configuration shortcuts. For more details, refer
to the section SOLIDserver Configuration Checklist in the chapter Managing Gadgets.
This gadget is displayed by default on the Main dashboard of the superuser session.

1399
Appendix C. Synchronizing Cisco DNA
You can configure your Cisco DNA Center to push its pools, subpools and IP addresses to
SOLIDserver.

Once the configuration is complete, all the pools, subpools and IP addresses you add are available
as block-type networks, subnet-type networks and IP addresses in the IPAM. If you configure
advanced properties, the information sent by DNA Center can even update the DNS and the
DHCP.

To properly synchronize Cisco DNA new data requires:

1. Meeting the prerequisites.
2. Taking into account the limitations.
3. Preparing SOLIDserver to ensure the IPAM can receive your DNA data.
4. Configuring the synchronization from Cisco DNA Center to specify which IPAM space receives
the data.

Prerequisites
• A SOLIDserver appliance in version 7.3.1 or higher configured with the relevant network flows.
For more details, refer to the IPAM network flows in the dedicated appendix.
• Sufficient Cisco DNA Center permissions. The user must be allowed to edit the system settings
and manage pools.
• Sufficient SOLIDserver permissions. The user must be granted sufficient rights and resources
to manage IPAM networks.

Limitations
• Configuring DNA synchronization only takes into account the new pools, subpools and IP ad-
dresses you add to Cisco DNA center. The objects you managed from DNA center before the
configuration are not pushed.
• Synchronizing DNA pools, subpools and IP addresses allows to register them into the IPAM,
however their edition is limited.
• You can edit synchronized DNA data in the IPAM, but any change is performed locally, it is
not pushed to your DNA center.
• You can delete synchronized DNA data from the IPAM, but it does not affect the data of your
DNA center.

Preparing SOLIDserver
To push DNA data in SOLIDserver, you must prepare the IPAM:
• DNA pools correspond to block-type networks in the IPAM, they require a space.
• DNA subpools correspond to subnet-type networks in the IPAM, they require a space containing
a block-type network that can receive them.
• DNA IP addresses correspond to IP addresses in the IPAM, they require a space containing
a block-type network and a terminal network that can receive them.

Keep in mind that all DNA data is pushed to one space of the IPAM.

1400
 Synchronizing Cisco DNA

To prepare the IPAM for Cisco DNA synchronization

1. Connect to SOLIDserver.
2. In the sidebar, go to IPAM > Spaces. The page All spaces opens.
3. Click on the Name of the space of your choice to display its content. The page All networks
opens.
If you want to add a space, refer to the section Adding Spaces of the chapter Managing
Spaces.
4. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
5. To prepare a DNA pool synchronization, make sure the space can receive your new
pool(s) as block-type network(s). It must either be empty or contain block-type networks that
manage addresses that do not overlap the pool you add and synchronize.
If the space contains an overlapping block-type network, you can either delete it or synchron-
ize your data in a different space.
6. To prepare a DNA subpool synchronization, make sure that the space contains block-
type network(s) that can receive your new subpool(s) as subnet-type network(s).
a. Make sure the space contains block-type network(s) that can receive your new subpool(s)
as subnet-type network(s).
If you need to add block-type network(s), refer to the section Adding Networks of the
chapter Managing Networks.
b. Click on the Name of the block-type network of your choice. The page All networks
refreshes.
c. Make sure the block-type network can receive your new subpool(s). It must either be
empty or contain networks managing addresses that do not overlap the subpool(s) you
add and synchronize. Note that non-terminal subnet-type networks cannot receive
subpools.
7. To prepare a DNA IP address synchronization, make sure that the space contains block-
type network(s) containing terminal network(s) that can receive your new IP addresses(s).
a. Make sure the space contains block-type network(s) that can receive your new IP ad-
dresses(s).
If you need to add block-type network(s), refer to the section Adding Networks of the
chapter Managing Networks.
b. Click on the Name of the block-type network of your choice. The page All networks
refreshes.
c. Make sure the block-type network contains terminal network(s) that can receive your
new IP addresses(s).
If you need to add terminal subnet-type network(s), refer to the section Adding Networks
of the chapter Managing Networks.
d. Click on the Name of the terminal network of your choice. The page All addresses
opens.
e. Make sure the terminal network can receive your IP addresses(s). It must either be
empty or contain In use IP addresses that do not overlap the IP addresses(s) you add
and synchronize.
8. If you want the DNA data you add and synchronize to automatically update the DNS and
DHCP:
a. From the Main dashboard, configure the Internal module setup to include the modules
IPAM, DNS and DHCP as detailed in the section Defining the Internal Module Setup.

1401
 Synchronizing Cisco DNA

b. Configure IPAM advanced properties at space and/or network level. All properties are
inherited by the pools, subpools and IP addresses you add and synchronize as networks
and IP addresses. For more details, refer to the chapter Managing Advanced Properties.

Now that the IPAM is ready to receive your DNA data, you can configure the synchronization
from Cisco DNA center.

Configuring the Synchronization

Once you prepared the IPAM, you must configure Cisco DNA center to specify which appliance
and space synchronize new data.

To configure the synchronization from Cisco DNA Center

1. Connect to Cisco DNA Center.
2. From the right-end side of the home page, in the menu, select System > System Settings.
The page refreshes.
3. In the tab System 360, go to Externally Connected Systems.
4. In the section IP Address Manager (IPAM), click on Configure. A form opens.
5. Fill in the form as follows:
a. In the field Server Name, specify the name of your choice.
b. In the field Server URL, specify your SOLIDserver appliance IP address or FQDN fol-
lowing the format: https://<IP-address-or-FQDN>/dna/latest .
c. In the field Username, specify the login of the relevant SOLIDserver user.
d. In the field Password, specify the user password.
e. In the drop-down list Provider, select GENERIC.
f. In the drop-down list View, select the space you prepared.
6. Click on Apply to validate the form.
7. Click on the tab System 360 and verify the information to ensure that the configuration
succeeded.

Once the configuration is complete, the pools, subpools and IP addresses you add to Cisco DNA
center are pushed to SOLIDserver and listed in the IPAM on the pages All networks and All Ad-
dresses.

To make sure the synchronization to SOLIDserver succeeded

1. Connect to Cisco DNA center and add a pool, subpool or IP address.
2. Connect to SOLIDserver.
3. In the sidebar, go to IPAM > Spaces. The page All spaces opens.
4. Click on the Name of the space you configured earlier. The page All networks opens.
5. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
6. If you added a DNA pool, it is listed as a block-type network and may contain subnet-type
networks and IP addresses.
7. If you added a DNA subpool, it is listed as a subnet-type network and may contain subnet-
type networks and/or IP addresses.
8. If you added a DNA IP address, click on the Name of the relevant terminal network. The
page All addresses opens.

1402
 Synchronizing Cisco DNA

9. The synchronized IP address is In use.

Once the synchronization is complete, note that:

• You can edit the synchronized networks and IP addresses in the IPAM, but all changes are
only performed locally, they do not affect your DNA center.
• You can delete synchronized networks and IP addresses from the IPAM, but the corresponding
pools, subpools and IP addresses are still available in Cisco DNA center.
• If you delete any pool, subpool or IP address from Cisco DNA Center, the corresponding network
or IP address is no longer available in the IPAM.

1403
Appendix D. DHCP Options
This appendix describes all the DHCP options that you can configure at server, group, scope
range and static level.

They are described following their Option category in the configuration wizard:
• Most Used Options.
• Basic.
• Server Parameters.
• Lease Information.
• WINS/NetBIOS.
• Host IP.
• Interface.
• Servers.
• BootP Compatible.
• DHCP Packet Fields.
• Microsoft DHCP Client.
• NetWare Client.
• NIS/NISplus.
• Miscellaneous.
• Vendor Nwip.
• Vendor MSFT Options.

At all levels, the properties page allows to configure DHCP options from a dedicated panel.

To configure DHCP options

1. In the sidebar, go to DHCP > Servers, Groups, Scopes, Ranges or Statics depending
on your needs. The page opens.
2. On the right-end side of the menu, click on V4 or V6 depending on your needs. The page
refreshes and the button turns black.
Note that you cannot configure DHCP options on DHCPv6 ranges.
3. At the end of the line of the object of your choice, click on . The properties page opens.
4. In the panel DHCP options, click on EDIT . The wizard Configure DHCP options opens.
5. For DHCP options, in the drop-down list Option category, you can select a category. The
wizard refreshes and only displays the options of the category. By default, Most Used Option
is selected.
6. For DHCPv6 options, in the drop-down list Option category, you can select a category. The
wizard refreshes and only displays the options of the category. By default, DHCPv6 is selec-
ted.
7. Add, edit or delete the option(s) of your choice, via their input field or drop-down list.
You must empty out input fields or set drop-down lists to Unset to delete options.
For more details refer to the relevant section, each one gathers options per category.
8. Click on OK to complete the operation. The report opens and closes. The panel displays the
current configuration.

1404
 DHCP Options

Most Used Options

Table D.1. Most used DHCP options
Name Code Value type Description
domain-name 15 text (name) The domain name the client uses when resolving
name via DNS.
domain-name-servers 6 list of IP addresses The list of Domain Name Servers (DNS) avail-
able for this client These servers are listed by
order of preference.
routers 3 list of IP addresses The list of routers for client subnet. These serv-
ers are listed by order of preference.
default-lease-time N/A duration in seconds The default lease duration.
local-address N/A IP address The IP address that the DHCP server listens on
for DHCP requests, rather than listening on all
local IP addresses. Configure this option if the
server only clients are reached via unicast, such
as via DHCP relay agents.
max-lease-time N/A duration in seconds The maximum lease duration (unavailable for
BOOTP lease).
min-lease-time N/A duration in seconds The minimum lease duration.
one-lease-per-client N/A boolean Allows to ensure a server only delivers a single
lease to a client. If set to Yes, when a client re-
quests a lease the server frees any other lease
the client holds.
ping-check N/A boolean Allows to check via ICMP request if the target
address is not used.

Basic
Table D.2. Basic DHCP options
Name Code Value type Description
auto-configure 116 boolean Allows to ask whether, and be notified if, auto-
configuration should be disabled on the local
subnet.
For more details, refer to the RFC2563 available
on IETF website at
https://tools.ietf.org/html/rfc2563.
broadcast-address 28 IP address The broadcast address for the interface subnet.
host-name 12 text (name) The client host name.
allow-booting N/A boolean Allows to decide whether or not to respond to
queries from a particular client. It must be set in
a host declaration.
By default, booting is allowed. If you disable it
for a particular client, that client cannot to get an
address from the DHCP server.
allow-bootp N/A boolean Allows to decide whether or not to respond to
bootp queries. By default, bootp queries are al-
lowed.
authoritative N/A boolean Allows to check and allocate leases to clients
based on the network segment they connect
from.
ping-timeout N/A duration in seconds The maximum timeout answer for a ping from
the DHCP server.

1405
 DHCP Options

Name Code Value type Description

site-option-space
use-host-decl-names
vendor-option-space
subnet-mask
N/A text (name) Allows to specify from which option space the
site-local options are taken. The site-local op-
tions are the ones with an option code between
224 and 254.
N/A boolean Allows to use the hostname of the host declara-
tion as value of the option hostname provided
to the clients.
N/A boolean The Option space containing the vendor-specific
information. For more details, refer to option 43
(vendor-encapsulated-options).
1 IP address The subnet mask of the connected interface.

Server Parameters
These options concern the technical parameters on the server side.

Table D.3. Available server parameters

Name Code Value type Description
adaptative-lease-time-threshold N/A number between 1 The allocated lease time within a range. When
and 100, percentage the number of allocated leases rises above the
percentage stated, all the DHCP clients get the
minimal lease time (min-lease-time value). Once
the number of allocated leases drops back below
the threshold, the server reverts back to normal
lease times.
authoritative N/A boolean Allows to check and allocate leases to clients
based on the network segment they connect
from.
leasequery N/A boolean Allows to specify if the server should respond to
DHCPLEASEQUERY packets sent by CMTSs,
i.e. send back lease information (creation/expir-
ation date...).
ping-check N/A boolean Allows to check via ICMP request if the target
address is not used.
ping-timeout N/A duration in seconds The maximum timeout answer for a ping from
the DHCP server.
storm-detection-check-request N/A number The number of requests that have to be received
in order to trigger the MAC address black listing.
Only MAC addresses associated with an IP ad-
dress are taken in account in the black list. It
means that the clients have to make a DHCP
request first with an IP address.
This parameter has to be used in conjunction
with the parameters storm-detection-check-sec
and storm-detection-ignore-sec.
If nothing is specified in the field, the default
value is 20. If you set a different value, it must
be between 1 and 65535.
storm-detection-check-sec N/A duration in seconds The period during which the system allows re-
quests. It then checks if it has more than X re-
quests in this time lap, then if it is over, it black-
lists the MAC for X seconds.
This parameter has to be used in conjunction
with the parameters storm-detection-check-re-
quest and storm-detection-ignore-sec.

1406

Name
storm-detection-ignore-sec
Lease Information
These options concern the technical mechanisms on the client side of SOLIDserver DHCP protocol.
Table D.4. Lease information options
Name
dhcp-rebinding-time
dhcp-renewal-time
WINS/NetBIOS
Table D.5. WINS/NetBIOS options
Name
netbios-dd-server
netbios-name-servers
netbios-node-type
netbios-scope
Host IP
Table D.6. Host IP options
Name
default-ip-ttl
DHCP Options
Code Value type Description
If nothing is specified in the field, the default
value is 2. If you set a different value, it must be
between 1 and 65535.
N/A duration in seconds The number of seconds during which any DHCP
request from the blacklisted device should be
ignored.
This parameter has to be used in conjunction
with the parameters storm-detection-check-re-
quest and storm-detection-check-sec.
If nothing is specified in the field, the default
value is 30. If you set a different value, it must
be between 1 and 65535.
Code Value type Description
59 duration in seconds The time interval from address assignment until
the client transitions to the REBINDING state.
58 duration in seconds The time interval from address assignment until
the client transitions to the RENEWING state.
Code Value type Description
45 list of IP addresses The list of NetBIOS datagram distribution servers
(NBDD), defined by RFC1001 and RFC1002.
These servers are sorted by order of preference.
44 list of IP addresses The list of WINS servers or of Net-BIOS name
servers (NBMS). These servers are sorted by
order of preference.
For more details, refer to RFC1001 available on
IETF website at https://tools.ietf.org/html/rfc1001
and to RFC1002 at
https://tools.ietf.org/html/rfc1002.
46 number The type of NetBIOS knot described in RFC1001
and RFC1002. The value is represented by a
numerical code: 1 for B-node, 2 for P-node, 4
for M-node, 8 for H-node.
47 text (name) The Netbios-scope name value of NetBIOS
scope specified in RFC1001 and RFC1002.
Code Value type Description
23 duration in seconds The default lifetime that the client must use to
send a datagram on the network. Valid values
between 1 and 255.
1407

Name
ip-forwarding
max-dgram-reassembly
non-local-source-routing
path-mtu-aging-timeout
path-mtu-plateau-table
policy-filter
subnet-selection
Interface
Table D.7. Interface options
Name
all-subnets-local
arp-cache-timeout
auto-configure
broadcast-address
classless-static-route
DHCP Options
Code Value type Description
19 boolean Allows to enable or disable IP forwarding, accord-
ingly the client should configure its IP layer for
packets forwarding.
For more details, refer to RFC1533 available on
IETF website at https://tools.ietf.org/html/rfc1533.
22 number The maximum size of datagram which the client
must prepare to assemble.
20 boolean Allow the source-routing forwarding if the next-
hop is on a different physical interface from that
crossed by the datagram.
For more details, refer to RFC1122 available on
IETF website at https://tools.ietf.org/html/rfc1122.
24 second The aging time for the Path MTU Discovery
defined for the client.
For more details, refer to RFC1191 available on
IETF website at https://tools.ietf.org/html/rfc1191.
25 list of numbers The list of MTU sizes for the PMTU RFC1191.
MTU sizes are prioritized by the order and do
not have to be lower than 68.
21 2 IP addresses The filtering policy for the non-local-source-
routing. These filters are defined by a list of
destination and netmask IP address couplets
which specify the destination of entering routes.
Any "routedsource" datagram not figuring in the
list of filters is destroyed.
118 IP address The DHCP server determines the subnet from
which the request originated.
For more details, refer to RFC3011 available on
IETF website at https://tools.ietf.org/html/rfc3011.
Code Value type Description
27 boolean Allows to ensure that all the subnets communic-
ating with the IP interface use the same MTU as
the physical interface.
35 duration in seconds The timeout in seconds for ARP cache entries.
116 boolean Allows to ask whether, and be notified if, auto-
configuration should be disabled on the local
subnet.
For more details, refer to the RFC2563 available
on IETF website at
https://tools.ietf.org/html/rfc2563.
28 IP address The broadcast address for the interface's subnet.
121 list of IP addresses Allows to use the routers used by the IP protocol
to set up a packet transmission path between
two IP hosts (one source and one destination
host) through the router IP address, listed in the
routing table.
This option obsoletes the Static Route option
(option 33).
1408

Name
default-tcp-ttl
ieee802-3-encapsulation
interface-mtu
mask-supplier
perform-mask-discovery
router-discovery
router-solicitation-address
static-routes
subnet-mask
tcp-keepalive-garbage
tcp-keepalive-interval
trailer-encapsulation
Servers
Table D.8. Server options
Name
cookie-servers
DHCP Options
Code Value type Description
For more details, refer to the RFC3442 available
on IETF website at
https://tools.ietf.org/html/rfc3442.
37 duration in seconds The default TTL that the client should use when
sending TCP segments.
36 boolean The encapsulation version to use on an Ethernet
interface, either Ethernet Version 2 or IEEE
802.3.
26 number The size of MTU to use for this interface, it
should be at least 68 bytes.
30 boolean Allows to specify if the interface must declare its
netmask during an ICMP echo.
29 boolean Allows to specify if the client should attempt an
ICMP discovery to find the subnet mask of the
local subnet they are connecting to via this inter-
face. Note that using this parameter is not recom-
mended, as the first response received is taken
into account and may be incorrect.
31 boolean Allows to specify the client should solicit routers
by the "Router Discovery" mechanism when
connecting via this interface.
For more details, refer to the RFC1256 available
on IETF website at
https://tools.ietf.org/html/rfc1256.
32 IP address The address by which, for this interface, the cli-
ent must emit its solicitation requests to the
routers.
33 2 IP addresses In the route interface's cache, the first entry in
the list is the destination address and the second
is the router's address. The default route
(0.0.0.0) is not tolerated here.
This option, introduced in RFC2132, was obsol-
eted by the Classless Static Route Option (option
121).
1 IP address The subnet mask for the network segment to
which the client is connected.
39 boolean Allows to specify if the client must send a
garbage byte with a keepalive message.
38 duration in seconds The time to wait before sending a keep alive
message on a TCP connection.
34 boolean Allows to specify if the client must negotiate the
use of trailers with ARP.
For more details, refer to the RFC893 available
on IETF website at
https://tools.ietf.org/html/rfc893.
Code Value type Description
8 list of IP addresses The list of cookie servers available for this client.
These servers are listed by order of preference.
1409
 DHCP Options

Name Code Value type Description

For more details, refer to the RFC865 available
on IETF website at
https://tools.ietf.org/html/rfc865.
finger-server 73 list of IP addresses The list of Finger servers. These servers are
sorted by order of preference.
font-servers 48 list of IP addresses The list of system-X Windows font servers
available for this client. These servers are sorted
by order of preference.
ien116-name-servers 5 list of IP addresses The list of IEN 116 name servers for this client.
These servers must be sorted by preference
order.
impress-servers 10 list of IP addresses The list of Imagen Impress servers available for
this client. These servers are listed by order of
preference.
irc-server 74 list of IP addresses The list of Internet Relay Chat server.
log-servers 7 list of IP addresses The list of UDP log servers (MIT-LCS syslog),
available for this client. These servers are listed
by order of preference.
lpr-servers 9 list of IP addresses The list of printer servers available for this client.
These servers are listed by order of preference.
For more details, refer to the RFC1179 available
on IETF website at
https://tools.ietf.org/html/rfc1179.
mobile-ip-home-agent 68 list of IP addresses The list of mobile IP home agent.
nis-servers 41 list of IP addresses The list of IP of NIS servers available for the cli-
ent. The servers can be sorted by order of pref-
erence.
nisplus-servers 65 list of IP addresses The list of IP addresses of NIS+ servers avail-
able for the client. The servers can be sorted by
order of preference.
nntp-server 71 list of IP addresses The list of NNTP news servers. These servers
are sorted by order of preference.
ntp-servers 42 list of IP addresses The list of NTP news servers. These servers are
sorted by order of preference.
pop-server 70 list of IP addresses The list of POP3 message servers. These serv-
ers are sorted by order of preference.
resource-location-servers 11 list of IP addresses The list of resource servers available for this
client. These servers are listed by order of pref-
erence.
For more details, refer to the RFC887 available
on IETF website at
https://tools.ietf.org/html/rfc887.
leasequery N/A boolean Allows to specify if the server should respond to
DHCPLEASEQUERY packets sent by CMTSs,
i.e. send back lease information (creation/expir-
ation date...).
smtp-server 69 list of IP addresses The list of SMTP message servers. These
servers are sorted by order of preference.
streettalk-directory-assistance- 76 list of IP addresses The list of IP addresses in order of preference
server for STDA servers available to the client.
Streettalk-server 75 list of IP addresses The list of StreetTalk servers. These servers are
sorted by order of preference.

1410
 DHCP Options

Name Code Value type Description

tftp-server-name 66 list of IP addresses The name of the TFTP server to use when the
field Sname is used to carry Options.
www-server 72 list of IP addresses The list of WEB servers.
x-display-manager 49 list of IP addresses The list of X Window XDM system servers.
These servers are sorted by order of preference.

BootP Compatible
Table D.9. BOOTP compatibility options
Name Code Value type Description
boot-size 13 number The length in block of 512 bytes of the boot im-
age file for this client.
bootfile-name 67 number The name of the boot file to use when the File
field is used to carry options.
cookie-servers 8 list of IP addresses The list of Cookie servers available. These
servers are sorted by order of preference.
For more details, refer to the RFC865 available
on IETF website at
https://tools.ietf.org/html/rfc865.
domain-name-servers 6 list of IP addresses The list of domain name servers (DNS), available
for this client. These servers are listed by order
of preference.
extensions-path 18 path The name of the file containing additional options
to be interpreted. The format is described in
RFC2132.
For more details, refer to the RFC2132 available
on IETF website at
https://tools.ietf.org/html/rfc2132.
impress-servers 10 list of IP addresses The list of Imagen Impress servers available for
this client. These servers are listed by order of
preference.
merit-dump 14 path The path of file in which the client must copy the
memory image in the event of a crash. This path
is constituted by a set of NVT ASCII characters.
resource-location-servers 11 list of IP addresses The list of resource servers available for this
client. These servers are listed by order of pref-
erence.
For more details, refer to the RFC887 available
on IETF website at
https://tools.ietf.org/html/rfc887.
root-path 17 path The path of the disk route for this client. This
path is constituted by a set of NVT ASCII char-
acters.
filename N/A file name The name of the boot file to use when the field
is used to carry options.
next-server N/A IP address Allows to specify the IP address of the server
from which the initial boot file (specified in the
statement filename) has to be loaded. The
server-name should be a numeric IP address.
If no next-server parameter applies to a given
client, the DHCP server's IP address is used.
Some clients prefer to receive the server name
in the server-name option.

1411
 DHCP Options

Name Code Value type Description

server-name N/A text (name) Allows to inform the client of the name of the
server from which it is booting.This name should
be the same as the one provided to the client.
swap-server 16 IP address The IP address of the client's Swap Server.
time-offset 2 duration in seconds The time offset from UTC (Coordinated Universal
Time).
time-servers 4 IP address The time server available for this DHCP client.

DHCP Packet Fields

Table D.10. Packet fields options
Name
dhcp-client-identifier
dhcp-parameter-request-list
dhcp-rebinding-time
dhcp-renewal-time
dhcp-server-identifier
user-class
vendor-class-identifier
vendor-encapsulated-options
Code Value type Description
61 text A unique identifier for DHCP clients. It allows to
identify clients using the option value rather than
their MAC address.
55 list of numbers Allows a DHCP client to request specific option
type values from the DHCP server. Each option
type is requested and listed by a number value
containing a valid or recognized DHCP option
code for the server.
59 duration in seconds The time interval from address assignment until
the client transitions to the REBINDING state.
58 duration in seconds The time interval from address assignment until
the client transitions to the RENEWING state.
54 IP address The identifier is the IP address of the selected
server.
77 text The information on the client class.
60 text Allows to identify the vendor type and configura-
tion of a DHCP client.
43 provided by the Allows to use encapsulated options provided by
vendor your vendor. The option can contain a single
vendor-specific value or one (or more) vendor-
specific sub-options. The configuration set for
each vendor is saved in a class. All the vendor
classes are kept separately in the DHCP server
configuration and trigger a unique response for
each vendor.

Microsoft DHCP Client

Table D.11. Microsoft DHCP client options
Name Code Value type Description
dhcp-lease-time 51 duration in seconds Allows to let the clients ask for the lease time of
the IP address they are allocated with a request
DHCPDISCOVER or DHCPREQUEST.
dhcp-rebinding-time 59 duration in seconds The time interval from address assignment until
the client transitions to the REBINDING state.
dhcp-renewal-time 58 duration in seconds The time interval from address assignment until
the client transitions to the RENEWING state.
dhcp-server-identifier 54 address The identifier is the IP address of the selected
server.

1412
 DHCP Options

Name Code Value type Description

domain-name
domain-name-servers
domain-search-list
netbios-name-servers
netbios-node-type
netbios-scope
routers
www-proxy-server
15 name The domain name that client should use when
resolving hostnames via the Domain Name
System.
6 list of IP addresses A list of Domain Name System name servers
available to the client. Servers should be listed
in order of preference.
135 list of domains In some circumstances, it is useful for the DHCP
client to be configured with the domain search
list. Note that Microsoft Windows 200x, XP do
not support a list of domain search.
44 list of IP addresses The list of Net-BIOS name servers (NBMS).
These servers are sorted by order of preference.
For more details, refer to RFC1001 available on
IETF website at https://tools.ietf.org/html/rfc1001
and to RFC1002 at
https://tools.ietf.org/html/rfc1002.
46 hexadecimal The NetBIOS node type option allows NetBIOS
over TCP/IP clients which are configurable to
be configured as described in RFC1001 and
RFC1002. Available values are: 0x1 = B-node;
0x2 = P-node; 0x4 = M-node; 0x8 = H-node .
47 name The NetBIOS over TCP/IP scope parameter for
the client as specified in RFC1001 and
RFC1002.
3 list of IP addresses A list of IP addresses for routers on the client's
subnet. Routers should be listed in order of
preference.
252 URL Allows to automatically configure proxy settings
for the client's browser. Specify the URL of the
server that stores the information.

NetWare Client
Table D.12. NetWare client options
Name Code Value type Description
nds-context 87 text The initial NDS context the client should use.
nds-servers 85 IP address One or more NDS servers for the client to con-
tact for access to the NDS database. Servers
should be listed in order of preference.
nds-tree-name 86 name The initial NDS context the client should use.
nwip-domain 62 name Allows to convey the NetWare/IP domain name
used by the NetWare/IP product.
autoretries 8 provided by the A list of Quote of the Day servers available to
vendor the client. The servers should be listed in order
of preference.
autoretry-secs 9 provided by the A list of LPR servers available to the client. The
vendor servers should be listed in order of preference.
nearest-nwip-server 7 provided by the A list of MIT-LCS UDP servers available to the
vendor client. The servers should be listed in order of
preference.
nsq-broadcast 5 provided by the A list of Name servers available to the client.
vendor The servers should be listed in order of prefer-
ence.

1413
 DHCP Options

Name Code Value type Description

nwip-1-1 10 provided by the A list of Imagen Impress servers available to the
vendor client. The servers should be listed in order of
preference.
preferred-dss 6 provided by the A list of DNS servers available to the client. The
vendor servers should be listed in order of preference.
primary-dss 11 provided by the A list of RLP servers available to the client. The
vendor servers should be listed in order of preference.
Slp-directory-agent 78 address IP The location of one or more SLP Directory
Agents.
Slp-service-scope 79 scope The scopes that a SLP Agent is configured to
use.

NIS/NISplus
Table D.13. NIS/NISplus options
Name Code Value type Description
nis-domain 40 name The name of the client's NIS domain. The do-
main is formatted as a character string consisting
of characters from the NVT ASCII character set.
nis-servers 41 list of IP addresses The list of IP addresses of NIS servers available
for the client. The servers can be sorted by order
of preference.
nisplus-domain 64 name The name of the client's NIS+ domain. The do-
main is formatted as a character string consisting
of characters from the NVT ASCII character set.
nisplus-servers 65 list of IP addresses A list of IP addresses indicating NIS+ servers
available to the client. Servers should be listed
in order of preference.

Miscellaneous
Table D.14. Miscellaneous DHCP options
Name Code Value type Description
Avaya-96xxx 242 ascii string The private use options - Useful for Avaya 96xxx
(Refer to vendor documentation)
Mitel-DSCP-Priority 133 unsigned integer Allows to set the IEEE 802.1D/P Layer 2 Priority,
between 1 and 6 useful for Mitel IP phones. For more details, refer
to vendor documentation.
Mitel-IP-PHONE 130 ascii string Allows to set a discrimination string, useful for
Mitel IP phones. For more details, refer to vendor
documentation.
Mitel-RTC-Controller 129 IP address Allows to set the IP address of the call server,
useful for Mitel IP phones. For more details, refer
to vendor documentation.
Mitel-TFTP-Server 128 IP address Allows to set the IP address of the TFTP server,
useful for Mitel IP phones. For more details, refer
to vendor documentation.
Mitel-VLAN-ID 132 unsigned integer Allows to set the VLAN ID, useful for Mitel IP
between 1 and 4094 phones. For more details, refer to vendor docu-
mentation.
default-url 114 ascii string The default URL to present in a web browser.

1414
 DHCP Options

Name Code Value type Description

For more details, refer to the RFC3679 available
on IETF website at
https://tools.ietf.org/html/rfc3679.
dhcp-max-message-size 57 unsigned integer Allows a DHCP client or server to specify the
maximum size of DHCP message it is willing to
accept. The minimum legal value is 576 bytes.
For more details, refer to the RFC2132 available
on IETF website at
https://tools.ietf.org/html/rfc2132.
dhcp-message 56 ascii string Allows a DHCP server to send an error message
to a message DHCPNAK to a client in the event
of a failure. The option can be used by the client
in a message DHCPDECLINE to indicate why
the client declined the offered parameters.
For more details, refer to the RFC2132 available
on IETF website at
https://tools.ietf.org/html/rfc2132.
dhcp-message-type 53 unsigned integer Allows to convey the type of the DHCP message
via an integer. Expected values: 1 (DHCPDIS-
COVER), 2 (DHCPOFFER), 3 (DHCPRE-
QUEST), 4 (DHCPDECLINE), 5 (DHCPACK),
6 (DHCPNAK) or 7 (DHCPRELEASE).
For more details, refer to the RFC2132 available
on IETF website at
https://tools.ietf.org/html/rfc2132.
dhcp-option-overload 52 see RFC Allows to indicate that the DHCP fields sname
or file are being overloaded when used to carry
DHCP options. Specify it if the returned paramet-
ers exceed the usual space alloted for options.
For more details, refer to the RFC2132 available
on IETF website at
https://tools.ietf.org/html/rfc2132.
dhcp-requested-address 50 IP address Allows DHCP clients to ask to be assigned a
particular IP address in their request (DHCPDIS-
COVER).
For more details, refer to the RFC2132 available
on IETF website at
https://tools.ietf.org/html/rfc2132.
domain-search 119 list of domains The DNS domain search list.
For more details, refer to the RFC3397 available
on IETF website at
https://tools.ietf.org/html/rfc3397.
name-service-search 117 see RFC The Name Service Search. For more details,
refer to the RFC2937 available on IETF website
at https://tools.ietf.org/html/rfc2937.
nwip-suboptions 63 see RFC The NetWare/IP option code will be used to
convey all the NetWare/IP related information
except for the NetWare/IP domain name.
For more details, refer to the RFC2242 available
on IETF website at
https://tools.ietf.org/html/rfc2242.
always-broadcast N/A boolean Allows to force the DHCP server to always
broadcast its responses to clients by setting this
flag to on for the relevant scope.
To avoid creating excess broadcast traffic on
your network, we recommend limiting this option
use to as few clients as possible.

1415
 DHCP Options

Name Code Value type Description

always-reply-rfc-1048 N/A boolean Allows the DHCP server to respond with an
RFC-1048-style vendor options fields even if the
BOOTP clients do not follow the RFC1048 when
sending their requests.
boot-unknown-clients N/A boolean Allows to decide whether or not to dynamically
assign addresses to unknown clients.
Dynamic address assignment to unknown clients
is allowed by default.
An unknown client is a client that has no host
declaration.
client-updates N/A boolean Allows to decide whether or not to honor the cli-
ent's intention to do its own update of its A re-
cord.
This is only relevant when doing interim DNS
updates.
log-facility N/A ascii string Allows the DHCP server to do all of its logging
on the specified log facility.
min-secs N/A unsigned integer The minimum number of seconds since a client
between 1 and 255 began trying to acquire a new lease before the
DHCP server responds to its request.
remote-port N/A unsigned integer Allows the DHCP server to transmit DHCP re-
between 0 and sponses to DHCP clients upon the UDP port
65535 specified in port, rather than on port 68.
stash-agent-options N/A boolean Allows a server to record the relay agent inform-
ation options sent to a given client, during the
initial DHCPREQUEST message, when the client
was in the SELECTING state.
The server behaves as if these options were in-
cluded in all subsequent DHCPREQUEST
messages sent in the RENEWING state.
update-optimization N/A boolean Allows the server, if set to false, to attempt a
DNS update for a client each time they renew
their lease, rather than only attempting an update
when it appears to be necessary.
This will allow the DNS to heal from database
inconsistencies more easily, but the cost is that
the DHCP server must do many more DNS up-
dates.
We recommend enabling this option, its default
setting, as it only affects the behavior of the in-
terim DNS update scheme, and has no effect
on the ad-hoc DNS update scheme.
update-static-leases N/A boolean Allows the DHCP server to do DNS updates for
clients even if these clients are being assigned
thei IP address using a fixed-address statement.
This can only work with the interim DNS update
scheme.
It is not recommended because the DHCP
server has no way to tell that the update has
been done, and therefore will not delete the re-
cord when it is not in use.
vivco 124 binary The V-I Vendor Class, or Vendor-Identifying
Vendor Class. For more details, refer to the
RFC3925 available on IETF website at
https://tools.ietf.org/html/rfc3925.

1416
 DHCP Options

Name Code Value type Description

vivso 125 binary The V-I Vendor-Specific Information, or Vendor-
Identifying Vendor-Specific Information. For more
details, refer to the RFC3925 available on IETF
website at https://tools.ietf.org/html/rfc3925.

Vendor Nwip
All NetWare/IP Domain Name options below apply to servers, so when configuring these options,
make sure to list all the servers in order of preference. For more details, refer to the RFC2242
available on IETF website at https://tools.ietf.org/html/rfc2242.

Table D.15. Vendor Nwip options

Name Code Value type Description
autoretries 8 provided by the A list of Quote of the Day servers available to
vendor the client.
autoretry-secs 9 provided by the A list of LPR servers available to the client.
vendor
nearest-nwip-server 7 provided by the A list of MIT-LCS UDP servers available to the
vendor client.
nsq-broadcast 5 provided by the A list of Name servers available to the client.
vendor
nwip-1-1 10 provided by the A list of Imagen Impress servers available to the
vendor client.
preferred-dss 6 provided by the A list of DNS servers available to the client.
vendor
primary-dss 11 provided by the A list of RLP servers available to the client.
vendor

Vendor MSFT
Table D.16. Vendor MSFT options
Name
default-routers-ttl
disable-netbios
release-on-shutdown
Code Value type Description
3 list of IP addresses A list of 32 bit IP addresses for routers on the
client's subnet. The routers should be listed in
order of preference.
1 provided by the The subnet mask for the network segment to
vendor which the client is connected.
2 provided by the The offset of the client's subnet in seconds from
vendor Coordinated Universal Time (UTC).

1417
Appendix E. MAC Address Types
References
This appendix lists all the MAC address types used in SOLIDserver that you can display on the
page DHCP All statics both in IPv4 and IPv6. There is a set of 31 different types of MAC addresses
that you can specify when adding or editing DHCP statics. Each type corresponds to a protocol
that has been assigned a reference number defined in the IANA Address Resolution Protocol
(ARP). In the GUI, this reference adds an extra byte at the beginning of the MAC addresses listed
in the column MAC address on the page All statics. Typically, the MAC addresses listed in this
column look as follows: <1_byte_MAC_type_reference>:<6_bytes_MAC_address>.

The different types of MAC addresses can be listed separately from the MAC address itself using
the DHCP static MAC type column. This column displays two columns: the column MAC type
that displays the MAC type code (except for Ethernet that is listed in full letters) and the column
MAC address that displays the MAC address in its traditional format.

Note that every reference is listed in hexadecimal form in the wizard. Therefore, the ARP
parameter 10 (for Autonet) is listed as 0a and so forth.

Table E.1. Supported MAC address types references

MAC type Reference
Unknown Any hexadecimal reference number, as long as it is not already listed below.
Ethernet 01
Experimental ethernet 02
Amateur radio AX25 03
Proteon ProNET Token Ring 04
Chaos 05
Token Ring 06
ARCNET 07
FDDI 08
Lanstar 09
Autonet 0a
LocalTalk 0b
LocalNet 0c
Ultralink 0d
SMDS 0e
Frame Relay 0f
ATM 15
HDLC 11
Fibre Channel 12
Serial Line 14
MIL-STD-188-220 16
Metricom 17
IEEE 1394.1995 18
MAPOS 19
Twin Axial 1a

1418
 MAC Address Types References

MAC type Reference

EUI-64 1b
HIPARP 1c
IP/ARP over ISO 7816-3 1d
ARPSec 1e
IPSec tunnel 1f
InfiniBand 20

1419
Appendix F. Custom AWS IAM Policy
Route 53 Minimal Permissions
Before managing Amazon Route 53 servers from the GUI, you must configure your Amazon
Account to grant sufficient permissions to users.

From AWS Management console, the service Identity and Access Management (IAM) allows to
manage the user permissions of your account via policies, ideally set on groups.

Among the default policies, you can assign the predefined IAM policy AmazonRoute53FullAccess
to allow users to manage Amazon Route 53 servers. However, if it is too permissive, you can
add a custom policy.

Before adding and assigning a custom policy, note that the IAM policy should contain the fol-
lowing minimal permissions. The AWS expected format may change without notice.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"route53:GetChange",
"route53:GetHostedZone",
"route53:GetReusableDelegationSetLimit",
"route53:ChangeResourceRecordSets",
"route53:CreateQueryLoggingConfig",
"route53:GetReusableDelegationSet",
"route53:CreateVPCAssociationAuthorization",
"route53:ListTagsForResource",
"route53:DeleteVPCAssociationAuthorization",
"route53:ListTagsForResources",
"route53:ListResourceRecordSets",
"route53:ChangeTagsForResource",
"route53:DeleteHostedZone",
"route53:GetHostedZoneLimit",
"route53:AssociateVPCWithHostedZone",
"route53:UpdateHostedZoneComment",
"route53:DeleteQueryLoggingConfig"
],
"Resource": [
"arn:aws:route53:::hostedzone/*",
"arn:aws:route53:::change/*",
"arn:aws:route53:::queryloggingconfig/*",
"arn:aws:route53:::delegationset/*"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"route53:GetAccountLimit",
"route53:ListReusableDelegationSets",
"route53:CreateHostedZone",
"route53:DisassociateVPCFromHostedZone",
"route53:TestDNSAnswer",
"route53:ListHostedZones",
"route53:GetHostedZoneCount",
"route53:ListHostedZonesByName"
],

1420
 Custom AWS IAM Policy Route 53
Minimal Permissions

"Resource": "*"
}
]
}

Once the permissions of your Amazon account are configured, you can add Amazon Route53
servers. For more details, refer to the section Managing Amazon Route 53 Servers in the chapter
Managing DNS Servers.

1421
Appendix G. DNS Resource Records
Configuration Fields
This appendix details the fields to configure when adding resource records to a DNS or DNSSEC
master zone.

Note that if you add records to a smart architecture managing server(s), the last page of the
wizard returns a warning message if any server does not support their type. You can force the
addition to add them to the server(s) that do support them.

To add a resource record to a master zone

1. In the sidebar, go to DNS > RRs. The page All RRs opens.
2. In the column Zone, click on the name of the master zone of your choice. The page refreshes
and only displays the records it contains.
3. In the menu, click on Add. The wizard Add a DNS RR opens.
4. If custom classes are enabled at record level, in the list DNS RR class select a class or
None.
Click on NEXT . The next page opens.
If no custom class is enabled, the class dedicated page is automatically skipped. Note that
applying a class on an object can impact the configuration fields available and/or required.
5. In the drop-down list RR type, select the type of your choice.
6. Set the RR Name and TTL according to your needs.
7. Configure the record:
a. To configure a DNS record, refer to the table DNS resources records configuration fields.
b. To configure a DNSSEC record, refer to the table DNSSEC resources records configur-
ation fields.
8. Click on OK to complete the operation.The report opens and closes.The record is now listed.

Note that only the records supported by SOLIDserver are detailed, these records may not be
supported by all DNS servers. For more details on supported servers, refer to the section Adding
Resource Records in the chapter Managing DNS Resource Records.

Table G.1. DNS resources records configuration fields

Record type Related field(s) Description
A IP address The IPv4 Address of the host.
AAAA IPv6 address The IPv6 Address of the host.
AFSDB Preference The version of AFS service used: 1 (AFS version 3.0) or 2 (OSF DCE/NCA
version).
AFS server The AFS hostname.
CAA Flags An integer, between 0 and 255, that influences the interpretation of the
record. 0 means that the record is not critical.
Property identifier The CAA record tag, including but not limited to the following.
issue authorizes a single certificate authority to issue a certificate of any
type for the hostname.
issuewild authorizes a single certificate authority to issue a wildcard cer-
tificate for the hostname.

1422
 DNS Resource Records
Configuration Fields

Record type Related field(s) Description

iodef specifies the URL to which a certificate authority may report policy
violations.
Value The domain of the CA associated with the tag or a URL, depending on
the tag specified in the Property identifier.
CERT Type An integer 0 and 65535 that specifies the type of certificate where 1 is
PKIX, 2 is SPKI, 3 is PGP, 4 is IPKIX, 5 is ISPKI, 6 is IPGP, 7 is ACPKIX,
8 is IACPKIX, 253 is URI and 254 is OID.
Key tag The certificate's key tag, a 16-bit value computed for the key embedded
in the certificate.
Algorithm The public key's cryptographic algorithm.
Certificate or CRL The certificate, encoded in base-64 format.
The record CERT is described in RFC 4398 available at https://tools.ietf.org/html/rfc4398.
CNAME Hostname The hostname.
DHCID Key The encoded DHCP client identifier (DUID) in a binary format, encoded
in base-64.
For more details, refer to the section 3 of RFC 4701, available at
https://tools.ietf.org/html/rfc4701#section-3.
DNAME Domain The name of a subdomain of the zone.
HINFO CPU Select the CPU description in the drop-down list. If yours is not listed,
type it in the field and let the default value in the list (Other).
OS Select the OS in the drop-down list. If yours is not listed, type it in the
field and let the default value in the list (Other).
MINFO Responsible email The email address of the administrator of the mail list.
Error email The email address that should receive the error messages regarding the
mail list.
MX Preference An integer, between 0 and 65535, that defines which server has priority
if there are several records in the zone. The lowest the value has the
priority over the other server(s).
Mail server The mail server hostname.
The accepted configuration of MX and NS records is detailed in the section 10.3 of RFC 2181,
available at https://tools.ietf.org/html/rfc2181.
NAPTR Order An integer, between 0 and 65535, that defines which RR has priority if
there are several NAPTR records in the zone. The lowest the value has
the priority over the other record(s).
Preference An integer, between 0 and 65535, that defines which RR has priority if
there are several NAPTR records have the same order in the zone. The
lowest the value has the priority over the other record(s).
Flags The string that corresponds to the action you want your client application
to perform. The flag specified impacts the data expected in the field Ser-
vices, Regex and/or Replace.
Services The services parameters to which applies the action specified in the field
Flags. You must respect your client application syntax.
Regex The string that contains a substitution expression matching the format
<delimit ereg delimit substitution delimit flag> to which applies the action
specified the field Flags.
Replace An FQDN domain name to which applies the action specified the field
Flags. You can specify no domain name if you type in . (dot) in the field.
The record NAPTR is described in RFC 3403, available at https://tools.ietf.org/html/rfc3403.
NS DNS server The DNS server hostname.

1423
 DNS Resource Records
Configuration Fields

Record type Related field(s) Description

The accepted configuration of MX and NS records is detailed in the section 10.3 of RFC 2181,
available at https://tools.ietf.org/html/rfc2181.
NSAP Name The NSAP address of the end system. It should start with 0x and not ex-
ceed 255 hexadecimal characters separated by dots.
The NSAP RR is described in the RFC 1706, available at https://tools.ietf.org/html/rfc1706.
OPENPGPKEY Key The OpenPGP public key, without the last line. The last line is preceded
by the character =.
The record OPENPGPKEY is described in RFC 7629, available at
https://tools.ietf.org/html/rfc7929.
PTR Localization The hostname that should be returned when the address is queried.
SSHFP Algorithm An integer that identifies the algorithm used by the Public Key: 1 (RSA),
2 (DSA), 3 (ECDSA) or 4 (Ed25519).
Type An integer that identifies the type of fingerprint used: 1 (SHA-1) or 2 (SHA-
256).
Fingerprint An hexadecimal string representing the hash result.
SRV Priority An integer, between 0 and 65535, that defines which server has priority
if there are several SRV records in the zone. The lowest the value has
the priority over the other server(s).
Weight An integer, between 0 and 65535, that defines the server weight. If two
SRV records have the same priority, the weight defines which one is more
used. The field gives priority to the SRV RR with the greatest weight
value: the greater the value is, the more the server is solicited. If you type
in 0, there is no weighting.
Ports The port number that delivers the service to the target.
Target The hostname of the server delivering the service.
TXT Text The description of your choice (max. 255 characters including spaces).
TLSA Certificate Usage The association data provided to match the certificate presented in the
TLS handshake. It is identified via an integer, between 0 and 255, among
the the following.
1 specifies an end entity certificate, or the public key the certificate. It
must be matched with the end entity certificate given by the server in
TLS.
2 specifies a certificate, or the public key the certificate. It must be used
as the Trust anchor when validating the end entity certificate given by the
server in TLS.
3 specifies a certificate, or the public key the certificate. It must match
the end entity certificate given by the server in TLS.
Selector The part of the TLS certificate that the server presents to compare with
the association data, where 0 is the Full certificate and 1 is the Subject-
PublicKeyInfo.
Matching Type The way the association data is presented, where 0 is the Exact match
on selected content, 1 is an SHA-256 hash of selected content and 2 is
an SHA-512 hash of selected content.
Certificate Associ- The certificate association data to be matched. The expected value in
ation Date the field is a string of hexadecimal characters, it can include spaces.
The record TLSA is described in RFC 6698, available at https://tools.ietf.org/html/rfc6698.
URI Priority An integer, between 0 and 65535, that defines which target URI has pri-
ority if there are several URI records in the zone. The lowest value has
the priority over the other URI.
Weight An integer, between 0 and 65535, that defines the target URI weight. If
two URI records have the same priority, the weight defines which one is
more used. The field gives priority to the URI record with the greatest

1424
 DNS Resource Records
Configuration Fields

Record type Related field(s) Description

weight value, the greater the value is, the more the URI is solicited. If you
type in 0, there is no weighting.
Target The targeted URI, specified using the syntax described in the RFC3986.
The record URI is described in RFC 3986, available at https://tools.ietf.org/html/rfc3986.
WKS IP address The IPv4 Address of the host that contains the services listed in the field
Services.
Protocol The protocol that suites your needs.
Services The list of needed services.
The WKS record type is obsolete.

Table G.2. DNSSEC resources records configuration fields

Record type Related field(s) Description
CDNSKEY Flags The zone key flag.
Protocol The protocol value.
Algorithm The public key's cryptographic algorithm.
Key The public key material.
The records CDNSKEY is described in RFC 7344, available at https://tools.ietf.org/html/rfc7344.
CDS Key Tag The key tag of the DS record of the zone used in the delegation.
Key Algorithm The algorithm key of the DS record of the zone used in the delegation.
Digest Type The digest type of the DS record of the zone used in the delegation.
Digest The digest of the DS record of the zone used in the delegation.
The records CDS is described in RFC 7344, available at https://tools.ietf.org/html/rfc7344.
DNSKEY Flags The zone key flag.
Protocol The protocol value.
Algorithm The public key's cryptographic algorithm.
Key The public key material.
DS Key Tag The child zone DS key tag.
Key Algorithm The child zone DS algorithm key.
Digest Type The child zone DS digest type.
Digest The child zone DS digest.

For more details on DNSSEC configurations, refer to the chapter DNSSEC.

1425
DNS
DNS IPAM DHCP
IPAM properties
Update IPAM: yes DHCP properties IPAM properties
DNS SPACE DHCP failover channel: failover-dhcp1.mycorp.com
DHCP Push leases to IPAM: yes
SERVER DNS properties SERVER
Add a PTR: yes DNS properties Use client name (FQDN): yes
ns1.mycorp.com America DNS server: ns1.mycorp.com dhcp1.mycorp.com DNS properties
DNS view: intranet Update DNS: yes
Update DNS: yes

DNS properties
VIEW NETWORK Add a DNS reverse zone for every terminal network added: yes
BLOCK Default domain: mycorp.com
intranet USA DNS server for reverse zone: ns1.mycorp.com

IPAM
10.6.0.0/15 DNS view for reverse zone: intranet

NEW SCOPE
NEW IPAM properties NEW NETWORK SUBNET Name: New York
NEW NETWORK SUBNET NETWORK
ZONE ZONE REVERSE 10.6.0.0/24 Gateway offset: -1 Name: New York 10.6.0.0/24 SCOPE
ZONE SUBNET 10.6.0.0/24 DHCP option
mycorp.com Name: routers: 10.6.0.254
0.6.10.in-addr.arpa

DHCP properties NEW POOL NEW RANGE

POOL Add a DHCP range: yes Name: Manhattan Name: RANGE

1426
10.6.0.1-10.6.0.50 10.6.0.1-10.6.0.50

NEW IP ADDRESS
IP ADDRESS IP address: 10.6.0.42 NEW LEASE
RECORD RECORD TWO NEW IP Address: 10.6.0.42 ADDRESS IP address: 10.6.0.42 MAC: ab:ba:12:34:ab:ba LEASE
RECORDS Name: laptop.mycorp.com MAC: ab:ba:12:34:ab:ba Name: laptop.mycorp.com
Name: laptop.mycorp.com
Type: A Type: PTR IP: 10.6.0.42
Name: laptop.mycorp.com

DHCP properties NEW IP ADDRESS

NEW IP ADDRESS
TWO NEW IP Address: 10.6.0.100 Add a DHCP
IP Address: 10.6.0.100 NEW
RECORD RECORD ADDRESS MAC address: be:ef:00:00:be:ef STATIC
STATIC
RECORDS Name: client.mycorp.com static: yes Name: client.mycorp.com
Type: A Type: PTR IP: 10.6.0.100 IPAM advanced properties
IP Address: 10.6.0.100 Push leases to IPAM: yes
Name: client.mycorp.com MAC address: be:ef:00:00:be:ef Use client name (FQDN): yes
DHCP advanced properties
DHCP advanced properties DHCP failover channel: failover-dhcp1.mycorp.com Name: client.mycorp.com DNS advanced properties
NEW RECORD DHCP failover channel: failover-dhcp1.mycorp.com Add a DHCP range: yes Update DNS: yes
Add a DHCP range: yes
RECORD NEW IP ADDRESS Add a DHCP static: yes DNS advanced properties
Type: A IP Address: 10.6.0.142 ADDRESS DNS server: ns1.mycorp.com
DNS advanced properties DNS view: intranet
Value: 10.6.0.142 Name: pc Name: pc.mycorp.com DNS server: ns1.mycorp.com Default domain: mycorp.com
Complete name: pc.mycorp.com DNS view: intranet DNS server for reverse zone: ns1.mycorp.com
Default domain: mycorp.com DNS view for reverse zone: intranet
DNS server for reverse zone: ns1.mycorp.com Update DNS: yes
DNS view for reverse zone: intranet IPAM advanced properties
NEW Update DNS: yes Gateway offset: -1
RECORD RECORD IPAM advanced properties
Gateway offset: -1
Type: PTR
Value: pc.mycorp.com Name: 142
IPAM advanced properties Complete name: 142.0.6.10.in-addr.arpa
Update IPAM: yes
DNS advanced properties
Add a PTR: yes
Appendix H. Advanced Properties

Figure H.1. All the advanced properties between the modules IPAM, DNS and DHCP

DHCP
 Advanced Properties

On EfficientIP DHCP servers, if IPAM to DHCP, DHCP to IPAM and IPAM to DNS advanced
properties are configured, DHCP statics do not update the DNS until the client connects to the
network. When clients with static reservation connect to the network, they are allocated a lease
and that lease information is sent to the DNS to add the matching record once the IPAM is updated.

DHCP IPAM DNS

IPAM properties DHCP properties
DHCP Push leases to IPAM: yes SPACE DHCP failover channel:
DNS
SERVER failover-dhcp1.mycorp.com
SERVER
DNS properties
dhcp1.mycorp.com Update DNS: yes America Add a DHCP static: yes ns1.mycorp.com
DNS properties
DNS server: ns1.mycorp.com
NETWORK DNS view: intranet VIEW
BLOCK Default domain: mycorp.com
USA Update DNS: yes intranet
10.6.0.0/15

NETWORK ZONE
SCOPE SUBNET
New York New York mycorp.com
10.6.0.0/24 10.6.0.0/24

RANGE POOL
10.6.0.1-10.6.0.50 Manhattan
10.6.0.1-10.6.0.50

NEW
STATIC IP Address: 10.6.0.10
IP Address: 10.6.0.10 MAC address: be:ef:00:00:be:ef
MAC address: be:ef:00:00:be:ef Name: <empty>
Name: <empty>

The client connects NEW IP

ADDRESS
to the network

NEW IP Address: 10.6.0.10 NEW

LEASE MAC address: be:ef:00:00:be:ef RECORD
Name: myname.mycorp.com
IP Address: 10.6.0.10 Type: A
MAC address: be:ef:00:00:be:ef DHCP advanced properties IP Address: 10.6.0.10
Name: myname.mycorp.com DHCP failover channel: failover-dhcp1.mycorp.com Name: myname.mycorp.com
Add a DHCP static: yes
IPAM advanced properties
Push leases to IPAM: yes DNS advanced properties
DNS server: ns1.mycorp.com
DNS advanced properties DNS view: intranet
Update DNS: yes Default domain: mycorp.com
Update DNS: yes

Figure H.2. The replication of DHCP statics in the DNS for EfficientIP DHCP servers

1427
Appendix I. Multi-Status Messages
This appendix provides a list of messages returned in the column Multi-status in the modules:
• DHCP.
• DNS.
• Application.

For more details, refer to the section Understanding the Column Multi-Status in the chapter Un-
derstanding the GUI.

DHCP Multi-Status Messages

Code Level Message
60000 Multistatus 60000: Communications-interrupted.
60001 Multistatus 60001: Partner-down.
60002 Multistatus 60002: Recovering.
60003 Multistatus 60003: Starting up.
60004 Multistatus 60004: Server management via SNMP can only be in read-only. We recommend to
update to SSL.
60005 Multistatus 60005: This server type is no longer supported. To manage a Microsoft server, create
a "Microsoft DHCP" server.
60006 Multistatus 60006: The shared network is not saved in the DHCP server configuration until it is
associated with at least one scope.
60007 Multistatus 60007: The shared network is not saved in the DHCP server configuration until it is
associated with at least one scope.
60008 Multistatus 60008: The prefix delegation is not saved in the DHCP server configuration until it
belongs to a shared network associated with at least one scope.

DNS Multi-Status Messages

Code Level Message
61000 Multistatus 61000: Zone type incompatible with Hybrid.
61001 Multistatus 61001: Hybrid servers cannot manage authoritative and recursive zones.
61002 Multistatus 61002: Hybrid does not support forward on authoritative servers.
61003 Multistatus 61003: Hybrid does not support forwarders on authoritative servers.
61004 Multistatus 61004: Hybrid server with authoritative zones cannot be recursive.
61005 Multistatus 61005: RR type incompatible with Hybrid.
61006 Multistatus 61006: Server type incompatible with Hybrid.
61007 Multistatus 61007: TSIG keys not supported on Hybrid recursive servers.
61008 Multistatus 61008: Hybrid servers do not support views.
61009 Multistatus 61009: Hybrid does not support forwarding configuration on authoritative servers.
61010 Multistatus 61010: Zone type incompatible with Route 53.
61011 Multistatus 61011: RR type incompatible with Route 53.
61012 Multistatus 61012: Route 53 servers do not support views.
61013 Multistatus 61013: At least one character in the value of the record is not supported by Route
53 servers.

1428
 Multi-Status Messages

Code Level Message

61014 Multistatus 61014: Only TLD zones are replicated on Route 53 servers.
61015 Multistatus 61015: Maximum number of AWS zones reached.
61016 Multistatus 61016: Maximum number of RRset per AWS zone reached.
61017 Multistatus 61017: Maximum number of records per RRset per AWS zone reached.
61018 Multistatus 61018: This RPZ zone cannot be replicated on one of the physical servers of the
smart.
61019 Multistatus 61019: The syntax of the BIND include file is incorrect.
61020 Multistatus 61020: RRL is not supported on this version of BIND.
61021 Multistatus 61021: RRL is not supported on this DNS server.
61022 Multistatus 61022: The zone name does not comply with AWS format.
61023 Multistatus 61023: The server has no GSS-TSIG key.
61024 Multistatus 61024: Server management via SNMP can only be in read-only. We recommend to
update to SSL.
61025 Multistatus 61025: This server type is no longer supported. To manage a Microsoft server, create
a "Microsoft DNS" server.
61026 Multistatus 61026: The zone has records configured with geolocation routing policy. You cannot
edit or delete it from our GUI.
61027 Multistatus 61027: The zone has records configured with routing policy or health check option.
You cannot edit or delete it from our GUI.
61028 Multistatus 61028: Hybrid servers must be managed via a smart architecture.
61029 Multistatus 61029: Maximum number of Azure zones reached.
61030 Multistatus 61030: Zone type incompatible with Azure DNS.
61031 Multistatus 61031: RR type incompatible with Azure DNS.
61032 Multistatus 61032: Maximum number of RRsets per Azure zone reached.
61033 Multistatus 61033: Only TLD zones are replicated on Azure DNS servers.
61034 Multistatus 61034: Azure DNS servers do not support views.
61035 Multistatus 61035: Maximum number of records per RRset per Azure zone reached.
61036 Multistatus 61036: The architecture contains views.They are not supported by one of its servers.
61037 Multistatus 61037: The architecture contains zone types not supported by one of its servers.
61038 Multistatus 61038: The architecture contains RPZ zones. They are not supported by one of its
servers.
61039 Multistatus 61039: The architecture contains record types not supported by one of its servers.
61040 Multistatus 61040: A delegation set of Amazon Route 53 servers cannot have a conflicting do-
main.
61041 Multistatus 61041: TXT record value not supported on Amazon Route 53 servers.
61042 Multistatus 61042: Maximum number of private Azure zones reached.
61043 Multistatus 61043: Maximum number of RRset per private Azure zone reached.
61044 Multistatus 61044: This zone is misconfigured. It belongs to a server configured with at least
one VPC already associated with this private domain.
61045 Multistatus 61045: Maximum number of zones configured with this delegation set reached.

Application Multi-Status Messages

Code Level Message
62001 Multistatus 62001: A node was disabled due to the health check result.

1429
Appendix J. Configuring OpenID
Authentication
To authenticate external users via OpenID Connect, you must:
1. Take into account prerequisites and limitations detailed in the section Adding OpenID Authen-
tication of the chapter Managing Authentication Rules.
2. Configure the relevant environment:
• Either configure the authentication details on Google and then on SOLIDserver side.
• Or configure the authentication details on Azure side and then on SOLIDserver side.

Configuring OpenID Authentication for Google

To authenticate Google users you must:
1. Configure the authentication of SOLIDserver from the API configuration console of the relevant
Google project.
2. Create and configure the file /data1/etc/httpd/post/ext-identity.inc on SOLIDserver appliance.

Keep in mind that if you configure the authentication on appliances in High Availability, you must
perform both operations on each appliance.

Configuring the Authentication from Google

You must register an application in the relevant Google project that enables the authentication
on your SOLIDserver appliance.

To configure the authentication in Google project

1. From any browser, log in to your Google account.
2. Access Google developer console at https://console.developers.google.com/getting-started.
3. In the left menu, click on Credentials. The creation form opens.
4. In the drop-down list Create credentials, select OAuth client ID. The page Create client ID
opens.
5. In the list Application type, tick Web application.
6. In the field Name, name the OAuth client ID application.
7. In the section Restrictions, in the field Authorized redirect URIs, specify the URL of your
SOLIDserver appliance. Leave the field Authorized JavaScript origins empty.
The full external URL usually looks as follows: https://<solidserver>.int.efficientip.com/au-
th/redirect_uri
8. Click on Create.
9. In the list of credentials, copy the value of the client ID and client secret of the application.

Now that you have configured the application and retrieved the client ID and secret, you can
configure the authentication on SOLIDserver.

1430
 Configuring OpenID Authentication

Configuring the Authentication via SOLIDserver CLI

Now that Google is set to authorize authentications on your SOLIDserver appliance, you must
configure SOLIDserver to do the same, via CLI.

Users with administrative rights over SSH connections to SOLIDserver must create and configure
the file ext-identity.inc, it incorporates authentication details directly in the configuration of the
service Apache, or httpd.

Keep in mind that there is a validation check for this file, and any invalid configuration may prevent
the service from running properly or prevent you from accessing the GUI altogether.

To incorporate Google users authentication via OpenID Connect in SOLIDserver

1. Connect to your appliance using an SSH session or a port console and root permissions.
2. Create and configure the file /data1/etc/httpd/post/ext-identity.inc to incorpor-
ate all authentication details:
• <client-id> is the Client ID you retrieved when you configured the authentication in
Google Project.
• <secret> is your Client Secret.
• <solidserver> is the SOLIDserver appliance for which you are configuring the authen-
tication.
• <passphrase> is the passphrase of your choice.
The complete file must look as follows:
Define UseModAuthOpenIDC

<IfDefine UseModAuthOpenIDC>
LoadModule auth_openidc_module libexec/apache24/mod_auth_openidc.so

OIDCProviderMetadataURL
"https://accounts.google.com/.well-known/openid-configuration"
OIDCClientID "<client-id>"
OIDCClientSecret "<secret>"
OIDCRedirectURI "https://<solidserver>.int.efficientip.com/auth/redirect_uri"
OIDCCryptoPassphrase "<passphrase>"
OIDCScope "openid email"
OIDCSessionInactivityTimeout 900
OIDCCacheType "file"

</IfDefine>

3. Make sure the whole configuration file is still viable using the command:
apachectl configtest

If no errors are returned and the file syntax is OK, go to the next step. If not, you must edit
the content of the included file(s) because you might no longer be able to access or GUI or
prevent the service from running.
4. Once the configuration is OK, restart the Apache daemon to take into account your changes
with the command:
apachectl restart

5. Make sure the daemon is running with the command:

apachectl status

1431
 Configuring OpenID Authentication

When the file is ready, you can add the OpenID authentication rule and complete the authentic-
ation. For more details, refer to the section Adding the OpenID Authentication Rule in the chapter
Managing Authentication Rules.

Configuring OpenID Authentication for Azure

To authenticate Microsoft Azure users you must:
1. Configure the authentication of SOLIDserver from Azure.
2. Create and configure the file /data1/etc/httpd/post/ext-identity.inc on SOLIDserver appliance.

Keep in mind that if you configure the authentication on appliances in High Availability, you must
perform both operations on each appliance.

Configuring the Authentication from Azure

You must register an application in Azure Active Directory that enables the authentication on
your SOLIDserver appliance.

To configure the authentication in Azure Active Directory

1. From any browser, log in to your Azure account.
2. Access Azure Active Directory.
3. Register an application:
a. In the left menu, click on App Registration.
b. Click on New Registration. The creation forms opens.
c. In the field Name, name your application.
d. In the section Supported Account Types, select the type of your choice.
e. In the section Redirect URI, select WEB and specify the URI of your SOLIDserver ap-
pliance.
The full external URL usually looks as follows: https://<solidserver>.int.efficientip.com/au-
th/redirect_uri
f. Click on Register. The new application is listed.
4. Click on the application you just registered. The application overview opens.
5. Configure the application. It must have:
• An Implicit grant for ID tokens.
• A Client secret, among the Certificates & keys.
• A Token Configuration that includes the claims email and upn.
6. Copy the value of the Client secret of the application.
7. In the left menu, go back to the application Overview.
8. Copy the value of the Tenant ID and Client ID of the application.

Now that you have configured the application and retrieved the tenant ID, client ID and client
secret, you can configure the authentication on SOLIDserver.

Configuring the Authentication via SOLIDserver CLI

Now that Microsoft Azure is set to authorize authentications on your SOLIDserver appliance, you
must configure SOLIDserver to do the same, via CLI.

1432
 Configuring OpenID Authentication

Users with administrative rights over SSH connections to SOLIDserver must create and configure
a file ext-identity.inc, that you must name. It incorporates authentication details directly in the
configuration of the service Apache, or httpd.

Keep in mind that there is a validation check for this file, and any invalid configuration may prevent
the service from running properly or prevent you from accessing the GUI altogether.

To incorporate Microsoft users authentication via OpenID Connect in SOLIDserver

1. Connect to your appliance using an SSH session or a port console and root permissions.
2. Create and configure the file /data1/etc/httpd/post/ext-identity.inc to incorpor-
ate all authentication details:
• <tenant-id> is your Tenant ID.
• <client-id> is your Client ID.
• <secret> is your client secret.
• <solidserver> is the hostname of the SOLIDserver appliance for which you are config-
uring the authentication.
• <passphrase> is the passphrase of your choice.
The complete file must look as follows:
Define UseModAuthOpenIDC

<IfDefine UseModAuthOpenIDC>
LoadModule auth_openidc_module libexec/apache24/mod_auth_openidc.so

OIDCProviderMetadataURL
"https://login.microsoftonline.com/<tenant-id>/v2.0/.well-known/openid-configuration"

OIDCClientID "<client-id>"
OIDCClientSecret "<secret>"
OIDCRedirectURI "https://<solidserver>.int.efficientip.com/auth/redirect_uri"
OIDCCryptoPassphrase "<passphrase>"
OIDCScope "openid profile email"
OIDCSessionInactivityTimeout 900
OIDCCacheType "file"

</IfDefine>

3. Make sure the whole configuration file is still viable using the command:
apachectl configtest

If no errors are returned and the file syntax is OK, go to the next step. If not, you must edit
the content of the included file(s) because you might no longer be able to access or GUI or
prevent the service from running.
4. Once the configuration is OK, restart the Apache daemon to take into account your changes
with the command:
apachectl restart

5. Make sure the daemon is running with the command:

apachectl status

When the file is ready, you can add the OpenID authentication rule and complete the authentic-
ation. For more details, refer to the section Adding the OpenID Authentication Rule in the chapter
Managing Authentication Rules.

1433
Appendix K. SNMP Metrics
This appendix provides a list of the most relevant indicators, the SNMP metrics, you can monitor
from an external solution.

The SNMP metrics are detailed in Management Information Bases (MIB) that formally describe
the network objects you can monitor. The MIB content is hierarchized thanks to a suite of numbers
called Object IDentifiers (OID). All the OIDs of a MIB are organized like a tree of information with
common trunks appended by unique ends that refer to a specific node, a unique set of information.
Each OID node can therefore match a network object, such as the status of a power supply, or
a specific property of the network object, like a variable name or values.

This appendix includes proprietary, IANA, IEEE and IETF managed MIBs:
• IDRAC-MIB
• UCD-SNMP-MIB
• HOST-RESOURCES-MIB
• IF-MIB
• EIP-STATS
• EIP-DNSGUARDIAN
• EIP-MON-MIB

To monitor SNMP metrics:

• You must meet the prerequisites.
• You should have a look at how they are presented in this appendix.
• You may need to know to retieve SNMP metrics via CLI.

All metrics are distributed in the following sections:

• Monitoring the Hardware.
• Monitoring the System.
• Monitoring the DHCP Service.
• Monitoring the DNS Service.
• Monitoring DNS Guardian.

Prerequisites
• Have an Internet connection and your credentials ready to download the files *.mib on our
1
download portal .
You can get a tree overview of each MIB at http://www.oidview.com.
• Make sure each monitored SOLIDserver is configured to allow the SNMP collector to retrieve
the SNMP information:
• From SOLIDserver, you must configure the SNMP agent with an access list using either
community strings in SNMP v1/v2c, or authentication credentials in SNMP v3.
By default, a v1/v2c profile exists with the community string public. For more details, refer
to the section Configuring the SNMP Server.

1
At https://downloads.efficientip.com/support/downloads/MIBs/, log in using your credentials. If you do not have credentials yet, request
them at www.efficientip.com/support-access.

1434
 SNMP Metrics

• From the SNMP collector's side, you must use SNMP v2c or v3 and configure the external
monitoring solution to ensure it can access SOLIDserver SNMP agent and leverage the
metrics that you need.
Note that you can also configure SNMP traps.

Once your system is properly configured, you can set various SNMP alerts on SOLIDserver objects
to be notified of any unusual behavior. For more details, refer to the chapter Managing Alerts.

Understanding the SNMP Metrics Presentation

Within this appendix, OIDs are detailed in tables as follows:

Table K.1. How OIDs are described

.x.x.x.x.x.x.xxx.xxxxx.x.x.xxx.xx.x.x The OID of the metric
Variable name: <name>. The name of the OID, as declared in the MIB Type: <type>
Description: <description>. Information on the OID. The OID value format.
Expected values: <value>. The value(s) that the OID can return.

In addition, the OIDs presented can be followed by an asterisk * .

The asterisk represents subsets, for which, the default value of the first object can be 0 or 1. In
the case of the OID 1.3.6.1.4.1.674.10892.5.4.600.12.1.5.1.*, if you have two power supply units:
• You can specify 1.3.6.1.4.1.674.10892.5.4.600.12.1.5.1.0 to retrieve the status of the first
supply unit, or
• You can specify 1.3.6.1.4.1.674.10892.5.4.600.12.1.5.1.1 to retrieve the status of the second
one.

Retrieving SNMP Metrics via CLI

You can retrieve the value of an object manually via CLI with a command snmpget or snmpwalk
on the monitored host IP address.

In the following example, we execute the command snmpget via SNMP v2c with the community
string public to retrieve the OID .1.3.6.1.4.1.674.10892.5.4.600.12.1.5.1.1 (the status of the first
power supply) and the value 3 (the status ok). This OID is described the IDRAC-MIB:

snmpget -v2c -c public -On<host-IP-address>

.1.3.6.1.4.1.674.10892.5.4.600.12.1.5.1.1.1.3.6.1.4.1.674.10892.5.4.600.12.1.5.1.1 =
INTEGER: 3

You can also use the command snmpwalk to search and list information of all the objects in a
particular subset. Here, requesting .1.3.6.1.4.1.674.10892.5.4.600.12.1.5.1 returns the status of
two power supplies:

snmpwalk -v2c -c public -On<host-IP-address>

.1.3.6.1.4.1.674.10892.5.4.600.12.1.5.1.1.3.6.1.4.1.674.10892.5.4.600.12.1.5.1.1 = INTEGER:
3.1.3.6.1.4.1.674.10892.5.4.600.12.1.5.1.2 = INTEGER: 3

Note that for OIDs followed by an asterisk *:

• To execute an snmpget command on a subset, you must specify the number of the object
you are requesting. The default value of the first object can be 0 or 1.
• To execute an snmpwalk command on a subset, specify the OID without the .* characters.

1435
 SNMP Metrics

Monitoring the Hardware

Note that the metrics in this section only apply to hardware appliances. They provide inform-
ation on physical hardware components to ensure they are perfectly running and maximize hosted
service availability. To monitor virtual and software SOLIDserver appliances, refer to the other
sections.

A Nagios compatible plug-in is available on Github: https://github.com/dangmocrang/check_idrac.

Power Unit
All the OIDs described in this section are part of the MIB extension IDRAC-MIB.

Table K.2. Power unit

.1.3.6.1.4.1.674.10892.5.4.600.10.1.8
Variable name: powerUnitStatus Type: integer
Description: The status of the power unit.
Expected values: ok (i.e. 3)

Power Redundancy
All the OIDs described in this section are part of the MIB extension IDRAC-MIB.

Table K.3. Power redundancy

.1.3.6.1.4.1.674.10892.5.4.600.10.1.5
Variable name: powerUnitRedundancyStatus Type: integer
Description: The redundancy status of the power unit.
Expected values: full or notRedundant (i.e. 3 or 6)

Power Supply
All the OIDs described in this section are part of the MIB extension IDRAC-MIB.

Table K.4. Power supply

.1.3.6.1.4.1.674.10892.5.4.600.12.1.5.1.*
Variable name: powerSupplyStatus Type: integer
Description: The status of the power supply.
Expected value: ok (i.e. 3)
.1.3.6.4.1.674.10892.5.4.600.12.1.9.1.*
Variable name: PowerSupplyInputVoltage Type: integer
Description: The current power supply input in Volts.

CPU
All the OIDs described in this section are part of the MIB extension IDRAC-MIB.

Table K.5. CPU

.1.3.6.1.4.1.674.10892.5.4.600.50.1.5.1.*
Variable name: ProcessorDeviceStatus Type: integer

1436
 SNMP Metrics

Description: The status of the CPU socket.

Expected values: ok (i.e. 3)

Memory
All the OIDs described in this section are part of the MIB extension IDRAC-MIB.

Table K.6. Memory

.1.3.6.1.4.1.674.10892.5.4.1100.50.1.5.1.*
Variable name: MemoryDeviceStatus Type: integer
Description: The status of the memory slot.
Expected values: ok (i.e. 3)

Virtual Disk
All the OIDs described in this section are part of the MIB extension IDRAC-MIB.

Table K.7. Virtual disk

.1.3.6.1.4.1.674.10892.5.5.1.20.140.1.1.4.*
Variable name: VirtualDiskState Type: integer
Description: The status of the RAID Controller Status for the virtual disk.
Expected values: online (i.e. 3)

Physical Disk
All the OIDs described in this section are part of the MIB extension IDRAC-MIB.

Table K.8. Physical disk

.1.3.6.1.4.1.674.10892.5.5.1.20.130.4.1.4.*
Variable name: PhysicalDiskState Type: integer
Description: The status of the physical disk.
Expected values: online (i.e. 3)

Temperature
All the OIDs described in this section are part of the MIB extension IDRAC-MIB.

Table K.9. Temperature

.1.3.6.1.4.1.674.10892.5.4.700.20.1.5.1.*
Variable name: TemperatureProbeStatus Type: integer
Description: The status of the temperature probe.
Expected values: ok (i.e. 3)
.1.3.6.1.4.1.674.10892.5.4.700.20.1.6.1.*
Variable name: TemperatureProbeReading Type: integer
Description: The current temperature in tenths of degrees Centigrade.

1437
 SNMP Metrics

Fan
All the OIDs described in this section are part of the MIB extension IDRAC-MIB.

Table K.10. Fan

.1.3.6.1.4.1.674.10892.5.4.700.12.1.5.1.*
Variable name: CoolingDeviceStatus Type: integer
Description: The status of the fan.
Expected values: ok (i.e. 3)

Monitoring the System

SOLIDserver relies on common SNMP embedded MIB extensions. Many plug-ins on GitHub,
2
developed for Centreon, are Nagios compatible and can be used with SOLIDserver :

• CPU load: loadaverage.pm

• Memory usage: memory.pm
• Swap usage: swap.pm
• Disk usage: check_disk_snmp.pl - Note that diskusage.pm plug-in is not compatible with
SOLIDserver embedded MIB.
• Network traffic: interfaces.pm
• Running processes: processcount.pm

These metrics should be graphed over time for troubleshooting purposes.

CPU Core Usage

All the OIDs described in this section are part of the MIB extension HOST-RESOURCES-MIB.

Table K.11. CPU Core Usage Average 1 min

.1.3.6.1.2.1.25.3.3.1.2.*
Variable name: hrProcessorLoad Type: integer
Description: The average percentage of time the CPU core was not idle over the last minute.

CPU(s) Load
All the OIDs described in this section are part of the MIB extension UCD-SNMP-MIB.

Table K.12. CPU(s) Load Average 5 min

.1.3.6.1.4.1.2021.10.1.6.2.*
Variable name: laLoadInt Type: integer
Description: The load of all the system's CPUs on an average of 5 min.
Expected values: Value should remain below the number of CPU cores
.1.3.6.1.4.1.2021.10.1.6.2
Variable name: CPUcount Type: integer
Description: The number of CPU cores is equal to the number of entries returned by an snmpwalk command
on this OID.

2
https://github.com/centreon/centreon-plugins

1438
 SNMP Metrics

Memory Usage
All the OIDs described in this section are part of the MIB extension UCD-SNMP-MIB.

Table K.13. Memory usage

.1.3.6.1.4.1.2021.4.5.0
Variable name: memTotalReal Type: integer
Description: The total amount of physical memory in bytes.
.1.3.6.1.4.1.2021.4.6.0
Variable name: memAvailReal Type: integer
Description: The amount of physical available memory in bytes.
.1.3.6.1.4.1.2021.4.15.0
Variable name: memCached Type: integer
Description: The amount of cached memory in bytes.
.1.3.6.1.4.1.2021.4.14.0
Variable name: memBuffer Type: integer
Description: The amount of buffer memory in bytes.

Swap Usage
All the OIDs described in this section are part of the MIB extension UCD-SNMP-MIB.

Table K.14. Swap usage

.1.3.6.1.4.1.2021.4.3.0
Variable name: memTotalSwap Type: integer
Description: The total amount of swap space in bytes.
.1.3.6.1.4.1.2021.4.4.0
Variable name: memAvailSwap Type: integer
Description: The amount of swap space currently unused or available in bytes.
.1.3.6.1.4.1.2021.4.16
Variable name: memUsedSwapTXT Type: integer
Description: The amount of swap space currently in use in bytes.

Disk IO
SOLIDserver is deployed on top of the physical RAID controller. In the ucdDiskIOMIB, diskIOTable
lists all available devices.

The RAID virtual drive should be identified by the following names: ad[0-9], ada[0-9], mfid[0-9].*.
Other listed devices should be ignored.

Any sudden and persistent increase in the metrics should be noticed.

All the OIDs described in this section are part of the MIB extension UCD-SNMP-MIB.

Table K.15. Disk IO

.1.3.6.1.4.1.2021.13.15.1.1.2.*
Variable name: diskIODevice Type: octetstring

1439
 SNMP Metrics

Description: The name of the device(s).

.1.3.6.1.4.1.2021.13.15.1.1.5.*
Variable name: diskIOReads Type: integer
Description: The number of read accesses from the device(s) since boot.
.1.3.6.1.4.1.2021.13.15.1.1.6.*
Variable name: diskIOWrites Type: integer
Description: The number of write accesses to the device(s) since boot.

Disk Usage
Usage should remain under 80% for each mount point's total disk size entry, i.e. the system paths
/, /dev, /tmp, /var, /proc or /data1.

Any sudden and rapid increase in the metrics should be noticed.

All the OIDs described in this section are part of the MIB extension HOST-RESOURCES-MIB.

Table K.16. Disk usage

.1.3.6.1.2.1.25.2.3.1.3.*
Variable name: hrStorageDescr Type: octetstring
Description: A description of the type and instance of the storage described by this entry.
.1.3.6.1.2.1.25.2.3.1.4.*
Variable name: hrStorageAllocationUnits Type: integer
Description: The size of the data objects allocated from this pool in bytes. If this entry is monitoring sectors,
blocks, buffers, or packets, for example, this number will commonly be greater than one. Otherwise this
number will typically be one.
.1.3.6.1.2.1.25.2.3.1.5.*
Variable name: hrStorageSize Type: integer
Description: The size of the storage represented by this entry, in units of hrStorageAllocationUnits. This
object is writable to allow remote configuration of the size of the storage area in the cases where such an
operation makes sense and is possible on the underlying system. For example, the amount of main memory
allocated to a buffer pool might be modified or the amount of disk space allocated to virtual memory might
be modified.
.1.3.6.1.2.1.25.2.3.1.6.*
Variable name: hrStorageUsed Type: integer
Description: The amount of the storage represented by this entry that is allocated, in units of hrStorageAl-
locationUnits.

Network Traffic
Any NIC with ifAdminStatus set to up (i.e. 1) should also have an ifOperStatus set to up (i.e. 1).
Any sudden and rapid increase in the metrics of discard or error packet count should be noticed.

All the OIDs described in this section are part of the MIB extension IF-MIB.

Table K.17. Network traffic

.1.3.6.1.2.1.2.2.1.7.*
Variable name: ifAdminStatus Type: integer
Description: The NIC admin status, i.e. the desired state of the interface. The testing state (i.e. 3) indicates
that no operational packets can be passed.

1440
 SNMP Metrics

Expected values: up (i.e. 1) or down (i.e. 2). When the system initializes, all interfaces should be down
(i.e. 2) until explicit notice from the system to set it up (i.e. 1).
.1.3.6.1.2.1.2.2.1.8.*
Variable name: ifOperStatus Type: integer
Description: The NIC operational status, i.e. the current operational state of the interface.
Expected values: up (i.e. 1), down (i.e. 2), testing (i.e. 3), dormant (i.e. 5) or notPresent (i.e. 6).
It should be up (i.e. 1), if ifAdminStatus is up (i.e. 1), when the interface is ready to transmit or receive network
traffic.
It should be down (i.e. 2) if ifAdminStatus is down (i.e. 2) or if there is a fault that prevents it from being up
(i.e. 1).
It remains in the state testing (i.e. 3) if no operational packets can be passed.
It should be up dormant (i.e. 5) when the interface is waiting for external actions, such as a serial line
waiting for an incoming connection.
It should be notPresent (i.e. 6) if the interface is missing, usually hardware, components.
.1.3.6.1.2.1.2.2.1.10.*
Variable name: ifInOctets Type: integer
Description: The total traffic received through the interface, including framing characters, in bytes.
.1.3.6.1.2.1.2.2.1.16.*
Variable name: ifOutOctets Type: integer
Description: The total traffic transmitted out of the interface, including framing characters, in bytes.
.1.3.6.1.2.1.2.2.1.13.*
Variable name: ifInDiscards Type: integer
Description: The number of inbound packets which were chosen to be discarded even though no errors
had been detected to prevent their being deliverable to a higher-layer protocol. One possible reason for
discarding such a packet could be to free up buffer space.
.1.3.6.1.2.1.2.2.1.19.*
Variable name: ifOutDiscards Type: integer
Description: The number of outbound packets which were chosen to be discarded even though no errors
had been detected to prevent their being transmitted. One possible reason for discarding such a packet
could be to free up buffer space.
.1.3.6.1.2.1.2.2.1.14.*
Variable name: ifInErrors Type: integer
Description: The number of inbound packets that contained errors preventing them from being deliverable
to a higher-layer protocol. For character- oriented or fixed-length interfaces, the number of inbound trans-
mission units that contained errors preventing them from being deliverable to a higher-layer protocol.
.1.3.6.1.2.1.2.2.1.20.*
Variable name: ifOutErrors Type: integer
Description: The number of outbound packets that could not be transmitted because of errors. For char-
acter-oriented or fixed-length interfaces, the number of outbound transmission units that could not be
transmitted because of errors.

Running Processes
SOLIDserver relies on several processes to operate:

• IPMServer, Postgres and HTTPd should always be running on the monitored SOLIDserver.
• DHCPd should be listed in the hrSWRunName table when running the DHCP service on the
monitored SOLIDserver.

1441
 SNMP Metrics

• Named should be listed in the hrSWRunName table when running the DNS service on the
monitored SOLIDserver. Exception is made for the Hybrid DNS engine where Named (both
authoritative and recursive) can be replaced by NSD (authoritative) or Unbound (recursive).

All the OIDs described in this section are part of the MIB extension HOST-RESOURCES-MIB.

Table K.18. Running processes

.1.3.6.1.2.1.25.4.2.1.2.<PID>
Variable name: hrSWRunName Type: octetstring
Description: The process name, i.e. a textual description of the process, including the manufacturer, revision,
and the name by which it is commonly known.
.1.3.6.1.2.1.25.4.2.1.4.<PID>
Variable name: hrSWRunPath Type: octetstring
Description: The process binary path, i.e. a description of the location on long-term storage, e.g. a disk
drive, from which the process was loaded.

Monitoring the DHCP Service

SOLIDserver relies on DHCPd to provide its DHCP service and metrics on the number of inform,
decline, release, request and discover messages received as well as ack, nack and offer answers
sent.

The EfficientIP proprietary MIB EIP-STATS references values as Integers, yet, they represent
counters. As in any counter, when the previous value is greater than the current one, this means
that the counter has either looped or has been reset. Therefore, itâ  s necessary to interpret
these values properly:

• Value > 0 : correct value = Value

3 4
• Value < 0 : correct value = MAXSIGNEDINT + (1 + ABS(MINSIGNEDINT ) + value)

These metrics should be graphed over time for troubleshooting purposes.

DHCP service
All the OIDs described in this section are part of the MIB extension EIP-STATS.

Table K.19. DHCP service

.1.3.6.1.4.1.2440.1.3.2.22.1.2.3.97.99.107
Variable name: ack Type: integer
Description: The number of ACK answers sent.
.1.3.6.1.4.1.2440.1.3.2.22.1.3.4.110.97.99.107
Variable name: nack Type: integer
Description: The number of NACK answers sent.
.1.3.6.1.4.1.2440.1.3.2.22.1.3.5.111.102.102.101.114
Variable name: offer Type: integer
Description: The number of OFFER answers sent.
.1.3.6.1.4.1.2440.1.3.2.22.1.3.6.105.110.102.111.114.109
Variable name: inform Type: integer

3
MAX Signed INT = 2147483647
4
MIN Signed INT = -2147483648

1442
 SNMP Metrics

Description: The number of INFORM messages received.

.1.3.6.1.4.1.2440.1.3.2.22.1.3.7.100.101.99.108.105.110.101
Variable name: decline Type: integer
Description: The number of DECLINE messages received.
.1.3.6.1.4.1.2440.1.3.2.22.1.3.7.114.101.108.101.97.115.101
Variable name: release Type: integer
Description: The number of RELEASE messages received.
.1.3.6.1.4.1.2440.1.3.2.22.1.3.7.114.101.113.117.101.115.116
Variable name: request Type: integer
Description: The number of REQUEST messages received.
.1.3.6.1.4.1.2440.1.3.2.22.1.3.8.100.105.115.99.111.118.101.114
Variable name: discover Type: integer
Description: The number of DISCOVER messages received.

Monitoring the DNS Service

SOLIDserver relies on BIND to provide its DNS service and metrics on the number of requests
over udp or tcp. The metrics also include IPv4 and IPv6 requests received by named or sent to
forwarder/authoritative servers as well as recursion.

The EfficientIP proprietary MIB EIP-STATS references values as Integers, yet, they represent
counters. As in any counter, when the previous value is greater than the current one, this means
that the counter has either looped or has been reset. Therefore, itâ  s necessary to interpret
these values properly:

• Value > 0 : correct value = Value

5 6
• Value < 0 : correct value = MAXSIGNEDINT + (1 + ABS(MINSIGNEDINT ) + value)

These metrics should be graphed over time for troubleshooting purposes.

General Name Server Statistics

All the OIDs described in this section are part of the MIB extension EIP-STATS.

Table K.20. General name server statistics

.1.3.6.1.4.1.2440.1.4.2.3.1.3.3.117.100.112
Variable name: udp Type: integer
Description: The number of queries received through UDP.
.1.3.6.1.4.1.2440.1.4.2.3.1.3.3.116.99.112
Variable name: tcp Type: integer
Description: The number of queries received through TCP.
.1.3.6.1.4.1.2440.1.4.2.3.1.3.9.114.101.113.117.101.115.116.118.52
Variable name: requestv4 Type: integer
Description: The number of queries received through IPv4.
.1.3.6.1.4.1.2440.1.4.2.3.1.3.9.114.101.113.117.101.115.116.118.54
Variable name: requestv6 Type: integer

5
MAX Signed INT = 2147483647
6
MIN Signed INT = -2147483648

1443
 SNMP Metrics

Description: The number of queries received through IPv6.

.1.3.6.1.4.1.2440.1.4.2.3.1.3.11.114.101.115.95.113.117.101.114.121.118.52
Variable name: res_queryv4 Type: integer
Description: The number of queries sent to external forwarder or authoritative servers using IPv4 for res-
olution.
.1.3.6.1.4.1.2440.1.4.2.3.1.3.11.114.101.115.95.113.117.101.114.121.118.54
Variable name: res_queryv6 Type: integer
Description: The number of queries sent to external forwarder or authoritative servers using IPv6 for res-
olution.
.1.3.6.1.4.1.2440.1.4.2.3.1.3.9.114.101.99.117.114.115.105.111.110
Variable name: recursion Type: integer
Description: The number of queries requiring recursion.
.1.3.6.1.4.1.2440.1.4.2.3.1.3.10.114.101.99.117.114.115.101.114.101.106
Variable name: recurserej Type: integer
Description: The number of rejected queries requiring recursion.
.1.3.6.1.4.1.2440.1.4.2.3.1.3.9.100.117.112.108.105.99.97.116.101
Variable name: duplicate Type: integer
Description: The number of duplicate queries received.
.1.3.6.1.4.1.2440.1.4.2.3.1.3.7.100.114.111.112.112.101.100
Variable name: dropped Type: integer
Description: The number of dropped queries.
.1.3.6.1.4.1.2440.1.4.2.3.1.3.9.114.101.115.95.114.101.116.114.121
Variable name: res_retry Type: integer
Description: The number of queries retried on external forwarder or authoritative servers.
.1.3.6.1.4.1.2440.1.4.2.3.1.3.8.114.101.115.112.111.110.115.101
Variable name: response Type: integer
Description: The number of responses sent.
.1.3.6.1.4.1.2440.1.4.2.3.1.3.14.114.101.115.95.114.101.115.112.111.110.115.101.118.52
Variable name: res_responsev4 Type: integer
Description: The number of responses from external forwarder or authoritative servers using IPv4.
.1.3.6.1.4.1.2440.1.4.2.3.1.3.14.114.101.115.95.114.101.115.112.111.110.115.101.118.54
Variable name: res_responsev6 Type: integer
Description: The number of responses from external forwarder or authoritative servers using IPv6.

DNS Resolution Queries Statistics

All the OIDs described in this section are part of the MIB extension EIP-STATS.

Table K.21. DNS resolution queries statistics

.1.3.6.1.4.1.2440.1.4.2.3.1.3.13.114.101.115.95.113.117.101.114.121.114.116.116.48
Variable name: res_queryrtt0 Type: integer
Description: The number of recursive queries with latency < 10ms.
.1.3.6.1.4.1.2440.1.4.2.3.1.3.13.114.101.115.95.113.117.101.114.121.114.116.116.49
Variable name: res_queryrtt1 Type: integer
Description: The number of recursive queries with latency >= 10ms & < 100ms.
.1.3.6.1.4.1.2440.1.4.2.3.1.3.13.114.101.115.95.113.117.101.114.121.114.116.116.50

1444
 SNMP Metrics

Variable name: res_queryrtt2 Type: integer

Description: The number of recursive queries with latency >= 100ms & < 500ms.
.1.3.6.1.4.1.2440.1.4.2.3.1.3.13.114.101.115.95.113.117.101.114.121.114.116.116.51
Variable name: res_queryrtt3 Type: integer
Description: The number of recursive queries with latency >= 500ms & < 800ms.
.1.3.6.1.4.1.2440.1.4.2.3.1.3.13.114.101.115.95.113.117.101.114.121.114.116.116.52
Variable name: res_queryrtt4 Type: integer
Description: The number of recursive queries with latency >= 800ms & < 1600ms.
.1.3.6.1.4.1.2440.1.4.2.3.1.3.13.114.101.115.95.113.117.101.114.121.114.116.116.53
Variable name: res_queryrtt5 Type: integer
Description: The number of recursive queries with latency >= 1600ms.

DNS Answers Statistics

All the OIDs described in this section are part of the MIB extension EIP-STATS.

Table K.22. DNS answers statistics

.1.3.6.1.4.1.2440.1.4.2.3.1.3.7.115.117.99.99.101.115.115
Variable name: success Type: integer
Description: The number of queries completed successfully, returning the message NOERROR (RCODE:
0).
.1.3.6.1.4.1.2440.1.4.2.3.1.3.7.102.111.114.109.101.114.114
Variable name: formerr Type: integer
Description: The number of queries with a wrong format, returning the message FORMERR (RCODE: 1).
.1.3.6.1.4.1.2440.1.4.2.3.1.3.8.115.101.114.118.102.97.105.108
Variable name: servfail Type: integer
Description: The number of queries the server failed to complete, returning the message SERVFAIL
(RCODE: 2).
.1.3.6.1.4.1.2440.1.4.2.3.1.3.8.110.120.100.111.109.97.105.110
Variable name: nxdomain Type: integer
Description: The number of queries where the domain name does not exist, returning the message
NXDOMAIN (RCODE: 3).
.1.3.6.1.4.1.2440.1.4.2.3.1.3.7.110.120.114.114.115.101.116
Variable name: nxrrset Type: integer
Description: The number of queries for which the RR set should exist but does not, returning the message
NXRRSET (RCODE: 8).
.1.3.6.1.4.1.2440.1.4.2.3.1.3.7.102.97.105.108.117.114.101
Variable name: failure Type: integer
Description: The number of queries failed for which the device sent another RCODE.

DNS Transfer Requests Statistics

All the OIDs described in this section are part of the MIB extension EIP-STATS.

Table K.23. DNS transfer requests statistics

.1.3.6.1.4.1.2440.1.4.2.3.1.3.7.120.102.114.100.111.110.101
Variable name: xfrdone Type: integer

1445
 SNMP Metrics

Description: The number of transfer queries successfully completed.

.1.3.6.1.4.1.2440.1.4.2.3.1.3.7.102.111.114.109.101.114.114
Variable name: xfrrej Type: integer
Description: The number of transfer queries rejected.

DNSSEC Validation Statistics

All the OIDs described in this section are part of the MIB extension EIP-STATS.

Table K.24. DNSSEC validation statistics

.1.3.6.1.4.1.2440.1.4.2.3.1.3.7.114.101.115.95.118.97.108
Variable name: res_val Type: integer
Description: The total number of DNSSEC validation attempts.
.1.3.6.1.4.1.2440.1.4.2.3.1.3.14.114.101.115.95.118.97.108.115.117.99.99.101.115.115
Variable name: res_valsuccess Type: integer
Description: The total number of DNSSEC validation successfully completed.
.1.3.6.1.4.1.2440.1.4.2.3.1.3.17.114.101.115.95.118.97.108.110.101.103.115.117.99.99.101.115
Variable name: res_valnegsuccess Type: integer
Description: The total number of DNSSEC NX validation successfully completed.
.1.3.6.1.4.1.2440.1.4.2.3.1.3.11.114.101.115.95.118.97.108.102.97.105.108
Variable name: res_valfail Type: integer
Description: The total number of DNSSEC validation failures.

Monitoring DNS Guardian

DNS Guardian provides advanced security through real time DNS traffic analysis and various
SNMP metrics relative to the cache, clients, queries, answers, protection modes, filters and network
traffic in general. For more details, refer to the part Guardian.

Each section describes OIDs regarding DNS Guardian cache and the cache of the its views. The
only way of monitoring DNS Guardian views is to know their identifier (ID). In the tables below
we provide the OIDs until the <view-ID> that you must provide as it depends on your configuration.
<view-ID> is an integer between 0 and 7.

Note that you can display additional statistics thanks to:

• The command help stats .
• The command help stats view=<view-ID> .

DNS Guardian metrics should be graphed over time for troubleshooting purposes.

Cache Size
All the OIDs described in this section are part of the MIB extension EIP-DNSGUARDIAN.

Table K.25. Cache size

.1.3.6.1.4.1.2440.1.11.2.4.5.0
Variable name: eipDNSGUARDIANStatCacheSize Type: gauge32
Description: The total number of entries in the cache.
.1.3.6.1.4.1.2440.1.11.2.3.1.5.<view-ID>

1446
 SNMP Metrics

Variable name: eipDNSGUARDIANViewStatCacheSize Type: gauge32

Description: The total number of entries in the cache of the specified view.

Client Size
All the OIDs described in this section are part of the MIB extension EIP-DNSGUARDIAN.

Table K.26. Client size

.1.3.6.1.4.1.2440.1.11.2.4.45.0
Variable name: eipDNSGUARDIANStatClientsSize Type: gauge32
Description: The total number of tracked client IP addresses.
.1.3.6.1.4.1.2440.1.11.2.3.1.45.<view-ID>
Variable name: eipDNSGUARDIANViewStatClientsSize Type: gauge32
Description: The total number of tracked client IP addresses in the specified view.

Cache Statistics
All the OIDs described in this section are part of the MIB extension EIP-DNSGUARDIAN.

Table K.27. Cache statistics

.1.3.6.1.4.1.2440.1.11.2.4.3.0
Variable name: eipDNSGUARDIANStatCacheHit Type: counter64
Description: The total number of cache hits (including hits in Quarantine and Rescue modes).
. 1.3.6.1.4.1.2440.1.11.2.3.1.3.<view-ID>
Variable name: eipDNSGUARDIANViewStatCacheHit Type: counter64
Description: The total number of cache hits (including hits in Quarantine and Rescue modes) in the cache
of the specified view.
.1.3.6.1.4.1.2440.1.11.2.4.4.0
Variable name: eipDNSGUARDIANStatCacheMiss Type: counter64
Description: The total number of cache misses (including misses in Quarantine and Rescue modes).
.1.3.6.1.4.1.2440.1.11.2.3.1.4.<view-ID>
Variable name: eipDNSGUARDIANViewStatCacheMiss Type: counter64
Description: The total number of cache misses (including misses in Quarantine and Rescue modes) in
the cache of the specified view.
.1.3.6.1.4.1.2440.1.11.2.4.10.0
Variable name: eipDNSGUARDIANStatCacheMissExist Type: counter64
Description: The total number of queries that did not hit the cache because the related entry has expired.
.1.3.6.1.4.1.2440.1.11.2.3.1.10.<view-ID>
Variable name: eipDNSGUARDIANViewStatCacheMissExist Type: counter64
Description: The total number of queries that did not hit the cache of the specified view because the related
entry has expired.
.1.3.6.1.4.1.2440.1.11.2.4.11.0
Variable name: eipDNSGUARDIANStatCacheMissNotExist Type: counter64
Description: The total number of queries that did not hit the cache because the related entry doesn't exist.
.1.3.6.1.4.1.2440.1.11.2.3.1.11.<view-ID>
Variable name: eipDNSGUARDIANViewStatCacheMissNotExist Type: counter64

1447
 SNMP Metrics

Description: The total number of queries that did not hit the cache because the related entry doesn't exist
in the cache of the specified view.

Quarantine Mode Cache Statistics

All the OIDs described in this section are part of the MIB extension EIP-DNSGUARDIAN.

Table K.28. Quarantine mode cache statistics

.1.3.6.1.4.1.2440.1.11.2.4.37.0
Variable name: eipDNSGUARDIANStatCacheHitQuarantine Type: counter64
Description: The total number of cache hits in Quarantine mode.
.1.3.6.1.4.1.2440.1.11.2.3.1.37.<view-ID>
Variable name: eipDNSGUARDIANViewStatCacheHitQuarantine Type: counter64
Description: The total number of cache hits in Quarantine mode in the cache of the specified view.
.1.3.6.1.4.1.2440.1.11.2.4.34.0
Variable name: eipDNSGUARDIANStatCacheMissQuarantine Type: counter64
Description: The total number of cache misses in Quarantine mode.
.1.3.6.1.4.1.2440.1.11.2.3.1.34.<view-ID>
Variable name: eipDNSGUARDIANViewStatCacheMissQuarantine Type: counter64
Description: The total number of cache misses in Quarantine mode in the cache of the specified view.
.1.3.6.1.4.1.2440.1.11.2.4.35.0
Variable name: eipDNSGUARDIANStatCacheMissExistQuarantine Type: counter64
Description: The total number of queries that did not hit the cache because the related entry has expired
in Quarantine mode.
.1.3.6.1.4.1.2440.1.11.2.3.1.35.<view-ID>
Variable name: eipDNSGUARDIANViewStatCacheMissExistQuarantine Type: counter64
Description: The total number of queries that did not hit the cache of the specified view because the related
entry has expired in Quarantine mode.
.1.3.6.1.4.1.2440.1.11.2.4.36.0
Variable name: eipDNSGUARDIANStatCacheMissNotExistQuarantine Type: counter64
Description: The total number of queries that did not hit the cache because the related entry doesn't exist
in Quarantine mode.
.1.3.6.1.4.1.2440.1.11.2.3.1.36.<view-ID>
Variable name: eipDNSGUARDIANViewStatCacheMissNotExistQuarantine Type: counter64
Description: The total number of queries that did not hit the cache of the specified view because the related
entry doesn't exist in Quarantine mode.

Rescue Mode Cache Statistics

All the OIDs described in this section are part of the MIB extension EIP-DNSGUARDIAN.

Table K.29. Rescue mode cache statistics

.1.3.6.1.4.1.2440.1.11.2.4.43.0
Variable name: eipDNSGUARDIANStatCacheHitRescue Type: counter64
Description: The total number of cache hits in Rescue mode.
.1.3.6.1.4.1.2440.1.11.2.3.1.43.<view-ID>
Variable name: eipDNSGUARDIANViewStatCacheHitRescue Type: counter64
Description: The total number of cache hits in Rescue mode in the cache of the specified view.

1448
 SNMP Metrics

.1.3.6.1.4.1.2440.1.11.2.4.40.0
Variable name: eipDNSGUARDIANStatCacheMissRescue Type: counter64
Description: The total number of cache misses in Rescue mode.
.1.3.6.1.4.1.2440.1.11.2.3.1.40.<view-ID>
Variable name: eipDNSGUARDIANViewStatCacheMissRescue Type: counter64
Description: The total number of cache misses in Rescue mode in the cache of the specified view.
.1.3.6.1.4.1.2440.1.11.2.4.41.0
Variable name: eipDNSGUARDIANStatCacheMissExistRescue Type: counter64
Description: The total number of queries that did not hit the cache because the related entry has expired
in Rescue mode.
.1.3.6.1.4.1.2440.1.11.2.3.1.41.<view-ID>
Variable name: eipDNSGUARDIANViewStatCacheMissExistRescue Type: counter64
Description: The total number of queries that did not hit the cache of the specified view because the related
entry has expired in Rescue mode.
.1.3.6.1.4.1.2440.1.11.2.4.42.0
Variable name: eipDNSGUARDIANStatCacheMissNotExistRescue Type: counter64
Description: The total number of queries that did not hit the cache because the related entry doesn't exist
in Rescue mode.
.1.3.6.1.4.1.2440.1.11.2.3.1.42.<view-ID>
Variable name: eipDNSGUARDIANViewStatCacheMissNotExistRescue Type: counter64
Description: The total number of queries that did not hit the cache of the specified view because the related
entry doesn't exist in Rescue mode.

Filters Statistics
All the OIDs described in this section are part of the MIB extension EIP-DNSGUARDIAN.

Table K.30. Filters statistics

.1.3.6.1.4.1.2440.1.11.2.4.47.0
Variable name: eipDNSGUARDIANStatRatelimitedQuery Type: counter64
Description:The number of queries per second dropped because source clients have reached the configured
query limit rate of 100 queries/s.
.1.3.6.1.4.1.2440.1.11.2.3.1.47.<view-ID>
Variable name: eipDNSGUARDIANViewStatRatelimitedQuery Type: counter64
Description: The number of queries per second dropped because source clients matching the specified
view have reached the configured query limit rate of 100 queries/s.
.1.3.6.1.4.1.2440.1.11.2.4.44.0
Variable name: eipDNSGUARDIANStatBlockedQuery Type: counter64
Description: The number of queries per second that were blocked once a trigger configured with the action
Block on the related sources has reached its threshold.
.1.3.6.1.4.1.2440.1.11.2.3.1.44.<view-ID>
Variable name: eipDNSGUARDIANViewStatBlockedQuery Type: counter64
Description: The number of queries per second that were blocked once a trigger configured with the action
Block on the related sources of the view has reached its threshold.
.1.3.6.1.4.1.2440.1.11.2.4.2<trigger-ID>.0
Variable name: eipDNSGUARDIANStatTrigger<trigger-ID>Armed Type: counter64

1449
 SNMP Metrics

Description: The number of times each specified trigger has been armed. Note that <trigger-ID> identifies
each of the 64 available triggers, in the Variable name it is an integer between 0 and 63 and in the OID it
is an integer between 00 and 63.
.1.3.6.1.4.1.2440.1.11.2.3.1.2<trigger-ID>.<view-ID>
Variable name: eipDNSGUARDIANViewStatTrigger<trigger-ID>Armed Type: counter64
Description: The number of times each specified trigger has been armed in the specified view.

Invalid Queries Statistics

All the OIDs described in this section are part of the MIB extension EIP-DNSGUARDIAN.

Table K.31. Invalid queries statistics

.1.3.6.1.4.1.2440.1.11.2.4.14.0
Variable name: eipDNSGUARDIANStatRecvInvalidDNSPacket Type: counter64
Description: The total number of invalid queries that were dropped.
.1.3.6.1.4.1.2440.1.11.2.3.1.14.<view-ID>
Variable name: eipDNSGUARDIANViewStatRecvInvalidDNSPacket Type: counter64
Description: The total number of invalid queries matching the specified view that were dropped.
.1.3.6.1.4.1.2440.1.11.2.4.15.0
Variable name: eipDNSGUARDIANStatRecvInvalidDNSByte Type: counter64
Description: The total traffic of invalid queries dropped in bytes.
.1.3.6.1.4.1.2440.1.11.2.3.1.15.<view-ID>
Variable name: eipDNSGUARDIANViewStatRecvInvalidDNSByte Type: counter64
Description: The total traffic of invalid queries matching the specified view dropped in bytes.

DNS Traffic Statistics

All the OIDs described in this section are part of the MIB extension EIP-DNSGUARDIAN.

Table K.32. DNS traffic statistics

.1.3.6.1.4.1.2440.1.11.2.4.8.0
Variable name: eipDNSGUARDIANStatRecvDNSPacket Type: counter64
Description: The total number of received queries.
.1.3.6.1.4.1.2440.1.11.2.3.1.8.<view-ID>
Variable name: eipDNSGUARDIANViewStatRecvDNSPacket Type: counter64
Description: The total number of received queries matching the specified view.
.1.3.6.1.4.1.2440.1.11.2.4.6.0
Variable name: eipDNSGUARDIANStatSendDNSPacket Type: counter64
Description: The total number of sent queries.
.1.3.6.1.4.1.2440.1.11.2.3.1.6.<view-ID>
Variable name: eipDNSGUARDIANViewStatSendDNSPacket Type: counter64
Description: The total number of sent queries matching the specified view.
.1.3.6.1.4.1.2440.1.11.2.4.9.0
Variable name: eipDNSGUARDIANStatRecvDNSByte Type: counter64
Description: The total incoming traffic in bytes.
.1.3.6.1.4.1.2440.1.11.2.3.1.9.<view-ID>
Variable name: eipDNSGUARDIANViewStatRecvDNSByte Type: counter64

1450
 SNMP Metrics

Description: The total incoming traffic matching the specified view in bytes.
.1.3.6.1.4.1.2440.1.11.2.4.7.0
Variable name: eipDNSGUARDIANStatSendDNSByte Type: counter64
Description: The total outgoing traffic in bytes.
.1.3.6.1.4.1.2440.1.11.2.3.1.7.<view-ID>
Variable name: eipDNSGUARDIANViewStatSendDNSByte Type: counter64
Description: The total outgoing traffic matching the specified view in bytes.

DNS Resolution Queries Statistics

All the OIDs described in this section are part of the MIB extension EIP-DNSGUARDIAN.

Table K.33. DNS resolution queries statistics

.1.3.6.1.4.1.2440.1.11.2.4.48.0
Variable name: eipDNSGUARDIANStatRTT10 Type: counter64
Description: The number of queries with a latency < 10ms.
.1.3.6.1.4.1.2440.1.11.2.3.1.48.<view-ID>
Variable name: eipDNSGUARDIANViewStatRTT10 Type: counter64
Description: The number of queries matching the specified view with a latency < 10ms.
.1.3.6.1.4.1.2440.1.11.2.4.49.0
Variable name: eipDNSGUARDIANStatRTT100 Type: counter64
Description: The number of queries with a latency >= 10ms & < 100ms.
.1.3.6.1.4.1.2440.1.11.2.3.1.49.<view-ID>
Variable name: eipDNSGUARDIANViewStatRTT100 Type: counter64
Description: The number of queries matching the specified view with a latency >= 10ms & < 100ms.
.1.3.6.1.4.1.2440.1.11.2.4.50.0
Variable name: eipDNSGUARDIANStatRTT500 Type: counter64
Description: The number of recursive queries with a latency >= 100ms & < 500ms.
1.3.6.1.4.1.2440.1.11.2.3.1.50.<view-ID>
Variable name: eipDNSGUARDIANViewStatRTT500 Type: counter64
Description: The number of recursive queries matching the specified view with a latency >= 100ms & <
500ms.
.1.3.6.1.4.1.2440.1.11.2.4.51.0
Variable name: eipDNSGUARDIANStatRTT800 Type: counter64
Description: The number of queries with a latency >= 500ms & < 800m.
.1.3.6.1.4.1.2440.1.11.2.3.1.51.<view-ID>
Variable name: eipDNSGUARDIANViewStatRTT800 Type: counter64
Description: The number of queries matching the specified view with a latency >= 500ms & < 800m.
.1.3.6.1.4.1.2440.1.11.2.4.52.0
Variable name: eipDNSGUARDIANStatRTT1600 Type: counter64
Description: The number of queries with a latency >= 800ms & < 1600ms.
.1.3.6.1.4.1.2440.1.11.2.3.1.52.<view-ID>
Variable name: eipDNSGUARDIANViewStatRTT1600 Type: counter64
Description: The number of queries matching the specified view with a latency >= 800ms & < 1600ms.
.1.3.6.1.4.1.2440.1.11.2.4.53.0
Variable name: eipDNSGUARDIANStatRTTMax Type: counter64

1451
 SNMP Metrics

Description: The number of queries with a latency >= 1600ms.

.1.3.6.1.4.1.2440.1.11.2.3.1.53.<view-ID>
Variable name: eipDNSGUARDIANViewStatRTTMax Type: counter64
Description: The number of queries matching the specified view with a latency >= 1600ms.

DNS Answers Statistics

All the OIDs described in this section are part of the MIB extension EIP-DNSGUARDIAN.

Table K.34. DNS answers statistics

.1.3.6.1.4.1.2440.1.11.2.4.101.0
Variable name: eipDNSGUARDIANStatReplyNOERROR Type: counter64
Description: The number of successful queries, returning the message NOERROR (RCODE: 0).
.1.3.6.1.4.1.2440.1.11.2.3.1.101.<view-ID>
Variable name: eipDNSGUARDIANViewStatReplyNOERROR Type: counter64
Description: The number of successful queries matching the specified view, returning the message NO-
ERROR (RCODE: 0).
.1.3.6.1.4.1.2440.1.11.2.4.102.0
Variable name: eipDNSGUARDIANStatReplyFORMERR Type: counter64
Description: The number of queries with a wrong format, returning the message FORMERR (RCODE: 1).
.1.3.6.1.4.1.2440.1.11.2.3.1.102.<view-ID>
Variable name: eipDNSGUARDIANViewStatReplyFORMERR Type: counter64
Description: The number of queries matching the specified view with a wrong format, returning the message
FORMERR (RCODE: 1).
.1.3.6.1.4.1.2440.1.11.2.4.103.0
Variable name: eipDNSGUARDIANStatReplySERVFAIL Type: counter64
Description: The number of queries the server failed to complete, returning the message SERVFAIL
(RCODE: 2).
.1.3.6.1.4.1.2440.1.11.2.3.1.103.<view-ID>
Variable name: eipDNSGUARDIANViewStatReplySERVFAIL Type: counter64
Description: The number of queries matching the specified view the server failed to complete, returning
the message SERVFAIL (RCODE: 2).
.1.3.6.1.4.1.2440.1.11.2.4.104.0
Variable name: eipDNSGUARDIANStatReplyNXDOMAIN Type: counter64
Description: The number of queries where the domain name does not exist, returning the message
NXDOMAIN (RCODE: 3).
.1.3.6.1.4.1.2440.1.11.2.3.1.104.<view-ID>
Variable name: eipDNSGUARDIANViewStatReplyNXDOMAIN Type: counter64
Description: The number of queries matching the specified view where the domain name does not exist,
returning the message NXDOMAIN (RCODE: 3).
.1.3.6.1.4.1.2440.1.11.2.4.105.0
Variable name: eipDNSGUARDIANStatReplyNOTIMP Type: counter64
Description: The number of queries for which the server did not implement the function, returning the
message NOTIMP (RCODE: 4).
1.3.6.1.4.1.2440.1.11.2.3.1.105.<view-ID>
Variable name: eipDNSGUARDIANViewStatReplyNOTIMP Type: counter64
Description: The number of queries matching the specified view for which the server did not implement
the function, returning the message NOTIMP (RCODE: 4).

1452
 SNMP Metrics

.1.3.6.1.4.1.2440.1.11.2.4.106.0
Variable name: eipDNSGUARDIANStatReplyREFUSED Type: counter64
Description: The number of queries the server refused to answer, returning the message REFUSED
(RCODE: 5).
1.3.6.1.4.1.2440.1.11.2.3.1.106.<view-ID>
Variable name: eipDNSGUARDIANViewStatReplyREFUSED Type: counter64
Description: The number of queries matching the specified view the server refused to answer, returning
the message REFUSED (RCODE: 5).
.1.3.6.1.4.1.2440.1.11.2.4.107.0
Variable name: eipDNSGUARDIANStatReplyYXDOMAIN Type: counter64
Description: The number of queries for which the name exists when it should not, returning the message
YXDOMAIN (RCODE: 6).
.1.3.6.1.4.1.2440.1.11.2.3.1.107.<view-ID>
Variable name: eipDNSGUARDIANViewStatReplyYXDOMAIN Type: counter64
Description: The number of queries matching the specified view for which the name exists when it should
not, returning the message YXDOMAIN (RCODE: 6).
.1.3.6.1.4.1.2440.1.11.2.4.108.0
Variable name: eipDNSGUARDIANStatReplyYXRRSET Type: counter64
Description: The number of queries for which the RR set exists when it should not, returning the message
YXRRSET (RCODE: 7).
.1.3.6.1.4.1.2440.1.11.2.3.1.108.<view-ID>
Variable name: eipDNSGUARDIANViewStatReplyYXRRSET Type: counter64
Description: The number of queries matching the specified view for which the RR set exists when it should
not, returning the message YXRRSET (RCODE: 7).
.1.3.6.1.4.1.2440.1.11.2.4.109.0
Variable name: eipDNSGUARDIANStatReplyNXRRSET Type: counter64
Description: The number of queries for which the RR set should exist but does not, returning the message
NXRRSET (RCODE: 8).
.1.3.6.1.4.1.2440.1.11.2.3.1.109.<view-ID>
Variable name: eipDNSGUARDIANViewStatReplyNXRRSET Type: counter64
Description: The number of queries matching the specified view for which the RR set should exist but
does not, returning the message NXRRSET (RCODE: 8).
.1.3.6.1.4.1.2440.1.11.2.4.120.0
Variable name: eipDNSGUARDIANStatReplyNOTAUTH Type: counter64
Description: The number of queries for which the server is not authoritative for the zone, returning the
message NOTAUTH (RCODE: 9).
.1.3.6.1.4.1.2440.1.11.2.3.1.120.<view-ID>
Variable name: eipDNSGUARDIANViewStatReplyNOTAUTH Type: counter64
Description: The number of queries matching the specified view for which the server is not authoritative
for the zone, returning the message NOTAUTH (RCODE: 9).
.1.3.6.1.4.1.2440.1.11.2.4.121.0
Variable name: eipDNSGUARDIANStatReplyNOTZONE Type: counter64
Description: The number of queries for which the name is not in the zone, returning the message NOTZONE
(RCODE: 10).
.1.3.6.1.4.1.2440.1.11.2.3.1.121.<view-ID>
Variable name: eipDNSGUARDIANViewStatReplyNOTZONE Type: counter64
Description: The number of queries matching the specified view for which the name is not in the zone,
returning the message NOTZONE (RCODE: 10).

1453
Appendix L. Class Studio Pre-defined
Variables
This appendix details how to configure a class with pre-defined variables. For more details re-
garding classes and all other class objects, refer to the chapter Configuring Classes.

Before adding a pre-defined variable keep in mind that:

• The class object pre-defined variable gathers several pre-defined variables that you must select
via the drop-down list Name.
• Each pre-defined variable is applied only when added in classes dedicated to specific
resources. To know which resource they should be configured for, refer to the tables below.

To add a pre-defined variable

Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Customization, click on Class Studio. The page Class Studio opens.
3. In the column Name, click on the class you want to edit. Class Editor opens.
4. In the search bar, type in Pre-defined variable.
5. In the class object list, click on Pre-defined variable or drag and drop it among the class objects.
The wizard Pre-defined variable opens.
6. In the drop-down list Name, select the pre-defined variable of your choice:
• USER_SOURCE_TYPE
• USER_HIDE_PARAM
• IP_MANDATORY_MAC_ADDR
• IP_NOT_EDITABLE_MAC_ADDR
• DHCP_STATIC_NOT_EDITABLE_MAC_ADDR
• WORKFLOW_REQUEST_HIDE_ACTION
• WORKFLOW_REQUEST_HIDE_ATTACH_TO
• WORKFLOW_ADD_TICKET_SPACE
• WORKFLOW_ADD_TICKET_BLOCK
• WORKFLOW_ADD_TICKET_SUBNET
• WORKFLOW_ADD_TICKET_POOL
• WORKFLOW_ADD_TICKET_ADDRESS
• WORKFLOW_ADD_TICKET_DNSZONE
• FORCE_SUBNET_PREFIX
• HIDE_IP_ALIAS
• HOSTDEV_IS_SWITCH
• NO_SPACE_FATHER_VLSM
• NO_VLSM_SUBNET
• BLOCK_TYPE
7. In the field Value, specify the value of your choice. All expected values, and potential extra
fields, are detailed below.
8. In the drop-down list Expert mode, you can select Yes to further configure the class object.

1454
 Class Studio Pre-defined Variables

a. In the field Show if..., you can condition the display of the class object in the wizard in
the form of an "if" statement, like $object_value > 0 or $city=="Washington" that allows
to only display the class object if your condition is matched.
Note that the condition can only be taken into account if the value of the class object
has already been saved in the wizard, either via inheritance or because it is located
after a Jump to page. You can set multiple conditions but they must be separated by
boolean connectors.
PNG

9. Click on OK to complete the operation. The object is now displayed in the left section and
part of the class content.
original

10. Click on to save the class configuration. If you exit without saving, your changes are
lost.
11. Click on to close Class Editor.

All pre-defined variables are detailed in tables as follows.

Table L.1. Pre-defined variable

The purpose of the pre-defined variable.
Module The Module selected for the class where you should add the pre-defined variable.
Type The Type selected for the class where you should add the pre-defined variable.
Configuration details
<Field name> The expected or accepted values in the field.

Each pre-defined variable Name is described in a dedicated table.

Table L.2. USER_SOURCE_TYPE

This variable allows to specify the user source of your choice in the column Origin of the page Users.
Module Rights & Delegation
Type User
Configuration details
Value local, param, pam or rule.

Table L.3. USER_HIDE_PARAM

This variable allows to hide most user configuration fields and only display the fields Login, First name, Last
name and Pseudonym in the user addition wizard.
Module Rights & Delegation
Type User
Configuration details
Value 1 to enable the variable, 0 to disable it.

Table L.4. IP_MANDATORY_MAC_ADDR

This variable allows to make the field MAC address a required one in the IP address addition and edition wizards.
You can configure it for IPv4 and/or IPv6 addresses.
Module IPAM
Type Address, Address (v6)
Configuration details
Value 1 to enable the variable, 0 to disable it.

1455
 Class Studio Pre-defined Variables

Table L.5. IP_NOT_EDITABLE_MAC_ADDR

This variable allows to prevent from editing the field MAC address in the IP address addition and edition wizards.
You can configure it for IPv4 and/or IPv6 addresses.
Module IPAM
Type Address, Address (v6)
Configuration details
Value 1 to enable the variable, 0 to disable it.

Table L.6. DHCP_STATIC_NOT_EDITABLE_MAC_ADDR

This variable allows to prevent from editing the field MAC address in the DHCP static addition and edition wizards.
You can configure it for DHCPv4 and/or DHCPv6 statics.
Module DHCP
Type DHCP static, DHCPv6 static
Configuration details
Value 1 to enable the variable, 0 to disable it.

Table L.7. WORKFLOW_REQUEST_HIDE_ACTION

This variable allows to hide the field Action requested in the outgoing requests addition wizard.
Module Workflow
Type Request
Configuration details
Value 1 to enable the variable, 0 to disable it.

Table L.8. WORKFLOW_REQUEST_HIDE_ATTACH_TO

This variable allows to hide the drop-down list Attach to in the outgoing requests addition wizard.
Module Workflow
Type Request
Configuration details
Value 1 to enable the variable, 0 to disable it.

Table L.9. WORKFLOW_ADD_TICKET_SPACE

This variable allows to display the field Request in the space addition and edition wizards to associate a Workflow
request with a space.
Module IPAM
Type Space
Configuration details
Value 1 to enable the variable, 0 to disable it.

Table L.10. WORKFLOW_ADD_TICKET_BLOCK

This variable allows to display the field Request in the network addition and edition wizards to associate a
Workflow request with a block-type network. The field is displayed on the page Associated request, the last page
of the wizard.
Module IPAM
Type Network. Only for IPv4 block-type networks.
Configuration details
Value 1 to enable the variable, 0 to disable it.

1456
 Class Studio Pre-defined Variables

Table L.11. WORKFLOW_ADD_TICKET_SUBNET

This variable allows to display the field Request in the network addition and edition wizards to associate a
Workflow request with a subnet-type network. The field is displayed on the page Associated request, the last
page of the wizard.
Module IPAM
Type Network. Only for IPv4 subnet-type networks.
Configuration details
Value 1 to enable the variable, 0 to disable it.

Table L.12. WORKFLOW_ADD_TICKET_POOL

This variable allows to display the field Request in the pool addition and edition wizards to associate a Workflow
request with a pool. The field is displayed on the page Associated request, the last page of the wizard.
Module IPAM
Type Pool. Only in IPv4.
Configuration details
Value 1 to enable the variable, 0 to disable it.

Table L.13. WORKFLOW_ADD_TICKET_ADDRESS

This variable allows to display the field Request in the IP address addition and edition wizards to associate a
Workflow request with an IP address. The field is displayed on the page Associated request, the last page of the
wizard.
Module IPAM
Type Address. Only in IPv4.
Configuration details
Value 1 to enable the variable, 0 to disable it.

Table L.14. WORKFLOW_ADD_TICKET_DNSZONE

This variable allows to display the field Request in the zone addition and edition wizards to associate a Workflow
request with a zone. The field is displayed on the page Associated request, the last page of the wizard.
Module DNS
Type DNS zone
Configuration details
Value 1 to enable the variable, 0 to disable it.

Table L.15. FORCE_SUBNET_PREFIX

This variable allows to force the value of the field Prefix in the addition wizard of a terminal network. You can
force this prefix at the network level of your choice. For more details, refer to the section Force prefix in the
chapter Configuring Classes.
Note that if you set this variable on a non-terminal subnet-type network, it only applies to the network itself, it
does not apply to the networks it contains.
Module IPAM
Type Network, Network (v6). Only for subnet-type networks.
Configuration details
Network level Select a value between 0 (block-type networks) and 15 (subnet-type networks). It defines
at which level of network organizations you force the prefix set in the Value.
Value <number> to specify the prefix of your choice, 0 to disable it.

Table L.16. HIDE_IP_ALIAS

This variable allows to hide the page Aliases configuration in the IP address addition wizard. For more details,
refer to the section Configuring and Managing IP Address Aliases.

1457
 Class Studio Pre-defined Variables

Module IPAM
Type Address, Address (v6)
Configuration details
Value 1 to enable the variable, 0 to disable it.

Table L.17. HOSTDEV_IS_SWITCH

This variable allows to specify that a Device manager device is a switch.
Module Device Manager
Type Device
Configuration details
Value 1 to enable the variable, 0 to disable it.

Table L.18. NO_SPACE_FATHER_VLSM

This variable allows to prevent a space from being affiliated with a VLSM parent space in the space addition
wizard.
Module IPAM
Type Space
Configuration details
Value 1 to enable the variable, 0 to disable it.

Table L.19. NO_VLSM_SUBNET

This variable allows to prevent the addition of non-terminal networks. It allows to tick and hide the box Terminal
network in the subnet-type network addition wizard. You cannot add the class object Force VLSM if you add this
variable.
Module IPAM
Type Network, Network (v6). Only for subnet-type networks.
Configuration details
Value 1 to enable the variable, 0 to disable it.

Table L.20. BLOCK_TYPE

This variable allows to display the fields Start address and End address in the block-type network addition wizard
instead of the fields Address, Netmask and Prefix.
Module IPAM
Type Network. Only for IPv4 block-type networks.
Configuration details
Value range to enable the variable, 0 to disable it.

1458
Appendix M. Configuring RADIUS
This appendix details the following configurations for RADIUS authentication:
• Configuring FreeRadius.
• Configuring RADIUS with Cisco ACS.
• Configuring OneTime Password with Token Authentication.

Configuring FreeRADIUS
If you intend to authenticate users via RADIUS, you can configure FreeRadius to retrieve your
groups of users. Once FreeRadius is configured, do not forget to add the RADIUS users authen-
tication rule as detailed in the section Adding RADIUS Authentication Rules.

Configuring the RADIUS Server

To start with, your RADIUS server must be configured with the following information:
• The addresses of the SOLIDserver appliance (the RADIUS 'clients') that might connect to it.
• The EfficientIP vendor number: 2440.
• The dictionary efficientip, it must be configured to send back the following attributes:

Table M.1. Efficientip dictionary: attributes to be returned

Attribute Code Type
efficientip-version 1 integer
efficientip-service-class 2 integer
efficientip-identity-type 3 integer
efficientip-first-name 16 string
efficientip-last-name 17 string
efficientip-pseudonym 18 string
efficientip-ip-host 19 string
efficientip-email 20 string
efficientip-first-login-path 32 string
efficientip-maintainer-group 33 string
efficientip-groups 34 string
efficientip-admin-group 35 string
efficientip-extra-blob 64 string

Configuring a FreeRadius server with SOLIDserver

To send group of users to SOLIDserver and complete the configuration, your FreeRadius server
needs three files: dictionary.efficientip, clients.conf and users.

These files should at least contain the following information:

dictionary.efficientip
#Dictionnary for efficientip

VENDOR efficientip 2440

1459
 Configuring RADIUS

BEGIN-VENDOR efficientip

ATTRIBUTE efficientip-version 1 integer

ATTRIBUTE efficientip-service-class 2 integer
ATTRIBUTE efficientip-identity-type 3 integer
ATTRIBUTE efficientip-first-name 16 string
ATTRIBUTE efficientip-last-name 17 string
ATTRIBUTE efficientip-pseudonym 18 string
ATTRIBUTE efficientip-ip-host 19 string
ATTRIBUTE efficientip-email 20 string
ATTRIBUTE efficientip-first-login-path 32 string
ATTRIBUTE efficientip-maintainer-group 33 string
ATTRIBUTE efficientip-groups 34 string
ATTRIBUTE efficientip-admin-group 35 string
ATTRIBUTE efficientip-extra-blob 64 string

END-VENDOR efficientip

clients.conf
client SDS-1000 {
ipaddr = 192.168.100.100
secret = abc123
}

users
localuser Cleartext-Password := "Password123"
efficientip-groups = "mygroup",

Configuring RADIUS with Cisco ACS

You can configure the RADIUS authentication rule to authenticate users against a Cisco Secure
Access Control Server (ACS). To do so, define the EfficientIP RADIUS vendor and VSA set in a
RADIUS vendor/VSA import file named efficientip.ini, then follow the procedure below.

To configure Cisco ACS with RADIUS

1. On the computer running ACS, open an MS-DOS command prompt.
2. Change directories until you get to the directory containing the file CSUtil.exe. For more
details regarding its location, refer to the Cisco ACS documentation.
3. Once you are in the right directory, execute the command below:
CSUtil.exe -addUDV 5 efficientip.ini

In this command, the number 5 is an unused ACS RADIUS vendor slot number and efficien-
tip.ini is the name of the EfficientIP RADIUS vendor/VSA import file you created earlier.
4. Press Enter. A CSUtil.exe confirmation prompt appears.
5. Confirm that you want to add the RADIUS vendor and halt all ACS services during the pro-
cess, type in Y and press Enter. CSUtil.exe halts ACS services, parses the vendor/VSA input
file, and adds the new RADIUS vendor and VSAs to ACS. This process may take a few
minutes. After it is complete, CSUtil.exe restarts ACS services.

Example of an import file "efficientip.ini" for RADIUS vendor/VSA where EfficientIP is set
as a vendor and 2440 is the IETF code number:
[User Defined Vendor] Name=EfficientIP IETF Code=2440
VSA 1=efficientip-version
VSA 2=efficientip-service-class

1460
 Configuring RADIUS

VSA 3=efficientip-identity-type
VSA 16=efficientip-first-name
VSA 17=efficientip-last-name
VSA 18=efficientip-pseudonym
VSA 19=efficientip-ip-host
VSA 20=efficientip-email
VSA 32=efficientip-first-login-path
VSA 33=efficientip-maintainer-group
VSA 34=efficientip-groups
VSA 35=efficientip-admin-group
VSA 64=efficientip-extra-blob

[efficientip-version]
Type=INTEGER
Profile=OUT

[efficientip-service-class]
Type=INTEGER
Profile=OUT

[efficientip-identity-type]
Type=INTEGER
Profile=OUT

[efficientip-first-name]
Type=STRING
Profile=OUT

[efficientip-last-name]
Type=STRING
Profile=OUT

[efficientip-pseudonym]
Type=STRING
Profile=OUT

[efficientip-ip-host]
Type=STRING
Profile=OUT

[efficientip-email]
Type=STRING
Profile=OUT

[efficientip-first-login-path]
Type=STRING
Profile=OUT

[efficientip-maintainer-group]
Type=STRING
Profile=OUT

[efficientip-groups]
Type=STRING
Profile=MULTI OUT

[efficientip-admin-group]
Type=STRING
Profile=OUT

[efficientip-extra-blob]
Type=STRING
Profile=OUT

1461
 Configuring RADIUS

Configuring OneTime Password with Token Authentication

You can set up OneTime Password (OTP) based on a token authentication to secure user ses-
sions. OTP associates a user session with a unique password valid for a limited period of time.

SOLIDserver caches the credentials to authenticate every user operation. When the cache expires,
SOLIDserver uses the cached credentials to generate and send a new authentication request to
the RADIUS server. If this request fails, the user is disconnected.

To control when the client is disconnected, a set of registry database entries allow to define for
how long SOLIDserver should cache the data:
1. You can either define for how long SOLIDserver should cache passwords, as detailed in the
section Caching OTP Credentials For a Certain Time.
2. Or you can make sure that the cache does not expire while the user is active, as detailed in
the section Renewing Cached OTP Credentials for Logged Users.

Prerequisites
• Configuring RADIUS authentication rule. For more details, refer to the section Adding RADIUS
Authentication Rules.
• Belonging to a group admin, the only group that can access to the page Registry database.

Caching OTP Credentials For a Certain Time

Once you met the prerequisites, you can configure a registry database key to define for how long
SOLIDserver should cache your OTP credentials. To ensure that the user is not disconnected
while SOLIDserver is still open, we recommend that you also configure the key that determines
the duration of SOLIDserver user sessions.

If you would rather edit one key and ensure your users are not disconnected while their session
is active, refer to the section Renewing Cached OTP Credentials for Logged Users.

To define for how long passwords should be cached

Only users of the group admin can perform this operation.
1. Adding the registry key that defines for how long OTP credentials are cached
a. In the sidebar, click on Administration or Admin Home. The page Admin Home
opens.
b. In the section Expert, click on Registry database. The page Registry database opens.
c. In the menu, click on Add. The wizard Registry database Add an item opens.
d. In the field Name, type in ipmserver.login.password_cache_time .
e. In the field Value, specify the value of your choice, in seconds. The recommended value
is 900.
f. Click on OK to complete the operation.The report opens and closes.The page refreshes
and the new key is listed.
2. Editing the key that sets SOLIDserver user session time
a. In the search engine of the column Name, type in www.login.session_timeout . Only
this key is listed.
b. In the column Value, click on the value listed. The wizard Registry database Edit a
value opens.

1462
 Configuring RADIUS

c. In the field Value, specify the value of your choice, in seconds. By default, it is set to
1800, the minimal accepted value is 300.
It should be shorter than the value set for the key ipmserver.login.password_cache_time
to ensure the user OTP credentials do not expire before SOLIDserver session ends.
d. Click on OK to complete the operation.The report opens and closes.The page refreshes
and the new value is displayed.
e. Hit F5 to refresh the web page and take into account your changes. Each user is auto-
matically logged out if no actions are performed above the specified number of seconds.

Renewing Cached OTP Credentials for Logged Users

Once you met the prerequisites, you can add the registry database key that ensures that logged
users authenticated using OTP are not disconnected while their SOLIDserver session is running.
This key renews cached credentials as long as the user is active.

To edit the registry key that renews cached credentials while the session is active
Only users of the group admin can perform this operation.
1. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
2. In the section Expert, click on Registry database. The page Registry database opens.
3. In the menu, click on Add. The wizard Registry database Add an item opens.
4. In the field Name, type in ipmserver.login.password_cache_time_renew .
5. In the field Value, type in 1 to enable the protection of OTP authenticated .
6. Click on OK to complete the operation. The report opens and closes. The page refreshes
and the new key is listed.

1463
Appendix N. Using Remote
Authentication for SSH Connections to
SOLIDserver
This appendix details how to enable Secure Shell (SSH) connections for remote authentications:
• Configuring LDAP Authentication for SSH Connections.
• Configuring RADIUS Authentication for SSH Connections.

This configuration allows to grant existing users access to as many SOLIDserver appliances as
you want.

Configuring LDAP Authentication for SSH Connections

To configure the LDAP authentication for SSH connections to SOLIDserver, you must:
1. Understand the Specificities and Prerequisites.
2. Edit the LDAP configuration file. For more details, refer to the section Editing the LDAP Con-
figuration File.
3. Edit the Name Service Switch configuration file. For more details, refer to the section Editing
the Name Service Switch Configuration File.
4. Edit the PAM configuration for SSH daemon. For more details, refer to the section Editing the
PAM Configuration for SSH Daemon.
5. If you use an SSL certificate self-signed by Windows, you must also edit the LDAP communic-
ation settings. For more details, refer to the section Editing the LDAP Communication Settings.

Prerequisites
• An LDAP server must be properly configured and running.
• The LDAP server and SOLIDserver must be set at the same time:
• Make sure the LDAP server is on time.
• Configure NTP servers on SOLIDserver. If you want LDAP authentication for several
SOLIDserver appliances, the NTP must be configured on every appliance. For more details,
refer to the section Configuring NTP Servers.
• To set up the LDAP authentication for several appliances, you must:
1. Configure the authentication from the managing SOLIDserver.
2. Once the configuration is complete, apply it the remote appliance(s).

Specificities
The configuration of LDAP authentication for SSH connections:
• Must be done via CLI.
• Must be done locally from a SOLIDserver Management appliance. When the configuration is
complete, you can apply it to the remote SOLIDserver appliance(s) you manage.
On appliances configured in High Availability, the Hot Standby automatically replicates the
configuration.

1464
 Using Remote Authentication for
SSH Connections to SOLIDserver

• Allows to grant access to SOLIDserver to existing LDAP users, there is no need to edit
SOLIDserver local user or group of users database. That way, if your LDAP server is not re-
sponding, local users with sufficient rights can still access the appliance via SSH.

Editing the LDAP Configuration File

You must first edit the LDAP configuration file to specify the class of users you want to grant SSH
access to. During that edition you must also define the type of permissions you grant to the users
of the class specified.

To edit the file ldap.conf

1. Open a shell session.
2. Connect to a SOLIDserver management appliance using the credentials of the account admin.
3. Edit the file /data1/etc/ldap.conf using the following command:
% emacs /data1/etc/ldap.conf

The edited file should include the following:

# Specify the FQDN or IP address of the LDAP server.
host <IP-address-or-hostname>
# Set the base search that suits your needs: cn=BaseSearch, dc=EXAMPLE, dc=COM.
base <your-base-search>
# Set an existing user among the following: cn=admin, cn=BaseSearch, dc=EXAMPLE,
dc=COM.
# This parameter cannot be empty otherwise you will not be able to list users.
rootbinddn <user>

# Enable LDAPS if need be. Valid values: on, off.

ssl <status>

# Specify for the following attributes the name of the LDAP user class that can access
SOLIDserver.
pam_filter objectclass=<userclass>
nss_map_objectclass posixAccount <userclass>
# Specify for the following attributes the name of the attribute of the selected user
class
# that contains the user login.
pam_login_attribute <login-attribute>
nss_map_attribute uid <login-attribute>

# If the specified user class is not already set with the attributes: uidNumber,
gidNumber,
# loginShell, homeDirectory.
# You must specify for the following attributes the name of the attribute of the
selected user
# class that contains the users uidNumber and gidNumber.
nss_map_attribute uidNumber <UnixUID-attribute>
nss_map_attribute gidNumber <UnixGID-attribute>
# You can specify for the following attributes the name of the attribute of the
selected user
# that contains the loginShell and homeDirectory used to connect to your appliance.
# These attributes are optional, so if you do not want to set them either comment
the lines or
# do not include them at all. These attributes cannot be declared without value.
nss_map_attribute loginShell <attribute-containing-the-shell-you-connect-to>
nss_map_attribute homeDirectory <attribute-containing-the-path-to-the-directory-"home">

# Set the level of permissions of the LDAP users accessing SOLIDserver via SSH.
# If you set the value of the example below, you grant administrative rights to all
the users
# belonging to the classes specified with "pam_filter" and "nss_map_objectclass".
nss_override_attribute_value uidNumber 1001

1465
 Using Remote Authentication for
SSH Connections to SOLIDserver

nss_override_attribute_value gidNumber 1000

nss_override_attribute_value homeDirectory /data1/users/admin
nss_override_attribute_value loginShell /bin/csh

4. Edit the file /data1/etc/ldap.secret to insert your own LDAP password for the account root-
binddn using the following command:
% emacs /data1/etc/ldap.secret

Editing the Name Service Switch Configuration File

Once you edited the file ldap.conf, you must edit the name service switch configuration file to
edit where the authentication information must be retrieved.

To edit the file nsswitch.conf

1. Open a shell session.
2. Connect to a SOLIDserver management appliance using the credentials of the account admin.
3. Edit the file /data1/etc/nsswitch.conf using the following command:
% emacs /data1/etc/nsswitch.conf

4. The edited file should include the following:

#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: releng/10.2/etc/nsswitch.conf 224765 2011-08-10 20:52:02Z dougb $
#
# Edit the value of "group" to retrieve LDAP data. Initial value: "group: compat"
group: files ldap
# Comment the line "group_compat: nis"
# group_compat: nis

hosts: files dns

networks: files

# Edit the value of "passwd" to retrieve LDAP data. Initial value: "passwd: compat"
passwd: files ldap
# Comment the line "passwd_compat: nis"
# passwd_compat: nis

shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

Editing the PAM Configuration for SSH Daemon

Once you edited the files ldap.conf and nsswitch.conf, you must edit the PAM configuration of
SSH daemon to include LDAP settings.

To edit the file pam.d/sshd

1. Open a shell session.
2. Connect to a SOLIDserver management appliance using the credentials of the account admin.
3. Edit the file /data1/etc/pam.d/sshd using the following command:
% emacs /data1/etc/pam.d/sshd

1466
 Using Remote Authentication for
SSH Connections to SOLIDserver

4. The edited file should include the following:

# $FreeBSD: releng/10.2/etc/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
#
# PAM configuration for the "sshd" service
#

# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
# Add the following line to specify that LDAP is used for authentication.
auth sufficient /usr/local/lib/pam_ldap.so no_warn
auth sufficient pam_unix.so no_warn try_first_pass

# account
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
# Add the following line to specify that you want the credentials to be verified via
LDAP.
account sufficient /usr/local/lib/pam_ldap.so no_warn
ignore_authinfo_unavail ignore_unknown_user
account required pam_unix.so

# session
#session optional pam_ssh.so want_agent
session required pam_permit.so

# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass

Editing the LDAP Communication Settings

If you use a self-signed certificate generated on MS Windows, you have to edit the LDAP com-
munication settings: the file openldap.conf that defines the options to communicate with LDAP.

Once you edited the files ldap.conf, nsswitch.conf and pam.d/sshd, follow the procedure below.

To edit the file openldap.conf

1. Open a shell session.
2. Connect to a SOLIDserver management appliance using the credentials of the account admin.
3. Edit the file /data1/etc/openldap.conf using the following command:
% emacs /data1/etc/openldap.conf

4. The edited file should include the following:

#
# LDAP Defaults
#

# See ldap.conf(5) for details

# This file should be world readable but not world writable.

#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT 12
#TIMELIMIT 15

1467
 Using Remote Authentication for
SSH Connections to SOLIDserver

#DEREF never

# Add the following line to disable the CA check.

TLS_REQCERT never

#Dictionnary for efficientip

VENDOR efficientip 2440

BEGIN-VENDOR efficientip

ATTRIBUTE efficientip-version 1 integer

ATTRIBUTE efficientip-service-class 2 integer
ATTRIBUTE efficientip-identity-type 3 integer
ATTRIBUTE efficientip-first-name 16 string
ATTRIBUTE efficientip-last-name 17 string
ATTRIBUTE efficientip-pseudonym 18 string
ATTRIBUTE efficientip-ip-host 19 string
ATTRIBUTE efficientip-email 20 string
ATTRIBUTE efficientip-first-login-path 32 string
ATTRIBUTE efficientip-maintainer-group 33 string
ATTRIBUTE efficientip-groups 34 string
ATTRIBUTE efficientip-admin-group 35 string
ATTRIBUTE efficientip-extra-blob 64 string

END-VENDOR efficientip

Once you edited the LDAP communication settings, you need to make sure the configuration is
properly set.

Making Sure the Configuration is Properly Set

Once your configuration is complete, there are two ways of making sure it is properly set:
1. Use the command getent to list all the users with SSH access, make sure your LDAP users
are listed and that you did not grant access to the unwanted users.
2. Try to connect to SOLIDserver via SSH using the credentials of an LDAP user to which you
granted access. They were listed in the command result.

To check the list of users allowed to connect via SSH

1. Open a shell session.
2. Connect to SOLIDserver using the credentials of the account admin.
3. Use the following command:
% getent passwd

This command returns the list of all the users that can connect via SSH. All local, LDAP
and/or RADIUS users are listed as follows:
<username>:*:1001:1000:admin:/data1/users/admin:/bin/csh

4. Grant or deny access to the users of your choice.

Once the configuration is properly set, you need to apply the configuration to remote appliances.

1468
 Using Remote Authentication for
SSH Connections to SOLIDserver

Applying the Configuration to Remote Appliances

If you manage several SOLIDserver appliances from the page Centralized Management, once
you configured the LDAP authentication for SSH connections on the management appliance you
can push your configuration, i.e. apply it, to remote appliances.

Before applying the configuration, refer to the section Making Sure the Configuration is Properly
Set to ensure you are not pushing an erroneous configuration on your network. If the configuration
is incorrect, pushing it might prevent you from connecting to the remote appliance(s) via SSH.

To apply the local LDAP authentication configuration for SSH to remote appliances
1. Open a browser.
2. Connect to the SOLIDserver management appliance you configured using its IP address or
hostname.
3. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
4. In the section System, click on the button Centralized Management. The page Centralized
Management opens.
5. Tick the remote appliance(s) to which you want to apply the local LDAP authentication.
6. In the menu, select Tools > Push local LDAP/RADIUS configuration. The wizard Push
the local LDAP/RADIUS authentication opens.
7. Click on OK to complete the operation. The report opens and closes.

Configuring RADIUS Authentication for SSH Connections

To configure the RADIUS authentication for SSH connections to SOLIDserver, you must:
1. Follow the procedures described in the appendix Configuring RADIUS.
2. Understand the Specificities and Prerequisites.
3. Edit the RADIUS configuration file. For more details, refer to the section Editing the LDAP
Configuration File.
4. Edit the PAM configuration for SSH daemon. For more details, refer to the section Editing the
RADIUS Configuration for SSH Daemon.
5. Edit the list of RADIUS users. For more details, refer to the section Editing the RADIUS Users
List.

Prerequisites
• A RADIUS server properly configured and running.
• The RADIUS server and SOLIDserver must be set at the same time.
• To set up the RADIUS authentication for several appliances, you must:
1. Configure the authentication from the managing SOLIDserver.
2. Apply it to the remote appliance(s).
• The user must exist on SOLIDserver.

Specificities
The configuration of RADIUS authentication for SSH connections:
• Must be done via CLI.

1469
 Using Remote Authentication for
SSH Connections to SOLIDserver

• Must be done locally from a SOLIDserver Management appliance. When the configuration is
complete, you can apply it to the remote SOLIDserver appliance(s) you manage.
On appliances configured in High Availability, the Hot Standby automatically replicates the
configuration.
• If your RADIUS server is not responding, local users with sufficient rights can still access the
appliance via SSH.

Editing the RADIUS Configuration File

1
You must first edit the RADIUS configuration file to specify the class of users you want to grant
SSH access to. During that edition you must also define the type of permissions you grant to the
users of the class specified.

To edit the file radius.conf

1. Open a shell session.
2. Connect to a SOLIDserver management appliance using the credentials of the account admin.
3. Edit the file /data1/etc/radius.conf using the following command:
% emacs /data1/etc/radius.conf

The edited file should include the RADIUS server IP address, secret key, timeout in seconds
and the maximum number of attempts, as follows: <radius_server_ip>:<port> <secret_key>
<timeout> <maximum_attempts>. Not indicating the port, as in the example below, automat-
ically sets it to the default RADIUS port:
#radius_server_ip:port secret_key timeout maximum_attempts
1.2.3.4 RadiusSecretKey 3

Editing the RADIUS Configuration for SSH Daemon

Once you edited the file radius.conf, you must edit the PAM configuration of SSH daemon to in-
clude RADIUS settings.

To edit the file pam.d/sshd

1. Open a shell session.
2. Connect to a SOLIDserver management appliance using the credentials of the account admin.
3. Edit the file /data1/etc/pam.d/sshd using the following command:
% emacs /data1/etc/pam.d/sshd

4. The edited file should include the following:

#
# $FreeBSD: releng/10.2/etc/pam.d/sshd 197769 2009-10-05 09:28:54Z des $
#
# PAM configuration for the "sshd" service
#

# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
# Radius authentication

1
For more details, refer to the radius.conf Linux man page available at https://linux.die.net/man/5/radius.conf.

1470
 Using Remote Authentication for
SSH Connections to SOLIDserver

auth sufficient pam_radius.so

auth required pam_unix.so no_warn try_first_pass

# account
account required pam_nologin.so
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so

# session
#session optional pam_ssh.so want_agent
session required pam_permit.so

# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass

Editing the RADIUS Users List

Once you edited the files radius.conf and pam.d/sshd, you need to add the users for which you
want to allow RADIUS authentication.

If you want a user to connect in SSH only via RADIUS authentication, make sure that his password
is empty. Such user cannot log in using SSH any other way than using RADIUS since, by default,
the server does not allow login to accounts with an empty password.

Any user added to the list will be able to connect SOLIDserver using the secret key configured
in the section Editing the RADIUS Configuration for SSH Daemon.

To add a RADIUS user

1. Open a shell session.
2. Connect to a SOLIDserver management appliance using the credentials of the account admin.
3. Add a user using the following command:
% pw useradd -n <username> -u <uid> -m

Note that, as a best practice, setting a uid above 10000 allows to easily identify "Radius-only
users".

Once you edited the RADIUS users list, you need to make sure the configuration is properly set.

Making Sure the Configuration is Properly Set

Once your configuration is complete, there are two ways of making sure it is properly set:
1. Use the command getent to list all the users with SSH access and make sure your RADIUS
users are listed and that you did not grant access to the unwanted users.
2. Try to connect to SOLIDserver via SSH using the credentials of a RADIUS user to which you
granted access. They were listed in the command result.

To check the list of users allowed to connect via SSH

1. Open a shell session.
2. Connect to SOLIDserver using the credentials of the account admin.
3. Use the following command:
% getent passwd

1471
 Using Remote Authentication for
SSH Connections to SOLIDserver

This command returns the list of all the users that can connect via SSH. All local, LDAP
and/or RADIUS users are listed as follows:
<username>:*:1001:1000:admin:/data1/users/admin:/bin/csh

4. Grant or deny access to the users of your choice.

Once your configuration is properly set, you need to apply the configuration to remote appliances.

Applying the Configuration to Remote Appliances

If you manage several SOLIDserver appliances from the page Centralized Management, once
you configured the RADIUS authentication for SSH connections on the management appliance
you can push your configuration, i.e. apply it, to remote appliances.

Before applying the configuration, refer to the section Making Sure the Configuration is Properly
Set to ensure you are not pushing an erroneous configuration on your network. If the configuration
is incorrect, pushing it might prevent you from connecting to the remote appliance(s) via SSH.

To apply the local RADIUS authentication configuration for SSH to remote

appliances
1. Open a browser.
2. Connect to the SOLIDserver management appliance you configured using its IP address or
hostname.
3. In the sidebar, click on Administration or Admin Home. The page Admin Home opens.
4. In the section System, click on the button Centralized Management. The page Centralized
Management opens.
5. Tick the remote appliance(s) to which you want to apply the local RADIUS authentication.
6. In the menu, select Tools > Push local LDAP/RADIUS configuration. The wizard Push
the local LDAP/RADIUS authentication opens.
7. Click on OK to complete the operation. The report opens and closes.

1472
Appendix O. Configuring Non-Supported
Options
Via CLI, administrators can incorporate non-supported options, i.e. configurations or settings,
that cannot be configured from SOLIDserver GUI.

Before configuring any non-supported configuration, keep in mind that:

• These configurations must be set at your own risk. No support help can be expected after
setting any of the non-supported configuration described in this appendix.
• These configurations are very advanced and must be carefully implemented.

Before going further, you must take into account prerequisites and limitations.

This appendix includes procedures for:

• Configuring Non-Supported Firewall Rules.
• Configuring Non-Supported Apache Options.
• Configuring Non-Supported Unbound Settings.
• Configuring Non-Supported NSD Settings.
• Configuring Non-Supported BIND Options.
• Configuring Non-Supported SNMP Settings.
• Configuring Non-Supported DHCP Configurations.
• Configuring Non-Supported NTP Settings.
• Configuring Non-Supported syslog-ng Options.
• Configuring Non-Supported PostgreSQL Settings.
• Configuring Non-Supported OpenSSH Settings.

Prerequisites
• Configuring local servers, DHCP EfficientIP servers, DNS EfficientIP servers or Hybrid DNS
servers.
• The service you want to configure must be running.
• The user configuring the non-supported options must have:
• Administrative rights over SSH connections to SOLIDserver.
• A good understanding of the environment and of the services configuration file, syntax and
options.
• Checking the changes before applying them to the production environment.

1473
 Configuring Non-Supported Options

Limitations
• All changes must be performed via SSH, you cannot configure or display non-supported options
from the GUI.
• The configuration of non-supported options can only be done in a specific sections of the files
and nowhere else.
• You can only configure locally non-supported options.
• You can only configure non-supported options on physical servers EfficientIP DNS or DHCP
servers, you cannot set them on a smart architecture.
If you want to add non-supported options on several physical servers managed via the same
architecture, you must set them on each server configuration file individually.
• The non-supported options that you configure overwrite the current configuration. So make
sure that the options you incorporate are not already set in the configuration because the GUI
might not reflect these changes. Besides, configuring options twice may prevent the service
from running properly.

1474
 Configuring Non-Supported Options

Configuring Non-Supported Firewall Rules

You can configure non-supported firewall rules that the ipfw files automatically incorporate:
• In restricted mode, non-supported rules can be incorporated in the file /ipfw/ipfw.rules.
• In open mode, non-supported rules can be incorporated in the /ipfw/ipfw_open.rules.

By default, both files exist in the directory /ipfw. Note that the current firewall mode of your appli-
ance, Restricted and Open, is visible in the GUI on the page Network configuration, for more
details refer to the section Setting the Firewall.

Before configuring non-supported rules, keep in mind that there is no validation check for these
files, so if you misconfigure either you can lose access to your appliance, via SSH or other-
wise.

Configuring Non-Supported Firewall Configurations in Restricted

Mode
By default, the directory /ipfw contains a file ipfw.rules that can be edited to configure the non-
supported firewall rules of your choice if you are in restricted mode.

ipfw.rules
#!/bin/sh

/sbin/ipfw -q flush

if [ -f /etc/ipfw.rules.stats ]; then
. /etc/ipfw.rules.stats
fi
if [ -f /etc/ipfw.rules.sourcerouting ]; then
. /etc/ipfw.rules.sourcerouting
fi

/sbin/ipfw -q add 10 allow ip from any to any via lo0

/sbin/ipfw -q add 14 allow carp from any to any
/sbin/ipfw -q add 20 check-state
...
/sbin/ipfw -q add 59999 deny ip from any to any
/sbin/ipfw -q add 61000 allow ip from any to any

## Include file for customizations

## USE WITH CAUTION
incfile=/usr/local/nessy2/etc/ipfw/ipfw.rules.inc ipfw.rules.inc
if [ -f $incfile ]; then
. $incfile
fi
/sbin/ipfw -q add 5 deny icmp from any to any
echo "PING requests are blocked"

Figure O.1. Example of non-supported firewall rules in restricted mode

Before configuring non-supported rules, keep in mind that there is no validation check for these
files, so if you misconfigure either you can lose access to your appliance, via SSH or other-
wise.

To incorporate non-supported firewall rules in restricted mode

1. Meet the prerequisites and take into account the limitations.

1475
 Configuring Non-Supported Options

2. Connect to your appliance using an SSH session or a console port.

3. Log in as the default admin user, the default password is admin, or using the credentials of
a user with sudo permissions.
4. Get root access using the following command:
sudo -s

5. In the directory /usr/local/nessy2/etc/ipfw/, edit the file ipfw.rules.inc to incorporate the non-
supported firewall rules of your choice.
Keep in mind that if you misconfigure this file you can lose access to your appliance.
6. Restart the firewall daemon to take into account your changes with the command:
service ipfw restart

Configuring Non-Supported Firewall Configurations in Open Mode

By default, the directory /ipfw contains a file ipfw_open.rules that can be edited to configure the
non-supported firewall rules of your choice if you are in open mode.

ipfw_open.rules
#! /bin/sh
/sbin/ipfw -q flush

if [ -f /etc/ipfw.rules.stats ]; then
. /etc/ipfw.rules.stats
fi
if [ -f /etc/ipfw.rules.sourcerouting ]; then
. /etc/ipfw.rules.sourcerouting
fi

/sbin/ipfw -q add 00100 allow ip from any to any

/sbin/ipfw -q add 00100 allow ip6 from any to any
/sbin/ipfw -q add 00101 allow icmp6 from any to any

## Include file for customizations

## USE WITH CAUTION
incfile=/usr/local/nessy2/etc/ipfw/ipfw_open.rules.inc ipfw_open.rules.inc
if [ -f $incfile ]; then
. $incfile
fi
/sbin/ipfw -q add 5 deny icmp from any to any
echo "PING requests are blocked"

Figure O.2. Example of non-supported firewall rules in open mode

Before configuring non-supported rules, keep in mind that there is no validation check for these
files, so if you misconfigure either you can lose access to your appliance, via SSH or other-
wise.

To incorporate non-supported firewall rules in open mode

1. Meet the prerequisites and take into account the limitations.
2. Connect to your appliance using an SSH session or a console port.
3. Log in as the default admin user, the default password is admin, or using the credentials of
a user with sudo permissions.
4. Get root access using the following command:

1476
 Configuring Non-Supported Options

sudo -s

5. In the directory /usr/local/nessy2/etc/ipfw/, edit the file ipfw_open.rules to incorporate the

non-supported firewall rules of your choice.
Keep in mind that if you misconfigure this file you can lose access to your appliance.
6. Restart the firewall daemon to take into account your changes with the command:
service ipfw restart

1477
 Configuring Non-Supported Options

Configuring Non-Supported Apache Settings

You can configure non-supported Apache settings that the configuration file httpd automatically
incorporates:
• Before any existing configuration, thanks to the settings specified in the file(s) in the directory
/pre .
• After all the existing configurations, thanks to the settings specified in the file(s) in the directory
/post .

By default, each directory contains a file httpd.conf.inc that you can edit to specify the settings
of your choice.

Note that you can add as many *.inc files as you need in the directories /pre and /post.

httpd.conf
## Include files for customizations
## USE WITH CAUTION
IncludeOptional /usr/local/nessy2/etc/httpd/pre/*.inc myhttpconf.inc

#
# This is the main Apache HTTP server configuration file. It contains the Listen 81
# configuration directives that give the server its instructions.
...
ServerRoot "/usr/local"
...
Listen 80

LoadModule authn_file_module libexec/apache24/mod_authn_file.so

LoadModule authn_core_module libexec/apache24/mod_authn_core.so
LoadModule authz_host_module libexec/apache24/mod_authz_host.so
...

# Secure (SSL/TLS) connections

#Include etc/apache24/extra/httpd-ssl.conf
#
# Note: The following must must be present to support
# starting without SSL on platforms with no /dev/random equivalent
# but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

Include etc/apache24/Includes/*.conf

## Include files for customizations

## USE WITH CAUTION
IncludeOptional /usr/local/nessy2/etc/httpd/post/*.inc httpd.conf.inc

<VirtualHost 10.10.10.10:81>
DocumentRoot /data1/customer-portal
ServerName portal.customer.com
ErrorLog "/var/log/httpd-portal_error_log"
<Directory /data1/customer-portal>
AllowOverride All
Order deny,allow
allow from all
</Directory>
</VirtualHost>

Figure O.3. Example of non-supported Apache settings

1478
 Configuring Non-Supported Options

Before configuring non-supported settings, keep in mind that there is a validation check for these
files but any invalid configuration may prevent the service from running properly or prevent
you from accessing the GUI altogether.

To incorporate non-supported Apache settings

1. Meet the prerequisites and take into account the limitations.
2. Connect to your appliance using an SSH session or a console port.
3. Log in as the default admin user, the default password is admin, or using the credentials of
a user with sudo permissions.
4. Get root access using the following command:
sudo -s

5. Incorporate non-supported configurations in the file that suits your needs:

• Before any other instructions, edit the file httpd.conf.inc according to your needs. The full
path to the file is /usr/local/nessy2/etc/httpd/pre/httpd.conf.inc
You can also add any .inc file in the directory.
• After all instructions, edit the file httpd.conf.inc according to your needs. The full path to
the file is /usr/local/nessy2/etc/httpd/post/httpd.conf.inc
You can also add any .inc file in the directory.
6. Make sure the whole configuration file is still viable using the command:
apachectl configtest

If no errors are returned and the file syntax is OK, go to the next step. If not, you must edit
the content of the included file(s) because you might no longer be able to access or GUI or
prevent the service from running.
7. Once the configuration is OK, restart the Apache daemon to take into account your changes
with the command:
apachectl restart

8. Make sure the daemon is running with the command:

apachectl status

1479
 Configuring Non-Supported Options

Configuring Non-Supported Unbound Settings

You can configure non-supported Unbound settings that the configuration file unbound automat-
ically incorporates:
• In the section server of the configuration file.
• In the section remote-control of the configuration file.

unbound.conf
server:
verbosity: 1
interface: 0.0.0.0
interface: ::0
port: 53
do-ip4: yes
do-ip6: yes
do-udp: yes
do-tcp: yes
chroot: ""
directory: "/etc/unbound/"
pidfile: "/var/run/unbound/unbound.pid"
hide-identity: yes
hide-version: yes
msg-cache-size: 128m
username: named
# include: /usr/local/nessy2/etc/unbound/global_include.conf global_include.conf

remote-control:
log-time-ascii: yes
control-enable: yes
control-interface: 127.0.0.1
server-key-file: /etc/unbound/unbound_server.key
server-cert-file: /etc/unbound/unbound_server.pem
control-key-file: /etc/unbound/unbound_control.key
control-cert-file: /etc/unbound/unbound_control.pem
# include: /usr/local/nessy2/etc/unbound/remote_include.conf remote_include.conf

control-interface: 192.168.3.4

Figure O.4. Example of non-supported Unbound settings

Before configuring non-supported settings, keep in mind any invalid option is ignored.

To incorporate non-supported Unbound settings

1. Meet the prerequisites and take into account the limitations.
2. Connect to your appliance using an SSH session or a console port.
3. Log in as the default admin user, the default password is admin, or using the credentials of
a user with sudo permissions.
4. Get root access using the following command:
sudo -s

5. Incorporate non-supported options in the file that suits your needs:

• To configure non-supported server settings, edit the file global_include.conf according to
your needs. The full path to the file is /usr/local/nessy2/etc/unbound/global_include.conf
• To configure non-supported remote management settings, edit the file remote_include.conf
according to your needs.The full path to the file is /usr/local/nessy2/etc/unbound/remote_in-
clude.conf

1480
 Configuring Non-Supported Options

6. Make sure the whole configuration file is still viable using the command:
unbound-checkconf /etc/unbound/unbound.conf

If no errors are returned, go to the next step. If not, you must edit the content of the included
file(s) because incorrect configurations are ignored.
7. Once the configuration is OK, restart the Unbound daemon to take into account your changes
with the command:
service ipmdns.sh restart

8. Make sure the daemon is running with the command:

service ipmdns.sh status

1481
 Configuring Non-Supported Options

Configuring Non-Supported NSD Settings

You can configure non-supported Unbound settings that the configuration file nsd automatically
incorporates:
• In the section remote-control of the configuration file.
• In the section server of the configuration file.

nsd.conf
remote-control:
control-enable: "yes"
control-interface: ::1
control-interface: 127.0.0.1
control-port: 8953
server-key-file: "/data1/etc/nsd/nsd_server.key"
server-cert-file: "/data1/etc/nsd/nsd_server.pem"
control-key-file: "/data1/etc/nsd/nsd_control.key"
control-cert-file: "/data1/etc/nsd/nsd_control.pem"
# include: /usr/local/nessy2/etc/nsd/remote_include.conf remote_include.conf

server:
control-interface: 192.168.3.4
include: /data1/etc/nsd/ip-address.conf
database: "/data1/etc/nsd/nsd.db"
pidfile: "/var/run/nsd/nsd.pid"
difffile: "/data1/etc/nsd/ixfr.db"
xfrdfile: "/data1/etc/nsd/xfrd.state"
server-count: 4
zonesdir: "/data1/etc/namedb/zones"
port: 53
hide-version: yes
verbosity: 0
username: named
ipv4-edns-size: 4096
ipv6-edns-size: 4096
# include: /usr/local/nessy2/etc/nsd/global_include.conf global_include.conf

identity: "myserver"

Figure O.5. Example of non-supported NSD settings

Before configuring non-supported settings, keep in mind any invalid option is ignored.

To incorporate non-supported NSD settings

1. Meet the prerequisites and take into account the limitations.
2. Connect to your appliance using an SSH session or a console port.
3. Log in as the default admin user, the default password is admin, or using the credentials of
a user with sudo permissions.
4. Get root access using the following command:
sudo -s

5. Incorporate non-supported options in the file that suits your needs:

• To configure non-supported remote management settings, edit the file remote_include.conf
according to your needs. The full path to the file is /usr/local/nessy2/etc/nsd/remote_in-
clude.conf
• To configure non-supported server settings, edit the file global_include.conf according to
your needs. The full path to the file is /usr/local/nessy2/etc/nsd/global_include.conf

1482
 Configuring Non-Supported Options

6. Make sure the whole configuration file is still viable using the command:
nsd-checkconf /etc/nsd/nsd.conf

If no errors are returned, go to the next step. If not, you must edit the content of the included
file(s) because incorrect configurations are ignored.
7. Once the configuration is OK, restart the NSD daemon to take into account your changes
with the command:
service ipmdns.sh restart

8. Make sure the daemon is running with the command:

service ipmdns.sh status

1483
 Configuring Non-Supported Options

Configuring Non-Supported BIND Settings

You can configure non-supported BIND options that the configuration file named automatically
incorporates:
• At server level, non-supported settings can be incorporated in the sections global and options
of the configuration file.
• At view level, non-supported settings must be manually incorporated in the clause of each view
declared in the server configuration file.

Before configuring non-supported settings, keep in mind any invalid option is ignored.

Configuring Non-Supported BIND Settings on a Server

At server level, you can incorporate non-supported settings and parameters to a BIND configur-
ation file thanks to two files:
global_include.conf
Allows to incorporate statements like logging, masters, server, trusted-keys or managed-
keys. In this file, you must specify each statement and its value.
options_include.conf
Allows to incorporate options. In this file, no need to specify the statement "options", only
its values.

named.conf

include "/usr/local/nessy2/etc/named/global_include.conf"; global_include.conf

key "rndc_key" {
statistics-channels {
algorithm hmac-md5;
inet 10.0.0.11 port 8053;
secret "c3Ryb25nIGVub3VnaCBmb34gYnV0IG1hZGUgZm9yIGEgd29tYW4K" };
;}

controls {
inet 127.0.0.1 port 953 allow {
localhost;
};
};

acl "admin" {
any;
};

options {
listen-on-v6 { any; };
directory "/etc/namedb";
...
include "/usr/local/nessy2/etc/named/options_include.conf"; options_include.conf

};
check-sibling yes;
zone "mycorp.com"{ transfers-in 100;
tcp-client 400;
type slave;
file "zones/slave/mycorp.com/mycorp.com";
masters {
10.0.3.30;
};
};

Figure O.6. Example of non-supported BIND settings configured for a server

1484
 Configuring Non-Supported Options

Before configuring non-supported settings, keep in mind any invalid option is ignored.

To incorporate non-supported BIND settings on a server

1. Meet the prerequisites and take into account the limitations.
2. Connect to your appliance or Linux server using an SSH session or a console port.
3. Log in as the default admin user, the default password is admin, or using the credentials of
a user with sudo permissions. The default admin user is only available on your appliance.
4. Get root access using the following command:
sudo -s

5. Incorporate non-supported BIND settings for the server in the file that suits your needs:
• To configure settings in the section global, edit the file global_include.conf according to
your needs. The full path to the file is /usr/local/nessy2/etc/named/global_include.conf
• To configure settings in the section options, edit the file options_include.conf according
to your needs. The full path to the file is /usr/local/nessy2/etc/named/options_include.conf
6. Make sure the whole configuration file is still viable using the command:
/usr/local/nessy2/bin/named-checkconf /etc/namedb/named.conf

If no errors are returned and the configuration file is OK, go to the next step. If not, you must
edit the content of the included file because incorrect configurations are ignored.
7. Once the configuration is OK, restart the DNS daemon to take into account your changes
with the command:
service ipmdns.sh restart

If you installed Linux packages, you must stop and start the daemon using the commands:
service ipmdns stop service ipmdns start

8. Make sure the DNS daemon is running with the command:

service ipmdns.sh status

If you installed Linux packages, you must use the following command:
service ipmdns status

1485
 Configuring Non-Supported Options

Configuring Non-Supported BIND Settings on a View

At view level, you can incorporate non-supported settings and parameters to a BIND configuration
file if you create the file:
view_<dnsview-name>_include.conf
Allows to incorporate statements like empty-zones-enable or cleaning-interval to a clause
"view". In this file, no need to specify the statement "view", only its values.

named.conf
key "rndc_key" {
algorithm hmac-md5;
secret "c3Ryb25nIGVub3VnaCBmb34gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
};

controls {
inet 127.0.0.1 port 953 allow {
localhost;
};
};

acl "admin" {
any;
};

view "intranet" {
match-clients {
key myview;
192.168.0.0/24;
};
match-destinations {
!external;
!42.42.42.0/24;
192.168.100.15
};

zone "mycorp.com"{
type slave;
file "zones/slave/mycorp.com/mycorp.com";
masters {
10.0.3.30;
};

include "/data1/etc/named/view_intranet_include.conf"; view_intranet_include.conf

};
cleaning-interval 120;
max-journal-size 1m;
empty-zones-enable no;

Figure O.7. Example of non-supported BIND settings configured for a view called "intranet"

Before configuring non-supported settings, keep in mind any invalid option is ignored.

To incorporate non-supported BIND settings on a view

1. Meet the prerequisites and take into account the limitations.
2. Connect to your appliance or Linux server using an SSH session or a console port.
3. Log in as the default admin user, the default password is admin, or using the credentials of
a user with sudo permissions. The default admin user is only available on your appliance.
4. Get root access using the following command:
sudo -s

1486
 Configuring Non-Supported Options

5. In the directory /data1/etc/namedb/, create the file view_<dnsview-name>_include.conf,

where <dnsview-name> is the name of one of your existing views, and incorporate the non-
supported BIND settings of your choice for the view.
6. Make sure the whole configuration file is still viable using the command:
/usr/local/nessy2/bin/named-checkconf /etc/namedb/named.conf

If no errors are returned and the configuration file is OK, go to the next step. If not, you must
edit the content of the included file because incorrect configurations are ignored.
7. Once the configuration is OK, restart the DNS daemon to take into account your changes
with the command:
service ipmdns.sh restart

If you installed Linux packages, you must stop and start the daemon using the commands:
service ipmdns stop service ipmdns start

8. Make sure the DNS daemon is running with the command:

service ipmdns.sh status

If you installed Linux packages, you must use the following command:
service ipmdns status

Keep in mind that if any option is invalid, the included configuration is ignored until you correct
what needs to be changed. As for conflicting options, they overwrite your configuration.

1487
 Configuring Non-Supported Options

Configuring Non-Supported SNMP Settings

You can configure non-supported SNMP settings that the configuration file snmpd automatically
incorporates after all the directives of the configuration file.

By default, the directory /snmpd contains a file custom.conf that you can edit to specify the settings
of your choice.

Note that you can add as many files as you need in the directory /snmpd.

snmpd.conf
sysDescr EfficientIP SOLIDserver
sysObjectID .1.3.6.1.4.1.2440
sysServices 72
sysContact EfficientIP Support <[email protected]>
sysLocation Unknown
master agentx
agentaddress udp:161
com2sec secu0 default 'public'
group MyROGroup v1 secu0
group MyROGroup v2c secu0
view all included .1 80
access MyROGroup "" any noauth exact all none none
access MyRWGroup "" any noauth exact all none none

## EIP specific conf

includeFile /data1/share/snmp/eip-snmpd.conf
includeFile /data1/share/snmp/eip-traps.conf

agentXPerms 0775 0775 root agentx

## Include file for customizations
## USE WITH CAUTION
includeDir /usr/local/nessy2/etc/snmpd custom.conf

trapcommunity public
trapsess -v 2c -c public 10.0.11.3
authtrapenable 1

Figure O.8. Example of non-supported SNMP settings

Before configuring non-supported settings, keep in mind that there is no validation check for
this file. Any invalid configuration may prevent the service from running properly.

To incorporate non-supported SNMP settings

1. Meet the prerequisites and take into account the limitations.
2. Connect to your appliance using an SSH session or a console port.
3. Log in as the default admin user, the default password is admin, or using the credentials of
a user with sudo permissions.
4. Get root access using the following command:
sudo -s

5. In the directory /usr/local/nessy2/etc/snmpd, edit the file custom.conf according to your needs
or create a file to incorporate the non-supported SNMP options of your choice.
6. Once the configuration is OK, restart the SNMP daemon to take into account your changes
with the command:

1488
 Configuring Non-Supported Options

service snmpd restart

7. Make sure the daemon is running with the command:

service snmpd status

1489
 Configuring Non-Supported Options

Configuring Non-Supported DHCP Configurations

You can configure non-supported DHCP configurations that the configuration files dhcpd and
dhcpd6 automatically incorporates.

Before configuring non-supported options, keep in mind any invalid option is ignored.

Configuring Non-Supported DHCP Configurations in IPv4

By default, the directory /dhcp contains a file global_include.conf that can de edited to specify
the configurations of your choice.

dhcpd.conf
include "/usr/local/nessy2/etc/dhcp/global_include.conf"; global_include.conf
ddns-update-style none;
ddns-updates off; if (exists host-name) {
option server.log-facility local7; log (info,concat("We have host-name:", option host-name));
authoritative; }
option server.min-lease-time 60;

option Avaya-96xxx code 242 = text;

...

subnet 10.254.239.0 netmask 255.255.255.0 {

pool {
range 110.254.239.10 10.254.239.30;
}
}

Figure O.9. Example of a non-supported DHCP configuration

Before configuring non-supported options, keep in mind any invalid option is ignored.

To incorporate non-supported DHCP configurations

1. Meet the prerequisites and take into account the limitations.
2. Connect to your appliance using an SSH session or a console port.
3. Log in as the default admin user, the default password is admin, or using the credentials of
a user with sudo permissions.
4. Get root access using the following command:
sudo -s

5. In the directory /usr/local/nessy2/etc/dhcp, edit the file global_include.conf according to your

needs to incorporate the non-supported DHCP configurations of your choice.
6. Make sure the whole configuration file is still viable using the command:
/usr/local/nessy2/bin/dhcpd -t -cf /data1/etc/dhcpd.conf

If no errors are returned, go to the next step. If not, you must edit the content of the included
file(s) because incorrect configurations are ignored.
7. Once the configuration is OK, restart the DHCP daemon to take into account your changes
with the command:
service ipmdhcp.sh restart

8. Make sure the daemon is running with the command:

service ipmdhcp.sh status

1490
 Configuring Non-Supported Options

Configuring Non-Supported DHCP Configurations in IPv6

By default, the directory /dhcp6 contains a file global_include.conf that can de edited to specify
the configurations of your choice.

dhcpd6.conf
include "/usr/local/nessy2/etc/dhcp6/global_include.conf"; global_include.conf

authoritative;
ddns-update-style none; if (exists host-name) {
option server.omapi-port 7912; log (info,concat("We have client-id:", option dhcp6.client-id));
}
...

subnet6 2001:db8:0:1::/64 {
range6 2001:db8:0:1::129 2001:db8:0:1::254;
}

Figure O.10. Example of a non-supported DHCPv6 configuration

Before configuring non-supported options, keep in mind any invalid option is ignored.

To incorporate non-supported DHCPv6 configurations

1. Meet the prerequisites and take into account the limitations.
2. Connect to your appliance using an SSH session or a console port.
3. Log in as the default admin user, the default password is admin, or using the credentials of
a user with sudo permissions.
4. Get root access using the following command:
sudo -s

5. In the directory /usr/local/nessy2/etc/dhcp6, edit the file global_include.conf according to

your needs to incorporate the non-supported DHCP configurations of your choice.
6. Make sure the whole configuration file is still viable using the command:
/usr/local/nessy2/bin/dhcpd -6 -t -cf /data1/etc/dhcpd6.conf

If no errors are returned, go to the next step. If not, you must edit the content of the included
file(s) because incorrect configurations are ignored.
7. Once the configuration is OK, restart the DHCPv6 daemon to take into account your changes
with the command:
service ipmdhcp6.sh restart

8. Make sure the daemon is running with the command:

service ipmdhcp6.sh status

1491
 Configuring Non-Supported Options

Configuring Non-Supported NTP Settings

You can configure non-supported NTP settings that the configuration file ntp automatically incor-
porates.

By default, the directory /etc contains a file ntp.conf.inc that can de edited to specify the settings
of your choice.

ntp.conf
# By default, exchange time with everybody, but dont allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited

# Local users may interrogate the ntp server more closely.

restrict 127.0.0.1
restrict ::1

## Include file for customizations

## USE WITH CAUTION
includefile /usr/local/nessy2/etc/ntp.conf.inc ntp.conf.inc

peer 192.168.5.6 key 11

peer 2001:db8:1:100 key 33
keys /data1/exports/ntp.keys
trustedkey 11 33

Figure O.11. Example of non-supported NTP settings

Before configuring non-supported settings, keep in mind that there is no validation check for
this file. Any invalid configuration may prevent the service from running properly.

To incorporate non-supported NTP settings

1. Meet the prerequisites and take into account the limitations.
2. Connect to your appliance using an SSH session or a console port.
3. Log in as the default admin user, the default password is admin, or using the credentials of
a user with sudo permissions.
4. Get root access using the following command:
sudo -s

5. In the directory /usr/local/nessy2/etc/, edit the file ntp.conf.inc according to your needs to
incorporate the non-supported NTP options of your choice.
6. Once the configuration is OK, restart the NTP daemon to take into account your changes
with the command:
service ntpd restart

7. Make sure the daemon is running with the command:

service ntpd status

1492
 Configuring Non-Supported Options

Configuring Non-Supported syslog-ng Settings

You can configure non-supported syslog-ng settings that the configuration file syslog-ng
automatically incorporates.

By default, the directory /include can contain any file that you can configure with the settings of
your choice.

syslog.conf
@version:3.7
@define allow-config-dups 1
@include "scl.conf"

@include "eip_syslog-ng.conf"
@include "syslog-ng.d/eip_redirect.conf"

## Include file for customizations

## USE WITH CAUTION
@include "syslog-ng.d/include/*" custom.conf

log {
destination{ file("/tmp/test.log"); };
flags(catchall);
};

Figure O.12. Example of non-supported syslog-ng settings

Before configuring non-supported options, keep in mind that:

• There is no validation check for these files. Any invalid configuration may prevent the service
from running properly.
• The user definitions can override the default configuration.

To incorporate non-supported syslog-ng settings

1. Meet the prerequisites and take into account the limitations.
2. Connect to your appliance using an SSH session or a console port.
3. Log in as the default admin user, the default password is admin, or using the credentials of
a user with sudo permissions.
4. Get root access using the following command:
sudo -s

5. In the directory /usr/local/nessy2/etc/syslog-ng.d/include/, edit the file custom.conf according

to your needs to incorporate the non-supported syslog-ng settings of your choice.
6. Reload the configuration file to take into account the changes using the command:
syslog-ng-ctl reload

If no errors are returned, go to the next step. If not, you must edit the content of the included
files because incorrect configurations are ignored.
7. Make sure the daemon is running with the command:
service syslog-ng status

1493
 Configuring Non-Supported Options

Configuring Non-Supported PostgreSQL Settings

You can configure non-supported NTP settings that the configuration file postgresql automat-
ically incorporates.

postgresql.conf
log_destination = 'syslog'
autovacuum = on
max_connections = 100
maintenance_work_mem = 64MB
update_process_title = off
wal_level = hot_standby
max_wal_senders = 2
listen_addresses = '*'
hot_standby = on
wal_keep_segments = 256
log_min_duration_statement = -1
synchronous_commit = off
commit_delay = 50000
commit_siblings = 5
wal_writer_delay = 2000
geqo_threshold = 9

## Include file for customizations

## USE WITH CAUTION
include_if_exists '/usr/local/nessy2/etc/postgresql.conf.inc' postgresql.conf.inc

shared_preload_libraries = 'auto_explain'
auto_explain.log_min_duration = '1000ms'

Figure O.13. Example of non-supported PostgreSQL settings

Before configuring non-supported options, keep in mind that there is no validation check for
these files. Any invalid configuration may prevent the service from running properly.

To incorporate non-supported PostgreSQL settings

1. Meet the prerequisites and take into account the limitations.
2. Connect to your appliance using an SSH session or a console port.
3. Log in as the default admin user, the default password is admin, or using the credentials of
a user with sudo permissions.
4. Get root access using the following command:
sudo -s

5. In the directory /usr/local/nessy2/etc/, edit the file postgresql.conf.inc according to your needs
to incorporate the non-supported PostgreSQL options of your choice.
6. Restart the PostgreSQL daemon to take into account your changes with the command:
service postgresql restart

7. Make sure the daemon is running with the command:

service postgresql status

1494
 Configuring Non-Supported Options

Configuring Non-Supported OpenSSH Settings

You can customize OpenSSH to:
• Configure non-supported OpenSSH settings that the configuration file sshd_config automat-
ically incorporates.
• Configure a pre-authentication banner message for SSH connections to the appliance, displayed
between the login and password prompts, via the file banner.txt.

sshd_config
## Include file for customizations
## USE WITH CAUTION
Include /usr/local/nessy2/etc/ssh/sshd_config.inc sshd_config.inc
Include /usr/local/nessy2/etc/ssh/sshd_eip_default_config.inc
PermitEmptyPasswords yes
#Port 22 PrintLastLog no
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /usr/local/etc/ssh/ssh_host_rsa_key
#HostKey /usr/local/etc/ssh/ssh_host_ecdsa_key
#HostKey /usr/local/etc/ssh/ssh_host_ed25519_key

# Ciphers and keying

#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
...

Banner /usr/local/nessy2/etc/ssh/banner.txt banner.txt

# override default of no subsystems SSH connection to

Subsystem sftp /usr/local/libexec/sftp-server ddi.mycorp.com, welcome!

# Example of overriding settings on a per-user basis

#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
IPQoS 0x00
HostkeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa

Figure O.14. Example of non-supported OpenSSH settings and SSH banner customization

1495
 Configuring Non-Supported Options

Before configuring non-supported options, keep in mind that there is no validation check for these
files, so if you misconfigure sshd_config.inc you can lose access to your appliance via
SSH.

To incorporate non-supported OpenSSH settings and/or edit the SSH banner

1. Meet the prerequisites and take into account the limitations.
2. Connect to your appliance using an SSH session or a console port.
3. Log in as the default admin user, the default password is admin, or using the credentials of
a user with sudo permissions.
4. Get root access using the following command:
sudo -s

5. Edit the file that suits your needs:

• To configure non-supported OpenSSH settings, edit the file sshd_config.inc according to
your needs. The full path to the file is /usr/local/nessy2/etc/ssh/sshd_config.inc .
Keep in mind that if you misconfigure this file you can lose SSH access to your appliance.
• To configure a pre-authentication banner message for the appliance, create a file banner.txt
containing the message of your choice. The file content is displayed between the login
prompt and the password prompt whenever a user connects to the appliance via SSH.
The full path to the file is /usr/local/nessy2/etc/ssh/banner.txt .
6. Make sure the whole configuration file is still viable using the command:
sshd -t

If no errors are returned, go to the next step. If not, you must edit the content of the included
file(s) because incorrect configurations can prevent you from connecting with SSH.
7. Once the configuration is OK, restart the OpenSSH daemon to take into account your changes
with the command:
service sshd restart

1496

Index
A Administration
ACL (DHCP), 423
adding, 425
adding ACL entries, 430
adding an ACL based on option 82, 455
copying (DHCPv4), 426
deleting, 428
deleting ACL entries, 430
editing, 426
granting access to known clients, 425
retrieving lease "domain-name" (DHCPv4), 427
ACL (DNS)
configuring on a server, 572
editing a view match clients list, 597
editing a view match destination list, 597
Active Directory
authenticating users, 1158
domain controllers (see Identity Manager)
dynamic update authentication, 691
hosting AD domain zones, 630
addresses
device addresses (see NetChange)
IP addresses (see addresses (IPAM))
addresses (IPAM), 256
adding, 258
adding by search, 261
adding manually, 258
aliases (see aliases (IPAM))
assigning, 258
automating IPv4 to IPv6 transition, 804
cleaning invalid addresses, 273
cloud addresses (see cloud synchronization)
deleting, 273
DNA synchronization, 1400
editing, 262
editing the network/broadcast address, 262
finding Identity Manager sessions, 270
importing
NetID data, 177
VitalQIP data, 176
importing via CSV, 142
migrating IPv4 addresses properties, 269
moving IPv4 addresses across networks, 268
moving IPv4 addresses across spaces, 269
moving IPv4 addresses across the VLSM, 303
pinging an address, 270
raw data export/import, 276
renaming IPv4 addresses massively, 267
restoring deleted IP addresses, 274
statuses and types, 257
1497
updating
Device Manager interfaces, 1066
updating from
NetChange discovered items, 1005
Alerts (see alerts)
All licenses (see license)
Backup & Restore (see backup)
Centralized Management (see centralized manage-
ment)
Certificates and keys
certificates (see SSL)
database keys (see database encryption)
GSS-TSIG keys (see GSS-TSIG)
Class Studio (see Class Studio)
Custom DB (see Custom DB)
custom packages (see Packager)
customization (see Customization)
exporting data (see exports)
Firewall rules (see firewall rules)
importing via CSV, 171
Internal module setup, 33
Local files listing (see local files listing)
maintenance (see maintenance)
monitoring (see monitoring)
Network capture (see troubleshooting)
Network configuration (see network configuration)
Network devices & SNMP profiles
Network devices connection profiles (see ver-
sioning (NetChange))
SNMP profiles configuration (see SNMP)
Reboot the system, 1264
Services configuration (see services configuration)
Session tracking (see tracking)
Shutdown the system, 1265
Syslog (see logs)
System statistics (see statistics)
Time & Date configuration, 92
Troubleshooting dump (see troubleshooting)
Upgrade (see upgrade)
User tracking (see tracking)
Users, Groups & Rights, 1136
Authentication rules (see authentication rules)
Groups (see groups of users)
Resources (see groups of users)
Rights (see groups of users)
Users (see users)
advanced properties, 778
configuring DHCP properties
to update the DNS, 806
to update the IPAM, 806
configuring DNS properties
to update the IPAM, 810
configuring IPAM properties
 Index

to update Device Manager, 794 RPZ data, 758

to update the DHCP, 780 answerlog
to update the DNS, 780 DNS, 766
to update VLAN Manager, 784 Guardian, 918
within the IPAM, 780 anycast, 575
Internal module setup, 33 for BGP, 580
reconciling the inheritance, 776 for IS-IS, 585
setting on several objects parameters, 812 for OSPF, 576
alerts, 1219 appliance
adding, 1221 default gateway, 97
checking state, 1225 high availability (see high availability management)
dismissing, 1225 hostname, 99
editing, 1223 reboot, 1264
enabling/disabling, 1224 remote management, 1173
exporting, 191 shutdown, 1265
aliases (IPAM) SNMP agent, 123
configuring on an IP address, 264 space synchronization between appliances, 1284
deleting, 266 time and date configuration, 92
editing, 265 troubleshooting, 1256
restoring deleted aliases, 274 upgrading (see upgrade)
allow-notify Application, 814
at server level, 552 applications, 819
at view level, 602 adding and deploying, 820
at zone level, 652 associating with GSLB servers, 823
allow-query deleting, 824
at server level, 553 dissociating from GSLB servers, 823
at view level, 606 editing, 823
at zone level, 655 configuring the module, 816
allow-query-cache IP address labels (see labels in IPv6)
at server level, 554 limitations, 816
at view level, 607 nodes, 829
allow-recursion, 550 adding, 831
allow-transfer deleting, 835
at server level, 556 editing, 834
at view level, 608 managing/unmanaging, 834
at zone level, 656 pools, 825
allow-update, 657 adding, 826
also-notify deleting, 828
at server level, 552 editing, 827
at view level, 602 prerequisites, 816
alt-transfer-source rights and resources, 1138
at server level, 568 service configuration, 122
at view level, 612 traffic policies, 819
at zone level, 660 adding and deploying, 821
alt-transfer-source-v6 AS numbers (see SPX)
at server level, 568 aut-nums (see SPX)
at view level, 612 authentication rules, 1156
at zone level, 660 Active Directory, 1158
Amazon Route 53 adding, 1157
DNS servers, 526 deleting, 1168
analytics editing, 1167
DHCP data, 467 enabling/disabling, 1167
DNS data, 758 LDAP, 1160
Guardian data, 857 OpenID, 1163

1498
 Index

RADIUS, 1162 duplicating, 1325

AWS editing, 1324
Amazon Route 53 DNS servers, 526 enabling, 1326
synchronizing data in the IPAM, 313 moving, 1326
Azure renaming, 1325
Azure DNS servers, 538 using another or no class, 1327
synchronizing data in the IPAM, 317 editing meta-data, 1324
rights and resources, 1138
B cloud synchronization, 312
backup, 1258 AWS data in the IPAM, 313
archiving on FTP/SFTP server, 1261 Azure data in the IPAM, 317
creating an instant backup, 1260 configuring, 312
downloading backup file, 1262 disabling, 324
editing backup frequency and settings, 1260 GCP data in the IPAM, 320
restoring, 1263 monitoring, 323
uploading, 1262 configuration file
BGP (anycast), 580 BIND (named.conf), 125
BIND DHCP (dhcpd.conf), 125
DNS server packages on Linux, 514 DHCPv6 (dhcpd6.conf), 125
importing DNS data, 187 NSD (nsd.conf), 125
blackhole, 557 Unbound (unbound.conf), 125
Configuring SOLIDserver
network (see network configuration)
C services (see services configuration)
CARP (Common Address Redundancy Protocol),
time and date configuration, 92
107
Custom DB, 1376
centralized management
custom data
high availability (see high availability management)
adding, 1378
license management (see license)
deleting, 1379
remote appliances (see remote management)
editing, 1379
certificate
exporting, 191
changing the HTTPS certificate, 120
importing via CSV, 173
managing certificates (see SSL)
custom database
Cisco DNA synchronization, 1400
adding, 1376
class parameters
deleting, 1377
configuring advanced properties, 778
editing, 1377
configuring class objects, 1328
exporting, 191
configuring inheritance property, 772
Customization, 1302
configuring propagation property, 774
classes (see Class Studio)
reconciling the inheritance, 776
databases (see Custom DB)
setting on several objects, 775
graphical interface (see customizing the GUI)
Class Studio, 1318
IP address labels (see labels in IPv6)
class objects, 1328
packages (see Packager)
adding, 1330
Smart Folders (see Smart Folders)
deleting, 1375
customizing the GUI, 1304
editing, 1373
adding a background image on login page, 1304
reconciling the inheritance, 776
adding a disclaimer on login page, 1306
reordering, 1374
adding an image on welcome banner, 1308
setting on several objects parameters, 775
editing welcome banner message, 1308
classes, 1328
hiding welcome banner, 1308
adding, 1322
removing the image from welcome banner, 1309
applying, 1323
setting your own field names, 1309
deleting, 1327
disabling, 1326

1499
 Index

D renaming, 1060
managing IPAM interaction, 1066
Dashboards, 202
using the link option, 1069
dashboards, 204
using the MAC address, 1066
adding, 205
ports, 1052
deleting, 208
adding manually, 1056
displaying/hiding, 205
deleting, 1065
editing, 206
discovering, 1054
ordering, 205
editing, 1061
gadgets, 209
managing/unmanaging, 1053
adding, 215
renaming, 1060
assigning, 221
rights, 1140
default gadgets, 1397
tracking changes, 1064
deleting, 226
updating from
displayed by default, 211
IPAM addresses automatically, 1048
displaying/hiding, 223
IPAM addresses manually, 1066
editing, 223
NetChange discovered items, 1047
enabling/disabling, 225
NetChange network devices, 1047
setting visibility, 225
devices
database encryption, 1277
devices (see Device Manager)
activating, 1278
network devices (see network devices
adding database keys, 1278
(NetChange))
deactivating, 1281
DHCP, 325
deleting database keys, 1281
ACL (see ACL (DHCP))
downloading database keys, 1280
delegated prefixes (v6), 463
importing database keys, 1280
exporting data (see exports)
DDNS
failover (see failover channels)
Dynamic DNS (see dynamic update)
groups (see groups (DHCP))
scavenging, 642
importing data (see imports)
secure Dynamic DNS (see secure dynamic up-
IP address labels (see labels in IPv6)
date)
IP helper, 401
delegated prefixes (DHCPv6), 463
ISC server packages on Linux, 377
Device Manager, 1041
leases (see leases)
configuring Device Manager, 1044
monitoring
devices, 1043
audit, 466
adding automatically, 1045
from the page Analytics, 467
adding from DHCP lease/static, 1071
from the properties page, 465
adding manually, 1048
lease statistics, 465
deleting, 1050
server analytics, 465
duplicating, 1049
state log, 466
editing, 1049
using rules, 473
managing/unmanaging, 1044
options (see DHCP options)
merging, 1050
prefix delegations (see DHCPv6 prefix delegations)
dual stack (see dual stack)
preventing IP address duplication, 453
exporting data (see exports)
ranges (see ranges (DHCP))
importing data via CSV, 159
reporting (see reports)
interfaces, 1052
rights and resources, 1138
adding automatically, 1055
scopes (see scopes)
adding from DHCP lease/static, 1071
servers (see servers (DHCP))
adding manually, 1058
shared networks (see shared networks)
deleting, 1065
smart architectures (see smart architectures)
discovering, 1054
statics (see statics)
editing, 1062
DHCP options, 445
managing/unmanaging, 1053
all available options, 1404

1500
 Index

at group level DNSCrypt, 588

configuring options, 433 EDNS (see EDNS options)
at range level (DHCPv4) exporting data (see exports)
configuring options, 410 Guardian (see Guardian)
setting on several ranges, 411 Hybrid (see Hybrid)
at scope level importing data (see imports)
configuring options, 396 monitoring
setting on several scopes, 397 answerlog, 766
at server level audit, 757
aggregating range options, 388 from the page Analytics, 758
aggregating static options, 388 from the properties page, 756
configuring options, 388 queries and answers, 765
at static level query statistics, 757
configuring options, 441 querylog, 765
setting on several statics, 442 state log, 757
configuring, 447 reporting (see reports)
configuring option definitions resource records (see resource records)
adding to a DHCPv4 server, 448 Response Policy Zone (see RPZ)
adding to a DHCPv6 server, 448 rights and resources, 1138
importing servers (see servers (DNS))
Infoblox data, 182 smart architectures (see smart architectures)
ISC data, 179 views (see views)
MetaIP data, 183 zones (see zones)
Microsoft data, 181 DNS firewall (see RPZ)
NetID data, 184 DNS Security Extensions (see DNSSEC)
VitalQIP data, 180 DNS64, 563
preventing duplication (ping check), 453 configuring/disabling, 566
PXE, 451 supported substatements, 564
relay agent information (option 82), 454 DNSSEC, 733
relay agent information in DHCPv6, 456 chain of trust, 750
vendor class identifier, 454 KSK, 741
vendor specific information (option 43), 456 generation, 744
DHCPv6 delegated prefixes, 463 rollover, 743
DHCPv6 prefix delegations, 460 on authoritative servers, 734
adding, 461 on recursive servers, 750
deleting, 462 records
limitations, 461 DNSKEY, 734
prerequisites, 460 DS, 735
specificities, 460 NSEC/NSEC3, 735
discovered items (NetChange), 1003 NSEC3PARAM, 735
purging, 1006 RRSIG, 735
refreshing, 1005 resolvers, 750
tracking the history, 1006 signing keys, 741
updating cleaning expired signing key, 749
Device Manager interfaces, 1047 deleting, 748
IPAM addresses, 1005 disabling, 747
DNA synchronization (Cisco), 1400 enabling, 748
DNS, 476 trust anchor, 752
BIND server packages on Linux, 514 validation, 750
configuring the appliance resolver, 100 zones
DDNS (see dynamic update) publishing the DS, 739
DNS keys, 574 signing, 735
DNS Security Extensions (see DNSSEC) signing with an additional KSK, 749
DNS64 (see DNS64) unsigning, 749

1501
 Index

ZSK, 741 raw data (IPAM), 276

rollover, 742 scheduled exports
dual stack managing configuration details, 200
in Device Manager managing generated exports, 199
interfaces, 1052
interfaces interacting with the IPAM, 1066 F
ports, 1052 failover
in NetChange between appliances, 1183
addresses, 1001 configuring a virtual IP, 107
discovered items, 1003 setting an Ethernet port failover, 105
routes, 967 failover channels, 356
on a default gateway, 97 safe failover principles, 356
on a loopback interface, 112 states
on a static route, 98 communications-interrupted, 358
on a virtual interface (VIF), 110 normal, 357
on a virtual IP address (VIP), 107 partner-down, 358
on a VLAN interface, 103 switching to partner-down, 362
on an Ethernet port failover, 105 Farm
on an interface, 96 DNS (see smart architectures)
duplication file transfer
preventing IP duplication (DHCP), 453 using SFTP/SCP/RSYNC, 118
dynamic update, 691 firewall (DNS) (see RPZ)
configuring dynamic update, 691 firewall rules, 100
secure Dynamic DNS (see secure dynamic up- adding, 101
date) deleting, 103
setting allow-update on a zone, 657 editing, 102
setting zone authorizations on a server, 570 enabling/disabling, 100
forwarding
E logs, 1228
Ecosystem (see cloud synchronization) security events, 1238
EDNS options user tracking events, 1234
at server level, 559 forwarding (DNS)
at view level, 610 at server level, 547
EfficientIP at view level, 601
DHCP package servers, 377 at zone level, 651
DHCP servers, 366
DNS package servers, 514 G
DNS servers, 505 GCP
encrypting the database (see database encryption) synchronizing data in the IPAM, 320
exports, 190 Generic
available objects, 191 DNS servers, 523
configuring exports, 193 Global Policies, 768
database, 192 advanced properties (see advanced properties)
export templates, 200 inheritance (see inheritance property)
exporting to reimport, 195 propagation (see propagation property)
Administration data, 199 groups (DHCP), 432
Device Manager data, 198 adding, 433
DHCP data, 196 configuring options, 433
DNS data, 197 deleting, 434
IPAM data, 195 importing
NetChange data, 197 Infoblox data, 182
VLAN Manager data, 198 ISC data, 179
VRF data, 198 MetaIP data, 183

1502
 Index

groups of users, 1138 rights and resources, 1138

adding, 1139 service configuration, 121
deleting, 1147 setting the configuration, 844
editing, 1146 available parameters, 845
enabling/disabling, 1147 capturing the traffic, 852
exporting, 191 editing, 848
importing via CSV, 171 statistics, 864
managing resources, 1141 client statistics, 874
managing rights, 1140 server statistics, 864
managing users as resource, 1145 triggers, 902
users (see users) adding, 904
GSS-TSIG, 691 configuring the quarantine redirect, 849
configuring on a server, 695 deleting, 921
configuring on a zone, 696 editing, 920
generating a GSS-TSIG key, 694 enabling querylog/answerlog, 918
uploading a GSS-TSIG key, 694 managing/unmanaging, 921
Guardian, 836 views, 922
analytics, 857 configuring the quarantine redirect, 849
cache, 884 enabling/disabling, 923
activation status, 850 filtering using lists, 927
clearing automatically, 893 identifying clients, 924
clearing manually, 891 logging client activity, 932
displaying, 884 setting a transparent DNS proxy, 933
forcing entries expiration, 890 GUI, 36
resetting, 889 bookmarks, 79
restoring, 890 charts, 81
saving, 890 columns management, 53
sending, 896 contextual menu, 68
sharing, 895 customizing
configuring the module, 839 login page, 1304
limitations, 839 names and fields, 1309
lists, 934 welcome banner, 1307
clearing, 945 Global search, 44
configuring, 938 Home, 37
defining the type, 937 IPv6 labels, 70
identifying clients, 942 listing pages, 53
renaming, 937 modules, 38
resetting the counter, 945 Multi-status column, 69
saving, 944 My account, 48
monitoring from the GUI, 853 navigation, 36
analytics, 857 notifications, 46
statistics, 853 properties pages, 71
policies, 898 quick wizards, 85
adding, 899 Smart Folders, 43
deleting, 901 Tree view, 41
deploying, 899 wizards, 72
duplicating, 900
editing, 900 H
prerequisites, 839 hardware appliances
Rescue mode, 946 first configuration, 19
configuring, 947 SOLIDserver-1100, 15
disabling, 950 SOLIDserver-1170, 5
forcing, 949 SOLIDserver-2200, 15
prerequisites, 946

1503
 Index

SOLIDserver-2270, 5 directories, 1127

SOLIDserver-260, 13 adding, 1128
SOLIDserver-270, 4 deleting, 1130
SOLIDserver-3300, 16 editing, 1129
SOLIDserver-3370, 7 statuses, 1128
SOLIDserver-50, 16 synchronizing, 1129
SOLIDserver-550, 16 identities, 1131
SOLIDserver-570, 5 rights, 1140
SOLIDserver-7070, 12 service configuration, 121
SOLIDserver-Blast Series (4th gen), 13 sessions, 1133
SOLIDserver-Blast Series (5th gen), 3 finding sessions from the IPAM, 1134
high availability management, 1183 purging, 1135
adding a remote appliance, 1177 imports
appliances role, 1174 data via CSV file, 128
configuring the high availability, 1183 Administration, 171
disabling the high availability, 1199 Device Manager, 159
managing remote network and services, 1179 DHCP, 145
managing the configuration, 1186 DNS, 153
frequently asked questions, 1197 IPAM, 130
switching the appliances role, 1187 NetChange, 157
updating the Hot Standby database, 1187 SPX, 167
monitoring logs/statistics/time drift, 1180 VLAN Manager, 161
replacing an appliance, 1198 VRF, 165
setting advanced options, 1188 from
anticipating network disruption, 1190 BIND DNS, 187
checking the automatic switch status, 1188 Infoblox DHCP, 182
controlling the automatic switch, 1188 ISC DHCP, 179
editing the re-enrollment settings, 1190 MetaIP DHCP, 183
statuses, 1176 Microsoft DHCP, 181
troubleshooting the configuration, 1192 NetID DHCP, 184
disabling without loosing the database, 1195 NetID IPAM data, 177
troubleshooting a split-brain, 1194 VitalQIP DHCP, 180
troubleshooting the messages, 1193 VitalQIP DNS, 188
HTTPS VitalQIP IPAM data, 176
changing the certificate, 120 import templates, 174
Hybrid, 724 raw data (IPAM), 277
checking compatibility, 724 Imports and Exports, 126
forcing compatibility, 730 Infoblox
generating incompatibilities report, 725 importing DHCP data, 182
managing backup and restoration, 732 inheritance property
NSD, 728 configuring, 772
switching back to BIND, 731 reconciling, 776
switching to Hybrid, 727 setting on advanced properties, 812
Unbound, 729 setting on several objects parameters, 775
interfaces
I configuring the speed/duplex, 114
Identity Manager, 1120 default interface, 96
configuring the module, 1122 Device Manager interfaces (see Device Manager)
AD domain controller, 1124 dual stack (see dual stack)
directory synchronization frequency, 1126 loopback interface, 112
limitations, 1122 network interfaces (see network configuration)
prerequisites, 1122 virtual interface, 110
SOLIDserver, 1122 Internal module setup, 33
IP addresses (see addresses)

1504
 Index

IPAM, 227 lame-ttl

addresses (see addresses) at server level, 558
APNIC management (see SPX) at view level, 609
automating IPv4 to IPv6 transition, 800 LDAP
DNA synchronization, 1400 authenticating users, 1160
ecosystem (see cloud synchronization) configuring authentication via SSH, 1464
exporting data (see exports) leases, 413
importing data (see imports) blacklisting (DHCPv4), 418
IP address labels (see labels in IPv6) converting to statics (DHCPv4), 417
IP addresses (see addresses (IPAM)) defining leases duration, 416
networks (see networks (IPAM)) deleting (DHCPv4), 422
pools (see pools (IPAM)) displaying relay agent information, 419
provisioning (see templates (IPAM)) enabling ping check, 453
rights and resources, 1138 importing
RIPE management (see SPX) Infoblox data, 182
spaces (see spaces (IPAM)) ISC data, 179
SPX management (see SPX) MetaIP data, 183
templates (see templates (IPAM)) purging leases history, 420
updating repairing at server level, 387
Device Manager with addresses, 1066 tracking all leases, 413
updating from license, 1202
NetChange discovered items, 1005 activating, 1208
VLSM (see VLSM) exporting metrics, 191
IPLocator (see NetChange) exporting remote license keys, 1206
IS-IS (anycast), 585 refreshing the metrics, 1204
ISC renewing, 1205
DHCP server packages on Linux, 377 requesting a license key, 1205
importing DHCP data, 179 statuses, 1204
Linux
K DHCP ISC server packages, 377
keys DNS BIND server packages, 514
database keys, 1277 list templates, 63
GSS-TSIG, 691 local files listing, 1248
KSK (see DNSSEC) Config files, 1249
signing keys (see DNSSEC) Custom images, 1249
SSH keys for SFTP backups, 1261 Custom WSDL (see WSDL files)
trust anchor, 752 deleting, 1250
TSIG downloading, 1250
for dynamic update at server level, 570 Local, 1249
for dynamic update at zone level, 657 Logs, 1249
to secure a server, 544 TFTP, 1249
ZSK (see DNSSEC) uploading, 1250
Locked synchronization
on a DHCP smart architecture, 353
L on a DNS smart architecture, 501
labels in IPv6, 1315
logs
adding, 1315
configuring redirection, 1228
Application, 1315
displaying, 1226
deleting, 1317
exporting, 191
DHCP, 1315
sending user operations to syslog, 1233
displaying/hiding, 1316
loopback interface, 112
editing, 1316
IPAM, 1315
NetChange, 1315

1505
 Index

M configuration files (see versioning (NetChange))

discovered items (see discovered items
maintenance
(NetChange))
backup (see backup)
displaying statistics, 1008
clearing SOLIDserver cache, 1255
dual stack (see dual stack)
local files listing (see local files listing)
exporting data (see exports)
maintenance mode, 1255
importing data via CSV, 157
reboot appliance, 1264
IP address labels (see labels in IPv6)
shutdown appliance, 1264
keeping the database up to date, 1010
troubleshooting (see troubleshooting)
network devices (see network devices
updating macros and rules, 1255
(NetChange))
Master/Slave
ports (see ports (NetChange))
DNS (see smart architectures)
rights and resources, 1138
match-clients, 594
routes (see routes (NetChange))
match-destinations, 594
versioning (see versioning (NetChange))
max-cache-size
VLANs (see VLANs (NetChange))
at server level, 558
NetID
at view level, 609
importing DHCP data, 184
meta-data
importing IPAM data, 177
editing, 1324
netstat, 1246
reconciling the inheritance, 776
network configuration, 95
setting on several objects, 775
adding a specific route, 98
MetaIP
appliance hostname, 99
importing DHCP data, 183
basic interface configuration, 96
Microsoft
default gateway, 97
Azure DNS servers, 538
default interface IPv4/IPv6, 96
importing DHCP data, 181
DNS resolver, 100
Windows DHCP server, 371
dual stack (see dual stack)
Windows DNS servers, 511
Ethernet port failover, 105
minimal-responses, 560
firewall (see firewall rules)
monitoring
interface speed/duplex, 114
alerts (see alerts)
interface trunking (802.1q), 103
DHCP data, 465
loopback interface, 112
DNS data, 756
static route, 98
forwarding events, 1233
VHID, 107
security events, 1238
virtual interface, 110
user tracking events, 1234
virtual IP (VIP), 107
high availability appliances, 1180
VLAN interface, 103
logs, 1226
network devices (NetChange), 955
netstat, 1246
adding, 957
remote appliances, 1180
automatically adding as group resource, 965
reports (see reports)
automating devices synchronization, 1011
sizing database tables, 1246
connecting via web/SSH/telnet, 964
SNMP (see SNMP)
customizing the devices type, 1012
system statistics, 1229
deleting, 966
tracking sessions, 1231
discovering, 958
tracking users, 1231
displaying statistics, 1008
Multi-Master
editing SNMP properties, 961
DNS (see smart architectures)
enabling/disabling 802.1X authentication, 960
making a snapshot, 964
N refreshing, 962
NetChange, 951 scheduling a refresh, 963
addresses, 1001 updating
available licenses, 952 Device Manager devices, 1047

1506
 Index

network flows NSD (see Hybrid)

DHCP, 1389 NTP, 92
DNS, 1391 configuring the NTP server, 92
High Availability, 1396 forcing an NTP update, 94
Identity Manager, 1395
IPAM, 1388 O
NetChange, 1394 One-to-Many
Remote Management, 1396 DHCPv4 (see smart architectures)
SOLIDserver, 1387 One-to-One
networks (IPAM), 235 DHCPv4 (see smart architectures)
automating IPv4 to IPv6 transition, 802 OpenID
block-type authenticating users, 1163
accessing network map, 246 options
adding, 238 DHCP (see DHCP options)
deleting, 250 EDNS (see EDNS options)
DNA synchronization, 1400 on DNS servers, 547
editing, 243 on DNS views, 601
finding Identity Manager sessions, 248 OSPF (anycast), 576
moving, 245
splitting, 244
cloud networks (see cloud synchronization)
P
Packager, 1381
importing
creating packages, 1382
NetID data, 177
deleting, 1385
VitalQIP data, 176
downloading, 1385
importing via CSV, 132
installing/uninstalling, 1384
raw data export/import, 276
replacing, 1384
subnet-type
uploading, 1382
accessing network map, 246
ping
adding By search, 240
addresses, 270
adding manually, 238
leases, 453
creating from NetChange routes, 970
terminal networks (IPv4 only), 246
deleting, 250
pools (IPAM), 252
discovering assigned IPv4 addresses, 246
adding, 253
DNA synchronization, 1400
deleting, 255
editing, 243
importing via CSV, 139
editing the network/broadcast address, 262
raw data export/import, 276
finding available terminal networks, 240
reserving, 254
finding Identity Manager sessions, 248
resizing (IPv4 only), 254
managing/unmanaging, 248
templates (see templates (IPAM))
merging, 244
port-security (see ports (NetChange))
moving, 245
ports
splitting, 244
Device Manager ports (see Device Manager)
statuses, 237
NetChange ports (see ports (NetChange))
templates (see templates (IPAM))
on hardware appliances, 3
notify
ports (NetChange), 975
at server level, 552
associating a port with a VLAN, 985
at view level, 602
configuring tagging mode, 984
at zone level, 652
displaying statistics, 1008
notify-source
editing interconnection, 977
at server level, 568
editing speed and duplex, 978
at view level, 612
enabling/disabling, 977
notify-source-v6
enabling/disabling 802.1X authentication, 979
at server level, 568
limiting edition rights, 983
at view level, 612

1507
 Index

restricting access with port-security, 980 configuring the management appliance, 1177
updating description, 978 deleting remote appliances, 1199
prefetch, 560 editing remote appliances, 1186
prefix delegations (see DHCPv6 prefix delegations) managing remote network and services, 1179
propagation property monitoring logs/statistics/time drift, 1180
configuring, 774 replacing an appliance, 1198
setting on advanced properties, 812 statuses, 1176
setting on several objects parameters, 775 upgrading remote appliances, 1292
PXE, 452 reports, 1210
available reports, 1211
Q downloading and displaying, 1218
query-source generating, 1216
at server level, 567 managing scheduled reports, 1219
at view level, 611 on DHCP scopes, 1212
query-source-v6 on DHCP servers, 1211
at server level, 568 on DNS servers, 1212
at view level, 612 on DNS views, 1214
querylog on DNS zones, 1214
DNS, 765 on NetChange network devices, 1215
Guardian, 918 on system statistics, 1216
on users, 1155
scheduling, 1217
R resource records, 663
RADIUS
adding, 665
authenticating users, 1162
A, 667
configuring a FreeRadius server, 1459
AAAA, 667
configuring authentication via SSH, 1469
AFSDB, 668
configuring OneTime Password, 1462
CAA, 669
configuring with Cisco RADIUS ACS, 1460
CERT, 669
ranges (DHCP), 404
CNAME, 670
adding, 405
DHCID, 671
configuring options, 410
DNAME, 671
deleting, 412
DNSKEY, 672
editing, 408
DS, 740
importing
HINFO, 673
Infoblox data, 182
MINFO, 674
ISC data, 179
MX, 674
MetaIP data, 183
NAPTR, 675
Microsoft data, 181
NS, 676
NetID data, 184
NSAP, 677
VitalQIP data, 180
OPENPGPKEY, 677
importing via CSV, 148
PTR, 678
replicating in the IPAM, 409
SRV, 680
resizing, 409
SSHFP, 679
raw data (IPAM)
TLSA, 680
exporting objects as raw data, 276
TXT, 681
importing objects as raw data, 277
URI, 682
records (see resource records)
WKS, 682
recursion
changing hostname convention, 688
at server level, 549
copying, 687
at view level, 604
delegation, 686
recursive-clients, 551
deleting, 690
remote management, 1173
DNSSEC records (see DNSSEC)
adding remote appliances, 1177
editing, 683

1508
 Index

importing via CSV, 155 statuses, 704

load balancing, 688 synchronizing, 707
moving, 687 RR (see resource records)
scavenging (DDNS), 642 RRL, 562
SOA, 665 RSYNC password, 118
resetting, 630
SPF, 689 S
supported records, 665 scavenging (DDNS), 642
Response Policy Zone (see RPZ) scopes, 393
Response Rate Limiting (RRL), 562 adding, 394
rights management, 1136 configuring a relay agent, 401
groups (see groups of users) configuring options, 396
rights (see groups of users) copying (DHCPv4), 401
rules (see authentication rules) defining a failover for, 398
user profiles (see groups of users) defining a space for, 398
users (see users) deleting, 403
Route Target (see VRF) editing, 395
routes importing
adding a specific route, 98 Infoblox data, 182
dual stack (see dual stack) ISC data, 179
NetChange routes (see routes (NetChange)) MetaIP data, 183
static route, 98 Microsoft data, 181
routes (NetChange), 967 NetID data, 184
creating in the IPAM, 970 VitalQIP data, 180
enabling the registry key to display VRF routes, importing via CSV, 146
969 moving (DHCPv4), 401
RPZ, 702 replicating in the IPAM, 399
rules (records), 712 setting a shared network, 400
adding for a domain name, 714 SCP password, 118
adding for a name server domain name, 718 secure dynamic update, 691
adding for a name server IP address, 718 configuring the AD domain zone, 696
adding for an IP address, 716 configuring the local server, 695
adding for specific resources, 720 generating a GSS-TSIG key, 694
deleting, 722 preparing the AD server, 692
importing via CSV, 156 uploading a GSS-TSIG key, 694
monitoring from the page Analytics, 758 securing
NODATA policies, 712 access via SSL, 1268
NXDOMAIN policies, 712 encrypting the database (see database encryption)
overriding, 721 security
PASSTHRU policies, 712 firewall, 100
REDIRECT policies, 712 forwarding security events, 1238
zones, 703 saving a backup of the appliance, 1258
adding, 705 SSH password, 117
configuring, 649 servers (DHCP), 364
converting, 709 adding
deleting, 712 EfficientIP servers, 366
disabling/enabling, 711 ISC DHCP servers, 384
editing, 707 Microsoft servers, 373
force-notify, 709 configuring options, 387
force-refresh, 710 deleting, 389
force-retransfer, 710 editing, 386
forcing a full synchronization, 707 importing
monitoring from the page Analytics, 758 Infoblox data, 182
ordering, 708

1509
 Index

ISC data, 179 shared networks, 390

MetaIP data, 183 adding, 391
Microsoft data, 181 deleting, 392
NetID data, 184 editing, 391
VitalQIP data, 180 importing
importing content via CSV, 145 Microsoft data, 181
repairing leases, 387 Single-Server
statuses, 365 DHCPv4/DHCPv6 (see smart architectures)
synchronizing, 386 DNS (see smart architectures)
servers (DNS) smart architectures
adding DHCPv4, 330
Amazon Route 53 servers, 526 managing, 336
Azure servers, 538 One-to-Many, 339
BIND servers, 514 One-to-One, 337
EfficientIP servers, 505 Single-Server, 343
Generic servers, 523 Split-Scope, 341
Microsoft servers, 511 DHCPv6, 330
appliance resolver, 100 managing, 336
authenticating zones dynamic update, 570 Single-Server, 344
configuring, 547 Split-Scope, 346
deleting, 546 Stateless, 347
editing, 543 DNS, 481
flushing the cache, 545 Farm, 494
forwarding the original query IP address, 591 managing, 485
importing Master/Slave, 487
BIND data, 187 Multi-Master, 488
VitalQIP data, 188 Single-Server, 492
importing content via CSV, 153 Stealth, 490
integrating Cisco Umbrella, 588 locked synchronization (DHCP), 353
securing with TSIG, 544 locked synchronization (DNS), 501
statuses, 504 Smart Folders, 1311
synchronizing, 542 adding, 1312
services configuration, 115 deleting, 1314
DNS Guardian, 121 editing, 1313
downloading DHCP/DNS configuration files, 125 sharing with other users, 1313
enabling/disabling a service, 116 SMTP, 119
GSLB server, 122 SNMP, 123
HTTPS certificate, 120 configure the local agent, 123
NTP server (time and date), 92 metrics, 1434
SMTP relay, 119 monitoring, 1245
SNMP server, 123 DHCP, 1442
SSH admin account, 117 DNS, 1443
starting/stopping a service, 116 Guardian, 1446
TFTP upload authorizations, 118 hardware, 1436
Windows Events Collector, 121 prerequisites, 1434
xfer account (SFTP/SCP/RSYNC), 118 system, 1438
sessions profiles, 1243
changing your password, 89 SOLIDserver
configuring user session time, 1153 clearing SOLIDserver cache, 1255
configuring your settings, 88 dual stack (see dual stack)
exporting, 191 first configuration, 19
redirecting after log out/expiration, 1154 GUI, 36
tracking, 1231 hardware appliances front/back panel, 3
SFTP password, 118 high availability (see high availability management)

1510
 Index

incorporating non-supported options, 1473 registering changes, 1113

network configuration, 95 validating a new assignment window, 1113
services configuration, 115 persons, 1101
space synchronization between appliances, 1284 adding, 1102
time and date configuration, 92 deleting, 1103
upgrading (see upgrade) displaying dedicated columns, 1101
user access configuration, 1136 editing, 1102
using for the first time, 31 registering changes, 1103
requesting and activating a license, 32 rights, 1140
sortlist SSH, 117
at DNS level, 561 enable/disable, 116
at view level, 611 login, 117
sources password, 117
at server level, 567 password security level, 117
at view level, 611 SSL
at zone level, 659 certificate, 120
space synchronization between appliances, 1284 creating, 1272
disabling, 1288 deleting, 1277
exposing, 1285 downloading, 1276
monitoring, 1288 importing, 1269
synchronizing, 1286 CSR
spaces (IPAM), 231 creating, 1274
adding, 231 deleting, 1277
automating IPv4 to IPv6 transition, 801 downloading, 1276
deleting, 233 importing, 1271
editing, 232 private key
external spaces (see space synchronization creating, 1276
between appliances) deleting, 1277
importing downloading, 1276
VitalQIP data, 176 importing, 1271
importing via CSV, 131 Stateless
raw data export/import, 276 DHCPv6 (see smart architectures)
templates (see templates (IPAM)) statics, 435
VLSM spaces (see VLSM) adding, 437
Split-Scope configuring options, 441
DHCPv4/DHCPv6 (see smart architectures) copying statics without IP (DHCPv4), 443
SPX, 1094 deleting, 444
AS numbers (aut-num), 1116 editing, 440
adding, 1117 importing
deleting, 1119 Infoblox data, 182
displaying dedicated columns, 1116 ISC data, 179
editing, 1118 MetaIP data, 183
exporting, 191 Microsoft data, 181
configuring the module, 1096 VitalQIP data, 180
configuring the connection to the RIR, 1096 importing via CSV, 151
editing the connection to the RIR, 1099 MAC address types, 1418
enabling classes, 1096 replicating in the IPAM, 440
enabling rules, 1096 statistics
importing data via CSV, 167 appliance, 1230
networks, 1105 DHCP physical server, 465
adding, 1106 DNS physical server, 756
deleting, 1114 Guardian clients, 874
displaying dedicated columns, 1105 Guardian server, 864
editing, 1111 reports on system statistics, 1230

1511
 Index

services and traffic, 1230 preventing duplication (DHCP leases), 453

Stealth update-policy, 691
DNS (see smart architectures) upgrade, 1290
syslog (see logs) prerequisites, 1290
recommendations, 1290
T troubleshooting the upgrade
templates (IPAM), 280 of a management appliance, 1295
adding template classes, 281 of a remote appliance, 1295
at network level, 284 of a standalone appliance, 1295
at pool level, 287 of HA appliances, 1297
at space level, 284 upgrading an appliance, 1291
configuring, 282 upgrading HA appliances, 1293
deploying, 288 upgrading remote appliances, 1292
Templates management use-alt-transfer-source
export templates at server level, 568
adding, 193 at view level, 612
deleting, 200 at zone level, 660
renaming, 200 users, 1148
import templates changing your password, 89
adding, 129 configuring your settings, 88
deleting, 174 managing users
renaming, 174 adding, 1149
list templates, 63 changing password, 1151
adding, 64 configuring login session time, 1153
deleting, 68 configuring password complexity, 1151
editing, 67 configuring users connection parameters, 1152
renaming, 67 deleting, 1155
tracking editing, 1150
sessions, 1231 enabling/disabling, 1154
users, 1231 exporting, 191
transfer-source exporting user operations, 191
at server level, 568 granting access to changes from all users, 1232
at view level, 612 importing via CSV, 172
at zone level, 660 redirecting after log out/session expires, 1154
transfer-source-v6 sending user operations to syslog, 1233
at server level, 568 tracking, 1232
at view level, 612 remote authentication, 1156
at zone level, 660 user profiles (see groups of users)
transition in the IPAM (IPv4 to IPv6), 800
troubleshooting, 1256 V
guidelines, 1256 Variable Length Subnet Masking (see VLSM)
network capture, 1257 versioning (NetChange), 988
troubleshooting dump, 1258 comparing configuration files, 995
TSIG keys, 574 configuring
adding, 574 on one device, 993
deleting, 575 on several devices, 993
editing, 574 configuring advanced options, 998
disabling, 999
U downloading configuration data, 997
Unbound (see Hybrid) managing connection profiles, 990
undo monitoring configuration files, 996
restoring deleted addresses and aliases, 274 refreshing configuration files, 994
uniqueness of IP address views, 593

1512
 Index

adding, 595 deleting, 1090

configuring, 601 editing, 1090
deleting, 599 VRF Route Targets, 1091
editing, 597 adding, 1091
getting rid of all views, 599 deleting, 1092
Guardian views (see Guardian) VRRP (Virtual Router Redundancy Protocol), 107
ordering, 598 VXLAN (see VLAN)
VIF (virtual interface), 110
VIP (virtual IP), 107 W
Virtual Local Area Network (see VLAN) Windows
Virtual Routing and Forwarding (see VRF) DHCP server, 371
VitalQIP DNS server, 511
importing DHCP data, 180 Windows Events Collector, 121
importing DNS data, 188 Workflow, 1014
importing IPAM data, 176 customizing the requests administration, 1034
VLAN adding statuses, 1038
NetChange VLANs (see VLANs (NetChange)) editing status best practices, 1039
setting up a VLAN using a VIF, 103 editing the email notification, 1037
VLAN Manager VLANs (see VLAN Manager) editing the statuses, 1035
VLAN Manager, 1073 executing requests, 1030
exporting data (see exports) using classes, 1031
importing data via CSV, 161 using the execute option, 1030
rights and resources, 1138 exporting data (see exports)
VLAN/VXLAN domains, 1075 granting access to the module, 1016
adding, 1075 incoming requests, 1025
automatically adding as group resource, 1077 accepting, 1027
deleting, 1078 administrating using default settings, 1026
editing, 1076 administrating using your own settings, 1029
VLAN/VXLAN ranges, 1079 archiving, 1028
adding, 1079 deleting, 1028
deleting, 1081 finishing, 1028
editing, 1080 handling, 1027
resizing, 1081 managing content, 1025
VLANs/VXLANs, 1083 rejecting, 1028
adding, 1084 outgoing requests, 1017
creating from NetChange VLANs, 973 adding creation requests, 1017
deleting, 1086 adding deletion requests, 1020
editing, 1085 adding edition requests, 1019
VLANs (NetChange), 972 canceling, 1023
adding, 973 editing, 1022
deleting, 974 rights, 1140
editing, 973 WSDL files, 1251
VLSM, 290 adding, 1251
choosing the proper method, 290 deleting, 1254
moving IPv4 addresses across the VLSM, 303 downloading, 1254
network-based organization, 304 editing and dumping, 1252
reparenting subnet-type networks, 306
space-based organization, 294
VRF, 1087
X
X.509
exporting data (see exports)
certificate, 1268
importing data via CSV, 165
rights, 1140
Virtual Routing and Forwarding, 1089 Z
adding, 1089 zones, 615

1513
 Index

adding, 616
adding or removing an NS record, 636
classless in-addr.arpa delegation, 650
configuring, 649
configuring name servers, 649
converting, 635
copying, 636
delegation, 649
delegation-only zones, 628
deleting, 647
disabling/enabling, 647
editing, 630
force-notify, 645
force-refresh, 646
force-retransfer, 646
forcing a full synchronization, 630
forward zones, 622
forwarding, 651
hint zones, 627
hosting active directory domain zones, 630
importing
BIND data, 187
VitalQIP data, 188
importing via CSV, 154
master zones, 617
moving, 636
RPZ zones (see RPZ)
scavenging (DDNS), 642
setting authorizations on multiple zones, 637
setting forwarders, 641
setting master servers, 642
setting space, 637
slave zones, 620
statuses, 616
stub zones, 624
synchronizing, 630

1514