SunScreen 3.1 Administration Guide

Screen Objects

You need to add a Screen if you are configuring HA or Centralized Management Groups. In a standalone configuration, you edit the existing Screen object to add SNMP alert receivers or to modify miscellaneous properties.

If you are running in stealth or mixed mode, you must modify the Screen object in order to define the stealth network and netmask for the network the Screen is subdividing.

To Add a Screen
  1. Choose Screen in the Type choice list.

  2. Choose New... from the Add New choice list.

    The Miscellaneous area in the Screen dialog window appears.

    Figure 3-10 Screen Dialog Window, Miscellaneous Tab

  3. In the Name field, type the name of the Administrative Interface of the Screen as it appears in the naming service or the host file.

  4. Type a number in the Log Size (MB) field to set the total size for log files (the default is 100 MB).

  5. The Stealth Network Address and Stealth Netmask fields (describing the network the Screen partitions) apply only if the Screen has any stealth interfaces.

  6. Click the Yes or No radio button to allow or deny Routing Traffic (RIP).

  7. Click a Name Service radio button to choose the name service the Screen relies on to resolve host addresses.

    You can also use both DNS and NIS, or no name service at all.

  8. Click the Yes or No radio button for Certificate Discovery.

    Selecting Yes allows the Screen itself to take part in a certificate discovery exchange; selecting No prevents it. Selecting Yes does not permit CDP traffic to pass through the Screen.

  9. Click the OK button.

SNMP Alert Receivers

You set actions that generate SNMP alerts as part of a security policy.

You use the SNMP tab in the Screen dialog window to:

A management information base (MIB) that describes the SNMP trap is included with the SunScreen CD-ROM, as part of the SUNWicgSA package. It is installed as: /opt/SUNWicg/SunScreenAdmin/etc/sunscreen.mib. Load this MIB into your SNMP manager to enable it to use the SNMP trap generated by the Screen.

Note -

The machine that receives SNMP trap alerts must not be a remote Administration Station. SNMP alert packets are sent in the clear, whereas communication between a remote Administration Station and the Screen is encrypted, so any packets sent in the clear are dropped.

The recipients of SNMP messages are controlled on a Screen-by-Screen basis. The Screen object has a place for an optional list of IP addresses, which are the hosts to which it sends the SNMP packets.

Setting SNMP in a packet filtering rule's "Action," or in the default Reject Action of an interface causes the SNMP packets to be sent.

SNMP alerts are described in the SunScreen Reference Manual.

The following information describes using the administration GUI. For the command line interface, see Appendix A.

To Add a New SNMP Alert Receiver
  1. Click the SNMP tab in the Screen dialog window.

    The SNMP area is displayed.

    Figure 3-11 Screen Dialog Window SNMP Area

  2. Type the name or IP address of the recipient of the SNMP trap in the Name field.

  3. Click the Add button.

    A list of SNMP alert receivers appears. You can define up to five receivers. SunScreen sends each generated alert to all receivers.

  4. Click the OK button when you are finished.

To Delete an SNMP Alert Receiver
  1. Click the SNMP tab in the Screen dialog window for the Screen.

    The SNMP area appears.

  2. Choose an entry in the SNMP Receivers field.

    If the name of the SNMP Receiver to delete is not listed (that is, only the IP address is listed), type the name in the Add/Delete field.

  3. Click the Delete button.

  4. Click the OK button when you are finished with this Screen object.

Timed-Status Indicator Field

You use the SNMP_TIMER field in the SNMP tab to specify the time interval between the health-update packets that are emitted by the Screen. If you do not specify any Alert receivers, no health-update packets are issued.

If you set the SNMP_TIMER field to zero (or leave it empty) and there are Alert receivers, no health-update packets are issued, although other SNMP alerts are still sent to the Alert receivers.
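As an added example (not part of the guide), a receiver-side check on the health-update packets described above: given the SNMP_TIMER value and the Alert receiver list, it first decides whether health updates are expected at all, then scans the times at which an SNMP manager received them for gaps, so a Screen that has gone quiet is noticed rather than mistaken for healthy. The sample timestamps, receiver addresses and the assumption that SNMP_TIMER is expressed in seconds are constructed for this example.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the guide): one Screen's SNMP settings and
# the arrival times of its health-update packets as an SNMP manager might log
# them. The guide does not state SNMP_TIMER's unit; seconds is assumed here.
SNMP_TIMER = 60
ALERT_RECEIVERS = ["10.0.0.20", "10.0.0.21"]
RECEIVED = [
    "2000-01-01 12:00:00", "2000-01-01 12:01:00", "2000-01-01 12:02:01",
    "2000-01-01 12:06:00",  # three health updates never arrived before this one
    "2000-01-01 12:07:00",
]

def heartbeats_expected(snmp_timer, receivers):
    """Health updates are emitted only when SNMP_TIMER is greater than zero
    and at least one Alert receiver is configured, per the guide."""
    return bool(receivers) and snmp_timer is not None and snmp_timer > 0

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def gaps_over(timestamps, snmp_timer, slack=1.5):
    """Return (start, end, missed) for every gap between consecutive health
    updates longer than slack * SNMP_TIMER; 'missed' estimates how many
    updates never arrived in that gap."""
    times = sorted(parse(t) for t in timestamps)
    limit = timedelta(seconds=snmp_timer * slack)
    gaps = []
    for prev, cur in zip(times, times[1:]):
        gap = cur - prev
        if gap > limit:
            gaps.append((prev, cur, round(gap.total_seconds() / snmp_timer) - 1))
    return gaps

def screen_silent(timestamps, now, snmp_timer, receivers, slack=1.5):
    """True when a health update is expected but none arrived within
    slack * SNMP_TIMER before 'now'. A zero timer or an empty receiver list
    means no updates are expected, so those cases never raise an alarm."""
    if not heartbeats_expected(snmp_timer, receivers):
        return False
    if not timestamps:
        return True
    last = max(parse(t) for t in timestamps)
    return parse(now) - last > timedelta(seconds=snmp_timer * slack)
```

Run the same check per Screen, since receivers and the timer are configured Screen by Screen; a manager that only watches for alert traps would never notice a Screen whose timer was left at zero.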