How do I configure device system security settings?

Steps
 

1

Choose Administration→Security→NE System Security from the NFM-P main menu. The Select Site form opens.


2

Select a managed device and click OK. The NE System Security (Edit) form opens.

Note: Items that appear on the NE System Security (Edit) form are device-dependent. Not all configuration form tabs and parameters in this procedure apply to all devices.


3

To configure the FTP, Telnet, or SSH server parameters, click on the Servers Configuration tab.

Note: The 7705 SAR may become temporarily unreachable when enabling SSH and starting the SSH server on the device.


4

To configure allowed SSH ciphers, perform the following.

  1. Click on the SSH Cipher List tab.

  2. Click Create in the Client tab. The SSH Client Cipher List (Create) form opens.

  3. Configure the required parameters.

  4. Save and close the form.

  5. Click on the Server tab and click Create. The SSH Server Cipher List (Create) form opens.

  6. Configure the required parameters.

  7. Save and close the form.


5

To configure SSH key regeneration, perform the following.

  1. Click on the SSH Key Re Exchange tab.

  2. Click on the Client tab and configure the required parameters.

  3. Click on the Server tab and configure the required parameters.


6

To configure the CPM hardware queueing for BGP or T-LDP peers, click on the CPM Per-Peer-Queuing tab.


7

To configure user profiles, click on the System User Template tab. Otherwise, go to Step 20.

The default System User radius_default and tacplus_default templates are listed.


8

Select the appropriate default template and click Properties. The System User Template (Edit) form opens.


9

Configure the required parameters.


10 

If you intend to use the default Template Profile, go to Step 20.


11 

Click Select in the Template Profile panel to choose a template profile.


12 

If you choose the administrative template, go to Step 20.


13 

Click Create. The Site User Profile (Create) form opens.


14 

Configure the required parameters.


15 

Click on the Entries tab.


16 

Perform the following steps.

  1. Click Create. The Site User Profile Match Entry (Create) form opens.

  2. Configure the required parameters.

    The Match String parameter value is a CLI command prefix that defines the scope of the user profile. For example, when you set the match string to “config” and specify the deny action, the user profile cannot use any CLI commands that begin with the word “config”.


17 

Repeat Step 16 to specify an additional match entry, if required.


18 

Save your changes and close the form.


19 

Close the System User Template (Edit) form.


20 

To configure global DoS protection, click on the NE DoS Protection tab.


21 

Configure the required parameters.

Note: PIM in an MVPN on the egress DR does not switch traffic from the (*,G) to the (S,G) tree if protocol protection is enabled, and if PIM is not enabled on the ingress network interface. Enable the Block PIM Tunneled parameter to enable extraction and processing of PIM packets that arrive from a tunnel, for example, an MPLS or GRE tunnel, on a network interface.


22 

Click on the following child tabs, as required, to view the DoS violations.

  • Per MAC Source Violations

  • Per IP Source Violations

  • Link Specific Port Violations

  • Network Interface Violations

  • SAP Violations

  • SDP Violations

  • Video Router Context Violations

  • Video Service Violations


23 

Click on the VPRN Network Exceptions tab to configure rate limits for VPRN network exceptions.


24 

Configure the required parameters.


25 

Save your changes and close the NE System Security (Edit) form.


26 

Close the NE System Security form.

End of steps
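
The match-entry behaviour described in Step 16 can be checked offline before a profile is saved to a device. The following is an added example, not part of the NFM-P documentation or product: it assumes word-wise prefix matching, evaluation in ascending entry-ID order with the first match deciding, and a profile-level default action. The names MatchEntry, decide and shadowed are hypothetical.

```python
# Added example: offline model of Site User Profile match entries.
# Assumptions (not stated on the page): matching is word-by-word, entries
# are checked in ascending entry-ID order, the first matching entry decides,
# and a profile-level default action applies when nothing matches.
from dataclasses import dataclass


@dataclass(frozen=True)
class MatchEntry:
    entry_id: int
    match_string: str   # CLI command prefix, as described in Step 16
    action: str         # "permit" or "deny"


def _words(text):
    return text.lower().split()


def entry_matches(entry, command):
    """True when the command begins with the words of the match string."""
    prefix, cmd = _words(entry.match_string), _words(command)
    return bool(prefix) and cmd[:len(prefix)] == prefix


def decide(entries, command, default_action="deny"):
    """Return (action, entry_id) for a command; entry_id is None on default."""
    for entry in sorted(entries, key=lambda e: e.entry_id):
        if entry_matches(entry, command):
            return entry.action, entry.entry_id
    return default_action, None


def shadowed(entries):
    """Entries that can never decide because an earlier prefix covers them."""
    ordered = sorted(entries, key=lambda e: e.entry_id)
    return [later.entry_id
            for i, later in enumerate(ordered)
            if any(entry_matches(earlier, later.match_string)
                   for earlier in ordered[:i])]


# Constructed sample profile: read-only operator that must not configure.
PROFILE = [
    MatchEntry(10, "config", "deny"),
    MatchEntry(20, "show", "permit"),
    MatchEntry(30, "config system time", "permit"),  # shadowed by entry 10
]

if __name__ == "__main__":
    for cmd in ("config router bgp", "show router bgp summary", "admin save"):
        print(cmd, "->", decide(PROFILE, cmd))
    print("shadowed entries:", shadowed(PROFILE))
```

Under these assumptions, a broad deny prefix placed first silently overrides any narrower permit that follows it, which is why the shadowed check is worth running on a planned entry list.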