ET/BWMGR HTML Interface (GUI) Manual

(Describes v3.3)

Introduction Getting Started Logging In General Administration The Main Menu Configuring Defaults Getting an Authentication Key Starting The ET/BWMGR The Traffic Analysis Tool Viewing and Editing Rules Interface Rules Bandwidth Rules Creating Groups Adding Comments Reverse Rules Name Address Rules URL Rules Time of Day Settings Firewall Rules Priority Rules Reports Setting Up Statistical Gathering Graphing External Devices Graphing A Specific IP Address Notes on SNMP Bandwidth Reports Allowing Customers To View Graphs and Statistics All About Graphs Viewing Historical Data Monthly Graphs Setting Monthly Bandwidth Controls

Introduction

The ET/BWMGR HTML interface provides a graphical interface for managing the ET/BWMGR product as well as a vehicle for viewing statistical analysis. The interface allows non-unix savvy administrators to effectively manage this powerful technology from any host with an HTML browser.

Before you can use the HTML interface you must install the ET/BWMGR product on your system. If you purchased a stand-alone bandwidth manager system or installed from the CD Demo then everything should be installed. If you downloaded the software then you will have to install it yourself. Instructions on installing the ET/BWMGR can be found in ET/BWMGR User Manual.

Another prerequisite is that you READ and UNDERSTAND the command line manual first. The GUI is just a tool that simplifies tasks and, although its easy to do simple things with the GUI without understanding what you are doing, you will not be get the full benefit of the product's most powerful features if you don't understand the inner workings of our bandwidth management techniques, which you can only get from the command line manual. The GUI also assumes that you know the meanings for all of the fields for creating rules

The structure of this manual is as a guide to utilizing the graphical interface with an expectation that you understand the options and settings available on the command line. The GUI is, after all, just a tool for entering commands in a more intuitive manner.

Getting Started

If you are using one of our appliances or a CD appliance, you can skip this section and go to the Main Menu Section.

The installation process will put the components of the ET/BWMGR HTML interface in place. If you have problems running it, you should make certain that the following setup had been properly implemented:

• bwadmin.htm (bwadmin.html in linux) should be in a directory accessible by an HTML browser (document root)
• bwcmd should be in subdirectory /cgi-bin/et of your HTTP server's cgi directory. Its permissions must be rwx for root and it also must run as root (chmod 4755 bwcmd). If you have problems with graphics you can also try to rename bwcmd.static to bwcmd and use that. On ET/BWMGR appliances, you will also have bwcmd.cgi in /usr/local/webmin/bwmgr. This is a version of bwcmd that does not have password authentication.
• bwmgrd must be in /usr/local/sbin and must be executable
• the directory /var/log/bwsessions must exist
• the directories /usr/local/etc/bwmgr/data and /usr/local/etc/bwmgr/config must exist
• the file /usr/local/etc/bwmgr/config/bwmgr.cfg must have the root directory of your http document root

an additional setup note is that you will want to run a file named rc.bwmgr on system boot. Typically this is put in /etc/rc.local at the end of the file as follows:

sh rc.bwmgr

/etc/rc.bwmgr will be created/updated by the ET/BWMGR HTML interface whenever a change is made. This file will contain the command line representation of your bandwidth manager configuration that is necessary to recreate your environment upon reboot.

Logging In

The ET/BWMGR GUI implements security in the form of "session IDs", which are created when a user successfully logs into the system. The start-up page provided is a page named bwadmin.htm which has 2 fields, a user name and password. The system uses unix system names and passwords to authenticate rather than implementing a separate mechanism. Currently, only users that are members of the "wheel" group or the "bwadmin" group will be granted access to the bandwidth manager administration pages.

Simply enter your unix user ID and password and press the "Log In" button.

Once you have been authenticated, you will be assigned a "Session ID" that will expire after some period of inactivity. This id is stored in the HTML pages and is automatically checked whenever you do something. You can set the "Session Timeout" in the defaults menu which is described later in this document.

The first page you will see is the ET/BWMGR Administration Menu as below:

The Main Menu

The main menu provide details about your system and a "watch" graph of your choice.

The Settings column

This column shows the status of internal protocol detection. Under normal circumstances, the first 4 leds should be "on" (or green). The first 4 leds are links, so you can enable or disable each type of protocol tracking from the screen. Selecting Protocol Watch will enable all 4. The only reason to disable these would be if your system if overloaded and you are using a per-IP method of management. On very high capacity gigabit systems, you may not have enough cpu to "sniff" for protocols.

This section also has status-only leds for Compression and AutoMgr functions. If you don't have these features enabled in your Defaults section, then they will not be shown. In order to enable or disable AutoMgr or Compression, you have to go into those sections (links on the top menu).

Setting Defaults

The first thing to do is to view your "defaults". For most systems, these settings can be used without modification, but it is a good idea to familiarize yourselve with them: You can view and edit them by clicking the "Edit Defaults" button. Below is a screen shot of a typical setup.

The defaults menu allows you to coordinate the bandwidth manager environment to your system environment. Following is a description of each variable.

Default Root	This is the DocumentRoot that your http server is using. This might be /usr/local/www/htdocs on an Apache system, and the default is /usr/local/webmin on ET/ADMIN.
Default Graph Directory	The default directory to use for graphs as an offset of the Default Root. So if the Default Root was /usr/local/www and /graphs was in this field, graphs would be placed in /usr/local/www/graphs.
Session Timeout	This is the inactivity timer after which a user will have to log in again. This has no effect in the ET/ADMIN GUI.
SNMP Community	This replaces "public" as a prefix to snmp strings. It won't work with all communities.
Graph Period	The statistics gathering period used by bwmgrd
Default Interface	The Interface to use by default in the main menu.
Rules Per Page	Number of rules to display per page.
Default Email	Notification Email Address
Save Zero Entries	When enabled, zero data entries are stored in the DB. This will make your database much larger but will graph zero instead of no data
Database Host	If your mySQL database is on a remote system, this is the address. Can be host+domain or numeric.
Swap Graph Entries	Swaps incoming and outgoing data, useful if you have your rules on the inside interface
Show Controls	Wnen disabled, Controls will not be shown in the menu
Show AutoMgr	Wnen disabled, AutoMgr will not be shown in the menu
Show Compression	When disabled, Compression will not be shown in the menu
Auto Rebuild	When selected, the startup script will not be built automatically
Database Name	Must be etbmgr. If this is blank, then bwmgrd will assume that mySQL is not to be used.
Database User	The User name for access to the mySQL database.
Database Password	The Password for the User to access the mySQL database.
Daily Graph Title	The title for the 1 day and 2 day graphs
Weekly Graph Title	The title for the weekly graphs
Monthly Graph Title	The title for the monthly graphs
Data Colors	Default plot colors for graphs
Show Grid Lines	Enable or disable grid lines on graphs
Graph Access	When set to public, graphs can be accessed without a password (see custgrph.htm for interface details)
Graph Password	Default graph password for accessing graphs
Default Graph	The graph displayed in the main menu

Once you have set your defaults, you are ready to start the bwmgr on your machine. As you can see from the menu above, both the bandwidth manager and the bwmgrd daemon are shown to be "not running". If you previously were using the ET/BWMGR then your existing configuration will be shown here and the bwmgr should be "running". In this case, the daemon may still show "not running". In either case, you should click on the "Start BWMGR" button to display the following screen:

If you have previously started the bwmgr your startup interface and license key will be displayed in the form fields. If you are running the ET/BWMGR for the first time then you will see a screen similar to the above. The fields in the startup menu allow you to tune your system, but be careful changing these settings before you understand their impact. Following is an explanation of the settings:

Status	The Status of the Bandwidth Manager.
Stats Period	The Stats Period is the time period (in seconds) in which maximum and minimum thresholds are calculated, and is also the time period over which instantaneous statistical values are displayed. This setting should not be set to be less than 10 seconds.
Max Buffer Usage	Max Buffer Usage allows the system to drop traffic when this threshold is reached, which can help keep your system from running out of memory and also help from distressing a machine under attack. For FreeBSD, this should be less than your NMB_CLUSTERS setting by 10% or so.
Key Interface	This is the ethernet interface used to generate your serial number for your license.
Key	This is your license key.

Once your have reviewed your settings, you can start the bwmgr by clicking the "Start BWMGR" key. When you do this, /etc/rc.bwmgr will be created/updated with the information provided and will also insert the necessary command to start the daemon. The bandwidth manager will be started, and will also attempt to start the bwmgrd daemon. If the daemon doesnt show "running" afterwards, check /var/log/bwmgrd.log for information, and you may also try to start it manually.

Getting an Authentication Key

Once you have run the demo and decide you want to purchase the ET/BWMGR, you will have to obtain a key from Emerging Technologies. From this Start-up screen, the pull-down field will contain all of the interfaces that can be used in this machine. For example:

the above shows that there is an ethernet card (em0) with serial number 41:50:93:30:ae:99, and an ethernet card (em1) with a serial number of 41:50:92:30:ae:99. When requesting your key, you may provide ET with either of these numbers, however we recommend using the first interface (ie your primary interface). You will only use your key to start the bandwidth manager, after which it will operate on any interface. The only requirement is that the card with the serial number that you give us MUST be in the PC when you start it. If you change the order of your cards in your PC your "key" card's designation may change (say from fxp0 to fxp1), but your serial number will be the same. You must start the ET/BWMGR on the card with the serial number you provided to get your license.

When you get your key, select the interface with the serial number that you gave us and replace "demo" with the key provided. If you have a new key, or you are setting up a new disk, you'll need to register your key with the Register BWMGR button. Note that you cannot register keys for versions before v3.2. You must register you license key before you can use the ET/BWMGR software. See the ET/BWMGR License FAQ for specific information.

Starting the ET/BWMGR

Next, click "Start BWMGR" and to start the bandwidth manager. If both the bwmgr and bwmgrd are shown to be "running' in the main menu, they you are ready to go! Normally you will not start the software from the GUI, but from a startup script. Make sure you review the section on "saving your rules" in the user manual.

When you start the bandwidth manager, your license information is written to /usr/local/etc/bwmgr/LICENSE. This information will be used with "bwmgr rebuild" or when the GUI builds your script when making a change with the HTML interface.

Once the bandwidth manager and bwmgrd are running, you need to add rules to tell it what traffic to manage and what parameters to use. You should, at this point, have a screen that looks like this:

Note that the bwmgr and bwmgrd are both "running". Additional info provided is as follows:

Stats Period:	This is the statistical period used for reporting instantaneous statistics of ET/BWMGR rules, and also the reporting period of "usage" when using the "Sort By Usage" feature.
Buffers:	number of buffers in use / high usage / maximum available

Viewing and Editing Rules

The Bandwidth Management row is the entry point for creating and viewing your rules. Bandwidth, Firewall and Global Priorities are separate rulesets and each has its own viewing and editing area (specified by a button for each). If you have specified a default interface in your Defaults settings, the default interface will be shown in the Interface pulldown menu. You can select other interface in the system with this pulldown. The "Start" field specifies which rule to display first. Initially this may seem silly, but if you have 5000 rules you'll appreciate it. You can either put a rule number (in which case that rule number or the first one after it will be shown first), or the name of a rule.

Using the defaults above, if you clicked on the "Bandwith" button, you would see a screen like the following:

The configuration above represents a "null" configuration, that is there are no bandwidth limits on the interface, no rules (and hence processing on the interface is Disabled), the burst manager is disabled and there is no statistical gathering enabled. It also shows the current rule indexing level and whether or not bridging is enabled. On top of the page are links that will take you back to the main menu or allow you to go directly to other rulesets. All ruleset pages have a link back to the main menu.

Interface Rules

The top 2 rows show the settings for the interface, with the ruleset below. To edit the interface settings (ie the -ifac option on the command line), click on the Ifac link, which in the above case is em0. To enable statistical gathering and graphics for the entire interface, click the Stats link marked Enable. To edit any of the interface settings, click on the em0 link. First you will see the interface rule in detail along with current statistical information:

As you can see, above is an interface summary for an active interface. Note that the bandwidth settings are set to T1 speed and that 32,000bps of bandwidth is "Allocated". Allocated bandwidth is the sum of the minimum bandwidth settings for the interface. Allocated bandwidth is not shared, so you need to be careful not to allocate too much bandwidth if you don't have to, because you could starve other users or applications if you do. Also note that the above interface shows a value of 40 in the "Streams" field. This is the number of "tracked streams", not the total number of connections or sessions being controlled. "Tracked Streams" are data streams that are either not running on their standard ports, such as FTP transfers and p2p sessions, or that are virtual hosts or url rules and must be "watched" in a special manner. This number represents system overhead, so it is important in understanding how your ruleset may be affecting performance of the system.

Underneath the interface summary is the statistical information for the interface. "Last" in and out represents the throughput in the last completed stats period (set in Defaults). This is an actual number for a full time period. The "Current" in and out is a snapshot of the current stats period, with a granularity of 1 second. Unless the snapshot occured at exactly as a second lapsed, there will be some error. The smaller the stats period, the larger the potential error.

To edit the rule, Click the Edit Interface button.

Adding and/or Editing an Interface Rule

After clicking the link to add an interface rule, you will see a screen as below:

Below is a description of each field. Leaving a field blank leaves the default setting. Please refer to the command line manual for a more detailed explanation of these settings.

Statistics Only Mode:	Check to set interface to "Stats Only" Mode
Bridging:	Enable Bridging on the Interface
Primary Bridge:	Check to set this interface to the Primary interface for its group
Bridge Group	The bridge group this interface is in.
Filters:	Check to set the associated filter
Index Level:	Set the Index Level of the interface
TCP Window	Set the default minimum TCP window for all traffic on the interface
Bandwidth In (bps)	The Bandwidth Limit in the incoming (into the interface) direction.
Bandwidth Out (bps)	The Bandwidth Limit in the outgoing (out of the interface) direction.
Combine	Use the Bandwidth In setting as the Limit for Total Bandwidth In and Out (ie -bwboth)
Auto-Shaping Threshold (bps)	The Auto-Shaping threshold
Auto-Shaping Period	The time period over which to average usage to determine the Auto-Shaping threshold.
Burst Threshold (bps)	The burst threshold for rules that use this interface as its burst trigger.
Burst Period	The time period over which to average usage to determine the burst level.

Adding Bandwidth Rules

The main function of the ET/BWMGR is that it can manage bandwidth. The key to doing this requires that you create rules (ie policies) to enact your goals. Adding rules is done on a per interface basis. If your bandwidth management box is acting only as a filter (that is, you are using it just to limit traffic and not as a server also), then you can enter your rules on either interface, as all traffic that passes through one interface will also pass through the other. If you are, for example, running a web server on the same PC that has the bandwidth manager, AND you have multiple ethernet cards in the box, then you will have to know which interface is connected to the outside world in order to set your rules properly. The bandwidth manager can only control traffic if the traffic passes through the interface on which the rule is set. Assuming that the interface you have selected is the correct interface, you can now add a rule that will limit traffic to a particular host on the network. To add a rule, enter a number in the input field and click the "Add New Rule" button:

Note that rules are enforced in low to high rule# order. There is currently no way to renumber rules (without deleting and adding them again), so be careful to leave index number room between rules for changes that you may make in the future. We recommend numbering in increments of 100 and then using the binary half (that is 50, then 25, etc) when inserting rules in between later.

Enter a rule number in the Rule: field, and then select a rule type from the rule-type pulldown menu:

Select the type of rule you would like to create, and then hit the "Add Rule" button. Supposing that you selected "Bandwidth", After making your selection, you will see some subset of the following:

To add a rule, fill in the fields with the appropriate info and click the "ADD RULE" button. Below is a description of each field and checkbox as they relate to command line options. Note that some of the fields (like "useprot" and "reverse timeout") are not shown above, as they only apply to reverse rules. Only fields relating to the type of rule selected will be displayed in the GUI. For an explanation of the command line option, see the ET/BWMGR User Manual.

Rule#:	Rule index number. (-x)
Logging:	Check to enable logging for this rule. (-l)
Name:	Label the rule with a name (-name)
Group:	The group this rule should be a member of
Reverse Timeout:	The idle timeout for dynamic learned rules
Max Links:	Maximum dynamic rules to allow
Use Prot	Create reverse rules including the protocol of the triggering packet
Use Address	Create reverse rules using the selected IP addresses of the triggering packet
Use Port	Create reverse rules using the selected port of the triggering packet
Balanced Bandwidth:	The bandwidth for this reverse rule should be balanced among active dynamic rules. (-rb)
Bandwidth Ceiling:	The bandwidth specified for this reverse rule should be shared up to this amount. (-rc)
Direction	Check In for Incoming Rule, Out for Outgoing, both for both directions (-i -o)
When Enable:	The time of day to enable this rule (blank for always)
When Disable:	The time of day to enable this rule (blank for always)
MAC Protocol:	Hex MAC Protocol (ie 0x800 for IP) to Match. ARP, IP, VLAN and IPX text allowed. (-mprot)
MAC Address:	MAC addresses, colon separated. Match All by default (-maddr), or source MAC (-smaddr) by selecting SRC radio button
Dest. MAC Address	Destination MAC address, colon separated. (-dmaddr)
VLAN:	vlan tag (or vlan number) in decimal.
IP Protocol:	Set to the IP protocol to Match (tcp, udp, etc) (-ipprot)
TOS	Hex mask for tos field in IP header to Match (-tos)
Port	Set to tcp or udp port. Default is all (-port), use Dst, Src buttons to select -dport or -sport
Port Range	Match ports in A to B range (-portrange). When src or dst is selected, only match the source or destination port range.
IP Address	Match IP address / subnet bits. Match All by default (-addr), or select source address (-saddr) with SRC radio button. When the Do Range checkbox is selected, this field is transformed to mean the start address and the number of rules to create. See Do Range below.
Do Range	When selected, the IP address field indicated the start address / number of rules to create. See Do Range below.
Dest. IP Address	The destination IP address / subnet bits. (-daddr)
Name Address	Virtual Host Name (-nameaddr) or URL with URL box checked.
Bandwidth In	Incoming Bandwidth Limit in bits/second (-bwin). Check "combine" box for (-bwboth)
Bandwidth Out	Outgoing Bandwidth Limit in bits/second (-bwout)
Guaranteed BW	Minimum (guaranteed) Bandwidth in bits/second (-bwmin)
Burst BW	Allow Bursts to this value in bits/second when interface is under the burstlimit (-bwburst)
Burst Max	The maximum allowed time to burst before bursing is terminated (-burstmax)
Burst Trigger	Burst trigger to use as criteria for Burst BW (-bursttrig)
Burst Threshold	The threshold to use if this rule is to be used as a burst trigger.
TCP Window	The default TCP window for each TCP connection. Overrides internal settings.
Priority	The priority (1-10, pass-thru, FW-Deny) or rule type (stats-only, Group) (-priority) of this rule.
Diffserv Tagging	Check this box to enable automatic diffserve tagging for this rule.
Enable Gathering	Enable statistics gathering for this rule. (-stats)
Combine with	Combine stats for this rule with another rule. Enter the other rules name.
SNMP Interface	The name of the physical stats interface if this is to be exported via SNMP. (-statsifac)

After adding the rule, you will see a screen which shows the detail of the rule that you just added:

Note that host addresses are displayed without a mask. If you had selected a mask for the address, it would be displayed in address/maskbits notation. You should now check the rule and make certain that it is displayed the way that you want it to be implemented. If it is not correct, you can click the "Edit Rule" button and make any changes necessary. When you are done, you can click the Bandwidth link at the top of the page to display all of the interface settings, which should at this point look similar to the following:

Above is a listing of all of the rule we just added on em0.

Creating Groups

We have created a group with our HTML interface called "Group1":

 

To refresh your memory, a "group" is a named group of rules linked together with some common properties. The purpose of this group is to limit all of the members in the group to an aggregate of 128000, and to balance the bandwidth between active members of the group. As you can see, group members 200 and 400 are both active, and each show a bandwidth allocation of 64000bps (as do non-active members, in case they become active). Also note that some of the rules are showing "Hits", which indicate that a data frame has been filtered using that rule. If you don't see any hits on a rule that should have hits, then you may have have it entered incorrectly, or there may be a rule with a lower index that also matches the traffic. Note the importance of the order of the rules. Rule 400 is a less specific rule than rules 200 and 300, so it must come after those rules. If a data frame with an address on the 100.1.1 network comes in, first rules 200 and 300 will be tested, and if there is no match it will fall to rule 400.

To view the just the group (which may have dynamic members, members on different interfaces, etc), just click on the Group link and only the group members will be displayed:

Adding Comments

Comment rules allow you to document your ruleset so others can better understand why certain rules exist (or so you can remember why you did things long after doing them). To create a comment, chose "Comment" as the rule type from the pulldown, and enter an index for the positioning of the rule. Then enter the text you want, and add the rule. Make certain that you don't use quotes or apostrophies as these may be misinterpreted by the command line utility when rebuilding your ruleset the next time you reboot. Here's an example of what a comment rule looks like:

Reverse Rules

Reverse rules are unique in that they work backwards when compared to other rules. The way reverse rules work is that when a data frame Matches your match criteria, a new dynamic rule is created and linked to the reverse rule. The original reverse rule is actually a "target" rule, which signifies an event which causes the source address (the host on which the target hit) to then be subject to a bandwidth rule. For more details, see the ET/BWMGR user manual.

To create a reverse rule, enter the index as you did with the previous bandwidth rule example, and select "Reverse Bandwidth" as the rule type. The following is an example of a rule that will limit each p2p "user" to 128000bps:

Notice that the bandwidth ceiling box is checked, as well as "use SRC address" and "Use Prot", indicating that all hosts accessing this site will be have the p2p protocol limited to a total of 128000bps. This rule works nicely, because regardless of what port or how many sessions the host has active, the traffic will be limited because the entire "p2p" realm is managed as a single entity. Notice that the rule display has the "RC" flag (for reverse ceiling), and the IP address is showing a (D), indicating a destination address.

 

Notice above in the Address/Mask Field, the address is displayed with some info in parenthesis. The first items (SA PR) indicates that the source address and protocol are being used to create dynamic rules. The second item (t:300) indicates that dynamic entries will be deleted after being idle for 300 seconds (the default is 30). You may want to set this to a shorter or longer value. The number after it shows the number of dynamic links currently allocated, optionally with a second parameter which indicates the maximum number of links allowed. As you can see above, rule 100 has 0 links and no maximum setting. If there are links to the rule, the (t:300 #) will be shown as a link which can be used to view the dynamic group associated with the rule. If there were links, you would not see the "Learned" rules on the main screen, but if you selected the link you would see the entire group:

Notice that the "learned" entries begin at 499 and move downward (group members will be displayed in the order they are added, so they may not be sequentially indexed). Also in the flags field, there is a number in parenthesis, which represents the time that the rule has been idle. When the idle time matches the timeout parameter (300 in this case), the rule will be deleted.

Name Addresses

Name addresses are reverse rules that can be used to manage or gather statistics for virtual name hosts. Note that this only works for HTTP traffic (it cannot be used to limit all traffic of a domain, for example), as it uses the HTTP header to track the appropriate sessions. For detailed information on the application of name addresses, please refer the the ET/BWMGR Online Manual.

To enter a name address rule, do the same as with a reverse rule except enter the host or domain name in the Name Address field. Suppose you entered "etinc.com". Whenever an http request is made for a URL with a host part containing "etinc.com", the requestor's IP address will be added dyanamically and the host will be limited (optionally including the port number, if you put "use" into the port field).

One caveat of the name address mechanism is that hosts that access the site by IP address (if that is possible) will not be limited by the name rule. In order to stop accesses from circumventing the limits, you can add a rule which prohibits accesses directly to the IP address. Name address rules do work with addresses, so that using a name of "10.1.1.1" will limit hosts that access the address directly, however typically this is not possible with virtual hosts anyway, as many hosts are on the same address and it is ambiguous.

Name address rules are viewed in the same way as other reverse rules. The address field will show (N) to indicate that the address is a name Rule

URL Rules

A URL rule can be created in the same way as a name rule by simply checking the URL checkbox under the Name Address field. URL rules "look into" HTTP and FTP packets for GET, PUT and POST operations. If any part of the URL matches what you specify in the URL field, a Match will occur.

Time of Day Settings

Each rule can optionally have a time of day element, which controls whether the rule is enabled or disabled at any given time of day. For changing bandwidth settings, profile transitions can be used. But if you want a rule to only be in force during a particular time, then you will need to give it the approproiate setting. Each rule has an "Enable" and "Disable" setting, as well as a modifier which can further indicate which days it is in place. For example:

The above settings would set this rule to be "enabled" between 8AM and 8PM. The modifier pulldown menu allows you to specify whether the it should be enabled every day, on weekends or just during the week.

Adding Firewall Rules

Adding firewall rules is similar to adding bandwidth rules, except that you will see fewer choices.

You'll notice that the fields for adding bandwidth limits and statistics are not present, and that there are extra fields for entering policy routes and packets per second rules. Please refer to the ET/BWMGR user manual for specific info on these. Also worthy of note is that the Priority field is labeled "Action" (which is more appropriate for Firewall rules, and that the only choices are FW-Allow, FW-Deny and log-only. "log-only" rules should be placed at the beginning of your ruleset and can be used to log specific actions. The Match algorithm will not stop when log-only rules are encountered, so they can be used without concern that they will interfere with other policies.

Adding Priority Rules

The Priority Ruleset section allows you to add global priorities (-gpriority command line option). The only options allowed are for Matching and the priority. The operation of global priorities are outlined in the ET/BWMGR user manual.

Adding Multiple Rules with Do Range

Many times you want to add the same rule over a range of IP addresses. The most obvious example is if you want to set a default policy for each device on your network. You can use the "Do Range" checkbox to add multiple rules over a range of IP addresses. When you check the Do Range box, the address/bits fields are interpreted as "First Address / number of addresses". So if you were to enter 10.1.1.1/254 it would create 254 rules as 10.1.1.1, 10.1.1.2, 10.1.1.3, etc. The rules are added with consecutive rule numbers starting at the current rule. Its suggested that you gain experience with adding 2 or 3 rules at first, as there is no automatic way to undo or delete all of the rules that were created if you make a mistake.

Statistics and Graphing