System Configuration

System Configuration Overview

Most of the information on the System Configuration panel is set via the CLI at installation time.

If you are using Central Management and/or Aggregation, you will need to set the System Shared Secret for all related systems to the same value.

For instructions on how to do this, or to modify any other System Configuration settings, see Modify the System Configuration, below.

About the System Shared Secret

The Guardium administrator defines the System Shared Secret on the System Configuration panel (see System Configuration). The system shared secret is used for two general purposes: archive/restore operations, and Central Management and Aggregation operations.

The system shared secret value is null at installation time. Depending on a company's security practices, it may be necessary to change the system shared secret on a periodic basis. Each appliance maintains a shared secret keys file, containing a historical record of all shared secrets defined on that appliance. A system can therefore always decrypt information that it encrypted earlier, even after the shared secret has since been changed.

When information is exported or archived from one system, and imported or restored on another, the latter must have access to the shared secret used by the former. For these cases, there are CLI commands that can be used to export the system shared secrets from one system, and import them on another. See the following commands in the CLI appendix:

Modify the System Configuration

  1. Select Administration Console > System.

  2. Referring to the System Configuration Panel Reference topic below, make any changes desired.

  3. Click the Apply button to save the updated system configuration when you are done making changes.

Note: The applied changes do not take effect until the unit is restarted. After applying configuration changes, click the Restart button to stop and restart the system (using the new configuration settings).

System Configuration Panel Reference

Field or Control

Description

Unique Global Identifier

This value is used for collation and aggregation of data. The default value is a unique value derived from the MAC address of the machine. It is strongly recommended that you do not change this value after the system begins monitoring operations.

System Shared Secret

Any value you enter here does not display. Each character you type displays as an asterisk.

The system shared secret is used for archive/restore operations, and for Central Management and Aggregation operations. When used, its value must be the same for all units that will communicate. This value is null at installation time, and can change over time.

The system shared secret is used:

  • When secure connections are being established between a Central Manager and a managed unit.

  • When an aggregated unit signs and encrypts data for export to the aggregator.

  • When any unit signs and encrypts data for archiving.

  • When an aggregator imports data from an aggregated unit.

  • When any unit restores archived data.

Depending on your company’s security practices, you may be required to change the system shared secret from time to time. Because the shared secret can change, each system maintains a shared secret keys file, containing an historical record of all shared secrets defined on that system. This allows an exported (or archived) file from a system with an older shared secret to be imported (or restored) by a system on which that same shared secret has been replaced with a newer one.

Caution: When used, be sure to save the shared secret value in a safe location. If you lose the value, you will not be able to access archived data.
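The following is an added illustration, not Guardium's code, of the mechanism described in About the System Shared Secret and in the System Shared Secret field above: a history of secrets lets a system verify an archive signed before a rotation, while a peer that received only the current secret cannot. The signing scheme (HMAC-SHA256 over a PBKDF2-derived key) and the scenario data are assumptions chosen for illustration.

```python
# Added example, not Guardium's code: a model of the shared secret keys file showing why
# a restoring system needs the history of secrets. Assumed mechanism: HMAC-SHA256 over a PBKDF2 key.
import hashlib
import hmac
import os

class SharedSecretHistory:            # per-appliance shared secret keys file
    def __init__(self, *secrets):
        self._secrets = list(secrets)      # oldest first; last entry is current

    def change_secret(self, new_secret):
        self._secrets.append(new_secret)   # rotation appends, never deletes

    def current(self):
        return self._secrets[-1]

    def candidates(self):
        return reversed(self._secrets)     # newest first when verifying

def _derive_key(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)

def sign_archive(payload, history):
    """Sign an export/archive with the current secret; the salt travels with it."""
    salt = os.urandom(16)
    tag = hmac.new(_derive_key(history.current(), salt), payload, "sha256").digest()
    return {"salt": salt, "tag": tag, "payload": payload}

def verify_archive(archive, history):
    """Return the payload if any retained secret verifies the tag, else None."""
    for secret in history.candidates():
        key = _derive_key(secret, archive["salt"])
        expected = hmac.new(key, archive["payload"], "sha256").digest()
        if hmac.compare_digest(expected, archive["tag"]):
            return archive["payload"]
    return None

def demo():
    collector = SharedSecretHistory("secret-2023")
    archive = sign_archive(b"audit data (constructed sample)", collector)
    collector.change_secret("secret-2024")                    # periodic rotation
    peer_current_only = SharedSecretHistory("secret-2024")    # imported only the new value
    peer_full_history = SharedSecretHistory("secret-2023", "secret-2024")
    tampered = dict(archive, payload=archive["payload"] + b"x")
    return {
        "same_system_after_rotation": verify_archive(archive, collector) is not None,
        "peer_with_current_only": verify_archive(archive, peer_current_only) is not None,
        "peer_with_full_history": verify_archive(archive, peer_full_history) is not None,
        "tampered_archive": verify_archive(tampered, collector) is not None,
    }
```

The `peer_with_current_only` case is the one the CLI export/import of shared secrets exists to prevent: without the older secret, an archive made under it cannot be restored.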

Retype Secret

When entering or changing the system shared secret (see above), retype the new value a second time. Any value you enter here does not display. Each character you type displays as an asterisk.

License Key

This value is not displayed. It is inserted in the configuration during installation. Do not modify this field unless you are instructed to do so by Guardium Support. You may need to paste a new license key here if optional components are being added.

If you install a new license key on a managed unit, when you click the Apply button you will receive a warning message that reads: "Warning: changing the license on a Central Management Unit requires refreshing all managed units." After you click OK to close the message window, you must click Apply a second time to install the new license key. You will know that the new license has been installed when you receive the message: "Data successfully saved."

System Hostname

The resolvable host name for the Guardium appliance. This name must match the DNS host name for the primary System IP Address (see below).

Domain

The name of the DNS domain on which the Guardium appliance resides.

System IP Address

The primary IP address that users and S-TAP or CAS agents use to connect to the Guardium appliance. It is assigned to the network interface labeled ETH0.

SubNet Mask

The subnet mask for the primary System IP Address (above).

Hardware (MAC) Address

The MAC address for the primary network interface (above).

System IP Address (Secondary)

Optional. A secondary IP address that users and S-TAP or CAS agents use to connect to the Guardium appliance. It is assigned to the highest numbered network interface on the unit, for example: ETH5. You might use a secondary IP address to provide access to the appliance from a second network, or to provide additional bandwidth when many S-TAP agents are reporting to the same Guardium appliance.

To display the network interfaces installed on the unit, use the show network interface inventory CLI command. For example:

guard14.xyz.com> sho net int inv
eth0 00:04:23:D4:65:7E
eth1 00:04:23:D4:65:7F
eth2 00:04:23:D4:65:A2
eth3 00:04:23:D4:65:A3
eth4 00:18:8B:31:3A:A3
eth5 00:18:8B:31:3A:A4
ok
guard14.xyz.com>

In the example above, the secondary IP address would be assigned to the port labeled ETH5. To locate the ETH5 connector on your appliance, use the show network interface port CLI command, which will blink the orange light on that port, 20 times. For example:

guard14.xyz.com> sho net int port 5
The orange light on port eth5 will now blink 20 times.

Note: The secondary IP address and its associated port are NOT related to the high availability feature, which provides fail-over support via IP Teaming for the primary connection. For more information about the high-availability option, see the store network interface commands in the CLI Appendix.

SubNet Mask (Secondary)

Optional. The subnet mask for the secondary System IP Address (above).

Default Route

The IP address of the default router for the system.

Primary Resolver
Secondary Resolver
Tertiary Resolver

The IP address for the Primary Resolver (DNS) is required. The secondary and tertiary are optional.

Test Connection

Click the Test Connection link to test the connection to the corresponding DNS server. This only tests that port 53 (DNS) on the specified host is reachable. It does not verify that the host is a working DNS server. A message box indicates whether the host responded on that port.
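Added example, not part of the Guardium documentation or product: it shows the gap between the port-53 reachability probe described above and a functional check that asks the server to resolve a name. The query name www.example.com, the use of a bare RFC 1035 A query over UDP, and the 2-second timeout are assumptions of this example.

```python
# Added example, not Guardium's code: "port 53 is reachable" (what Test Connection checks)
# versus "this server actually resolves names".
import os
import socket
import struct

def port53_reachable(host, timeout=2.0):
    """Reachability only: a TCP connect to port 53 succeeding proves nothing about DNS."""
    try:
        with socket.create_connection((host, 53), timeout=timeout):
            return True
    except OSError:
        return False

def build_query(name, txid):
    """Minimal RFC 1035 query for an A record: header, label-encoded name, QTYPE=1, QCLASS=1."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # 0x0100 = recursion desired
    labels = b"".join(bytes([len(label)]) + label.encode()
                      for label in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def parse_response(data, txid):
    """Return (rcode, answer_count) from a reply header, rejecting replies that are not ours."""
    if len(data) < 12:
        raise ValueError("reply shorter than a DNS header")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:        # wrong transaction id or QR bit not set
        raise ValueError("not a response to our query")
    return flags & 0x000F, an                     # low 4 bits of flags are RCODE

def resolves(host, name="www.example.com", timeout=2.0):
    """Functional check: send a real query over UDP and require NOERROR with an answer."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (host, 53))
        data, _ = s.recvfrom(512)
    rcode, answers = parse_response(data, txid)
    return rcode == 0 and answers > 0
```

A host where `port53_reachable` is True but `resolves` is False is exactly the case the panel's test cannot distinguish, for example a filtered port that accepts the connection or a resolver that is up but misconfigured.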

Stop

Click the Stop button to shut the system down.

Restart

Click the Restart button to stop and then restart the system. You will be prompted to confirm the action.

Apply

Click the Apply button to save the changes. The changes will be applied the next time the system restarts.