System Configuration

Most of the information on the System Configuration panel is set by using the CLI at installation time.

For instructions on how to configure the system, or to modify any other System Configuration settings, see Modify the System Configuration.

There must be a valid license to use various functions within the appliance. When a license is entered after the system starts, a restart of the GUI is needed.

About System Shared Secret

The Guardium® administrator defines the system shared secret in the System Configuration window. The system shared secret is used for two general purposes:
  • To sign and encrypt files for export or archive, and for importing or restoring data exports and data archives.
  • To establish secure communications between Central Managers and managed units.

If you are using Central Management and/or aggregation, you must set the System Shared Secret for all related systems to the same value.

The system shared secret value is null at installation time. Depending on a company’s security practices, it may be necessary to change the system shared secret on a periodic basis. Each appliance maintains a shared secret keys file, containing a historical record of all shared secrets defined on that appliance. Consequently, a system can always decrypt, at a later date, information that was encrypted on that system, even after the shared secret has since been changed.

When information is exported or archived from one system, and imported or restored on another, the latter must have access to the shared secret used by the former. For these cases, there are CLI commands that can be used to export the system shared secrets from one Guardium system, and import them on another.

See the following commands in the CLI appendix:
  • aggregator backup keys file
  • aggregator restore keys file
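The rotation-and-history behaviour described above (and repeated for the System Shared Secret field in the panel reference that follows) can be made concrete. The Go program below is an added example, not Guardium's code: it models a keys file that retains every secret ever set, protects an archive under the current secret with AES-GCM (key derived from the secret by HKDF-SHA256), and shows that the same system still restores after a rotation, that another system cannot until the keys file is carried over, and that a tampered archive is rejected. The file layout, the fingerprint scheme, and every function name are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// KeysFile is a hypothetical model of an appliance's shared secret keys file: every
// secret ever set, indexed by a short fingerprint, plus the one currently in force.
// The layout is assumed for this example; it is not Guardium's own format.
type KeysFile struct {
	history map[string][]byte // fingerprint -> shared secret
	current string            // fingerprint of the secret in force
}

func NewKeysFile() *KeysFile { return &KeysFile{history: map[string][]byte{}} }

// SetSecret makes a new shared secret current but keeps every older one, so archives
// written under an earlier secret stay restorable on this system. The fingerprint
// (first 8 bytes of SHA-256, as hex) names a secret without revealing it.
func (k *KeysFile) SetSecret(secret string) {
	sum := sha256.Sum256([]byte(secret))
	fp := fmt.Sprintf("%x", sum[:8]) // 16 hex characters
	k.history[fp] = []byte(secret)
	k.current = fp
}

// ImportKeysFrom plays the role of the backup/restore keys file commands:
// it copies another appliance's secret history, not its data.
func (k *KeysFile) ImportKeysFrom(other *KeysFile) {
	for fp, s := range other.history {
		k.history[fp] = append([]byte{}, s...)
	}
}

// aeadFor derives a 256-bit AES key from a shared secret with HKDF-SHA256
// (extract and expand spelled out with crypto/hmac) and wraps it in AES-GCM.
func aeadFor(secret, salt []byte) cipher.AEAD {
	extract := hmac.New(sha256.New, salt)
	extract.Write(secret)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write([]byte("archive-encryption-key\x01"))
	block, _ := aes.NewCipher(expand.Sum(nil)) // HMAC-SHA256 output is always a valid 32-byte key
	gcm, _ := cipher.NewGCM(block)             // AES has the 16-byte block size GCM requires
	return gcm
}

// Archive signs and encrypts payload under the current secret.
// Layout: fingerprint(16) || salt(16) || nonce(12) || ciphertext || GCM tag.
// The fingerprint is bound as additional data so it cannot be swapped.
func (k *KeysFile) Archive(payload []byte) ([]byte, error) {
	if k.current == "" { // the secret is null at installation time
		return nil, errors.New("no system shared secret has been set")
	}
	hdr := make([]byte, 44)
	copy(hdr, k.current)
	if _, err := io.ReadFull(rand.Reader, hdr[16:]); err != nil { // fresh salt and nonce
		return nil, err
	}
	gcm := aeadFor(k.history[k.current], hdr[16:32])
	return gcm.Seal(hdr, hdr[32:44], payload, hdr[:16]), nil
}

// RestoreArchive looks up the secret named in the header, then verifies and
// decrypts; a keys file that lacks that secret cannot restore the archive.
func (k *KeysFile) RestoreArchive(archive []byte) ([]byte, error) {
	if len(archive) < 60 { // header plus a 16-byte GCM tag
		return nil, errors.New("archive too short")
	}
	fp, salt, nonce, ct := archive[:16], archive[16:32], archive[32:44], archive[44:]
	secret, ok := k.history[string(fp)]
	if !ok {
		return nil, fmt.Errorf("shared secret %s not in keys file; archive cannot be restored", fp)
	}
	return aeadFor(secret, salt).Open(nil, nonce, ct, fp)
}

func main() {
	a, b := NewKeysFile(), NewKeysFile()
	a.SetSecret("first-secret")                 // constructed sample secret
	arc, _ := a.Archive([]byte("audit export")) // constructed sample payload
	a.SetSecret("second-secret")                // rotation keeps the old secret on a
	b.SetSecret("second-secret")                // b never had the first secret
	show := func(label string, k *KeysFile) {
		pt, err := k.RestoreArchive(arc)
		fmt.Printf("%s: %q %v\n", label, pt, err)
	}
	show("a after rotation", a)
	show("b before keys import", b)
	b.ImportKeysFrom(a)
	show("b after keys import", b)
}
```

The failure case matches the Caution in the panel reference: the archive header carries only a fingerprint of the secret, so an appliance whose keys file has lost the secret itself has no way to recover the data.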

Modifying the System Configuration

  1. Click Setup > Tools and Views > System to open System Configuration.
  2. Make your changes.
  3. Click Apply to save the updated system configuration.
Note: The applied changes do not take effect until the Guardium system is restarted. After you apply configuration changes, click Restart to stop and restart the system.
Table 1. System Configuration Panel Reference
Field or Control Description
Unique Global Identifier

This value is used for collation and aggregation of data. The default value is a unique value that is derived from the MAC address of the machine. Do not change this value after the system begins monitoring operations.

System Shared Secret

Any value that you enter here is not displayed. Each character you type is masked.

The system shared secret is used for archive/restore operations, and for Central Management and aggregation operations. When used, its value must be the same for all units that will communicate. This value is null at installation time, and can change over time.

The system shared secret is used:
  • When secure connections are being established between a Central Manager and a managed unit.
  • When an aggregated unit signs and encrypts data for export to the aggregator.
  • When any unit signs and encrypts data for archiving.
  • When an aggregator imports data from an aggregated unit.
  • When any unit restores archived data.

Depending on your company’s security practices, you might be required to change the system shared secret from time to time. Because the shared secret can change, each system maintains a shared secret keys file, containing a historical record of all shared secrets defined on that system. This allows an exported (or archived) file from a system with an older shared secret to be imported (or restored) by a system on which that same shared secret has been replaced with a newer one.

Caution: When used, be sure to save the shared secret value in a safe location. If you lose the value, you will not be able to access archived data.

Retype Secret

When you enter or change the system shared secret, retype the new value a second time. Any value that you enter here is not displayed. Each character you type is displayed as an asterisk.

License Key

The license key is inserted in the configuration during installation. Do not modify this field unless you are instructed to do so by Technical Support. You might need to paste a new product key here if optional components are being added.

If you install a new product key on the central management unit, when you click Apply, you will receive a warning message that reads: Warning: changing the license on a Central Management Unit requires refreshing all managed units. After you click OK to close the message window, you must click Apply a second time to install the new product key. You will know that the new license has been installed when you receive the message: Data successfully saved.

If you install a new product key on a Central Management Unit, you might get a warning stating that the license applied to the CM must be refreshed on the managed units. Perform this refresh from the Central Manager by clicking the refresh icon for each of the collectors listed.

A license entitles the user to access products and the corresponding features.

Licenses can be appended or overridden.

The active license is stored in LICENSE_KEY in ADMINCONSOLE_PARAMETER.

Product types: DAM; FAM; VA

Editions for product types: Express; Standard; Advanced

Number of Datasources

If a limited license is applied, the maximum number of datasources permitted per datasource license is displayed.

Metered Scans Left

If a limited license is applied, the number of vulnerability assessment scans permitted (datasource metering) per metering license is displayed. Each time a vulnerability assessment is triggered, the scan counter decreases by one.

License valid until

If a limited license is applied, a fixed date when the license will be disabled is displayed.

# of Licenses

This value indicates the number of licenses remaining.
Note: Configure the Network Address, Secondary Management Interface, and Routing settings using the CLI. These settings cannot be configured through the GUI and appear grayed out on the System Configuration user interface.
System Hostname

The resolvable host name for the Guardium system. This name must match the DNS host name for the primary System IP Address.

Domain

The name of the DNS domain on which the Guardium system resides.

System IP Address

The primary IP address that users and S-TAP® or CAS agents use to connect to the Guardium system. It is assigned to the network interface labeled ETH0.

SubNet Mask

The subnet mask for the primary System IP Address.

Hardware (MAC) Address

The MAC address for the primary network interface.

System IP Address (Secondary)

Optional: A port can also be configured to team with the primary interface in order to provide high-availability failover IP teaming.

Alternatively, a port on the device can be configured as a secondary management interface with a different IP address, network mask, and gateway from the primary.

These two options are mutually exclusive.

There are two different, and mutually exclusive, kinds of secondary management connections, both controlled by options to the same CLI command:
Bonding or teaming
Turns the primary interface and another specified network interface card (NIC) into a bonded pair with standby failover. To implement this option, use the CLI command store network interface high-availability on <nic>, where nic is an available NIC.
Secondary interface
Allows the GUI and CLI to be accessible from another NIC in the Guardium system. To implement this option, use the CLI command store network interface secondary on <nic> <ip> <mask> <gateway> to specify the secondary NIC, its IP address and network mask, and optionally a gateway.

Both physical and VM systems have the same capabilities, dependent on the number of NICs installed on the Guardium system or VM.

To display the network interfaces installed on the unit, use the show network interface inventory CLI command. For example:

show network interface inventory
Current network card configuration:
Device     | Mac Address        | Member of
--------------------------------------------
eno3       | 08:94:EF:28:AA:F9  | br2
eno1       | 08:94:EF:28:AA:F7  |
eno2       | 08:94:EF:28:AA:F8  | br1
eno4       | 08:94:EF:28:AA:FA  | br3
ens2f0     | 00:21:5E:E2:9F:0C  | br7
ens2f1     | 00:21:5E:E2:9F:0E  | br8
ens1f1     | 40:F2:E9:1E:40:18  | br6
ens1f0     | 40:F2:E9:1E:40:19  | br5
ens3f1     | 90:E2:BA:D8:50:3D  | br10
ens3f0     | 90:E2:BA:D8:50:3C  | br9
Note: The Member of column shows which NICs are in a bond pair, if a bond exists.

To locate the eth connectors on your appliance, use the show network interface port CLI command, which blinks the orange light on that port 20 times. For example:

guard14.xyz.com> sho net int port 3

The orange light on port eth5 now blinks 20 times.

Note: The secondary IP address and its associated port are NOT related to the high availability feature, which provides fail-over support via IP Teaming for the primary connection. For more information about the high-availability option, see the store network interface commands in the CLI Appendix.  

SubNet Mask (Secondary)

Optional. The subnet mask for the secondary System IP Address.

Default Route

The IP address of the default router for the system.

Secondary Route

The IP address of the secondary router.

Primary Resolver, Secondary Resolver, Tertiary Resolver

The IP address for the Primary Resolver (DNS) is required. The secondary and tertiary resolvers are optional.

Test Connection

Click Test Connection to test the connection to the corresponding DNS (Domain Name System) server. This only tests that there is access to port 53 (DNS) on the specified host. It does not verify that this is a working DNS server. You will receive a message box indicating if the DNS server responded.

Stop

Click Stop to shut down the system.

Restart

Click Restart to stop and then restart the system. You will be prompted to confirm the action.

Apply

Click Apply to save the changes. The changes are applied the next time the system restarts.
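The Test Connection description above separates two things: that port 53 on the host accepts a connection, and that a working DNS server answers there. The Go program below is an added example, not Guardium's code, that shows the two checks side by side: PortReachable does only what the button is described as doing, and ResolvesName sends a real query to that server through Go's resolver so that a host with port 53 open but no name service behind it is caught. The function names are this example's own, and the server address in main is a placeholder from TEST-NET-1.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"time"
)

// PortReachable performs the kind of check the Test Connection button is described
// as doing: it only verifies that something accepts a TCP connection on the given
// port. This is an assumed re-implementation for illustration, not Guardium's code.
func PortReachable(host string, port int, timeout time.Duration) bool {
	conn, err := net.DialTimeout("tcp", net.JoinHostPort(host, fmt.Sprint(port)), timeout)
	if err != nil {
		return false
	}
	conn.Close()
	return true
}

// ResolvesName is the stronger check the panel does not do: it sends an actual DNS
// query for name to that server (UDP first, TCP only if the resolver needs it) and
// reports whether an answer containing at least one address came back.
func ResolvesName(server string, port int, name string, timeout time.Duration) (bool, error) {
	addr := net.JoinHostPort(server, fmt.Sprint(port))
	r := &net.Resolver{
		PreferGo: true, // use Go's resolver so the Dial hook below is honoured
		Dial: func(ctx context.Context, network, _ string) (net.Conn, error) {
			d := net.Dialer{Timeout: timeout}
			return d.DialContext(ctx, network, addr) // talk to the chosen server, not the system resolver list
		},
	}
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()
	addrs, err := r.LookupHost(ctx, name)
	if err != nil {
		return false, err
	}
	return len(addrs) > 0, nil
}

func main() {
	server := "192.0.2.53" // placeholder resolver address (TEST-NET-1); substitute your own
	fmt.Println("port 53 reachable:", PortReachable(server, 53, 2*time.Second))
	ok, err := ResolvesName(server, 53, "example.com", 2*time.Second)
	fmt.Println("answers queries:", ok, err)
}
```

Running both against the resolvers entered on this panel tells you not just that the address is routable but that it will actually serve lookups for the Guardium system; a firewall or a host with port 53 open for some other service passes the first check and fails the second.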