SSLv Initial Configuration and Setup

Article ID: 258777

Products

SSL Visibility Appliance Software

Issue/Introduction

How to perform Initial Configuration and Setup on SSL Visibility Appliance.

Resolution

When the system first boots, an administrator user account is available via a serial connection to the appliance for initial configuration and setup. Refer to the SSL Visibility Quick Start Guide poster that came with your appliance (also available as a PDF).

Power On the Appliance 
The first time you plug the appliance in, it will start up automatically. After that, how an appliance behaves when power is restored after an outage varies with the model, as described in the following table.

S550 Power On Behavior

State Before Power was Lost                    State After Power is Restored
Booted and operational                         Booted and operational
Powered down using the WebUI halt option       Powered down
Powered down using the WebUI reboot option     Booted and operational
Powered down using the CLI halt command        Booted and operational
Powered down using the CLI shutdown command    Powered down
Powered down using the power button            Powered down

If the appliance is powered down when power is restored, use the physical power button to power it back on.

Bootup Behavior
When booted the first time, SSL Visibility 5.x provides a default administrator user. You will use the administrator user to access the appliance for the first time and configure management IP address access. Before booting, establish a serial connection to the appliance, either directly or through a terminal server connection.

  1. Power on the appliance. When the console window displays, press Enter three times to activate the console.
  2. Enter “2” (Setup console) to launch the Initial Configuration Wizard (ICW). You will use the ICW menus to configure the management IP address, default gateway, and DNS server, and to set access
  3. Press Enter to access the ICW commands.
  4. Enter the IP address/netmask, IP gateway, and DNS addresses. IPv6 and IPv4 addresses are supported. Enter either an IPv4 or IPv6 address, but not both in the same command.
  5. Set the console user password and the CLI enable password.

  6. (Optional) Secure the serial port.
  7. When done, you can access the SSL Visibility WebUI management interface and the CLI. To access the WebUI, use port 8082, for example, “https://<IP_address>:8082” and log on with the user password. Access the CLI commands using the enable password.

Once the appliance is through the initial configuration phase (including setting up the management interface IP address), you can access the WebUI with a browser. You will want to complete the following tasks: setting the date and time, verifying or editing the management network settings, installing the license, and setting up one or more additional users.

Configure System Date/Time and Timezone
To configure the system date and time, use the Date/Time option on the Platform Management (system name) menu.

Note
If you artificially change the system's time and record a session in a log that already contains sessions with a Start Time later than the system's current time, the recorded sessions will not appear in the Session Log. For example, if you move the system time ahead by 1 month for testing, process some sessions, and then move the system time back to the actual time, the sessions with the future date will not be visible.

If NTP is enabled, the Date and Time fields will be disabled as these values are being set by the Network Time Protocol (NTP). If NTP is not enabled, click Edit to edit these settings. You can change the Timezone whether NTP is enabled or not. Configure the settings, then click OK to save the settings, and then Apply the changes. The screen will refresh.

See Configure Date and Time for details on setting the date and time, and for using NTP servers.

Note
If you have changed the date, time, NTP, or timezone, you must click Apply to save your changes.

Configure Management Network Settings
To configure or change system settings, use the Platform Management (system name) > Management Network menu (see Set Up the Management Network for more information on all of the settings). The management network supports IPv4 and IPv6 addresses.

Note
The Management Network interface does not support DHCP in this release.

The SSL Visibility appliance supports simultaneous access by both IPv4 and IPv6. The next figure shows an active IPv4 configuration dialog on top of the Management Network panel.

Note
Changes to any IP network settings require an appliance restart.

Configure a Static IP Address

  1. Click Edit on the IPv4 Settings or IPv6 Settings panel; the Edit dialog opens.
  2. Enter the required data. Use the IP address/mask bits (CIDR) format to enter the IP address and netmask, such as 192.0.2.1/24. If you are configuring an IPv6 address, enable IPv6. The IPv6 Link Local address shown in the IPv6 Settings panel is derived automatically and presented for IPv6 settings; you cannot edit it.
  3. Click OK. The Edit dialog closes.
  4. Click Apply to save and apply the changes. The changes to the network settings will only take place once a reload has occurred.

Note 
After you click Apply, you must reload the appliance. Click Reload on the banner at the top of the screen.
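
Because network changes only take effect after a reload, it helps to check the planned address, gateway, and DNS values before entering them in the ICW or the Edit dialog. The following is an added example, not Broadcom code or the appliance's own validation; the function name, the sample addresses, and the rule that the gateway should sit on the management subnet are assumptions of this example.

```python
import ipaddress

def check_mgmt_plan(address_cidr, gateway, dns_servers):
    """Return a list of problems found in planned management-network values.

    An empty list means the plan is consistent. These are this example's
    sanity checks, not the appliance's own input validation.
    """
    if "/" not in address_cidr:
        return [f"{address_cidr!r} has no mask bits; use address/prefix form"]
    try:
        iface = ipaddress.ip_interface(address_cidr)
    except ValueError as exc:
        return [f"{address_cidr!r} is not a valid CIDR address: {exc}"]
    net, problems = iface.network, []
    # On IPv4 subnets larger than /31 the first and last addresses are reserved.
    if iface.version == 4 and net.prefixlen < 31:
        if iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"{iface.ip} is reserved in {net}")
    try:
        gw = ipaddress.ip_address(gateway)
    except ValueError:
        problems.append(f"gateway {gateway!r} is not an IP address")
    else:
        if gw.version != iface.version:
            problems.append("gateway and address use different IP versions")
        elif gw == iface.ip:
            problems.append("gateway is the appliance's own address")
        # An IPv6 gateway is commonly a link-local (fe80::/10) next hop.
        elif gw not in net and not (gw.version == 6 and gw.is_link_local):
            problems.append(f"gateway {gw} is outside {net}")
    for server in dns_servers:
        try:
            ipaddress.ip_address(server)
        except ValueError:
            problems.append(f"DNS server {server!r} is not an IP address")
    return problems

if __name__ == "__main__":
    # Constructed plans using documentation address ranges.
    plans = [
        ("192.0.2.10/24", "192.0.2.1", ["192.0.2.53"]),
        ("192.0.2.10/24", "198.51.100.1", ["192.0.2.53"]),
        ("2001:db8::10/64", "fe80::1", ["2001:db8::53"]),
    ]
    for plan in plans:
        print(plan[0], "->", check_mgmt_plan(*plan) or "OK")
```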

Use Access Control Lists to control incoming connections on the management interface. You can create denylists (never allow a connection) and allowlists (always allow the connection). See Access Control Lists for detailed configuration information.

Configure Users
SSL Visibility 5.x is configured with an administrator user the first time you start the system. After initial configuration is complete, you can add more users with specific roles and capabilities. You can also configure remote authentication with LDAP or TACACS+ servers.

Note
The default administrator user (admin) cannot be edited or removed.

To create new user accounts on the system:

  1. From the (Platform Management) menu, select Authentication.
  2. In the Authentication panel, click Local Users to display the User Management panel.
  3. Click Add to add a new user to the system. The Add User dialog opens.
  4. User ID: Enter a descriptive name for the user, up to 64 alphanumeric characters. The only special characters allowed are: . (dot) - (dash) _ (underscore). The ID must begin and end with an alphanumeric character.
  5. Roles: Assign one or more roles to the user being created. To assign more than one role click the first role, which will highlight the role, then hold down the CTRL key (Command key, for Mac users) and select additional roles until all the roles you wish the new user to have are highlighted.
  6. Enter and confirm a user Password. See Create Password Policy for password requirements and how to change them.
  7. Click OK to add the new user to the system.

For information about the privileges of different roles, see Local User Management.
Users can change their own passwords at any time by logging on to the system and using the Change Password option on the user menu. See Change Password.

Users with the Manage Appliance role or the default administrator (admin) can create users or edit user accounts to change roles or passwords.

Licensing
Each SSL Visibility appliance requires a license to activate inspection policy. The license is associated with an individual SSL Visibility appliance serial number.

Note 
See SSL Visibility Licenses for further information on the License feature.

Determine the Type of License
View the license status on the front LCD panel and on the License panel.
Perpetual: A license that does not expire.
Subscription: A license that is valid for a set period of time.

License Expiration
At the end of a subscription license period, the license expires. A license expiration notification message is logged in the System Log (see Monitor System Log Entries).
SSL Visibility supports automatic license updates. To enable this feature, click Edit in the License Settings panel to enable Auto Update License, click OK, and then Apply the change.

If a valid SSL Visibility appliance license is not present, the following message will appear when a user logs in; it doesn’t appear for add-on licenses, such as Host Categorization:

When the SSL Visibility appliance license expiration is within 30 days, a "Pending License Expiration" message will appear on logging in.
The status of the SSL Visibility appliance license is always visible in the header of the WebUI, shown next.

The License status can be one of the following:

  • Green check mark: The appliance has a valid license installed and is not expiring within 30 days.
  • Yellow warning: The installed valid SSL Visibility appliance license expires within 30 days, or an add-on license has expired.
  • Red error: No valid SSL Visibility appliance license is installed, or the license has expired.

You can still perform WebUI configuration tasks when there is no valid SSL Visibility appliance license installed. However, the SSL Visibility appliance will force all activated segments into fail-to-wire mode. Segments might be marked for activation, but the activation will not complete until a valid license is installed. When a valid license is installed, the appliance will automatically complete segment activation, and unfail the appropriate external interfaces.

Note
Interfaces that are not configured on a segment will not be unfailed when a valid SSL Visibility appliance license is installed.

License the SSL Visibility Appliance
Before you can license your SSL Visibility appliance, you must have the following:

  • The serial number of your appliance. To locate the serial number, go to (Platform Management) > Information. View the serial number under Chassis FRU Info. The serial number can also be found on the front panel LCD screen.
  • A myBroadcom account. For instructions on setting up an account, refer to the Getting Started web page.

Download a License
For more information on downloading a license, refer to the Getting Started web page.

  1. Log in to your myBroadcom account.
  2. Download your license from the My Entitlements webpage.
  3. Save the license file on a system that you can access from the SSL Visibility appliance.

Install a License
The following image depicts an appliance that does not have a license installed.

To install a license:

  1. Select (Platform Management) > License.
  2. Click Add. The Install License dialog opens.
  3. To install the license, use one of the following methods:
       • On the Upload License tab, click Browse to browse to the file location.
       • On the Paste License tab, paste in text copied from an exported license.
       • On the License from URL tab, supply the URL to download the file from a web server.
       • On the BTO Install tab, install the license directly from the portal.
  4. Click Add. You will see a confirmation message, and the specific appliance platform model. The license is now installed. All standard SSL Visibility appliance features are now operational.
If you have difficulty installing a license, verify that the license file is valid, that it is for the correct appliance, and that the appliance is configured with the correct date and time. Contact Customer Support if you require assistance.
You can also configure automatic updating for licenses. Click Edit in the License Settings panel to enable or disable this option.

System Status
To view the overall status of the appliance, select Monitor > System Status (see Monitor the System Status).

Status details shown here feed into the summary status indicators for System, Load, Network, and License that appear in the status bar in the banner. The appliance uptime is also indicated (for example, Up for less than an hour, 0:37:27).