Solved

Need help configuring 3com switch for websense port mirroring

Posted on 2008-10-31
Last Modified: 2012-05-05
Hi,

I'm having trouble understanding the documentation for a 3com 4500 g switch when it comes to port mirroring.  I'm trying to install websense security suite on its own box and connect it to this switch.  I assume at least one of the switch ports the websense box uses will mirror network traffic in and out of our sonic wall.  Is this correct?

My problems are:
The documentation I downloaded refers only to the command line interface not the web interface.

Second problem:
I don't know the IP of the switch I need to use!  I know that sounds bad, but I didn't set up the network and it's not documented.  The switch does not appear to have a console port.  Anyone know a piece of freeware that can detect network devices and give me an ip?

thanks for any help, I really need it!

Maureen


Question by: maureen99
 
Expert Comment

by: TNL_Engr
I can help with the port mirroring, but you probably don't need it.  There are a couple of different ways to set up WebSense.  One is to have it running on a system with 2 NICs.  Traffic comes in one NIC, is filtered, and goes out the other port.  This is the preferred configuration if you are attempting to do bandwidth throttling.

In the configuration which you are probably trying to use, Websense receives the request for URL filtering from the SonicWall and returns an ALLOW or DENY response to the firewall.  In this case, you do not need to set up port mirroring.  You simply configure the firewall to use URL filtering, and tell it what the IP address of your Websense server is.  The firewall takes care of the rest.  

Let me know if you need any additional help with the firewall or Websense server.  Good luck.

Accepted Solution

by: TNL_Engr earned 500 total points
Here's some additional information for you.  The console port on the 4500G is probably on the front of the switch and looks like a standard RJ45 jack.  To program the switch from the console port requires a special cable.  If you do not have one, the pinouts for this cable can be found in the Getting Started Guide.

Getting Started Guide:  http://support.3com.com/documents/switches/4500G/Switch4500G_Getting_Started2.pdf

This guide also gives you complete information about how to do the initial switch setup.  Below are some additional manuals which might be helpful:

Configuration Guide:  http://support.3com.com/documents/switches/4500G/3Com_10014900-AC_4500G_Config-Guide.pdf
Command Reference:  http://support.3com.com/documents/switches/4500G/3Com_10014901-AB_4500G_Com-Ref.pdf
Quick Reference Guide:  http://support.3com.com/documents/switches/4500G/3Com_Switch4500G_QuickRefGuide.pdf

If the switch is getting its IP address dynamically, then you might be able to figure out which address is being used by looking in the lease tables of your DHCP server.  If the switch was statically assigned, you will need to scan for the address.  GFI makes a great tool called LANguard Network Security Scanner.  The product is not free, but GFI does offer a free trial copy for download.

http://www.gfi.com/lannetscan/

This particular tool is quite comprehensive, and gives you much more than simply IP scanning capabilities.  As I said, it isn't free, but the demo copy should work long enough for you to get an idea about the layout and configuration of your network.

Please let me know if any of this is helpful.

Author Comment

by: maureen99
Hi TNL_Engr;

I am still going over your info...so far it looks very helpful.  We are a 2 person IT department so my time is very divided.

thanks so very much!

Maureen

Expert Comment

by: TNL_Engr
No problem, I completely understand.  Just let me know if I can be of further assistance.

Author Comment

by: maureen99
Hi again,

I did the GFI scan but was unable to figure out the IP of the switch so I moved the machine to a switch in the closet next door.  Switch goes to a patch panel and is not directly connected to the sonic wall.  I can move it back if necessary.

The only reason I really needed to get the switch IP was to set up port mirroring, but if I don't need to mirror that's ok.  

A few questions if you have time:

Is bandwidth throttling controlling the amount of bandwidth allowed per PC?  

Can you tell me how to set up port mirroring on the switch step by step?  I referred to the manuals but they're still pretty cryptic on what commands to use and it only takes you through it in the command line interface.  It gives you a command requiring parameters, but doesn't give the parameters...

Sorry to be so clueless, but how does one configure the sonic wall to use url filtering?
If I can use the sonic wall configuration w/o port mirroring that's great.  Meanwhile, I am also hitting sonic wall support.

What I ultimately want to do is find out what PCs are downloading what, who's streaming video or audio and how much, etc.

As always, I greatly appreciate any help because right now I am rather stuck but I'm determined to get this set up.

thanks again,  

Maureen


Expert Comment

by: TNL_Engr
Hi Maureen,
Wow!  Lot of questions. :-)  Here goes:
1. You will eventually need to know the IP address of the 3Com switch if you want to make any configuration changes.  You may not have found it in a scan if it does not have an IP address assigned, or if the address is in another range.  In either case, you will probably need to use the console interface to set the new address.

2. What device are you using for bandwidth control?  WebSense will support this if (a) you have the appropriate license, and (b) you set the WebSense server up in line like this:  InsideNet--->WEBSENSE SVR --->SONICWALL --->Internet  As you can see, all of the traffic to the Internet has to go through the WebSense server (in one interface, and out another interface).  In this configuration the server can limit traffic by protocol.  The other way to set up WebSense has the server somewhere on the inside of your network, and the firewall simply sends requests back to the server.  In either case, WebSense reporting provides complete information on where everyone is going.  So, either way you set it up you will get good information about the surfing habits of your users.  Also, in either configuration you can limit which categories of sites your users are accessing.

3. If you need to configure port mirroring, here's all you need to enter from the command prompt:
  <3Com> system-view
  [3Com] mirroring-group 1 local
  [3Com] mirroring-group 1 mirroring-port GigabitEthernet 1/0/1 both
  [3Com] mirroring-group 1 monitor-port GigabitEthernet 1/0/3
In the example above, GigabitEthernet 1/0/1 is the port that you want to collect the traffic from and "both" indicates that you want to collect traffic going in and out of the port.  GigabitEthernet 1/0/3 is the port that the traffic will be transmitted back out of.  I've included this info simply so you know how to do it.  You will not need to do this to configure WebSense.  Be careful if you attempt to mirror traffic.  You need to really understand the process before attempting it.

4. URL filtering on the SonicWall - Exactly how to set this up depends upon which model of SonicWall you have.  I believe that WebSense can be configured on all of their models except the TZ150.  Here's how it's done on a TZ170...Navigate to "Security Services", "Content Filtering".  In the "Content Filter Type" drop down box select "Websense" and click configure.  In the configuration section you will need to enter the IP address of the WebSense server, and maybe enter the type (not sure about that part, but there are only a couple of types that it could be.  You should probably pick the highest number).

Lastly, your best support will come from WebSense.  They have great documentation, and really customer support.  They can help you with any configuration, and any firewall.  SonicWall supports WebSense on most of their firewalls, but since they have a competing product, they may not be quite as knowledgeable (or forthcoming) about configuring third party add-ons.
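To show what a monitor port delivers once the mirroring group in the comment above is set to "both", here is an added example (not part of the thread, and not 3Com or WebSense code) that tallies IP bytes sent and received per inside PC from mirrored Ethernet frames. The 192.168.1.0/24 inside subnet, the addresses and the sample frames are constructed assumptions.

```python
import ipaddress
import struct
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed inside subnet (constructed)

def parse_ipv4(frame):
    """Return (src, dst, ip_total_length) for an IPv4 Ethernet frame, else None."""
    if len(frame) < 14:
        return None
    ethertype, offset = struct.unpack("!H", frame[12:14])[0], 14
    if ethertype == 0x8100 and len(frame) >= 18:  # 802.1Q tag: real type follows it
        ethertype, offset = struct.unpack("!H", frame[16:18])[0], 18
    if ethertype != 0x0800 or len(frame) < offset + 20 or frame[offset] >> 4 != 4:
        return None  # ARP, IPv6, truncated frames and so on
    total_len = struct.unpack("!H", frame[offset + 2:offset + 4])[0]
    src = ipaddress.ip_address(frame[offset + 12:offset + 16])
    dst = ipaddress.ip_address(frame[offset + 16:offset + 20])
    return src, dst, total_len

def tally(frames, lan=LAN):
    """IP bytes sent (up) and received (down) per inside host, Internet traffic only."""
    usage = defaultdict(lambda: {"up": 0, "down": 0})
    for frame in frames:
        parsed = parse_ipv4(frame)
        if parsed is None:
            continue
        src, dst, length = parsed
        if src in lan and dst not in lan:
            usage[str(src)]["up"] += length
        elif dst in lan and src not in lan:
            usage[str(dst)]["down"] += length
    return dict(usage)

def make_frame(src, dst, total_len, vlan=None):
    """Constructed test frame: zeroed MACs, optional VLAN tag, bare IPv4 header."""
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return bytes(12) + tag + b"\x08\x00" + ip

SAMPLE = [  # constructed frames, as a mirror of the firewall port would deliver them
    make_frame("192.168.1.20", "203.0.113.10", 400),
    make_frame("203.0.113.10", "192.168.1.20", 1500),
    make_frame("203.0.113.10", "192.168.1.20", 1500, vlan=10),
    make_frame("192.168.1.31", "198.51.100.7", 60),
    make_frame("192.168.1.20", "192.168.1.31", 100),  # inside-to-inside, skipped
    bytes(12) + b"\x08\x06" + bytes(28),               # ARP, skipped
]
print(tally(SAMPLE))
```

If the mirroring group were set to one direction only, one of the two counters would stay at zero for every host, which is a quick check that the monitor port is seeing both directions.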
 

Author Comment

by: maureen99
Thanks for answering all my questions.  I have gotten the port mirroring working, however I have been sidetracked by a virus/trojan spambot:
http://www.experts-exchange.com/Networking/Protocols/Application_Protocols/Email/SMTP/Q_23911594.html#a22989067


Author Closing Comment

by: maureen99
Sorry to be so late with this, just too many things on the plate atm but thanks so much again TNL_Engr for your very awesome help!!