Current IP Filters Workspace
The Current IP Filters Workspace displays the currently active
IP filters in use by a monitored TCP/IP stack on a z/OS(R) system image.
One of the ways to display the Current IP Filters workspace is
to right-click the IP Filters navigator item
for a specific TCP/IP stack, select Workspaces and
select the Current IP Filters link.
Summary information is displayed in the Current IP Filters In Scan Order Summary Table. See Current IP Filters In Scan Order Summary Table for a list of other workspaces that
can be accessed by clicking the Link icon in
the summary table.
There can be tens of thousands of IP Filters. The query filter
implemented for this workspace retrieves up to 500 IP Filters at a
time.
The Tivoli Enterprise Portal displays 100 rows of IPSec Filters
at a time. Use the Tivoli Enterprise Portal scrolling controls or
change the page number at the top right of the table view to see the
remaining IP Filters from the current set of up to 500 IP Filters.
If more than 500 IP Filters exist, a link named Current
IP Filters In Scan Order By Next Page will be provided in the
right-click menu of the Link icons for
each row in the Current IP Filters in Scan Order table view. Use this
link to display each successive group of 500 IP Filters. When no more
IP Filters are available for display, the link will not appear in
the right click menu. If you have already used the Current
IP Filters In Scan Order By Next Page link to display additional
IP Filters, another link named Current IP Filters
In Scan Order By Previous Page can be used to return to the previous
set of 500 IP Filters.
The Current IP Filters Workspace contains the following views:
- Five Filters With Most Total Packets Matched:
Displays the five filters that have the highest number of total packets
that matched the filter's condition and action in the Current
IP Filters table.
- Five Filters With Most Total Packets Denied By
DENY: Displays the five filters that have the highest number
of total packets that matched the filter's condition and for
which the action was DENY.
- Five Filters With Most Total Packets Denied
by Mismatch: Displays the five filters that have the highest
number of total packets that matched the filter's condition but
did not match the filter's action (for example, if a packet was
sent "in the clear" but the action was coded as IPSec). This
view can provide an indication of a configuration problem such as
packets flowing in the clear when they should be encrypted.
- Current IP Filters In Scan Order Summary Table:
Provides performance and configuration data about the currently active
IP filters.
Current IP Filters In Scan Order Summary Table
The Current IP Filters In Scan Order Summary Table provides performance
and configuration data about the currently active IP filters. Each
row in the table represents a single IP filter. The filters are displayed
in the order that they would be scanned by the TCP/IP stack when it
compares them to packets. The first 500 filters are displayed. Additional
filters may be displayed by using the Current IP
Filters In Scan Order By Next Page link defined for each row.
For a complete list of the attributes available in the Current IP
Filters In Scan Order Summary Table, and a brief description of each,
see the Current IP Filters Attributes help panel.
The following additional workspaces can be accessed by clicking
the Link icon in the Current IP Filters In Scan
Order Summary Table:
- Dynamic IP Tunnels by Filter Rule Definition Name Workspace (default).
This link navigates to the Dynamic IP Tunnels workspace and shows
tunnels that have a filter rule definition name that matches the name
of the selected filter. This is a conditional link and is displayed
in the list of available links only if the filter Type is
DYNAMIC (4), NATTDYN (6), or NRF (7).
- Dynamic IP Tunnels by Tunnel ID Workspace:
This is a conditional link displayed in the list of available links
only if the filter Type is DYNAMIC (4) or NATTDYN
(6) or NRF (7). This link navigates to the Dynamic IP Tunnels workspace
and shows tunnels that have a tunnel ID that matches the tunnel ID
associated with the selected filter.
- Manual IP Tunnels by Tunnel ID Workspace:
This is a conditional link displayed in the list of available links
only if the filter Type is MANUAL (2). This
link navigates to the Manual IP Tunnels workspace and shows tunnels
that have a tunnel ID that matches the tunnel ID associated with the
selected filter.
- Current IP Filters In Scan Order By Previous
Page Workspace: This is a conditional link displayed in the
list of available links only if the page number for the selected link
is greater than “0000". This link navigates to the Current IP Filters in Scan Order Workspace and
shows the IP filters that have a page number that is 1 less than the
page number for the selected filter. If the active filters have changed
significantly between collection intervals (for example, if the filter
set in use was switched or a large number of filters became inactive),
this link displays a workspace with no filters.
- Current IP Filters In Scan Order By Next Page
Workspace: This is a conditional link displayed in the list
of available links only if the page number for the selected link is
less than the value in the Last Page column
of the selected row. This link navigates to the Current IP Filters in Scan Order Workspace and shows the IP filters
that have a page number that is 1 more than the page number for the
selected filter. If the active filters have changed significantly
between collection intervals (for example, if the filter set in use
was switched or a large number of filters became inactive), this link
displays a workspace with no filters.
- Current IP Filters by Destination Address Workspace:
This link causes a dialog box to be displayed that prompts you for
a destination IP address that is compared to the currently active
filters for a TCP/IP stack. The IP address input field in the dialog
box is filled in by default with the value from the Destination
Address column for the selected filter, but you can change this
value to be another IPv4 or IPv6 address found on this TCP/IP stack.
Specify an IP address that has the same IP address version as the
selected filter. If you specify an IPv6 address and the selected filter
has an IPv4 address, then the linked-to workspace will not find any
filters to display. With this address as input, this link navigates
to the Current IP Filters By Destination Address Workspace showing
the IP filters that match the destination IP address that you provided.
Note that if the Destination Address column
in the summary table is blank, the IP address input field in the dialog
box is filled with an IP address that has a value of zero (0) for
all subnets in the address.
See also: