Resources
- Release Notes
  Access the release notes for release-based products.
- N2OS Configuration
  The N2OS Configuration - Reference Guide.
- N2OS Software Development Kit
  The N2OS Software Development Kit (SDK).
- Integration Guides
  Integration guides to help you use applications that integrate with Nozomi Networks products.
- Reference Guides
  Additional reference guides with information on items such as Alerts and Incidents and Federal Information Processing Standards (FIPS).
- Quick Start Guides
  Hardware Quick Start Guides.
- Security
  Stay up-to-date with the most recent information and solutions for all vulnerabilities that affect Nozomi Networks products.
- Print format documentation
  A list of all the technical documentation that is available in print format.
- Documentation archive
  Access previous versions of the technical documentation.

Basic configuration rules

Set traffic filter


Product	Guardian
Syntax	`conf.user configure bpf_filter <bpf_expression>`
Description	Set the Berkeley Packet Filter (BPF) filter to apply on incoming traffic to limit the type and amount of data processed by the sensor.
Parameters	`bpf_expression`: the Berkeley Packet Filter expression to apply on incoming traffic. A BPF syntax reference can be accessed on the sensor at `https://<sensor_ip>/#/bpf_guide`
Where	CLI
To apply	In a shell console execute: `service n2osids stop`

Enable or disable management filters


Product	Guardian
Syntax	`conf.user configure mgmt_filters [on\|off]`
Description	With this rule you can switch off the filters on packets that come from/to N2OS itself. Choose 'off' if you want to disable the management filters (default: on).
Where	CLI
To apply	In a shell console execute: `service n2osids stop`

Enable or disable TCP/UDP deduplication


Product	Guardian
Syntax	`conf.user configure probe deduplication enabled [true\|false]`
Description	It can enable or disable the deduplication analysis that N2OS does on TCP/UDP packets. it can be either true, to enable the feature, or false, to disable it. (default: true)
Where	CLI
To apply	In a shell console execute: `service n2osids stop`

Set TCP deduplication time delta


Product	Guardian
Syntax	`conf.user configure probe deduplication tcp_max_delta <delta>`
Description	Set the desired maximum time delta, in milliseconds, to consider a duplicated TCP packet.
Parameters	`delta`: The value of the maximum time delta (default: 1)
Where	CLI
To apply	In a shell console execute: `service n2osids stop`

Set UDP deduplication time delta


Product	Guardian
Syntax	`conf.user configure probe deduplication udp_max_delta <delta>`
Description	Set the desired maximum time delta, in milliseconds, to consider a duplicated UDP packet.
Parameters	`delta`: The value of the maximum time delta (default: 1)
Where	CLI
To apply	In a shell console execute: `service n2osids stop`

Rename fallback zones


Product	Guardian
Syntax	`conf.user configure vi zones default [private\|public] <zone_name>`
Description	Set the private or public fallback zone name, for nodes not matching any zone. Details on zones feature can be viewed in the Graph page in Network.Remark: zones can be configured through the GUI, which is the preferred way. Refer to Zone configurations, in the Administrator Guide.
Parameters	`zone_name`: the name of the private or public fallback zone
Where	CLI
To apply	It is applied automatically
Note	You can also change this configuration from the Web UI.

Add Zone


Product	Guardian
Syntax	`ids configure vi zones create <subnet>[,<subnet>] <zone_name>`
Description	Add a new zone containing all the nodes in one or more specified subnetworks. More subnetworks can be concatenated using commas. The subnetworks can be specified using the CIDR notation (`<ip>/<mask>`) or by indicating the end IPs of a range (both ends are included: `<low_ip>-<high_ip>`). Remark: zones can be configured through the GUI, which is the preferred way. Refer to Zone configurations, in the Administrator Guide.
Parameters	`subnet`: The subnetwork or subnetworks assigned to the zone; both IPv4 and IPv6 are supported `zone_name`: The name of the zone
Where	CLI
To apply	It is applied automatically
Note	You can also change this configuration from the Web UI.

Assign a level to a zone


Product	Guardian
Syntax	`ids configure vi zones setlevel <level> <zone_name>`
Description	Assigns the specified level to a zone. All nodes pertaining to the given zone will be assigned the level. Remark: zones can be configured through the GUI, which is the preferred way. Refer to Zone configurations, in the Administrator Guide
Parameters	`level`: The level assigned to the zone `zone_name`: The name of the zone
Where	CLI
To apply	It is applied automatically
Note	You can also change this configuration from the Web UI.

Set the nodes ownership for a zone


Product	Guardian
Syntax	`ids configure vi zones setis_public [true\|false] <zone_name>`
Description	Sets the specified nodes ownership for a zone. It can be either true, for public ownership, or false, for private ownership. All nodes belonging to the given zone are overwritten inheriting the value. Remark: zones can be configured through the GUI, which is the preferred way. Refer to Zone configurations, in the Administrator Guide
Parameters	`zone_name`: The name of the zone
Where	CLI
To apply	It is applied automatically
Note	You can also change this configuration from the Web UI.

Assign a security profile to a zone


Product	Guardian
Syntax	`ids configure vi zones setsecprofile [low\|medium\|high\|paranoid] <zone_name>`
Description	Assigns the specified security profile to a zone. The visibility of the alerts generated within the zone will follow the configured security profile. Refer to Security profile, in the Administrator Guide.
Parameters	`zone_name`: The name of the zone
Where	CLI
To apply	It is applied automatically
Note	You can also change this configuration from the Web UI.

Add custom protocol


Product	Guardian
Syntax	`conf.user configure probe custom-protocol <name> [tcp\|udp] <port>`
Description	Add a new protocol specifying a port and a transport layer. Names shall always be unique, so when defining a custom protocol both for udp and tcp, use two different names.
Parameters	`name`: The name of the protocol, it will be displayed through the user interface; DO NOT use a protocol name already used by N2OS. E.g. one can use MySNMP, or Myhttp `port`: The transport layer port used to identify the custom protocol
Where	CLI
To apply	In a shell console execute: `service n2osids stop`

Disabling a protocol


Product	Guardian
Syntax	`conf.user configure probe protocol <name> enable false`
Description	Completely disables a protocol. This can be useful to fine tune the sensor for specific needs.
Parameters	`name`: The name of the protocol to disable
Where	CLI
To apply	It is applied automatically

Set IP grouping


Product	Guardian
Syntax	`conf.user configure probe ipgroup <ip>/<mask>`
Description	This command permits to group multiple ip addresses into one single node. This command is particularly useful when a large network of clients accesses the SCADA/ICS system. To provide a clearer view and get an effective learning phase, you can map all clients to a unique node simply by specifying the netmasks (one line for each netmask). Configure trace will still show the raw IPs in the provided trace files. Warning: This command merges all nodes information into one in an irreversible way, and the information about original nodes is not kept.
Parameters	`ip`/`mask`: The subnetwork identifier used to group the IP addresses
Where	CLI
To apply	In a shell console, execute both: `service n2osids stop` AND `service n2ostrace stop`

Set IP grouping for Public Nodes


Product	Guardian
Syntax	`conf.user configure probe ipgroup public_ips <ip>`
Description	This command permits to group all public IP addresses into one single node (for instance, use 0.0.0.0 as the 'ip' parameter). This command is particularly useful when the monitored network includes nodes that have routing to the Internet. The Configure trace, will still show the raw IPs in the provided trace files. Warning: This command merges all nodes information into one in an irreversible way, and the information about original nodes is not kept.
Parameters	`ip`: The ip to map all Public Nodes to
Where	CLI
To apply	In a shell console, execute both: `service n2osids stop` AND `service n2ostrace stop`

Skip Public Nodes Grouping for a subnet


Product	Guardian
Syntax	`conf.user configure probe ipgroup public_ips_skip <ip>/<mask>`
Description	This is useful when the monitored network has a public addressing that has to be monitored (i.e. public addressing used as private or public addresses that are in security denylists).
Parameters	`ip`/`mask`: The subnetwork identifier to skip
Where	CLI
To apply	In a shell console, execute both: `service n2osids stop` AND `service n2ostrace stop`

Set special Private Nodes allowlist


Product	Guardian
Syntax	`conf.user configure vi private_ips <ip>/<mask>`
Description	This rule will set the is_public property of nodes matching the provided mask to false. This is useful when the monitored network has a public addressing used as private (e.g. violation of RFC 1918).
Parameters	`ip`/`mask`: The subnetwork identifier to treat as private; both IPv4 and IPv6 are supported
Where	CLI
To apply	In a shell console execute: `service n2osids stop`

Set GUI logout timeout


Products	CMC, Guardian
Syntax	`conf.user configure users max_idle_minutes <timeout_in_minutes>`
Description	Change the default inactivity timeout of the GUI. This timeout is used to decide when to log out the current session when the user is not active.
Parameters	`timeout_in_minutes`: amount of minutes to wait before logging out. The default is 10 minutes.
Where	CLI
To apply	It is applied automatically

Enable Syslog capture feature


Product	Guardian
Syntax	`conf.user configure probe protocol syslog capture_logs [true\|false]`
Description	With this configuration rule you can enable (option true) the passively capture of the syslog events. It is useful when you want to forward them to a SIEM, for more details see Syslog forwarder integration in the Administrator Guide.
Where	CLI
To apply	It is applied automatically

Enable Guardian HA


Product	Guardian
Syntax	`conf.user configure guardian replica-of <other_guardian_id>`
Description	With this configuration rule you can enable the Guardian HA mode for two Guardians that sniff the same traffic and are connected to the same CMC. During normal operations, only the primary Guardian syncs with the CMC; if it stops synchronizing the secondary Guardian will start synchronize the records from the last primary Guardian update. This rule should only be configured on the secondary sensor.
Parameters	`other_guardian_id`: The id of the other Guardian, it can be found on the CMC with the query `appliances \| where host == <appliance_hostname> \| select id`
Where	CLI
To apply	In a shell console execute: `service n2osids stop`

Disabling Vulnerability Assessment for some nodes


Product	Guardian
Syntax	`conf.user configure va_notification matching [id\|label\|zone\|type\|vendor]=<value> discard`
Description	With this configuration rule you can disable Vulnerability Assessment for node matching the specified rules. The effect of this configuration rule is to discard the matching of CVE identifiers. The types are as follows. `id`: the id of a node, it can be an IP address, a netmask in the CIDR format or a MAC address. `label`: the label of a node. `zone`: the zone in which a node is located. `type`: the type of a node. `vendor`: the vendor of a node.
Parameters	`value`: If a simple string is specified the match will be performed with an "equal to" case-sensitive criterion. The matching supports two operators: `^`: starts with '[': contains These operators must be specified right after the `=` symbol and their match is case-insensitive. Examples: `va_notification matching id=192.168.1.123 discard` `va_notification matching id=192.168.1.0/24 discard` `va_notification matching label=^abc discard`
Where	CLI
To apply	In a shell console execute: `service n2osva stop`

Enabling IPv6 Assets


Product	Guardian
Syntax	`conf.user configure vi ipv6_assets [enabled\|disabled]`
Description	With this configuration rule you can enable assets generation also when nodes are IPv6. By default, this feature is disabled.
Where	CLI
To apply	It is applied automatically
Note	You can also change this configuration from the Web UI.

Change the maximum percentage of Variables in the Network Elements pool


Product	Guardian
Syntax	`conf.user configure vi machine_limits_variables_quota <n>`
Description	With this configuration rule you can change the maximum percentage of Variables in the Network Elements pool, the default is 0.6 meaning that no more than 60% of Network Elements can be Variables.
Parameters	`n`: the percentage of variables expressed as a number from 0.0 to 1.0, e.g. `vi machine_limits_variables_quota 0.7`
Where	CLI
To apply	In a shell console execute: `service n2osids stop`

Tuning Backend Web Server workers


Products	CMC, Guardian
Syntax	`conf.user configure http_workers <n>`
Description	With this configuration rule you can change the number of Ruby Web Server workers. With a higher workers count the CMC/Guardian can handle more Web UI requests concurrently, at the expense of increased memory footprint.
Parameters	`n`: The new number of workers
Where	CLI
To apply	In a shell console execute: `service webserver stop`

Configure how Threat Intelligence contents are handled


Product	Guardian
Syntax	`conf.user configure vi contents <json_value>`
Description	This command configures how Threat Intelligence contents are to be loaded. The JSON object can have the following attributes: `load_contents` - this can be true/false to enable/disable the loading of contents; `stix_backend_provider` - selects the engine to be used for STIX indicators: 'memory' (indicators are stored in memory - default) or 'db' (indicators are stored in the system database). With 'db', the application memory requirements become lower, but STIXv1 (XML) indicators are not supported; `loaded_content_types` - this is a JSON array of contents to be loaded. Contents available are: `stix_indicators` As an example, the following command will completely disable contents loading: `conf.user configure vi contents { "load_contents": false }` As a further example, the following command will allow only stix_indicators rules to be loaded: `conf.user configure vi contents { "loaded_content_types": [ "stix_indicators" ] }` As another example, the following command will configure the usage of the system database for storing STIX indicators related information, reducing the application memory footprint: `conf.user configure vi contents { "stix_backend_provider": "db" }`
Parameters	`json_value`: A JSON object to configure how Threat Intelligence contents are loaded
Where	CLI
To apply	In a shell console execute: `service n2osids stop`

Configure which files detected on the networks are sent to sandbox


Product	Guardian
Syntax	conf.user configure vi sandbox_extraction <json_value>
Description	The json object can have the following attributes: * disabled_protocols - A JSON array of protocol that are disabled with regards files detection * enabled_protocols - A JSON array of protocol that are enabled with regards files detection * disabled_file_extensions - A JSON array of file extensions that are disabled with regards files detection * enabled_file_extensions - A JSON array of file extensions that are enabled with regards files detection
Parameters	json_value: A json object to configure the handling of the detected files.
Where	CLI
To apply	In a shell console execute: service n2osids stop