Home
Guardian
Learn how Guardian provides comprehensive asset inventory and network visibility for OT and IoT environments.
Installation Guide
Information and resources on how to install Guardian, and the different options and settings that are available.
Additional settings
Internal firewall configuration
It is possible to configure the settings of an internal firewall to restrict access to specific items.

Guardian
Learn how Guardian provides comprehensive asset inventory and network visibility for OT and IoT environments.
- Introduction
  An overview of Guardian.
- Installation Guide
  Information and resources on how to install Guardian, and the different options and settings that are available.
  - Introduction
  - Physical installation
  - Virtual installation
  - Container installation
  - Basic configuration
  - Additional settings
    - Network requirements
    - Install an SSL certificate
      You need to install a secure sockets layer (SSL) certificate to securely encrypt traffic between client computers and the Nozomi Networks Operating System (N2OS) sensor over hypertext transfer protocol secure (HTTPS).
    - Install a CA certificate
      If an issuing certificate authority (CA) for the hypertext transfer protocol secure (HTTPS) certificate is not immediately trusted, you will need to install a certificate authority (CA) certificate to the Nozomi Networks Operating System (N2OS) sensor.
    - Enable SNMP
      To monitor the health of the Nozomi Networks Operating System (N2OS) sensor, you need to enable the simple network management protocol (SNMP) daemon.
    - Internal firewall configuration
      It is possible to configure the settings of an internal firewall to restrict access to specific items.
    - Configure an internal firewall
      Do this procedure to configure the internal firewall to restrict access to components such as: the management interface, the secure shell (SSH) terminal, the simple network management protocol (SNMP) service, and internet control message protocol (ICMP) of the full stack edition.
    - Management-interface packet-rate protection
      A description of internal packet-rate protection, which is enabled by default.
    - Disable internal packet-rate protection of the management interface
      If necessary, do this procedure to disable internal packet-rate protection in the management interface.
    - Configure IPv6
      You can configure IPv6 to access physical and virtual sensors. This is not possible for container installations.
    - Enable 802.1x on the management interface
      This topic describes how to enable 802.1x support for the management interface. Configuration of the RADIUS server and the creation of possible certificates are not discussed
    - USB port disablement
      The Nozomi Networks Operating System (N2OS) does not support universal service bus (USB) ports.
    - Turbo capture mode enablement
      A description of how to configure the turbo capture mode, in order to handle higher traffic loads.
  - Compatibility Reference
  - Federal Information Processing Standards
- Administrator Guide
  Information and resources about the Administration section of Guardian, and the tasks that you can do in this part of the software.
- User Guide
  Information and resources about the main features of Guardian, and the tasks that you can do from the user interface (UI).
- Maintenance Guide
  Information about the maintenance tasks of Guardian, to help you administer and maintain the solution in a production environment.
- Print format documentation
  A list of all the print-format documentation that is available for Guardian.

Internal firewall configuration

It is possible to configure the settings of an internal firewall to restrict access to specific items.

You can limit access to the:

Management interface
secure shell (SSH) terminal
simple network management protocol (SNMP) service
internet control message protocol (ICMP)

Note:

It is only possible to do this for physical and virtual installations. It is not possible for container installations.

Note:

To limit access to these services, you must use the command-line interface (CLI) to add the required configurations.

Note:

The default settings permit connections from any internet protocol (IP) address. The system ignores lines with invalid IP addresses.

Important:

You should use caution when changing internal firewall rules. This is because you can lose access to the device administration interface. In the event of an error, console access is required to fix the rules.

The table below gives the configuration settings that let you fine-tune the firewall rules.

Table 1. Internal firewall configuration settings
Parameter	Description
system firewall icmp	Configure acl for icmp protocol
system firewall https	Configure acl for http and https services
system firewall ssh	Configure acl for ssh service
system firewall snmp	Configure acl for snmp service