Home
Guardian
Installation Guide
Information and resources on how to install Guardian, and the different options and settings that are available.
Additional settings
Turbo capture mode enablement
A description of how to configure the turbo capture mode, in order to handle higher traffic loads.

Guardian
- Introduction
  An overview of Guardian.
- Installation Guide
  Information and resources on how to install Guardian, and the different options and settings that are available.
  - Introduction
  - Physical installation
  - Virtual installation
  - Container installation
  - Basic configuration
  - Additional settings
    - Network requirements
    - Install an SSL certificate
      You need to install a secure sockets layer (SSL) certificate to securely encrypt traffic between client computers and the Nozomi Networks Operating System (N2OS) sensor over hypertext transfer protocol secure (HTTPS).
    - Install a CA certificate
      If an issuing certificate authority (CA) for the hypertext transfer protocol secure (HTTPS) certificate is not immediately trusted, you will need to install a certificate authority (CA) certificate to the Nozomi Networks Operating System (N2OS) sensor.
    - Enable SNMP
      To monitor the health of the Nozomi Networks Operating System (N2OS) sensor, you need to enable the simple network management protocol (SNMP) daemon.
    - Internal firewall configuration
      It is possible to configure the settings of an internal firewall to restrict access to specific items.
    - Configure an internal firewall
      Do this procedure to configure the internal firewall to restrict access to components such as: the management interface, the secure shell (SSH) terminal, the simple network management protocol (SNMP) service, and internet control message protocol (ICMP) of the full stack edition.
    - Management-interface packet-rate protection
      A description of internal packet-rate protection, which is enabled by default.
    - Disable internal packet-rate protection of the management interface
      If necessary, do this procedure to disable internal packet-rate protection in the management interface.
    - Configure IPv6
      You can configure IPv6 to access physical and virtual sensors. This is not possible for container installations.
    - Enable 802.1x on the management interface
      This topic describes how to enable 802.1x support for the management interface. Configuration of the RADIUS server and the creation of possible certificates are not discussed
    - USB port disablement
      The Nozomi Networks Operating System (N2OS) does not support universal service bus (USB) ports.
    - Turbo capture mode enablement
      A description of how to configure the turbo capture mode, in order to handle higher traffic loads.
  - Compatibility Reference
  - Federal Information Processing Standards
- Administrator Guide
  Information and resources about the Administration section of Guardian, and the tasks that you can do in this part of the software.
- User Guide
  Information and resources about the main features of Guardian, and the tasks that you can do from the user interface (UI).
- Maintenance Guide
  Information about the maintenance tasks of Guardian, to help you administer and maintain the solution in a production environment.
- Print format documentation
  A list of all the print-format documentation that is available for Guardian.

Turbo capture mode enablement

A description of how to configure the turbo capture mode, in order to handle higher traffic loads.

The turbo capture mode allows the Nozomi Networks solution to fully leverage all the central processing unit (CPU) cores in the system when capturing traffic from local interfaces. By fully parallelizing all packet processing stages and minimizing the packet data copies in memory, it is possible to handle extremely high loads even if arriving over a few interfaces.

When in turbo capture mode, it is not possible to simultaneously trace traffic into files. Therefore, it is no longer possible to configure continuous traces regardless if scoped (e.g. relating to a specific node) or not. Traces that are triggered by alerts are not affected and are available regardless of turbo capture mode status. However, due to the previous shortcoming, it is recommended that the turbo capture mode is enabled only when the traffic load is expected to exceed 3 Gigabit per second (Gb/s).

In order to enable turbo capture mode, you need to add the following line in the /data/cfg/n2os.conf.user file (after replacing the interfaces array with the ones that are applicable to the specific system):

turbo_capture params { "enabled": true, "pin_cores": true, "interfaces": ["vmx1", "vmx2"] }

The turbo_capture params argument is a JavaScript Object Notation (JSON) object that holds all the configuration options that are relevant for the feature:

enabled: (boolean) configures whether the turbo capture mode should be enabled.
pin_cores: (boolean) configures whether each of the packet processing threads should be pinned to a fixed thread. In systems with high CPU core counts, fixing these threads to run only in specific CPU cores is leading to more efficient resources utilization.
interfaces: (array) List of interfaces that are to be monitored in turbo capture mode. For interfaces that are not present in this array, no monitoring is to be done in turbo capture mode. Note that to be used in this mode, interface names should not contain underscore characters.

After updating the configuration file, the n2osids and n2ostrace services need to be restarted:

service n2osids stop
service n2ostrace stop