Current IP Filters Workspace
The Current IP Filters Workspace displays the currently active IP filters
in use by a monitored TCP/IP stack on a z/OS system image.
One way to display the Current IP Filters workspace is to right-click
the IP Filters navigator item for a specific TCP/IP
stack, select Workspaces, and then select the Current IP Filters link.
Summary information is displayed in the Current IP Filters In Scan Order summary table.
See Current IP Filters In Scan Order summary table for a list of other workspaces
that can be accessed by clicking the Link icon in the
summary table.
There can be tens of thousands of IP Filters. The query filter implemented
for this workspace retrieves up to 500 IP Filters at a time.
The Tivoli Enterprise Portal displays 100 rows of IPSec Filters at a time.
Use the Tivoli Enterprise Portal scrolling controls or change the page number
at the top right of the table view to see the remaining IP Filters from the
current set of up to 500 IP Filters.
If more than 500 IP Filters exist, a link named Current
IP Filters In Scan Order By Next Page will be provided in the right-click
menu of the Link icons for each row in the Current IP
Filters in Scan Order table view. Use this link to display each successive
group of 500 IP Filters. When no more IP Filters are available for display,
the link will not appear in the right-click menu. If you have already used
the Current IP Filters In Scan Order By Next Page link
to display additional IP Filters, another link named Current
IP Filters In Scan Order By Previous Page can be used to return to the
previous set of 500 IP Filters.
The Current IP Filters Workspace contains the following views:
- Five Filters With Most Total Packets Matched: Displays
the five filters that have the highest number of total packets that matched
the filter's condition and action in the Current IP Filters table.
- Five Filters With Most Total Packets Denied By DENY:
Displays the five filters that have the highest number of total packets that
matched the filter's condition and for which the action was DENY.
- Five Filters With Most Total Packets Denied by Mismatch: Displays the five filters that have the highest number of total packets
that matched the filter's condition but did not match the filter's
action (for example, if a packet was sent "in the clear" but the action
was coded as IPSec). This view can provide an indication of a configuration
problem such as packets flowing in the clear when they should be encrypted.
- Current IP Filters In Scan Order summary table: Provides
performance and configuration data about the currently active IP filters.
Current IP Filters In Scan Order summary table
The Current IP Filters In Scan Order summary table provides performance
and configuration data about the currently active IP filters. Each row in
the table represents a single IP filter. The filters are displayed in the
order that they would be scanned by the TCP/IP stack when it compares them
to packets. The first 500 filters are displayed. Additional filters may
be displayed by using the Current IP Filters In Scan Order
By Next Page link defined for each row. For a complete list of the attributes
available in the Current IP Filters In Scan Order summary table, and a brief
description of each, see the Current IP Filters Attributes help panel.
The following additional workspaces can be accessed by clicking the Link icon in the Current IP Filters In Scan Order summary
table:
- Dynamic IP Tunnels by Filter Rule Definition Name Workspace (default).
This link navigates to the Dynamic IP Tunnels workspace and shows tunnels
that have a filter rule definition name that matches the name of the selected
filter. This is a conditional link and is displayed in the list of available
links only if the filter Type is DYNAMIC (4), NATTDYN
(6), or NRF (7).
- Dynamic IP Tunnels by Tunnel ID Workspace:
This is a conditional link displayed in the list of available links only
if the filter Type is DYNAMIC (4), NATTDYN (6), or
NRF (7). This link navigates to the Dynamic IP Tunnels workspace and shows
tunnels that have a tunnel ID that matches the tunnel ID associated with the
selected filter.
- Manual IP Tunnels by Tunnel ID Workspace:
This is a conditional link displayed in the list of available links only
if the filter Type is MANUAL (2). This link navigates
to the Manual IP Tunnels workspace and shows tunnels that have a tunnel ID
that matches the tunnel ID associated with the selected filter.
- Current IP Filters In Scan Order By Previous Page Workspace: This is a conditional link displayed in the list of available links
only if the page number for the selected link is greater than "0000".
This link navigates to the Current IP Filters in Scan Order Workspace and
shows the IP filters that have a page number that is 1 less than the page
number for the selected filter. If the active filters have changed significantly
between collection intervals (for example, if the filter set in use was switched
or a large number of filters became inactive), this link displays a workspace
with no filters.
- Current IP Filters In Scan Order By Next Page Workspace: This is a conditional link displayed in the list of available links
only if the page number for the selected link is less than the value in the Last Page column of the selected row. This link navigates
to the Current IP Filters in Scan Order Workspace and
shows the IP filters that have a page number that is 1 more than the page
number for the selected filter. If the active filters have changed significantly
between collection intervals (for example, if the filter set in use was switched
or a large number of filters became inactive), this link displays a workspace
with no filters.
- Current IP Filters by Destination Address Workspace:
This link causes a dialog box to be displayed that prompts you for a destination
IP address that is compared to the currently active filters for a TCP/IP stack.
The IP address input field in the dialog box is filled in by default with
the value from the Destination Address column for the
selected filter, but you can change this value to be another IPv4 or IPv6
address found on this TCP/IP stack. Specify an IP address that has the same
IP address version as the selected filter. If you specify an IPv6 address
and the selected filter has an IPv4 address, then the linked-to workspace
will not find any filters to display. With this address as input, this link
navigates to the Current IP Filters By Destination Address Workspace showing
the IP filters that match the destination IP address that you provided. Note
that if the Destination Address column in the summary
table is blank, the IP address input field in the dialog box is filled with
an IP address that has a value of zero (0) for all subnets in the address.