Blue Coat® Systems
SG™ Appliance
Volume 9: Managing the Blue Coat SG Appliance
SGOS Version 5.2.2
Contents
Setting up Director and SG Appliance Communication......................................................................11
Viewing System Environment Sensors...................................................................................................13
Setting Up Event Logging and Notification..................................................................................................15
Configuring Which Events to Log...........................................................................................................15
Setting Event Log Size...............................................................................................................................16
About Health Monitoring Notification...................................................................................................26
About the Status Metrics...........................................................................................................................27
Changing Threshold and Notification Properties.................................................................................28
Viewing Health Monitoring Statistics.....................................................................................................30
iii
Volume 9: Managing the Blue Coat SG Appliance
Clearing the Byte Cache................................................................................................................................... 37
Troubleshooting Tip.................................................................................................................................. 37
Troubleshooting Tip.................................................................................................................................. 40
Locking and Unlocking SG Appliance Systems.................................................................................... 42
Multi-Disk SG Appliances........................................................................................................................ 43
Managing the Bandwidth for Service Information............................................................................... 47
Diagnostic Reporting (Heartbeats)................................................................................................................. 58
Understanding Chart Data....................................................................................................................... 63
iv
Contents
Understanding Chart Data....................................................................................................................... 67
Viewing the ADN History............................................................................................................................... 68
Viewing Bandwidth Management Statistics................................................................................................. 68
Resources Statistics.................................................................................................................................... 70
Contents Statistics...................................................................................................................................... 74
Filtering the Display.................................................................................................................................. 83
Filtering the Display.................................................................................................................................. 86
Viewing HTML and XML Views of Bypassed Connections Data...................................................... 87
Viewing Health Check Statistics..................................................................................................................... 87
v
Volume 9: Managing the Blue Coat SG Appliance
vi
Chapter 1: About Managing the SG Appliance
Volume 9: Managing the Blue Coat SG Appliance describes how to monitor the SG
appliance with SNMP (a brief introduction to Director is provided), event logging, or
health monitoring. It also describes common maintenance and troubleshooting tasks.
Discussed in this volume:
❐
❐
❐
❐
❐
Document Conventions
The following section lists the typographical and Command Line Interface (CLI) syntax
conventions used in this manual.
Table 1-1. Document Conventions
Conventions
Italics
Definition
The first use of a new or Blue Coat-proprietary term.
Command line text that appears on your administrator workstation.
Courier font
Courier Italics
A command line variable that is to be substituted with a literal name or
value pertaining to the appropriate facet of your network system.
Courier Boldface
A Blue Coat literal to be entered as shown.
{ }
[ ]
|
One of the parameters enclosed within the braces must be supplied
An optional parameter or parameters.
Either the parameter before or after the pipe character can or must be
selected, but not both.
7
Volume 9: Managing the Blue Coat SG Appliance
8
Chapter 2: Monitoring the SG Appliance
This chapter describes the methods you can use to monitor your SG appliances,
including event logging, SNMP, and health monitoring. A brief introduction to Director
is also provided.
This chapter contains the following sections:
❐
❐
❐
❐
❐
Using Director to Manage SG Systems
Blue Coat Director allows you to manage multiple SG appliances, eliminating the need
to configure and control the appliances individually.
Director allows you to configure an SG appliance and then push that configuration out
to as many appliances as required. Director also allows you to delegate network and
content control to multiple administrators and distribute user and content policy across
a Content Delivery Network (CDN). With Director, you can:
❐
❐
❐
Reduce management costs by centrally managing all Blue Coat appliances.
Eliminate the need to manually configure each remote SG appliance.
Recover from system problems with configuration snapshots and recovery.
Automatically Registering the SG Appliance with Director
You can use the Blue Coat Director registration feature to automatically register the SG
appliance with a Blue Coat Director, thus enabling that Director to establish a secure
administrative session with the appliance. During the registration process, Director can
“lock out” all other administrative access to the appliance so that all configuration
changes are controlled and initiated by Director. This is useful if you want to control
access to the appliance or if you want to ensure that appliances receive the same
configuration.
The registration process is fully authenticated; the devices use their Blue Coat
appliance certificate or a shared secret (a registration password configured on Director)
to confirm identities before exchanging public keys. If the SG appliance has an
appliance certificate, that certificate is used to authenticate the SG appliance to Director
as an SSL client. If the SG appliance does not have an appliance certificate, you must
configure a registration secret on Director and specify that secret on the SG appliance.
Refer to the Blue Coat Director Configuration and Management Guide for more information
about specifying the shared secret.
9
Volume 9: Managing the Blue Coat SG Appliance
Note: The Blue Coat appliance certificate is an X.509 certificate that contains the
hardware serial number of a specific SG device as the Common Name (CN) in the
subject field. Refer to the device authentication information in Volume 5: Advanced
Networking for more information about appliance certificates.
Director Registration Requirements
To register the appliance with Director, the SSH-Console service must be enabled. Director
registration will fail if the ssh-console has been disabled or deleted, or if the SSHv2 host
key has been removed.
Registering the SG Appliance with Director
Though usually initiated at startup (with the serial console setup), you can also configure
Director registration from the Management Console, as described in the following
procedure.
To register the appliance with a Director:
1. Select Maintenance > Director Registration.
2. In the Director IP address field, enter the Director IP address.
3. In the Director serial number field, enter the Director serial number or click Retrieve
S/N from Director. If you retrieve the serial number from the Director, verify that the
serial number matches the one specified for your Director.
4. Optional—In the Appliance name field, enter the SG appliance name.
5. If your appliance does not have an appliance certificate, enter the Director shared
secret in the Registration password field.
Note: Refer to the Blue Coat Director Configuration and Management Guide for more
information about configuring the shared secret. For information about appliance
certificates, refer to Volume 5: Advanced Networking.
6. Click Register.
Related CLI Commands for Director Registration
SGOS# register-with-director dir_ip_address [appliance_name
dir_serial_number]
10
Chapter 2: Monitoring the SG Appliance
Setting up Director and SG Appliance Communication
Director and the SG appliance use SSHv2 as the default communication mode. SSHv1 is
not supported.
For Director to successfully manage multiple appliances, it must be able to communicate
with an appliance using SSH/RSA and the Director’s public key must be configured on
each system that Director manages.
When doing initial setup of the SG appliance from Director, Director connects to the
device using the authentication method established on the device: SSH with simple
authentication or SSH/RSA. SSH/RSA is preferred, and must also be set up on Director
before connecting to the SG appliance.
Director can create an RSA keypair for an SG appliance to allow connections. However,
for full functionality, Director’s public key must be configured on each appliance. You can
configure the key on the system using the following two methods:
❐
❐
Use Director to create and push the key.
Use the import-director-client-keyCLI command from the SG appliance.
Using Director to create and push client keys is the recommended method. The CLI
command is provided for reference.
Complete the following steps to put Director’s public key on the SG appliance using the
CLI of the appliance. You must complete this procedure from the CLI. The Management
Console is not available.
Note: For information on creating and pushing a SSH keypair on Director, refer to the
Blue Coat Director Installation Guide.
Log in to the SG appliance you want to manage from Director.
1. From the (config) prompt, enter the ssh-console submode:
SGOS#(config) ssh-console
SGOS#(config ssh-console)
2. Import Director’s key that was previously created on Director and copied to the
clipboard.
Important: You must add the Director identification at the end of the client key. The
example shows the username, IP address, and MAC address of Director. “Director”
(without quotes) must be the username, allowing you access to passwords in clear
text.
SGOS#(config services ssh-console) inline director-client-key
Paste client key here, end with "..." (three periods)
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAvJIXt1ZausE9qrcXem2IK/mC4dY8Cxxo1/
B8th4KvedFY33OByO/pvwcuchPZz+b1LETTY/zc3SL7jdVffq00KBN/
ir4zu7L2XT68ML20RWa9tXFedNmKl/iagI3/QZJ8T8zQM6o7WnBzTvMC/
ZElMZZddAE3yPCv9+s2TR/[email protected]
...
ok
To view the fingerprint of the key:
SGOS#(config sshd) view director-client-key clientID
83:C0:0D:57:CC:24:36:09:C3:42:B7:86:35:AC:D6:47
11
Volume 9: Managing the Blue Coat SG Appliance
To delete a key:
SGOS#(config sshd) delete director-client-key clientID
Monitoring the System and Disks
The System and disks page in the Management Console has the following tabs:
❐
Summary
Provides configuration information and a general status information about the device.
❐
Tasks
Enables you to perform systems tasks, such as restarting the system and clearing the
about these tasks.
❐
❐
❐
Environment
Displays hardware statistics.
Disks
Displays details about the installed disks and enables you take them offline.
SSL Cards
Displays details about any installed SSL cards.
These statistics are also available in the CLI.
Note: The SG 400 appliances do not have an Environment tab.
System Summary
The device provides a variety of information on its status. The fields on the Summary tab
are described below:
❐
Disks Installed—the number of disk drives installed in the device. The Disks tab
displays the status of each drive.
❐
❐
❐
❐
❐
❐
Memory installed—the amount of RAM installed in the device.
CPUs installed—the number of CPUs installed in the device.
Software image—the version and release number of the device image.
Serial number—the serial number of the machine, if available.
System started—the time and date the device was started.
CPU utilization—the current percent utilization of the device CPU.
To view the system summary statistics:
Select Maintenance > System and disks > Summary.
12
Chapter 2: Monitoring the SG Appliance
Viewing System Environment Sensors
The icons on the Environment tab are green when the related hardware environment is
within acceptable parameters, and red when an out-of-tolerance condition exists. If an
icon is red, click View Sensors to view detailed sensor statistics to learn more about the
out-of-tolerance condition.
Note: The health monitoring metrics on the Statistics > Health page also show the state
information.
Note: You cannot view environment statistics on an SG 400 appliance.
To view the system environment statistics:
1. Select Maintenance > System and disks > Environment.
Note: This tab varies depending on the type of SG appliance that you are using.
2. Click View Sensors to see detailed sensor values; close the window when you are
finished.
13
Volume 9: Managing the Blue Coat SG Appliance
Viewing Disk Status
You can view the status of each of the disks in the system and take a disk offline if needed.
To view disk status or take a disk offline:
1. Select Maintenance > System and disks > Environment.
The default view provides information about the disk in slot 1.
Note: The name and appearance of this tab differs, depending on the range of disks
available to the SG appliance model you use.
2. Select the disk to view or to take offline by clicking the appropriate disk icon.
3. (Optional) To take the selected disk offline, click the Take disk x offline button (where x
is the number of the disk you have selected); click OK in the Take disk offline dialog
that displays.
14
Chapter 2: Monitoring the SG Appliance
Viewing SSL Accelerator Card Information
Selecting the Maintenance > System and disks > SSL Cards tab allows you to view
information about any SSL accelerator cards in the system. If no accelerator cards are
installed, that information is stated on the pane.
To view SSL accelerator cards:
Note: You cannot view statistics about SSL accelerator cards through the CLI.
Select Maintenance > System and disks > SSL Cards.
Setting Up Event Logging and Notification
You can configure the SG appliance to log system events as they occur. Event logging
allows you to specify the types of system events logged, the size of the event log, and to
configure Syslog monitoring. The appliance can also notify you by e-mail if an event is
logged.
Configuring Which Events to Log
The event level options are listed from the most to least important events. Because each
event requires some disk space, setting the event logging to log all events fills the event
log more quickly.
To set the event logging level:
1. Select Maintenance > Event Logging > Level.
2. Select the events you want to log.
When you select an event level, all levels above the selection are included. For
example, if you select Verbose, all event levels are included.
3. Click Apply.
15
Volume 9: Managing the Blue Coat SG Appliance
Related CLI Commands for Setting the Event Logging Level
SGOS#(config event-log) level {severe | configuration | policy |
informational | verbose}
Table 2-1. Event Logging Level Options
severe
Writes only severe error messages to the event log.
configuration
policy
Writes severe and configuration change error messages to the event log.
Writes severe, configuration change, and policy event error messages to
the event log.
informational
verbose
Writes severe, configuration change, policy event, and information error
messages to the event log.
Writes all error messages to the event log.
Setting Event Log Size
You can limit the size of the appliances’s event log and specify what the appliance should
do if the log size limit is reached.
To set event log size:
1. Select Maintenance > Event Logging > Size.
2. In the Event log size field, enter the maximum size of the event log in megabytes.
3. Select either Overwrite earlier events or Stop logging new events to specify the desired
behavior when the event log reaches maximum size.
4. Click Apply.
Related CLI Commands to Set the Event Log Size
SSGOS#(config event-log) log-size megabytes
SGOS#(config event-log) when-full {overwrite | stop}
Enabling Event Notification
The SG appliance can send event notifications to Internet e-mail addresses using SMTP.
You can also send event notifications directly to Blue Coat for support purposes. For
16
Chapter 2: Monitoring the SG Appliance
Note: The SG appliance must know the host name or IP address of your SMTP mail
gateway to mail event messages to the e-mail address(es) you have entered. If you do not
have access to an SMTP gateway, you can use the Blue Coat default SMTP gateway to
send event messages directly to Blue Coat.
The Blue Coat SMTP gateway only sends mail to Blue Coat. It will not forward mail to
other domains.
To enable event notifications:
1. Select Maintenance > Event Logging > Mail.
2. Click New to add a new e-mail address; click OK in the Add list item dialog that
appears.
3. In the SMTP gateway name field, enter the host name of your mail server; or in the
SMTP gateway IP field, enter the IP address of your mail server.
4. (Optional) If you want to clear one of the above settings, select the radio button of the
setting you want to clear. You can clear only one setting at a time.
5. Click Apply.
Related CLI Commands to Enable Event Notifications
SGOS#(config event-log) mail add email_address
Syslog Event Monitoring
Syslog is an event-monitoring scheme that is especially popular in UNIX environments.
Sites that use syslog typically have a log host node, which acts as a sink (repository) for
several devices on the network. You must have a syslog daemon operating in your
network to use syslog monitoring. The syslog format is: Date Time Hostname Event.
Most clients using syslog have multiple devices sending messages to a single syslog
daemon. This allows viewing a single chronological event log of all of the devices
assigned to the syslog daemon. An event on one network device might trigger an event on
other network devices, which, on occasion, can point out faulty equipment.
17
Volume 9: Managing the Blue Coat SG Appliance
To enable syslog monitoring:
1. Select Maintenance > Event Logging > Syslog.
2. In the Loghost field, enter the domain name or IP address of your loghost server.
3. Select Enable Syslog.
4. Click Apply.
Related CLI Commands to Enable Syslog Monitoring
SGOS#(config event-log) syslog {disable | enable}
Viewing Event Log Configuration and Content
You can view the system event log, either in its entirety or selected portions of it.
Viewing the Event Log Configuration
You can view the event log configuration, from showor from viewin the event-log
configuration mode.
To view the event log configuration:
At the prompt, enter the following command:
❐
From anywhere in the CLI
SGOS> show event-log configuration
Settings:
Event level: severe + configuration + policy + informational
Event log size: 10 megabytes
If log reaches maximum size, overwrite earlier events
Syslog loghost: <none>
Syslog notification: disabled
Syslog facility: daemon
Event recipients:
SMTP gateway:
mail.heartbeat.bluecoat.com
-or-
❐
From the (config)prompt:
SGOS#(config) event-log
SGOS#(config event-log) view configuration
Settings:
Event level: severe + configuration + policy + informational
Event log size: 10 megabytes
If log reaches maximum size, overwrite earlier events
Syslog loghost: <none>
18
Chapter 2: Monitoring the SG Appliance
Syslog notification: disabled
Syslog facility: daemon
Event recipients:
SMTP gateway:
mail.heartbeat.bluecoat.com
Viewing the Event Log Contents
Again, you can view the event log contents from the showcommand or from the event-log
configuration mode.
The syntax for viewing the event log contents is
SGOS# show event-log
-or-
SGOS# (config event-log) view
[start [YYYY-mm-dd] [HH:MM:SS]] [end [YYYY-mm-dd] [HH:MM:SS]] [regex
regex | substring string]
Pressing <Enter> shows the entire event log without filters.
The order of the filters is unimportant. If startis omitted, the start of the recorded event
log is used. If endis omitted, the end of the recorded event log is used.
If the date is omitted in either startor end, it must be omitted in the other one (that is, if
you supply just times, you must supply just times for both startand end, and all times
refer to today). The time is interpreted in the current timezone of the appliance.
Understanding the Time Filter
The entire event log can be displayed, or either a starting date/time or ending date/time
can be specified. A date/time value is specified using the notation ([YYYY-MM-DD]
[HH:MM:SS]). Parts of this string can be omitted as follows:
❐
❐
❐
If the date is omitted, today's date is used.
If the time is omitted for the starting time, it is 00:00:00
If the time is omitted for the ending time, it is 23:59:59
At least one of the date or the time must be provided. The date/time range is inclusive of
events that occur at the start time as well as dates that occur at the end time.
Note: If the notation includes a space, such as between the start date and the start time,
the argument in the CLI should be quoted.
Understanding the Regex and Substring Filters
A regular expression can be supplied, and only event log records that match the regular
expression are considered for display. The regular expression is applied to the text of the
event log record not including the date and time. It is case-sensitive and not anchored.
You should quote the regular expression.
Since regular expressions can be difficult to write properly, you can use a substring filter
instead to search the text of the event log record, not including the date and time. The
search is case sensitive.
Regular expressions use the standard regular expression syntax as defined by policy. If
both regex and substring are omitted, then all records are assumed to match.
19
Volume 9: Managing the Blue Coat SG Appliance
Example
SGOS# show event-log start "2004-10-22 9:00:00" end "2004-10-22
9:15:00"
2004-10-22 09:00:02+00:00UTC "Snapshot sysinfo_stats has fetched /
sysinfo-stats " 0 2D0006:96 ../Snapshot_worker.cpp:183
2004-10-22 09:05:49+00:00UTC "NTP: Periodic query of server
ntp.bluecoat.com, system clock is 0 seconds 682 ms fast compared to NTP
time. Updated system clock. " 0 90000:1 ../ntp.cpp:631
Configuring SNMP
You can view an SG appliance using a Simple Network Management Protocol (SNMP)
management station. The appliance supports MIB-2 (RFC 1213), Proxy MIB, and the
RFC2594 MIB, and can be downloaded at the following URL: https://
download.bluecoat.com/release/SGOS5/index.html (The SNMP link is in the lower
right-hand corner.).
Enabling SNMP
To view an SG appliance from an SNMP management station, you must enable and
configure SNMP support on the appliance.
To enable and configure SNMP:
1. Select Maintenance > SNMP > SNMP General.
2. Select Enable SNMP.
3. (Optional) To reset the SNMP configuration to the defaults, click Reset SNMP settings.
This erases any trap settings that were set as well as any community strings that had
been created. You do not need to reboot the system after making configuration
changes to SNMP.
4. In the sysLocation field, enter a string that describes the appliance’s physical location.
5. In the sysContact field, enter a string that identifies the person responsible for
administering the appliance.
Related CLI Commands to Enable and Configure SNMP
SGOS#(config snmp) {disable | enable}
SGOS #(config snmp) sys-contact string
SGOS#(config snmp) sys-location string
20
Chapter 2: Monitoring the SG Appliance
Configuring SNMP Community Strings
Use community strings to restrict access to SNMP data. To read SNMP data on the SG
appliance, specify a read community string. To write SNMP data to the appliance, specify a
write community string. To receive traps, specify a trap community string. By default, all
community string passwords are set to public.
Note: If you enable SNMP, make sure to change all three community-string passwords to
values that are difficult to guess. Use a combination of uppercase, lowercase, and numeric
characters. An easily-guessed community-string password makes it easier to gain
unauthorized access to the SG appliance and network.
To set or change community strings:
1. Select Maintenance > SNMP > Community Strings.
2. Click the community string button you want to change.
The Change Read/Write/Trap Community dialog displays.
3. Enter and confirm the community string; click OK.
4. Click Apply.
To set or change community strings:
You can set the community strings in either cleartext or encrypted form.
To set them in cleartext:
SGOS#(config) snmp
SGOS#(config snmp) enable
SGOS#(config snmp) read-community password
SGOS#(config snmp) write-community password
21
Volume 9: Managing the Blue Coat SG Appliance
SGOS#(config snmp) trap-community password
To set them as encrypted:
SGOS#(config) snmp
SGOS#(config snmp) enable
SGOS#(config snmp) encrypted-read-community encrypted-password
SGOS#(config snmp) encrypted-write-community encrypted-password
SGOS#(config snmp) encrypted-trap-community encrypted-password
Configuring SNMP Traps
The SG appliance can send SNMP traps to a management station as they occur. By default,
all system-level traps are sent to the address specified. You can also enable authorization
traps to send notification of attempts to access the Management Console. Also, if the
system crashes for whatever reason, a cold start SNMP trap is issued on power up. No
configuration is required.
Note: The SNMP trap for CPU utilization is sent only if the CPU continues to stay up for
32 or more seconds.
To enable SNMP traps:
Note: You cannot configure SNMP traps to go out through a particular interface. The
interface that is configured first is used until it fails and is used to identify the device.
1. Select Maintenance > SNMP > Traps.
2. In the Send traps to fields, enter the IP address(es) of the workstation(s) where traps
are to be sent.
3. To receive authorization traps, select Enable authorization traps.
4. Select Apply to commit the changes to the SG appliance.
Related CLI Commands for Enabling SNMP Traps
SGOS#(config snmp) trap-address {1 | 2 | 3} ip_address
Indicates which IP address(es) can receive traps and in which priority.
SGOS#(config snmp) authorize-traps
22
Chapter 2: Monitoring the SG Appliance
Configuring Health Monitoring
The health monitoring feature tracks key hardware and software metrics so that you can
can quickly discover and diagnose potential problems. Director (and other third-party
network management tools) also use these metrics to remotely display the current state of
the SG appliance. By monitoring these key hardware and software metrics, Director can
display a variety of health-related statistics—and trigger notification if action is required.
Figure 2-1. Health Monitoring Configuration and Notification Process
As shown in the preceding figure, health monitoring metrics can be remotely configured
and queried from Director. The metrics are also configurable on the SG appliance itself.
To facilitate prompt corrective action, notification can be configured for threshold
“events.” For example, an administrator can configure a threshold so that an e-mail or
SNMP trap is generated when the threshold state changes. Additionally, many of the
threshold levels are configurable so that you can adjust the thresholds to meet your
specific requirements.
Health Monitoring Requirements
Before using the health monitoring feature you must ensure that the e-mail addresses of
all persons that should be notified of health monitoring alerts are listed in the Event log
information.
23
Volume 9: Managing the Blue Coat SG Appliance
About the Health Monitoring Metric Types
The SG appliance monitors the following types of health metrics:
❐
❐
❐
❐
❐
Hardware
Environmental
ADN
System resource
Licensing metrics
The system resource and licensing thresholds are user-configurable, meaning that you can
specify the threshold level that will trigger an alert.
The hardware, environmental, and ADN metrics are not configurable and are preset to
optimal values. For example, on some platforms, a Warning is triggered when the CPU
temperature reaches 55 degrees Celsius.
These health monitoring metrics are logically grouped as General, Licensing, or Status
metrics.
About Health Monitoring
Health Monitoring allows you to set notification thresholds on various internal metrics
that track the health of a monitored system or device. Each metric has a value and a state.
The value is obtained by periodically measuring the monitored system or device. In some
cases, the value is a percentage or a temperature measurement; in other cases, it is a status
like "Disk Present" or "Awaiting Approval".
The state indicates the severity of the metric as a health issue:
❐
❐
OK—The monitored system or device is behaving normally.
WARNING—The monitored system or device is outside typical operating parameters
and may require attention.
❐
CRITICAL—The monitored system or device is either failing, or is far outside normal
parameters, and requires immediate attention.
The current state of a metric is determined by the relationship between the value and its
monitoring thresholds. The Warning and Critical states have thresholds, and each
threshold has a corresponding interval.
All metrics begin in the OK state. If the value crosses the Warning threshold and remains
there for the threshold's specified interval, the metric transitions to the Warning state.
Similarly, if the Critical threshold is exceeded for the specified interval, the metric
transitions to the Critical state. Later (for example, if the problem is resolved), the value
may drop back down below the Warning threshold. If the value stays below the Warning
threshold longer than the specified interval, the state returns to OK.
Every time the state changes, a notification occurs. If the value fluctuates above and below
a threshold, no state change occurs until the value stays above or below the threshold for
the specified interval.
This behavior helps to ensure that unwarranted notifications are avoided when values
vary widely without having any definite trend. You can experiment with the thresholds
and intervals until you are comfortable with the sensitivity of the notification settings.
24
Chapter 2: Monitoring the SG Appliance
Health Monitoring Example
The following picture shows an example. The lower horizontal line represents the
Warning threshold; the upper horizontal line is the Critical threshold. Note how they
divide the graph into bands associated with each of the three possible states. Assume both
thresholds have intervals of 20 seconds, and that the metric is currently in the OK state.
1. At time 0, the monitored value crosses the Warning threshold. No transition occurs
yet. Later, at time 10, it crosses the critical threshold. Still, no state change occurs,
because the threshold interval has not elapsed.
2. At time 20, the value has been above the warning threshold for 20 seconds--the
specified interval. The state of the metric now changes to Warning, and a notification
is sent. Note that even though the metric is currently in the critical range, the State is
still Warning, because the value has not exceeded the Critical threshold long enough
to trigger a transition to Critical.
3. At time 25, the value drops below the Critical threshold, having been above it for only
15 seconds. The state remains at Warning.
4. At time 30, it drops below the Warning threshold. Again the state does not change. If
the value remains below the warning threshold until time 50, then the state will
change back to OK.
20 seconds above the Warning threshold a Warning notification is sent
0
5
10
15
20
25
30
35
40
45
50
55
60
Time
Figure 2-2. Relationship between the threshold value and threshold interval
About License Expiration Metrics
The threshold values for license expiration metrics are set in days until expiration. In this
context, a "critical" threshold indicates that license expiration is imminent. This is the only
configurable metric in which the Critical threshold value should be smaller than the
Warning threshold value. For example, if you set the Warning threshold to 45, an alert is
sent when there are 45 days remaining in the license period. The Critical threshold would
be less than 45 days, for example 5 days.
25
Volume 9: Managing the Blue Coat SG Appliance
For the license expiration metrics, the threshold interval is irrelevant and is set by default
to 0. You should set the Warning Threshold to a value that will give you ample time to
renew your license. By default, all license expiration metrics have a Warning Threshold of
30 days. By default, the Critical Threshold is configured to 0, which means that a trap is
immediately sent upon license expiration.
About Health Monitoring Notification
By default, the Director polls the SG appliances to determine their current state. If the state
has changed, Director updates the device status. Other types of notification are also
available. Any or all of the following types of notification can be set:
❐
❐
❐
SNMP trap: Sends an SNMP trap to all configured management stations.
E-mail: Sends e-mail to all persons listed in the Event log properties.
Log: Inserts an entry into the Event log. See “Setting Up Event Logging and
About the General Metrics
The following table lists the metrics displayed in the Maintenance > Health Monitoring >
All threshold intervals are in seconds.
Table 2-2. General Health Monitoring Metrics
Metric
Units
Default
Notes
Thresholds/Intervals
CPU Utilization
Percentage
Critical: 95%/120 seconds
Measures the value of CPU 0
on multi-processor systems--
not the average of all CPU
activity.
Warning: 80%/120
seconds
Memory Pressure
Percentage
Percentage
Critical: 95%/120 seconds
Memory pressure occurs
when memory resources
become limited, causing new
connections to be delayed.
Warning: 90%/120
seconds
Interface Utilization
Critical: 90%/120 seconds
Measures the traffic (in and
out) on the interface to
determine if it is
approaching the bandwidth
maximum.
Warning: 60%/120
seconds
About the Licensing Metrics
The following table lists the metrics displayed in the Maintenance > Health Monitoring >
Licensing page. You can monitor User License utilization metrics and the following license
expiration metrics:
❐
❐
❐
SGOS Base License: Licenses not listed here are part of the SGOS base license.
SSL Proxy
SG Client
26
Chapter 2: Monitoring the SG Appliance
See “About License Expiration Metrics” on page 25 for information licensing thresholds.
Metric
Units
Default
Notes
Thresholds/Intervals
License Utilization
Percentage
Critical: 100%/0
Warning: 90%/0
For licenses that have user
limits, monitors the number
of users.
License Expiration
Days
Critical: 0 days/0
Warns of impending license
expiration.
Warning: 30 days/0
For license expiration
metrics, intervals are
ignored. See “About the
page 26 for more
information.
About the Status Metrics
The following table lists the metrics displayed in the Maintenance > Health Monitoring >
Status page. The thresholds for these metrics are not user-configurable.
Table 2-3. Status Health Monitoring Metrics
Metric
Threshold States and Corresponding
Values
Disk status
Critical:
Bad
Warning:
Removed
Offline
OK:
Not Present
Present
Temperature
Critical:
Bus temperature
CPU temperature
High-critical
Warning:
High-warning
Fan
Critical:
(The fan metric differs by hardware model, for
example, CPU fan, chassis fan)
Low-critical
Warning:
Low-warning
27
Volume 9: Managing the Blue Coat SG Appliance
Table 2-3. Status Health Monitoring Metrics (Continued)
Voltage
Bus Voltage
Critical:
Critical
CPU voltage
Power Supply voltage
High-critical
Low-critical
Warning:
High-warning
Low-warning
ADN Connection Status
OK:
Connected
Connecting
Connection Approved
Disabled
Not Operational
Warning:
Approval Pending
Mismatching Approval Status
Partially Connected
Critical:
Not Connected
Connection Rejected
See Volume 5: Advanced Networking for
more information about the ADN
metrics.
ADN Manager Status
OK:
No Approvals Pending
Not Applicable
Warning:
Approvals Pending
Changing Threshold and Notification Properties
The health monitoring threshold and notification properties are set by default. Use the
following procedure to modify the current settings.
To change the threshold and notification properties:
1. Select Maintenance > Health Monitoring.
2. Do one of the following:
•
•
To change the system resource metrics, select General.
To change the hardware/environmental/ADN metrics, select Status.
Note: You cannot change the threshold values for metrics in the Status tab.
•
To change the licensing metrics, select Licensing.
3. Select the metric you want to modify.
28
Chapter 2: Monitoring the SG Appliance
4. Click Edit to modify the threshold and notification settings. The Edit Health Monitor
Setting dialog displays. (hardware, environmental, and ADN thresholds cannot be
modified.)
5a
5b
5c
5d
6
5. Modify the threshold values:
a. To change the critical threshold, enter a new value in the Critical Threshold
field.
b. To change the critical interval, enter a new value in the Critical Interval field.
c. To change the warning threshold, enter a new value in the Warning Threshold
field.
d. To change the warning interval, enter a new value in the Warning Interval
field.
6. Modify the notification settings.
•
•
•
Log adds an entry to the Event log.
Trap sends an SNMP trap to all configured management stations.
Email sends an e-mail to the addresses listed in the Event log properties. See
7. Click OK to close the Edit Metric dialog.
8. Click Apply.
Related CLI Syntax to Modify Threshold and Notification Properties
#(config) alert threshold metric_name warning_threshold
warning_interval critical_threshold critical_interval
#(config) alert notification metric_name notification_method
where metric_namerefers to cpu-utilization, license-utilization, license-
expiration, memory-pressure, or network-utilization.
Getting A Quick View of the SG Appliance Health
The Management Console uses the health monitoring metrics to display a visual
representation of the overall health state of the SG appliance. The health icon is located in
the upper right corner of the Management Console and is always visible.
29
Volume 9: Managing the Blue Coat SG Appliance
System health is determined by calculating the “aggregate” health status of the following
metrics:
❐
❐
❐
❐
❐
❐
❐
CPU Utilization
Memory Pressure
Network interface utilization
Disk status (for all disks)
License expiration
License “user count” utilization (when applicable)
ADN status
The possible health states are OK, Warning, or Critical.
Clicking the health icon displays the Statistics > Health page, which lists the current
condition of the system’s health monitoring metrics, as described in the next section.
Viewing Health Monitoring Statistics
While the health icon presents a quick view of the appliance health, the Statistics > Health
Monitoring page enables you to get more details about the current state of the health
monitoring metrics.
To review the health monitoring statistics:
1. From the Management Console, select Statistics > Health Monitoring.
2
3
2. Select a health monitoring statistics tab:
•
General: Lists the current state of CPU utilization, interface utilization, memory
pressure, and disk status metrics.
•
•
Licensing: Lists the current state of license utilization and expiration metrics.
Status: Lists the current state of all metrics.
3. To get more details about a metric, highlight the metric and click View. The View
Metrics Detail dialog displays.
30
Chapter 2: Monitoring the SG Appliance
4
4. Click Close to close the View Metrics Detail dialog.
5. Optional—If you want to modify a metric, highlight the metric and click Set
Thresholds. The Maintenance > Health Monitoring page displays. To modify the metric,
follow the procedure describe in “Changing Threshold and Notification Properties”
Related CLI Syntax to View Health Monitoring Statistics
SGOS#(config) show system-resource-metrics
The show system-resource-metrics command lists the state of the current system resource
metrics.
Notification varies by platform. If you try to set notification for a metric that does not
support notification, you will see the following error message:
Sensor not supported on this platform
Depending on the platform, the metrics displayed by the show system-resource-
metricscommand might differ from the metric names listed in the alertcommand
output. For example, the bus-temperaturemetric can be shown as motherboard
temperaturein the show system-resources-metricsoutput. If you are setting
notification from the Management Console, you can verify the category by clicking the
Preview button to view the CLI output.
Troubleshooting
If you continue to receive alerts, contact Blue Coat Technical Support. For licensing
|