Black Box ET0010A User Manual
Troubleshooting Policies
EncrypTight User Guide
247
Do one of the following:
●
In the Appliance Manager view, select the ETEP and choose Tools > Clear Policies.
●
In ETPM, create a bypass policy and deploy it to the PEPs.
●
For distributed key policies: In ETEMS, change the Encryption Policy setting on the Features tab
from Layer 2 to Layer 3 (or vice versa), and push the configuration to the ETEP. Encrypt and drop
policies are removed from the ETEP, and traffic passes in the clear until you create and deploy new
policies.
from Layer 2 to Layer 3 (or vice versa), and push the configuration to the ETEP. Encrypt and drop
policies are removed from the ETEP, and traffic passes in the clear until you create and deploy new
policies.
●
For Layer 2 point-to-point policies: In ETEMS, change the Traffic Handling setting on the Policy tab
to EthClear, and push the configuration to the ETEP.
to EthClear, and push the configuration to the ETEP.
Related Topics:
●
Allowing Local Site Exceptions to Distributed Key Policies
Local site policies allow you to create locally configured policies using CLI commands, without requiring
an ETKMS for key distribution. Using the local-site CLI commands you can create manual key
encryption policies, bypass policies, and discard policies at either Layer 2 or Layer 3.
an ETKMS for key distribution. Using the local-site CLI commands you can create manual key
encryption policies, bypass policies, and discard policies at either Layer 2 or Layer 3.
The primary use for local site policies is to facilitate in-line management in Layer 2 encrypted networks.
These policies supplement existing encryption policies, adding the flexibility to encrypt or pass in the
clear specific Layer 3 routing protocols, or Layer 2 Ethertypes and VLAN IDs.
These policies supplement existing encryption policies, adding the flexibility to encrypt or pass in the
clear specific Layer 3 routing protocols, or Layer 2 Ethertypes and VLAN IDs.
The local-site policy feature gives you the ability to define a set of policies for the in-line management
protocols that need to be passed through the ETEP, such as EIGRP, OSPF, RIPv2, or BGP. These policies
are high priority policies that are not affected when EncrypTight distributed key policies are deployed on
the ETEP.
protocols that need to be passed through the ETEP, such as EIGRP, OSPF, RIPv2, or BGP. These policies
are high priority policies that are not affected when EncrypTight distributed key policies are deployed on
the ETEP.
This feature is similar to the ETEP configuration option that allows TLS traffic to pass through the
ETEPs in the clear, but it provides the additional flexibility of allowing you to specify several protocols
and ports, and to restrict the policy to specific IP addresses. The policy action can be defined as Clear,
Drop or Protect. Protect policies allow the in-line management traffic to be encrypted with user-defined
manual keys.
ETEPs in the clear, but it provides the additional flexibility of allowing you to specify several protocols
and ports, and to restrict the policy to specific IP addresses. The policy action can be defined as Clear,
Drop or Protect. Protect policies allow the in-line management traffic to be encrypted with user-defined
manual keys.
You can use the local-site CLI commands to create a variety of policies:
●
Pass Layer 3 routing protocols in the clear when encrypting traffic at Layer 2
●
Encrypt in-line management traffic that is typically passed in the clear when deploying EncrypTight
policies, such as TLS and ARP packets
policies, such as TLS and ARP packets
●
Create manual key encryption policies for Layer 2 or Layer 3 traffic
●
Create discard policies based on Layer 2 selectors (Ethertype or VLAN ID) or Layer 3 selectors
To learn how to create local site policies to supplement your EncrypTight distributed key policies, see the
ETEP CLI User Guide.
ETEP CLI User Guide.
Expired Policies
Whenever you restore a previous file system on a PEP, it is possible that you could also restore a set of
expired policies, old certificates, and out of date keys inadvertently. This can cause a number of different
policy-related problems and affect communications between the ETKMS and the PEP.
expired policies, old certificates, and out of date keys inadvertently. This can cause a number of different
policy-related problems and affect communications between the ETKMS and the PEP.