
source interface and source network (in this example, the network G3_net and interface G3) to flow to the destination network all-nets and the destination interface which is the PPPoE tunnel that has been defined.

D. PPTP setup

For a PPTP connection, first create the PPTP tunnel interface. It is assumed below that we will create a PPTP tunnel object called wan_pptp with the remote endpoint 10.5.4.1:

Device:/> add Interface L2TPClient wan_pptp
            Network=all-nets
            username=pptp_username
            Password=pptp_password
            RemoteEndpoint=10.5.4.1
            TunnelProtocol=PPTP

Your ISP will supply the correct values for pptp_username, pptp_password and the remote endpoint. An interface is not specified when defining the tunnel because this is determined by cOS Core looking up the Remote Endpoint IP address in its routing tables.

The PPTP client tunnel interface can now be treated exactly like a physical interface by the
policies defined in cOS Core rule sets.

There also has to be an associated route with the PPTP tunnel to allow traffic to flow through it, and this is automatically created in the main routing table when the tunnel is defined. The destination network for this route is the Remote Network specified for the tunnel and for the public Internet this should be all-nets.

As with all automatically added routes, if the PPTP tunnel object is deleted then this route is also
automatically deleted.

At this point, no traffic can flow through the tunnel since there is no IP rule defined that allows it. As was done in option A above, we must define an IP rule that will allow traffic from a designated source interface and source network (in this example, the network G3_net and interface G3) to flow to the destination network all-nets and the destination interface which is the PPTP tunnel that has been defined.

Activating and Committing Changes

After any changes are made to a cOS Core configuration, they will be saved as a new
configuration but will not yet be activated. To activate all the configuration changes made since
the last activation of a new configuration, the following command must be issued:

Device:/> activate

Although the new configuration is now activated, it does not become permanently activated until the following command is issued within 30 seconds following the activate:

Device:/> commit

The reason for two commands is to prevent a configuration accidentally locking out the
administrator. If a lock-out occurs then the second command will not be received and cOS Core
will revert back to the original configuration after the 30 second time period (this time period is a
setting that can be changed).
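The PPTP steps above end with an IP rule that this page describes but does not show. As an added example (not taken from the guide), the rule for G3_net through the wan_pptp tunnel, followed by activation, could look like this; the rule name lan_to_wan_pptp, the http-all service, the NAT action, the InterfaceAddresses/G3_net folder path and the Device:/main> prompt are assumptions.

```console
# Added example, not from the guide. Assumed values: rule name, service,
# NAT action, address book folder path and the context prompt.

# Enter the main IP rule set.
Device:/> cc IPRuleSet main

# Allow only web traffic from the internal network out through the PPTP
# tunnel. NAT is used on the assumption that G3_net holds private IPv4
# addresses. A narrow Service keeps the rule from opening every protocol.
Device:/main> add IPRule Action=NAT SourceInterface=G3 SourceNetwork=InterfaceAddresses/G3_net DestinationInterface=wan_pptp DestinationNetwork=all-nets Service=http-all Name=lan_to_wan_pptp

# Return to the root context.
Device:/main> cc

# Activate the new configuration, then confirm it within the 30 second
# window. If the commit is not received, cOS Core reverts to the
# previous configuration.
Device:/> activate
Device:/> commit
```

When working over a remote management session, the commit is the check that the new rule set did not cut off the administrator's own access.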

Chapter 3: cOS Core Configuration


Summary of Contents for Eagle E7

Page 1: ...Clavister Eagle E7 Getting Started Guide. Clavister AB, Sjögatan 6J, SE-89160 Örnsköldsvik, SWEDEN. Phone: +46 660 299200. www.clavister.com. Published 2013-05-29. Copyright 2013 Clavister AB...
