manualshive.com logo in svg

Clavister NetWall 6000 Series, Getting Started Manual, Page: 12 / 99

Share
Download
Clavister NetWall 6000 Series Getting Started Manual Download Page 12

1.3. Zero Touch Support

The NetWall 6000 Series product is able to support the

Zero Touch

feature in the Clavister

InControl management software product. This means that it is possible to power up a brand new
NetWall 6000 Series, connect it to the Internet, and the NetWall 6000 Series device will
automatically register itself with an InControl server. The device can then be remotely brought
under centralized InControl management and configured remotely, without any local
configuration needing to be done.

However, this feature will only work if the following prerequisites are true:

The version of InControl being used for device management is 2.00.00 or later.

The FQDN or IP address of the management InControl server has been set in the

MyClavister

account associated with the NetWall 6000 Series device. This is done by logging in to the
relevant

MyClavister

account, selecting

Settings

and then selecting the

Zero Touch

tab. Only

one InControl server address can be associated with one

MyClavister

account.

The zero touch feature has been enabled for the license associated with the NetWall 6000
Series device. This in the

MyClavister

account by selecting

Licenses

and then enabling the

Zero

Touch

button next to the relevant license. If the zero touch button is grayed out then the

feature is not available with that device. There is an option in the previous step to always
enable zero touch by default for all new licenses.

The version of cOS Core running on the NetWall 6000 Series must be 12.00.16 or later. This
might require an upgrade of the factory installed cOS Core version.

The cOS Core configuration is in its "factory default" state. Following an upgrade to a version
that supports zero touch or any configuration change, this will require a manual reset to the
default cOS Core configuration. In the Web Interface this is done by going to:

Status > Maintenance > Reset & Restart

And then selecting the following option:

Reset the configuration to current core default

Note that a full hardware reset to factory defaults will undo any cOS Core version upgrade
and this should therefore not be done. Also note that any configuration change that is saved
after a reset to the default configuration will disable the zero touch feature.

The NetWall 6000 Series can be connected to an ISP or other network that can provide
Internet access and that has a DHCP server enabled which can provide a public DNS server
address to the device. Note that physical connection to the Internet should be performed
only after the device is running a zero touch supporting version of cOS Core with the factory
default configuration.

Access is not blocked by surrounding network equipment for TCP traffic on port 998. This
traffic is required for the NetWall 6000 Series to communicate with the InControl server. DNS
traffic between the NetWall 6000 Series and public DNS servers must also not be blocked.

Internet Connection Must Use a Specific Interface for Zero Touch

When the NetWall 6000 Series is running a version of cOS Core that supports the zero touch
feature, the initial connection to the Internet for InControl management must be made via the

G8

interface for the feature to function.

Chapter 1: NetWall 6000 Series Overview

12

Summary of Contents for NetWall 6000 Series

Page 1: ...Clavister NetWall 6000 Series Getting Started Guide...

Page 2: ...anties of merchantability or fitness for a particular purpose Clavister reserves the right to revise this publication and to make changes from time to time in the content hereof without any obligation...

Page 3: ...lation 25 3 4 Management Computer Connection 26 3 5 RJ45 Console Port Connection 29 3 6 Micro USB Console Port Connection 31 3 7 Connecting Power 33 4 cOS Core Configuration 38 4 1 Web Interface and W...

Page 4: ...35 5 1 A NetWall 6000 Series PSU AC Power 79 5 2 NetWall 6000 Series PSU Alarm Shutoff Button 80 5 3 NetWall 6000 Series PSU Power LED 80 5 4 NetWall 6000 Series PSU Removal 81 6 1 NetWall 6000 Serie...

Page 5: ...ft hand side of the page followed by a short paragraph in italicized text There are the following types of such sections Note This indicates some piece of information that is an addition to the preced...

Page 6: ...xample http www clavister com Trademarks Certain names in this publication are the trademarks of their respective owners cOS Core is the trademark of Clavister AB Windows Windows XP Windows Vista Wind...

Page 7: ...product can run any cOS Core version from 14 00 00 onwards Earlier versions are not supported and a downgrade should not be attempted 1 1 Unpacking Figure 1 1 An Unpacked NetWall 6000 Series Unit This...

Page 8: ...available from Clavister as an addition to certain cOS Core support agreements This service allows a second identical NetWall 6000 Series unit to be purchased at a discount so that it can quickly subs...

Page 9: ...should be given to an appropriate service that deals with the disposal of such specialist materials WARNING REPLACE ANY INTERNAL BATTERIES CORRECTLY THERE IS A RISK OF EXPLOSION IF AN INTERNAL BATTER...

Page 10: ...ts have sequential logical cOS Core interface names from G1 to G8 They all support 10BaseT 100BaseTx and 1000BaseT The G1 interface is the default interface for management access over a network Howeve...

Page 11: ...DHCP client enabled in the default cOS Core configuration This means it can automatically receive a DHCP lease from an ISP if used for connection to the Internet However note that this interface must...

Page 12: ...ter This might require an upgrade of the factory installed cOS Core version The cOS Core configuration is in its factory default state Following an upgrade to a version that supports zero touch or any...

Page 13: ...replacement hardware is connected to the Internet InControl can automatically install the correct license as well as the correct cOS Core version In addition InControl will upload its copy of the cOS...

Page 14: ...the cOS Core management interfaces In addition log message alerts can be automatically generated if a sensor reaches a value outside of its normal operational range Configuring this feature as well a...

Page 15: ...Chapter 1 NetWall 6000 Series Overview 15...

Page 16: ...the wizard will provide a link to the registration page so it can be done while the wizard is running Registration of a NetWall 6000 Series Hardware Unit This is mandatory for every hardware unit befo...

Page 17: ...rst time click the Create Account link 3 The registration page is now presented The required information should be filled in In the example below a user called John Smith is registering 4 When the reg...

Page 18: ...vister website to show that confirmation has been successful and logging in is now possible 7 After logging in the customer name is displayed with menu options for changing settings and logging out No...

Page 19: ...up If the unit does not have Internet access then manual registration is required and this is done using the following steps 8 Now log into the MyClavister website and select the Register License menu...

Page 20: ...download and installation from Clavister servers This installation can be done automatically through the cOS Core Setup Wizard which is described in Section 4 1 Web Interface and Wizard Setup If the N...

Page 21: ...s These are specified in multiple languages Caution Noise levels can be elevated from fans The NetWall 6000 Series can emit elevated levels of fan noise and caution should be taken to protect hearing...

Page 22: ...ecting Power Temperature Do not install the appliance in an environment where the ambient temperature during operation might fall outside the specified operating range This range is documented in Appe...

Page 23: ...in Section 3 3 Rack Installation The NetWall 6000 Series can emit elevated levels of fan noise and caution should be taken to protect hearing when spending time in proximity to the appliance if it is...

Page 24: ...ll 6000 Series into a rack In the product packaging the following should be included A front bracket kit A side rail kit Installing these kits is described in the following two subsections The orderin...

Page 25: ...a suitable screwdriver and the screws provided attach a rail to both sides of the NetWall 6000 Series unit There are pre drilled holes in the unit for this Figure 3 2 NetWall 6000 Series Side rail At...

Page 26: ...for cOS Core management When this interface is accessed for the first time a setup wizard runs automatically to guide a new user through key setup steps The wizard can be closed if the administrator...

Page 27: ...crossover cable is not necessary Connection to an ISP for Internet Access For access to the public Internet another 6000 Series Ethernet interface should be selected for connection to an ISP In this g...

Page 28: ...address assigned to the management computer s Ethernet interface could be any address from the 192 168 1 0 24 network However the IP chosen must be different from 192 168 1 1 which is used by cOS Cor...

Page 29: ...000 Series RJ45 Local Console Port Connection Note that the NetWall 6000 Series has both an RJ45 console port and a micro USB port described in Section 3 6 Micro USB Console Port Connection Both can b...

Page 30: ...fied by the predefined admin user and are the same as the credentials for initial network access via the management Ethernet interface Username admin Password admin It is recommended to change the pas...

Page 31: ...e NetWall 6000 Series Micro USB Local Console Port Connection Steps To connect a computer to the local console port perform the following steps 1 Connect a micro USB connector directly to the local co...

Page 32: ...setup as well as for ongoing system administration Remote Console Connection Using SSH An alternative to using the local console port for CLI access is to connect over a network via a physical Etherne...

Page 33: ...PSU installed and a second can be added if required When two PSUs are installed the 6000 Series runs using power from only one of the PSUs and the other delivers power only in the case of a failure b...

Page 34: ...luminate to show that the PSU has power and is functioning correctly 6 The NetWall 6000 Series will boot up as soon as power is applied and cOS Core will start The progress of the boot up can be seen...

Page 35: ...e end of the ground wire and fasten it to the chassis with the power supply retaining screw Important The power feed ground and chassis ground must be connected to the same earth point at an installat...

Page 36: ...rt the 6000 Series and reinitialize cOS Core so that it boots up again This process can also be initiated through cOS Core For example using the CLI shutdown command Important Protecting against power...

Page 37: ...Chapter 3 Installation 37...

Page 38: ...upgrading are described in the separate cOS Core Administration Guide 4 1 Web Interface and Wizard Setup This section describes the setup when accessing cOS Core for the first time through a web brows...

Page 39: ...a proxy server configured for the cOS Core management IP address The cOS Core Self signed Certificate When responding to the first https request in a browser session cOS Core will send a self signed c...

Page 40: ...uld begin automatically as a popup window If the wizard is blocked by the browser it can be started manually by pressing the Setup Wizard button in the Web Interface toolbar shown below Once the wizar...

Page 41: ...for the admin user The admin username can also be changed if required as shown in the screenshot below The Enforce Strong Passwords option is present in cOS Core versions from 11 05 onwards This is a...

Page 42: ...ransparent mode interfaces can be configured at any time later outside of the wizard Note This step is only available with version 11 04 or later The step to optionally set up transparent mode interfa...

Page 43: ...tion to the Internet will function It can be one of Manual configuration DHCP PPPoE or PPTP as shown below These four different connection options are discussed next in the subsections 5A to 5D that f...

Page 44: ...ISP for PPPoE connection should be entered The Service field should be left blank unless the ISP supplies a value for it DNS servers are set automatically after connection with PPPoE 5D PPTP settings...

Page 45: ...particular interface or configured later The range of IPv4 addresses that can be handed out must be specified in the form n n n n n n n n where n is a number between 0 and 255 and n n n n is a valid...

Page 46: ...re By selecting the Clavister option the current time will be updated over the Internet from Clavister s own timeserver When specifying a hostname as a server instead of an IP address the hostname sho...

Page 47: ...ck to this step Alternatively this step can be skipped and license installation can be done later in which case cOS Core will run in demo mode with a 2 hour time limit After the 2 hour period only man...

Page 48: ...forehand All Ethernet interfaces are logically equal for cOS Core and although their physical capabilities may be different any interface can perform any logical function The NetWall 6000 Series uses...

Page 49: ...et correctly To do this select System Device Date and Time The current system time is displayed and this can be changed by selecting the date and time fields then manually entering the desired figures...

Page 50: ...current and active configuration Doing this is discussed next Activating Configuration Changes To activate any cOS Core configuration changes made so far select the Save and Activate option from the...

Page 51: ...ge will result in the pending changes being lost Automatic Logout If there is no activity through the Web Interface for a period of time the default is 15 minutes cOS Core will automatically log the u...

Page 52: ...dress book will be listed and will contain a number of predefined objects automatically created by cOS Core after it scans the interfaces for the first time The screenshot below shows the initial addr...

Page 53: ...teway to the public Internet Click the OK button to save the values entered Then set up G2_ip to be 203 0 113 35 This is the IPv4 address of the G2 interface which will connect to the ISP s gateway La...

Page 54: ...route for the gateway in the cOS Core routing table At this point the connection to the Internet is configured but no traffic can flow to or from the Internet since all traffic needs a minimum of the...

Page 55: ...Note that the default source translation value for an IP policy is Auto and this would also provide NAT translation between a private and public IP address but NAT is specified explicitly in this sect...

Page 56: ...one earlier when setting up the required IP4 Address objects Note Disabling automatic route generation Automatic route generation is enabled and disabled with the setting Automatically add a default r...

Page 57: ...formation For cOS Core to know on which interface to find the public Internet a route has to be added to the main cOS Core routing table which specifies that the network all nets can be found on the i...

Page 58: ...source interface to flow to the destination network all nets and the destination interface Here the destination interface is the PPPoE tunnel that has been defined D PPTP setup For PPTP connections a...

Page 59: ...which is the PPTP tunnel DHCP Server Setup If a NetWall 6000 Series interface is to have a DHCP server enabled on it first create an IP4 Address object which defines the address range to be handed out...

Page 60: ...log will appear Specify a name for example my_syslog and specify the address as the syslog_ip object Tip Address book object naming The cOS Core address book is organized alphabetically so when choosi...

Page 61: ...uch traffic as well as generate a log message when it is triggered In order to gain more control over dropped traffic and its logging it is recommended to create an explicit drop all IP policy as the...

Page 62: ...icense should be installed to remove the cOS Core 2 hour demo mode limitation Without a license installed cOS Core will have full functionality during the 2 hour period following startup but after tha...

Page 63: ...nce connection is made to the CLI pressing the Enter key will cause cOS Core to respond The response will be a normal CLI prompt if connecting directly through the local console port and a username pa...

Page 64: ...nes which interfaces are available and allocates their names One interface is chosen as the initial default management interface and this can only be changed after initial startup All cOS Core interfa...

Page 65: ...cated in a folder is specified in the CLI the object name must be qualified with the name of its parent folder For example to reference the address G2_ip it must be qualified with the folder name Inte...

Page 66: ...n can be specified explicitly For this the previous IP policy definition with explicit NAT translation becomes the following Device main add IPPolicy Name lan_to_wan SourceInterface G1 SourceNetwork I...

Page 67: ...generation is a setting for each interface that can be manually enabled and disabled After all IP addresses are set via DHCP and an all nets route is added the connection to the Internet is configure...

Page 68: ...ated in the main routing table when the tunnel is defined The destination network for this route is the remote network specified for the tunnel and for the public Internet this should be all nets As w...

Page 69: ...In this case we will call the created DHCP server object my_dhcp_server Device add DHCPServer my_dhcp_server IPAddressPool dhcp_range Interface G1 Netmask 255 255 255 0 DefaultGateway InterfaceAddress...

Page 70: ...P Responding hosts will send back ICMP responses to this single IP and cOS Core will then forward the traffic to the correct private IP address Adding a Drop All Policy is Recommended Scanning of IP r...

Page 71: ...ut is reduced to a maximum limit of 1 Mbps Installation Methods The following methods can be used for installing the first cOS Core license in the 6000 Series unit Automatically through the Setup Wiza...

Page 72: ...e parameters When installing a license through the Web Interface or when using the startup wizard the options to restart or reconfigure are presented to the administrator With the CLI and SCP these op...

Page 73: ...product which is used for managing cOS Core configurations This method can also be used to install the first license Licenses and license installation are described further in the separate cOS Core Ad...

Page 74: ...ss of the management computer is not configured correctly 4 Is the management interface properly connected Check the link indicator lights on the management interface If they are dark then there may b...

Page 75: ...the command Device arpsnoop none 7 Check the management access rules for a network connection If connecting to the default management interface using the Web Interface or an SSH client check that the...

Page 76: ...ined with protocol type By default no IP rules are defined so all traffic is dropped At least one IP rule needs to be defined before traffic can traverse the Clavister Next Generation Firewall An alte...

Page 77: ...to them and at what severity The cOS Core Log Reference Guide provides a complete listing of the log messages that cOS Core is capable of generating The CLI Reference Guide The CLI Reference Guide pro...

Page 78: ...Chapter 4 cOS Core Configuration 78...

Page 79: ...SU is fitted into the second PSU slot after taking out the dummy slot filler Each PSU module is secured by a lock which is internal to the PSU and this is opened with a black sliding locking lever The...

Page 80: ...nt PSU status and therefore failure can be detected by using the cOS Core Hardware Monitoring feature and this is fully described in the separate cOS Core Administration Guide This feature can confirm...

Page 81: ...ore hardware monitoring should also indicate the presence and positive status of the new PSU 6 Move the PSU s hinged metal retaining bracket back so that it covers the cable connector to prevent it be...

Page 82: ...capabilities and can be one of the following 8 x RJ45 Gigabit Ethernet interfaces 8 x RJ45 Gigabit Ethernet interfaces with PoE PoE installation is discussed further in Chapter 7 Power over Ethernet S...

Page 83: ...Series 8 x SFP Gigabit Interface Module Figure 6 3 NetWall 6000 Series 4 x SFP 10 Gigabit Expansion Module Figure 6 4 NetWall 6000 Series 4 x SFP 10 Gigabit Expansion Module with QAT Chapter 6 Interfa...

Page 84: ...screwdriver before undoing completely by hand The screws are on springs and will spring out when they are no longer held by the thread in the chassis 3 Attach an earthed anti static wrist strap to the...

Page 85: ...ill have the name E1 2 For the NetWall 6000 Series the slot numbers go from left to right when looking at the front of the device In other words slot number 1 is the left hand slot cOS Core will also...

Page 86: ...ly pressing it inwards as illustrated below Figure 6 7 Insertion of an Ethernet Module Caution Insert SFP SFP modules in the correct sockets An SFP module must not be inserted in an SFP socket Similar...

Page 87: ...eters An uninstalled PoE capable 6000 Series expansion module is shown below Figure 7 1 NetWall 6000 Series 8 x RJ45 Gigabit with PoE PoE Expansion Module The above image shows a small LED at the cent...

Page 88: ...that power is applied to the NetWall 6000 Series appliance and the module s interfaces appear in cOS Core s interface list All interface ports on the expansion module will have the PoE feature enable...

Page 89: ...2 3at Type 2 The total loading across all Ethernet ports should never exceed 120 Watts and a maximum load distribution across the ports should ideally follow one of the patterns shown in the table bel...

Page 90: ...The current cOS Core configuration will be lost but can be restored if a backup is available With the NetWall 6000 Series a reset can be done in one of the following ways Using the Web Interface A fac...

Page 91: ...t the local console connection The complete procedure is performed with the following steps 1 Make sure a separate management computer running as a console is attached to the local console port of the...

Page 92: ...nking stops the reset is being performed 4 If a console was connected in step 1 the console output will indicate that the hardware has successfully been reset to its factory defaults 5 After completio...

Page 93: ...product or any other misuse Any replacement Hardware will be warranted for the remainder of the original warranty period or thirty days whichever is longer Note that the term Start Date means the earl...

Page 94: ...ndling charge in addition to mailing and or shipping costs Note that the procedures for swapping any NetWall hardware model with an identical or different model type are described in the separate NetW...

Page 95: ...user serviceable parts inside these products Only service trained personnel can perform any adjustment maintenance or repair S kerhetsf reskrifter Dessa produkter r s kerhetsklassade enligt klass I o...

Page 96: ...lle zu den Ger teingabeterminals den Netzkabeln oder dem mit Strom belieferten Netzkabelsatz voraus Sobald Grund zur Annahme besteht dass der Schutz beeintr chtigt worden ist das Netzkabel aus der Wan...

Page 97: ...na de puesta a tierra Es preciso que exista una puesta a tierra continua desde la toma de alimentac on el ctrica hasta las bornas de los cables de entrada del aparato el cable de alimentaci n hasta ha...

Page 98: ...W for each PSU AC 100 W PoE to external devices 802 3at and 802 3af from expansion module Ethernet Interface Support Gigabit RJ45 interfaces Automatic MDI X 1000BASE T copper RJ45 100m 100BASE TX cop...

Page 99: ...Clavister AB Sj gatan 6J SE 89160 rnsk ldsvik SWEDEN Head office Sales 46 0 660 299200 Customer support 46 0 660 297755 www clavister com...

Reviews:

No comments