Clavister ABSjögatan 6JSE-89160 ÖrnsköldsvikSWEDEN
Phone: +46-660-299200Fax: +46-660-12250
www.clavister.com
Page 1: ...lavister SG4500 Series Getting Started Guide Clavister AB Sj gatan 6J SE 89160 rnsk ldsvik SWEDEN Phone 46 660 299200 Fax 46 660 12250 www clavister com Published 2011 03 24 Copyright 2011 Clavister A...
Page 2: ...Clavister reserves the right to revise this publication and to make changes from time to time in the content hereof without any obligation to notify any person or parties of such revision or changes...
Page 3: ...Configuration 24 3 1 Management Workstation Connection 24 3 2 Web Interface and Wizard Setup 29 3 3 Manual Web Interface Setup 36 3 4 CLI Setup 51 3 5 Downgrading to 8 nn 59 3 6 Troubleshooting Setup...
Page 4: ...ies Keypad and Display 11 2 1 A Typical SFP SFP Module 17 2 2 An Example of an SFP 1000 Base TX Module 17 2 3 Installing an SFP SFP Module 17 2 4 The SG4500 Series RS 232 Console Port 19 2 5 Rear View...
Page 5: ...hand side of the page followed by a short paragraph in italicized text There are the following types of such sections Note This indicates some piece of information that is an addition to the preceding...
Page 6: ...le For example http www clavister com Trademarks Certain names in this publication are the trademarks of their respective owners CorePlus is the trademark of Clavister AB Windows Windows XP Windows Vi...
Page 7: ...pliance Open the packaging box used for shipping and carefully unpack the contents The delivered product packaging should contain the following 1 The Clavister SG4500 Series appliance 2 A mounting kit...
Page 8: ...he SG4500 Series appliance is marked with the European Waste Electrical and Electronic Equipment WEEE directive symbol which is shown below The product and any of its parts should not be discarded of...
Page 9: ...ical interface in the CorePlus software configuration Going from left to right the Ethernet interfaces are A set of 4 interfaces consisting of i 2 x Small Form Pluggable Plus SFP Ethernet interfaces w...
Page 10: ...the link speed and has the following states Not lit dark if the link is 10 Mb Green if the link is 100 Mb Yellow if the link is 1 Gb USB Ports Next to the RS 232 port are 2 USB ports These ports are...
Page 11: ...monstration mode then this is indicated along with how much time is left before timeout If CorePlus is in lockdown mode then this is shown CPU and Connections This shows the CPU load and the total num...
Page 12: ...cal Ethernet interface present The information displayed for each interface is i The logical CorePlus interface name ii The current linkspeed iii If the link is full duplex FD or half duplex HD This i...
Page 13: ...Chapter 1 Product Overview 13...
Page 14: ...nstallation requires a different power cord than the one supplied with the appliance be sure to use a cord displaying the mark of the safety agency that defines the regulations for power cords in your...
Page 15: ...evated dust levels can significantly reduce the operating lifetime of fans Note Detailed information concerning power supply range operating temperature range etc can be found at the end of this publi...
Page 16: ...nces at the rear Important Use rear brackets for rack mounting It is strongly recommended that the rear brackets included with the SG4500 Series are fitted and used to support the appliance from the b...
Page 17: ...d they must be purchased separately Figure 2 1 A Typical SFP SFP Module Figure 2 2 An Example of an SFP 1000 Base TX Module Installation of the different types of modules is usually done in a similar...
Page 18: ...P support Important Cover unused SFP and SFP interfaces with dust caps The SG4500 Series SFP and SFP interfaces are covered with dust caps when the product is unpacked These prevent dust entering thei...
Page 19: ...s done through a web browser as described in Section 3 2 Web Interface and Wizard Setup If the RS 232 port is used for setup no password is initially needed and the CLI commands required are described...
Page 20: ...Connection Steps To connect a terminal to the console port follow these steps 1 Check that the console connection settings are configured as described above 2 Connect one of the connectors on the RS 2...
Page 21: ...not fitted then the second PSU slot must be filled with a special PSU Filler Module component The filler module is necessary to prevent the alarm sounding because the hardware will detect only one act...
Page 22: ...itial configuration is discussed in detail in Section 3 1 Management Workstation Connection Important Protecting Against Power Surges It is strongly recommended that the purchase and use of a separate...
Page 23: ...Chapter 2 Installation 23...
Page 24: ...rs in this manual before continuing Clavister s CorePlus network security operating system is preloaded on the hardware and will automatically boot up after power is supplied The Default Management In...
Page 25: ...ace Alternatively CLI access can be through a console connected directly to the local RS 232 port on the SG4500 Series hardware Direct console connection is described in Section 2 3 Console Port Conne...
Page 26: ...are on the same IP network This means the workstation interface should be first assigned the following static IP addresses IP address 192 168 1 30 Subnet mask 255 255 255 0 Default gateway 192 168 1...
Page 27: ...be entered later To browse the Internet from the management workstation via the security gateway then it is possible to go back to the last step s properties dialog later and enter DNS server IP addr...
Page 28: ...Platforms The following appendixes describe management workstation IP setup for other platforms Appendix C Vista IP Setup Appendix D Windows 7 IP Setup Appendix E Apple Mac IP Setup Chapter 3 CorePlus...
Page 29: ...mporarily turned off to allow the setup wizard to run If there is no response from CorePlus and the reason is not clear refer to the help checklist in Section 3 6 Troubleshooting Setup The CorePlus Se...
Page 30: ...ate screen and run again by choosing the Setup Wizard option from the Web Interface toolbar Once any configuration changes have been made and activated either through the wizard Web Interface or CLI t...
Page 31: ...d as shown below It is recommended that this is always done and the new username password is remembered if these are forgotten restoring to factory defaults will restore the original admin admin combi...
Page 32: ...ould be entered in the next wizard screen All fields need to be entered except for the Secondary DNS server field 4B DHCP automatic configuration All required IP addresses will automatically be retrie...
Page 33: ...ically after connection with PPTP Wizard step 5 DHCP server settings If the Clavister Security Gateway is to function as a DHCP server it can be enabled here in the wizard on a particular interface or...
Page 34: ...ce In this setup this corresponds to 192 168 1 1 The DNS server specified should be the DNS supplied by your ISP When specifying a hostname as a server instead of an IP address the hostname should be...
Page 35: ...er Registration Key to register the key also referred to as the License Number For the SG4500 Series this key can be found written on a label on the underside or back of the appliance The license cent...
Page 36: ...capabilities may be different any interface can perform any logical function With the SG4500 Series the ge1 interface is the default management interface The other interfaces can be used as required F...
Page 37: ...dns Once the values are set correctly we can press the OK button to save the values while we move on to more steps in CorePlus configuration Although changed values like this are saved by CorePlus th...
Page 38: ...s It is up to the administrator to decide how many changes to make before activating a new configuration Sometimes activating configuration changes in small batches can be appropriate in order to chec...
Page 39: ...both belong is 10 5 4 0 24 Note Private IP addresses are used for example only Each installation s IP addresses will be different from these IP addresses but they are used here only to illustrate how...
Page 40: ...IP address objects The folder name can be chosen to indicate the folder s contents Now click the Add button at the top left of the list and choose the IP4 Address option to add a new address to the f...
Page 41: ...inimum of the following two CorePlus configuration objects to exist before it can flow through the Clavister Security Gateway An IP rule defined in a CorePlus IP rule set that explicitly allows traffi...
Page 42: ...make the service in an IP rule as restrictive as possible to provide the best security possible Custom service objects can be created and new service objects can be created which are combinations of...
Page 43: ...d earlier after setting up the required IP4 Address objects Note Disabling automatic route generation Automatic route generation is enabled and disabled with the setting Automatically add a default ro...
Page 44: ...oute has to be added to the main CorePlus routing table which specifies that the network all nets can be found on the interface connected to the ISP and this route must also have the correct Default G...
Page 45: ...el since there is no IP rule defined that allows it As was done in option A above we must define an IP rule that will allow traffic from a designated source interface and source network in this exampl...
Page 46: ...lso automatically deleted At this point no traffic can flow through the tunnel since there is no IP rule defined that allows it As was done in option A above we must define an IP rule that will allow...
Page 47: ...m and this is configured in CorePlus Syslog is one of the most common server types First we create an IP4 Address object called for example syslog_ip which is set to the IP address of the server We th...
Page 48: ...ppear and we can add a rule in this case called allow_ping_outbound The IP rule again has the NAT action and this is necessary if the protected local hosts have private IP addresses The ICMP requests...
Page 49: ...gging box All log messages generated by this rule will be given the selected severity and which will appear in the text of the log messages It is up to the administrator to choose the severity and dep...
Page 50: ...ay To do this download a license as described in the last part of Section 3 2 Web Interface and Wizard Setup This license can then be uploaded directly to CorePlus by selecting the License option from...
Page 51: ...l cause CorePlus to respond The response will be a normal CLI prompt if connecting locally through the RS 232 console port and a username password combination will not be required a password for this...
Page 52: ...logically equal for CorePlus and although their physical capabilities may be different any interface can perform any logical function With the SG4500 Series the ge1 interface is the default managemen...
Page 53: ...nitial startup of the SG4500 Series CorePlus automatically creates and fills the InterfaceAddresses folder in the CorePlus address book with the interface related IP address objects When we specify an...
Page 54: ...lic Internet Device main add IPRule name lan_to_wan Action Allow SourceInterface ge3 SourceNetwork InterfaceAddresses ge3_net DestinationInterface ge2 DestinationNetwork all nets Service http all This...
Page 55: ...t Gateway IP address specified This all nets route is added automatically by CorePlus during the DHCP address retrieval process Automatic route generation is a setting for each interface that can be m...
Page 56: ...ute with the PPTP tunnel to allow traffic to flow through it and this is automatically created in the main routing table when the tunnel is defined The destination network for this route is the Remote...
Page 57: ...s case ge3_ip NTP Server Setup Network Time Protocol NTP servers can optionally be configured to maintain the accuracy of the system date and time The command below sets up synchronization with the tw...
Page 58: ...er to gain control over the logging of dropped traffic it is recommended to create a drop all rule as the last rule in the main IP rule set This rule has an Action of Drop with the source and destinat...
Page 59: ...Downgrading to 8 nn The SG4500 Series comes preinstalled with a 9 nn CorePlus version and this cannot be downgraded since the hardware does not support 8 nn versions Chapter 3 CorePlus Configuration...
Page 60: ...correctly 4 Is the management interface properly connected Check the link indicator lights on the management interface If they are dark then there may be a cable problem 5 Check the cable type connec...
Page 61: ...using the console command Device arpsnoop all This will show the ARP packets being received on the different interfaces and confirm that the correct cables are connected to the correct interfaces Cha...
Page 62: ...h combinations of the source destination interface network combined with protocol type By default no IP rules are defined so all traffic is dropped At least one IP rule needs to be defined before traf...
Page 63: ...n Courses For details about classroom and online CorePlus education as well as CorePlus certification visit the Clavister company website at http www clavister com or contact your local sales represen...
Page 64: ...Chapter 3 CorePlus Configuration 64...
Page 65: ...n The SG4500 Series does not need both PSUs fitted The appliance can operate correctly with just one PSU fitted If this is the case the second PSU slot should be filled with a special PSU Filler Modul...
Page 66: ...ower cord is inserted and external power is applied Important Dusty environments reduce PSU fan lifetimes SG4500 Series PSU fans are designed to work in environments with reasonable air quality Elevat...
Page 67: ...e 4 3 The PSU Status LED Swapping a PSU To swap a failed PSU 1 Switch off the power source to the faulty PSU This may be done by simply unplugging the power cable from a wall socket 2 Remove the power...
Page 68: ...er cord into a wall socket 8 The new PSU s green light will illuminate indicating normal operation and the audible alarm will stop if it hasn t already been switched off Tip Having spare PSUs onsite H...
Page 69: ...es fans are designed to work in environments with reasonable air quality Elevated dust levels in the surrounding air can substantially reduce the operating lifetimes of fan modules Identifying Failure...
Page 70: ...fans modules 3 The fans are secured in place by a simple spring mechanism on each module s left and right side and this will release the module if sufficient outward even force is applied Each module...
Page 71: ...he fan will begin to spin immediately 6 Replace the metal grill by locating its two tabs into the locating holes on the left and secure it by screwing back the retaining screw by hand The retaining sc...
Page 72: ...Chapter 4 Product Maintenance 72...
Page 73: ...eplacement Hardware will be warranted for the remainder of the original warranty period or thirty days whichever is longer Note that the term Start Date means the earlier of the product registration d...
Page 74: ...r memory data contained in stored on or integrated with any product returned to Clavister pursuant to this warranty Contacting Clavister Should there be a problem with the online form then Clavister s...
Page 75: ...er serviceable parts inside these products Only service trained personnel can perform any adjustment maintenance or repair S kerhetsf reskrifter Dessa produkter r s kerhetsklassade enligt klass I och...
Page 76: ...elle zu den Ger teingabeterminals den Netzkabeln oder dem mit Strom belieferten Netzkabelsatz voraus Sobald Grund zur Annahme besteht dass der Schutz beeintr chtigt worden ist das Netzkabel aus der Wa...
Page 77: ...rna de puesta a tierra Es preciso que exista una puesta a tierra continua desde la toma de alimentac on el ctrica hasta las bornas de los cables de entrada del aparato el cable de alimentaci n hasta h...
Page 78: ...491 hours Regulatory and Safety Standards Safety UL CE EMC FCC class A CE class A VCCI class A Environmental Humidity 20 to 95 noncondensing Operational Temperature 0 to 45 C Vibration 0 41 Grms2 3 50...
Page 79: ...Appendix B Declarations of Conformity 79...
Page 80: ...Appendix B Declarations of Conformity 80...
Page 81: ...ateway s address of 192 168 1 1 The IP address 192 168 1 30 will be used for this purpose and the steps to set this up with Vista are as follows 1 Press the Windows Start button 2 Select the Control P...
Page 82: ...se the following IP address and enter the following values IP Address 192 168 1 30 Subnet mask 255 255 255 0 Default gateway 192 168 1 1 DNS addresses can be entered later once Internet access is esta...
Page 83: ...ay s address of 192 168 1 1 The IP address 192 168 1 30 will be used for this purpose and the steps to set this up with Windows 7 are as follows 1 Press the Windows Start button 2 Select the Control P...
Page 84: ...the following IP address and enter the following values IP Address 192 168 1 30 Subnet mask 255 255 255 0 Default gateway 192 168 1 1 DNS addresses can be entered later once Internet access is establ...
Page 85: ...ity Gateway To do this a selected Ethernet interface on the Mac must be configured correctly with a static IP The setup steps for this with Mac OS X are 1 Go to the Apple Menu and select System Prefer...
Page 86: ...5 Now set the following values IP Address 192 168 1 30 Subnet Mask 255 255 255 0 Router 192 168 1 1 6 Click Apply to complete the static IP setup Appendix E Apple Mac IP Setup 86...
Page 87: ...Clavister AB Sj gatan 6J SE 89160 rnsk ldsvik SWEDEN Phone 46 660 299200 Fax 46 660 12250 www clavister com...
