manualshive.com logo in svg

Clavister Wolf W30, Getting Started Manual

Get started with the powerful Clavister Wolf W30 firewall by downloading the free Getting Started Manual from our website. This manual provides step-by-step instructions on how to set up and configure your device for optimal security and performance. Download it now from manualshive.com and unleash the full potential of your W30.

Share
Download
background image

The destination network in the IP rule is specified as the predefined

IP4 Address

object

all-nets

.

This is used since it cannot be known in advance to which IP address web browsing will be
directed and

all-nets

allows browsing to any IP address. IP rules are processed in a top down

fashion, with the search ending at first matching rule. An

all-nets

rule like this should be placed

towards the bottom or at the end of the rule set since other rules with narrower destination
addresses should trigger before it does.

Only one rule is needed since any traffic controlled by a

NAT

rule will be controlled by the cOS

Core

state engine

. This means that the rule will allow

connections

that originate from the source

network/destination and also implicitly allow any returning traffic that results from those
connections.

In the above, the predefined service called

http-all

is the best service to use for web browsing

(this service includes HTTP and HTTPS but not DNS). It is advisable to always make the service in
an IP rule or IP policy as restrictive as possible to provide the best security possible. Custom
service objects can be created for specific protocols and existing service objects can also be
combined into a new, single service object.

The IP rule

Action

could have been specified as

Allow

, but only if all the hosts on the protected

local network have public IPv4 addresses. By using

NAT

, cOS Core will use the destination

interface's IP address as the source IP. This means that external hosts will send their responses
back to the interface IP and cOS Core will automatically forward the traffic back to the originating
local host. Only the outgoing interface therefore needs to have a public IPv4 address and the
internal network topology is hidden.

To allow web browsing, DNS lookup also needs to be allowed in order to resolve URLs into IP
addresses. The service

http-all

does not include the

DNS

protocol so a similar IP rule that allows

this is needed. This could be done with a single IP rule or IP policy that uses a custom service
which combines the

HTTP

and

DNS

protocols but the recommended method is to create an

entirely new IP rule that mirrors the above rule but specifies the service as

dns-all

. This method

provides the most clarity when the configuration is examined for any problems. The screenshot
below shows a new IP rule called

lan_to_wan_dns

being created to allow DNS.

Chapter 4: cOS Core Configuration

43

Summary of Contents for Wolf W30

Page 1: ...Clavister Wolf W30 Getting Started Guide Clavister AB Sj gatan 6J SE 89160 rnsk ldsvik SWEDEN Phone 46 660 299200 www clavister com Published 2015 06 26 Copyright 2015 Clavister AB...

Page 2: ...avister reserves the right to revise this publication and to make changes from time to time in the content hereof without any obligation to notify any person or parties of such revision or changes Lim...

Page 3: ...ation 26 4 1 Management Workstation Connection 26 4 2 Web Interface and Wizard Setup 29 4 3 Manual Web Interface Setup 37 4 4 CLI Setup 53 4 5 License Installation Methods 61 4 6 Setup Troubleshooting...

Page 4: ...Rear view of the Clavister W30 23 3 3 W30 Power Switch and Power Inlet Socket 23 5 1 An 8 x RJ45 Gigabit Interface Expansion Module for the W30 68 5 2 An 8 x SFP Gigabit Interface Expansion Module fo...

Page 5: ...side of the page followed by a short paragraph in italicized text There are the following types of such sections Note This indicates some piece of information that is an addition to the preceding text...

Page 6: ...or example http www clavister com Trademarks Certain names in this publication are the trademarks of their respective owners cOS Core is the trademark of Clavister AB Windows Windows XP Windows Vista...

Page 7: ...2 01 onwards Earlier versions are not supported and a downgrade should not be attempted 1 1 Unpacking the W30 Figure 1 1 An Unpacked Clavister W30 Appliance This section details the unpacking of the W...

Page 8: ...on All documentation and other resources for the W30 including this guide can be downloaded from the W30 product page which can be found at http www clavister com start End of Life Treatment The W30 a...

Page 9: ...dered separately for this slot and the following module options are available i 8 x RJ45 Gigabit Ethernet interfaces ii 8 x SFP Gigabit interfaces iii 2 x SFP 10 Gigabit interfaces Module installation...

Page 10: ...Specifications Chapter 1 W30 Product Overview 10...

Page 11: ...Chapter 1 W30 Product Overview 11...

Page 12: ...OS Core wizard the wizard will provide a link to the registration page so it can be done while the wizard is running Registration of the W30 Hardware Unit This is mandatory for every hardware unit bef...

Page 13: ...n webpage is now presented The required information should be filled in In the example below a user called John Smith registers It is important to enter the administrator s company details as well Wit...

Page 14: ...customer is taken to a webpage to indicate that confirmation has been successful They should now log in to the Clavister website with the credentials they have submitted during registration 7 After l...

Page 15: ...Web Interface when cOS Core starts for the first time 1 Log in to the Clavister website and select the Register License option 2 The registration page is displayed Under the tab Hardware Serial Number...

Page 16: ...download and installation from Clavister servers This installation can be done automatically through the cOS Core Setup Wizard which is described in Section 4 2 Web Interface and Wizard Setup If the...

Page 17: ...e to connect it to the power source Using Other Power Cords If your installation requires a different power cord than the one supplied with the appliance be sure to use a cord displaying the mark of t...

Page 18: ...say the temperature most commonly found in a modern office and in which humans feel comfortable This is usually considered to be between 20 and 25 degrees Celsius 68 to 77 degrees Fahrenheit Special r...

Page 19: ...d cables However the W30 is designed to be rack mounted and installation on a flat surface is not recommended Caution Always leave space around the appliance Always ensure there is adequate space arou...

Page 20: ...must be used for attaching the brackets After attaching a bracket to either side of the unit it is ready for rack mounting using a suitable fastener Rear support is not necessary Rack Mounting Guidel...

Page 21: ...port for both initial cOS Core setup as well as for ongoing system administration The local console port need not be used if setup is done through a web browser as described in Section 4 2 Web Interf...

Page 22: ...console connection settings are configured as described above 2 Connect one of the connectors on the cable directly to the local console port on the W30 3 Connect the other end of the cable to a cons...

Page 23: ...cured by screws Figure 3 2 Rear view of the Clavister W30 Connecting AC Power To connect power follow these steps 1 Plug the end of the power cord into the power inlet socket on the W30 Figure 3 3 W30...

Page 24: ...mmended that the purchase and use of a separate surge protection unit from a third party is considered for the power connection to the W30 hardware This is to ensure that the W30 is protected from dam...

Page 25: ...Chapter 3 W30 Installation 25...

Page 26: ...ld be referred to before continuing Clavister s cOS Core network security operating system is preloaded on the W30 and will automatically boot up after power is applied After boot up is complete an ex...

Page 27: ...a similar to the connection used with the Web Interface and is also done using the default management interface after powering up for the first time ii Alternatively CLI access can be through console...

Page 28: ...e IP network This means the workstation interface should be first assigned the following static IPv4 addresses IP address 192 168 1 30 Subnet mask 255 255 255 0 Default gateway 192 168 1 1 Tip Using a...

Page 29: ...nd turn off popup blocking Make sure the web browser doesn t have a proxy server configured The wizard runs in a browser popup window The popup must be allowed for the setup wizard to run If there is...

Page 30: ...After login the Web Interface will appear and the cOS Core setup wizard should begin automatically The first wizard dialog is the wizard welcome screen which should appear as shown below Cancelling t...

Page 31: ...nfiguring a log server The steps that the wizard goes through after the welcome screen are listed next Wizard step 1 Enter a new username and password You will be prompted to enter a new administratio...

Page 32: ...hat will be used to connect to an ISP for Internet access Wizard step 4 Select the WAN interface settings This step selects how the WAN connection to the Internet will function It can be one of Manual...

Page 33: ...ry DNS server field 4B DHCP automatic configuration All required IP addresses will automatically be retrieved from the ISP s DHCP server with this option No further configuration is required for this...

Page 34: ...on with PPTP Wizard step 5 DHCP server settings If the Clavister Security Gateway is to function as a DHCP server it can be enabled here in the wizard on a particular interface or configured later The...

Page 35: ...Core For the default gateway it is recommended to specify the IPv4 address assigned to the internal network interface In this setup this corresponds to 192 168 1 1 The DNS server specified should be...

Page 36: ...lete registration After registration come back to this step Alternatively this step can be skipped and license installation can be done later in which case cOS Core will run in demo mode with a 2 hour...

Page 37: ...and All cOS Core interfaces are logically equal for cOS Core and although their physical capabilities may be different any interface can perform any logical function With the W30 the G1 interface is t...

Page 38: ...ctivate option from the Configuration menu this procedure is also referred to as deploying a configuration A dialog is then presented to confirm that the new configuration is to become the running con...

Page 39: ...log the user out If they log back in through the same web browser session then they will return to the point they were at before the logout occurred and no saved but not yet activated changes are los...

Page 40: ...e listed and will contain a number of predefined objects automatically created by cOS Core after it scans the interfaces for the first time The screenshot below shows the initial address book for the...

Page 41: ...the ISP s router which acts as the gateway to the public Internet Click the OK button to save the values entered Then set up G2_ip to be 10 5 4 35 This is the IPv4 address of the G2 interface which w...

Page 42: ...ffic to flow from a given source network and source interface to a given destination network and destination interface A route defined in a cOS Core routing table which specifies on which interface cO...

Page 43: ...cts can be created for specific protocols and existing service objects can also be combined into a new single service object The IP rule Action could have been specified as Allow but only if all the h...

Page 44: ...er when setting up the required IP4 Address objects Note Disabling automatic route generation Automatic route generation is enabled and disabled with the setting Automatically add a default route for...

Page 45: ...evant address objects in the address book with this information For cOS Core to know on which interface to find the public Internet a route has to be added to the main cOS Core routing table which spe...

Page 46: ...g Tables main we can see this route If the PPPoE tunnel object is deleted this route is also automatically deleted At this point no traffic can flow through the tunnel since there is no IP rule define...

Page 47: ...eted At this point no traffic can flow through the tunnel since there is no IP rule defined that allows it As was done in option A above we must define an IP rule that will allow traffic from a design...

Page 48: ...et for example to be the IPv4 address object dns1_address Syslog Server Setup Although logging may be enabled no log messages are captured unless at least one log server is set up to receive them and...

Page 49: ...the cOS Core will drop any traffic unless an IP rule explicitly allows it Let us suppose that we wish to allow the pinging of external hosts with the ICMP protocol by computers on the internal G3_net...

Page 50: ...is found for a new connection then the default rule is triggered This rule is hidden and cannot be changed and its action is to drop all such traffic as well as generate a log message for the drop In...

Page 51: ...figuration during editing then these deletes are indicated by a line scored through the list entry while the configuration is still not yet activated The deleted entry only disappears completely when...

Page 52: ...Doing this is described in Section 4 5 License Installation Methods Chapter 4 cOS Core Configuration 52...

Page 53: ...normal CLI prompt if connecting directly through the local console port and a username password combination will not be required a password for this console can be set later Device If connecting remo...

Page 54: ...ce and this can only be changed after initial startup All cOS Core interfaces are logically equal for cOS Core and although their physical capabilities may be different any interface can perform any l...

Page 55: ...mes of IP objects in folders On initial startup of the W30 cOS Core automatically creates and fills the InterfaceAddresses folder in the cOS Core address book with Ethernet interface related IPv4 addr...

Page 56: ...ill have private IPv4 addresses In that case we must use NAT to send out traffic so that the apparent source IP address is the IP of the interface connected to the ISP To do this we simply change the...

Page 57: ...c can flow to or from the Internet since there is no IP rule defined that allows it As was done in the previous option A above we must therefore manually define an IP rule that will allow traffic from...

Page 58: ...ote Network specified for the tunnel and for the public Internet this should be all nets As with all automatically added routes if the PPTP tunnel object is deleted then this route is also automatical...

Page 59: ...NTP Server Setup Network Time Protocol NTP servers can optionally be configured to maintain the accuracy of the system date and time The command below sets up synchronization with the two NTP servers...

Page 60: ...ew connection then the default rule is triggered This rule is hidden and cannot be changed and its action is to drop all such traffic as well as generate a log message for the drop In order to gain co...

Page 61: ...ster website then press Activate The license is fetched automatically across the public Internet and installed This method is also only available when installing a license for the first time Automatic...

Page 62: ...nse through the Web Interface or the startup wizard the option to restart will be presented When using the CLI or SCP for installation restarting is done in the Web Interface by going to Status Mainte...

Page 63: ...obvious problem is if the IP address of the workstation running the web browser is not configured correctly 4 Is the management interface properly connected Check the link indicator lights on the mana...

Page 64: ...faces and confirm that the correct cables are connected to the correct interfaces To look at the ARP activity only a particular interface follow the command with the interface name Device arpsnoop int...

Page 65: ...ons of the source destination interface network combined with protocol type By default no IP rules are defined so all traffic is dropped At least one IP rule needs to be defined before traffic can tra...

Page 66: ...erence Guide provides a complete listing of the available CLI commands with their options A CLI overview is also provided as part of the cOS Core Administrators Guide cOS Core Education Courses For de...

Page 67: ...Chapter 4 cOS Core Configuration 67...

Page 68: ...pes available and these are purchased separately to the W30 unit Each of the three module types has different capabilities and can be one of the following 8 x RJ45 Gigabit Ethernet interfaces shown be...

Page 69: ...first undoing the two retaining screws on either side of the plate These screws may need loosening with a suitable screwdriver before undoing completely by hand The screws are on springs and will spri...

Page 70: ...thread in the chassis After hand tightening finish by applying minimal extra tightening with a suitable screwdriver to ensure the screws are secure as shown below 7 Now power up the hardware to resta...

Page 71: ...he W30 When cOS Core is started again the configuration will be unchanged However no data will be received or sent on an interface that does not physically exist If another expansion module is then fi...

Page 72: ...Figure 5 5 Insertion of a Gigabit SFP Module Chapter 5 Interface Expansion Modules 72...

Page 73: ...by choosing the boot menu option Enable Console Password Performing a Boot Menu Reset The W30 does not provide a hardware reset button on the hardware unit itself Instead the reset is done by entering...

Page 74: ...f cOS Core that the product left the factory with This means The current cOS Core configuration will be lost but can be restored if a backup is available Any cOS Core upgrades that have been performed...

Page 75: ...ted for the remainder of the original warranty period or thirty days whichever is longer Note that the term Start Date means the earlier of the product registration date OR ninety 90 days following th...

Page 76: ...Clavister is not responsible for any of the purchaser s software firmware information or memory data contained in stored on or integrated with any product returned to Clavister pursuant to this warra...

Page 77: ...rviceable parts inside these products Only service trained personnel can perform any adjustment maintenance or repair S kerhetsf reskrifter Dessa produkter r s kerhetsklassade enligt klass I och har a...

Page 78: ...elle zu den Ger teingabeterminals den Netzkabeln oder dem mit Strom belieferten Netzkabelsatz voraus Sobald Grund zur Annahme besteht dass der Schutz beeintr chtigt worden ist das Netzkabel aus der Wa...

Page 79: ...rna de puesta a tierra Es preciso que exista una puesta a tierra continua desde la toma de alimentac on el ctrica hasta las bornas de los cables de entrada del aparato el cable de alimentaci n hasta h...

Page 80: ...G2 Hz 5 100 Hz 6 dB Oct 100 500 Hz Random vibration IEC 60068 2 64 non operating 0 02 G2 Hz 5 100 Hz 6 dB Oct 100 500 Hz Mechanical Shock Operating 0 5 Grms Non operating 1 91 Grms Power Specificatio...

Page 81: ...For more information about Clavister products go to http www clavister com Appendix A W30 Specifications 81...

Page 82: ...Appendix B Declarations of Conformity 82...

Page 83: ...Appendix B Declarations of Conformity 83...

Page 84: ...192 168 1 0 24 and is different from the security gateway s address of 192 168 1 1 The IPv4 address 192 168 1 30 will be used for this purpose and the steps to set this up with Windows XP are as follo...

Page 85: ...browse the Internet from the management workstation via the security gateway it is possible to go back to the last step s properties dialog later and enter DNS server IP addresses For now they are not...

Page 86: ...ty gateway s address of 192 168 1 1 The IPv4 address 192 168 1 30 will be used for this purpose and the steps to set this up with Vista are as follows 1 Press the Windows Start button 2 Select the Con...

Page 87: ...he following IP address and enter the following values IP Address 192 168 1 30 Subnet mask 255 255 255 0 Default gateway 192 168 1 1 DNS addresses can be entered later once Internet access is establis...

Page 88: ...ay s address of 192 168 1 1 The IPv4 address 192 168 1 30 will be used for this purpose and the steps to set this up with Windows 7 are as follows 1 Press the Windows Start button 2 Select the Control...

Page 89: ...the following IP address and enter the following values IP Address 192 168 1 30 Subnet mask 255 255 255 0 Default gateway 192 168 1 1 DNS addresses can be entered later once Internet access is establ...

Page 90: ...ent from the security gateway s address of 192 168 1 1 The IPv4 address 192 168 1 30 will be used for this purpose and the steps to set this up with Windows 7 are as follows 1 Open the Windows 8 Contr...

Page 91: ...dialog select the option Use the following IP address and enter the following values IP Address 192 168 1 30 Subnet mask 255 255 255 0 Default gateway 192 168 1 1 DNS addresses can be entered later on...

Page 92: ...ity Gateway To do this a selected Ethernet interface on the Mac must be configured correctly with a static IP The setup steps for this with Mac OS X are 1 Go to the Apple Menu and select System Prefer...

Page 93: ...5 Now set the following values IP Address 192 168 1 30 Subnet Mask 255 255 255 0 Router 192 168 1 1 6 Click Apply to complete the static IP setup Appendix G Apple Mac IP Setup 93...

Page 94: ...Clavister AB Sj gatan 6J SE 89160 rnsk ldsvik SWEDEN Phone 46 660 299200 www clavister com...

Reviews:

No comments

Related manuals for Wolf W30

Check Point W16 Brochure & Specs preview
W16
Brand: Check Point Pages: 4
Check Point Power Sensor 2000 Datasheet preview
Power Sensor 2000
Brand: Check Point Pages: 4
Check Point SMB 1500 Series Reference Manual preview
SMB 1500 Series
Brand: Check Point Pages: 1401
Watchguard XTM 2050 Quick Start Manual preview
XTM 2050
Brand: Watchguard Pages: 22
Fortinet FortiGate 500 Installation And Configuration Manual preview
FortiGate 500
Brand: Fortinet Pages: 276
Draytek Vigor2925 Series Quick Start Manual preview
Vigor2925 Series
Brand: Draytek Pages: 36
Motorola SURFboard SVG2500 Quick Installation Manual preview
SURFboard SVG2500
Brand: Motorola Pages: 32
Fortinet FortiMail-5001A Quick Start Manual preview
FortiMail-5001A
Brand: Fortinet Pages: 2
Fortinet FortiManager-100 Quick Start Manual preview
FortiManager-100
Brand: Fortinet Pages: 2
Fortinet FortiGate FortiGate-5002FB2 Quick Start Manual preview
FortiGate FortiGate-5002FB2
Brand: Fortinet Pages: 2
Fortinet FortiGate ASM-FX2 Quick Start Manual preview
FortiGate ASM-FX2
Brand: Fortinet Pages: 1
Forcepoint V10000 G3 Quick Start Manual preview
V10000 G3
Brand: Forcepoint Pages: 2
Cisco C690 Quick Start Manual preview
C690
Brand: Cisco Pages: 18
Cisco amp threat grid Setup And Configuration Manual preview
amp threat grid
Brand: Cisco Pages: 50
Neoware Firewall User Manual preview
Firewall
Brand: Neoware Pages: 28
AlphaShield 202-5731 User Manual preview
202-5731
Brand: AlphaShield Pages: 12
SonicWALL NSA E6500 Getting Started Manual preview
NSA E6500
Brand: SonicWALL Pages: 78

Brands by name

Popular brands

Load more brands