manualshive.com logo in svg

Clavister Eagle E7, Быстрый старт, Страница: 41 / 76

Поделиться
Скачать
Clavister Eagle E7 Скачать руководство пользователя страница 41

The empty

main

IP rule set will now appear. Press the Add button at the top left and select IP

Rule from the menu.

The properties for the new IP rule will appear. In this example, we will call the rule

lan_to_wan

.

The rule

Action

is set to

NAT

(this is explained further below) and the

Service

is set to

http-all

which is suitable for most web browsing (it allows both HTTP and HTTPS connections). The
interface and network for the source and destinations are defined in the

Address Filter

section of

the rule.

The destination network in the IP rule is specified as the predefined

IP4 Address

object

all-nets

.

This is used since it cannot be known in advance to which IP address web browsing will be
directed and

all-nets

allows browsing to any IP address. IP rules are processed in a top down

fashion, with the search ending at first matching rule. An

all-nets

rule like this should be placed

towards the bottom or at the end of the rule set since other rules with narrower destination
addresses should trigger before it does.

Only one rule is needed since any traffic controlled by a

NAT

rule will be controlled by the cOS

Core

state engine

. This means that the rule will allow

connections

that originate from the source

network/destination and also implicitly allow any returning traffic that results from those
connections.

In the above, the predefined service called

http-all

is the best service to use for web browsing

(this service includes HTTP and HTTPS but not DNS). It is advisable to always make the service in
an IP rule or IP policy as restrictive as possible to provide the best security possible. Custom
service objects can be created for specific protocols and existing service objects can also be
combined into a new, single service object.

The IP rule

Action

could have been specified as

Allow

, but only if all the hosts on the protected

local network have public IPv4 addresses. By using

NAT

, cOS Core will use the destination

interface's IP address as the source IP. This means that external hosts will send their responses
back to the interface IP and cOS Core will automatically forward the traffic back to the originating
local host. Only the outgoing interface therefore needs to have a public IPv4 address and the
internal network topology is hidden.

Chapter 3: cOS Core Configuration

41

Содержание Eagle E7

Страница 1: ...Clavister Eagle E7 Getting Started Guide Clavister AB Sj gatan 6J SE 89160 rnsk ldsvik SWEDEN Phone 46 660 299200 www clavister com Published 2013 05 29 Copyright 2013 Clavister AB...

Страница 2: ...avister reserves the right to revise this publication and to make changes from time to time in the content hereof without any obligation to notify any person or parties of such revision or changes Lim...

Страница 3: ...ion 19 2 5 Connecting Power 21 2 6 Resetting to Factory Defaults 22 3 cOS Core Configuration 24 3 1 Management Workstation Connection 24 3 2 Web Interface and Wizard Setup 27 3 3 Manual Web Interface...

Страница 4: ...List of Figures 1 1 An Unpacked Clavister E7 Appliance 7 1 2 Clavister E7 Connection Ports 9 1 3 The E7 Ethernet Interface Ports 9 2 1 The E7 Console Port 19 2 2 E7 Power Inlet Connector 21 4...

Страница 5: ...subsections are shown in the table of contents at the beginning of the document Notes to the main text Special sections of text which the reader should pay special attention to are indicated by icons...

Страница 6: ...oubleshooting Web links Web links included in the document are clickable For example http www clavister com Trademarks Certain names in this publication are the trademarks of their respective owners c...

Страница 7: ...y unpack the contents The delivered product packaging should contain the following The Clavister E7 appliance RS232 null modem cable or micro USB console cable depending on version RJ45 Ethernet cable...

Страница 8: ...nt WEEE directive symbol which is shown below The product and any of its parts should not be discarded of by means of regular refuse disposal At end of life the product and parts should be given to an...

Страница 9: ...connected by a switch fabric There are two versions of the E7 appliance The first generation version provides console connection through an RS232 RJ45 connector port the second generation uses a micr...

Страница 10: ...ace Status LEDs On the E7 there are indicator lights at the top left and top right of each interface which illuminate according to link status and activity The conditions shown are The top left flashe...

Страница 11: ...Chapter 1 Product Overview 11...

Страница 12: ...ower Make sure that the power source circuits are properly grounded and then use the power cord supplied with the appliance to connect it to the power source Using Other Power Cords If your installati...

Страница 13: ...that airflow around the appliance is not restricted Dust Do not expose the appliance to environments with elevated dust levels Note The specifications appendix provide details Detailed information co...

Страница 14: ...rack mounting with PSU mounting space including 2 fitted hex screws 1 x plastic cable tie for securing the PSU to the rack mount The kit is attached to the sides of the E7 unit prior to mounting in t...

Страница 15: ...from the power inlet in the same way This is also secured by screwing the 2 preinstalled screws into the corners of the vents 5 Take the external power supply and place it into the space provided on...

Страница 16: ...g the PSU power cord into the E7 power inlet The E7 with the attached mounting bracket is now ready to be mounted in a rack Following mounting a power cable can be plugged into the E7 PSU Chapter 2 In...

Страница 17: ...Core setup as well as for ongoing system administration The RS 232 console port need not be used if setup is done through a web browser as described in Section 3 2 Web Interface and Wizard Setup If th...

Страница 18: ...232 cable directly to the console port on the E7 3 Connect the other end of the cable to a console terminal or to the serial connector of a computer running console emulation software Connection Usin...

Страница 19: ...Connection Steps To connect a PC to the console port follow these steps 1 Connect a micro USB connector directly to the console port on the E7 2 Connect the other end of the cable to a USB port on a...

Страница 20: ...nt Workstation Connection Note Setting a console password is recommended A console password need not be set If it is not anyone with physical access to the console has full administrator rights Unless...

Страница 21: ...the appliance is ready for configuration from a management workstation using either the Web Interface or the Command Line Interface CLI as the management interface Initial configuration is discussed i...

Страница 22: ...ot sequence begins on the console output the boot menu is entered by typing any key on the console keyboard A complete description of the boot menu and its options can be found in the separate cOS Cor...

Страница 23: ...Chapter 2 Installation 23...

Страница 24: ...ity operating system is preloaded on the E7 and will automatically boot up after power is applied An external management computer workstation can now be used to configure cOS Core The Default Manageme...

Страница 25: ...CLI allows step by step control of setup and should be used by administrators who fully understand both the CLI and setup process CLI access is possible in one of two ways i CLI access can be remote a...

Страница 26: ...though it could be any other unused interface Using Crossover Cables Connection to the management interface from the workstation can be done directly without a switch This is usually done by using a c...

Страница 27: ...rn off popup blocking Make sure the web browser doesn t have a proxy server configured Any popup blocking in the browser should also be temporarily turned off to allow the setup wizard to run If there...

Страница 28: ...After login the Web Interface will appear and the cOS Core setup wizard should begin automatically The first wizard dialog is the wizard welcome screen which should appear as shown below Cancelling t...

Страница 29: ...steps that the wizard goes through after the welcome screen are listed next Wizard step 1 Enter a new username and password You will be prompted to enter a new administration username and password as...

Страница 30: ...hat will be used to connect to an ISP for Internet access Wizard step 4 Select the WAN interface settings This step selects how the WAN connection to the Internet will function It can be one of Manual...

Страница 31: ...ry DNS server field 4B DHCP automatic configuration All required IP addresses will automatically be retrieved from the ISP s DHCP server with this option No further configuration is required for this...

Страница 32: ...ly after connection with PPTP Wizard step 5 DHCP server settings If the Clavister Security Gateway is to function as a DHCP server it can be enabled here in the wizard on a particular interface or con...

Страница 33: ...Core For the default gateway it is recommended to specify the IPv4 address assigned to the internal network interface In this setup this corresponds to 192 168 1 1 The DNS server specified should be...

Страница 34: ...link is provided to open a browser window to complete registration Alternatively this step can be skipped and license installation can be done later in which case cOS Core will run in demonstration m...

Страница 35: ...although their physical capabilities may be different any interface can perform any logical function With the E7 the GESW interface is the default management interface The other interfaces can be use...

Страница 36: ...Configuration Changes To activate any cOS Core configuration changes made so far select the Save and Activate option from the Configuration menu this procedure is also referred to as deploying a conf...

Страница 37: ...since any system outage will result in these edits being lost Automatic Logout If there is no activity through the Web Interface for a period of time the default is 15 minutes cOS Core will automatica...

Страница 38: ...rnet access Now add the gateway IP4 Address object using the address book name wan_gw and assign it the IPv4 address 10 5 4 1 The ISP s gateway is the first router hop towards the public Internet from...

Страница 39: ...nd provide a convenient way to group together related IP address objects The folder name can be chosen to indicate the folder s contents Now click the Add button at the top left of the list and choose...

Страница 40: ...plained in more detail later specifying the Default Gateway also has the additional effect of automatically adding a route for the gateway in the cOS Core routing table At this point the connection to...

Страница 41: ...any traffic controlled by a NAT rule will be controlled by the cOS Core state engine This means that the rule will allow connections that originate from the source network destination and also implic...

Страница 42: ...erface where the network all nets in other words any network will be found If the default main routing table is opened by going to Network Routing Routing Tables main the route needed should appear as...

Страница 43: ...m the ISP via DHCP and cOS Core automatically sets the relevant address objects in the address book with this information For cOS Core to know on which interface to find the public Internet a route ha...

Страница 44: ...Routing Tables main we can see this route If the PPPoE tunnel object is deleted this route is also automatically deleted At this point no traffic can flow through the tunnel since there is no IP rule...

Страница 45: ...leted At this point no traffic can flow through the tunnel since there is no IP rule defined that allows it As was done in option A above we must define an IP rule that will allow traffic from a desig...

Страница 46: ...dns1_address Syslog Server Setup Although logging may be enabled no log messages are captured unless at least one log server is set up to receive them and this is configured in cOS Core Syslog is one...

Страница 47: ...the cOS Core will drop any traffic unless an IP rule explicitly allows it Let us suppose that we wish to allow the pinging of external hosts with the ICMP protocol by computers on the internal G3_net...

Страница 48: ...is found for a new connection then the default rule is triggered This rule is hidden and cannot be changed and its action is to drop all such traffic as well as generate a log message for the drop In...

Страница 49: ...nfiguration during editing then these deletes are indicated by a line scored through the list entry while the configuration is still not yet activated The deleted entry only disappears completely when...

Страница 50: ...limitation Doing this is described in Section 3 5 Installing a License Chapter 3 cOS Core Configuration 50...

Страница 51: ...normal CLI prompt if connecting directly through the local console port and a username password combination will not be required a password for this console can be set later Device If connecting remo...

Страница 52: ...can only be changed after initial startup All cOS Core interfaces are logically equal for cOS Core and although their physical capabilities may be different any interface can perform any logical funct...

Страница 53: ...ualifying the names of IP objects in folders On initial startup of the E7 cOS Core automatically creates and fills the InterfaceAddresses folder in the cOS Core address book with the interface related...

Страница 54: ...ill have private IPv4 addresses In that case we must use NAT to send out traffic so that the apparent source IP address is the IP of the interface connected to the ISP To do this we simply change the...

Страница 55: ...c can flow to or from the Internet since there is no IP rule defined that allows it As was done in the previous option A above we must therefore manually define an IP rule that will allow traffic from...

Страница 56: ...ote Network specified for the tunnel and for the public Internet this should be all nets As with all automatically added routes if the PPTP tunnel object is deleted then this route is also automatical...

Страница 57: ...NTP Server Setup Network Time Protocol NTP servers can optionally be configured to maintain the accuracy of the system date and time The command below sets up synchronization with the two NTP servers...

Страница 58: ...w connection then the default rule is triggered This rule is hidden and cannot be changed and its action is to drop all such traffic as well as generate a log message for the drop In order to gain con...

Страница 59: ...e iv The license file is uploaded to the security gateway through the cOS Core Web Interface by going to Status Maintenance License and pressing the Upload button to select the license file Following...

Страница 60: ...arameters may come into effect although this does not disrupt traffic When installing a license through the Web Interface or when using the startup wizard the option to reboot or reconfigure are prese...

Страница 61: ...rrectly 4 Is the management interface properly connected Check the link indicator lights on the management interface If they are dark then there may be a cable problem 5 Check the cable type connected...

Страница 62: ...ts being received on the different interfaces and confirm that the correct cables are connected to the correct interfaces To look at the ARP activity only a particular interface follow the command wit...

Страница 63: ...needs to be defined before traffic can traverse the Clavister Security Gateway An alternative to IP Rule objects is to use IP Policy objects These have essentially the same function but simplify the...

Страница 64: ...ions A CLI overview is also provided as part of the cOS Core Administrators Guide cOS Core Education Courses For details about classroom and online cOS Core education as well as cOS Core certification...

Страница 65: ...Chapter 3 cOS Core Configuration 65...

Страница 66: ...ted for the remainder of the original warranty period or thirty days whichever is longer Note that the term Start Date means the earlier of the product registration date OR ninety 90 days following th...

Страница 67: ...tegrated with any product returned to Clavister pursuant to this warranty Contacting Clavister Should there be a problem with the online form then Clavister support can be contacted by email at suppor...

Страница 68: ...viceable parts inside these products Only service trained personnel can perform any adjustment maintenance or repair S kerhetsf reskrifter Dessa produkter r s kerhetsklassade enligt klass I och har an...

Страница 69: ...elle zu den Ger teingabeterminals den Netzkabeln oder dem mit Strom belieferten Netzkabelsatz voraus Sobald Grund zur Annahme besteht dass der Schutz beeintr chtigt worden ist das Netzkabel aus der Wa...

Страница 70: ...rna de puesta a tierra Es preciso que exista una puesta a tierra continua desde la toma de alimentac on el ctrica hasta las bornas de los cables de entrada del aparato el cable de alimentaci n hasta h...

Страница 71: ...mounting kit Regulatory and Safety Standards Safety UL CE EMC CE class A Environmental Humidity 5 to 95 noncondensing Operational Temperature 0 to 35 C Vibration 0 41 Grms2 3 500 Hz Shock 30 G Power...

Страница 72: ...Appendix B Declarations of Conformity 72...

Страница 73: ...Appendix B Declarations of Conformity 73...

Страница 74: ...re connected via a common switch fabric For example the 8 GESW interfaces could be divided so that the first 2 GESW interfaces could be on one VLAN the next 3 interfaces could be on a second VLAN and...

Страница 75: ...e E7 Port Based VLAN Issues There some issues which the adminstrator should be aware of when setting up port based VLAN s Port Based VLANs Cannot be Mixed with VLAN Trunks When the port based VLAN fea...

Страница 76: ...Clavister AB Sj gatan 6J SE 89160 rnsk ldsvik SWEDEN Phone 46 660 299200 www clavister com...

Отзывы:

Нет отзывов