
Adding a "Drop All" Policy is Recommended

Scanning of IP rule sets is done in a top-down fashion and the first matching entry decides what happens to the traffic. If no matching rule set entry is found, a hidden, implicit default rule is triggered. This rule cannot be changed: its action is to drop all such traffic and to generate a log message each time it is triggered.

In order to gain more control over dropped traffic and its logging, it is recommended to create an explicit "drop all" IP policy as the last entry in the main IP rule set. This policy has both the source and destination network set to all-nets and both the source and destination interface set to any. The service is set to all_services so that the policy triggers on all traffic types. Because such a policy matches everything, any entry placed after it can never be reached, so it must remain the last entry when further policies are added later.

The following command defines an explicit "drop all" policy with logging disabled. Note that both networks are set to all-nets (the predefined address object for 0.0.0.0/0) while any is used only for the interfaces. With LogEnabled=No, traffic dropped by this policy is not logged at all, unlike traffic dropped by the implicit default rule; set LogEnabled=Yes instead if a log record of dropped traffic is wanted.

Device:/> add IPPolicy Name=drop_all
          SourceInterface=any
          SourceNetwork=all-nets
          DestinationInterface=any
          DestinationNetwork=all-nets
          Service=all_services
          Action=Deny
          LogEnabled=No
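The following is an added example, not code from the guide or from Clavister: a small Python model of how a top-down, first-match IP rule set behaves with and without the explicit "drop all" entry. The object names drop_all, all-nets, any and all_services follow the guide; the lan_to_wan policy, its LAN2 network 192.168.2.0/24 and the sample packets are assumptions constructed for the example. It also includes a check a practitioner would want: detecting entries that sit after a catch-all policy and can therefore never match.

```python
"""
Model of cOS Core-style IP rule set evaluation: entries are scanned
top-down, the first match wins, and anything unmatched hits a hidden
default rule that drops and logs.

Added example, not Clavister code. Names drop_all, all-nets, any and
all_services follow the guide; the lan_to_wan policy, the LAN2 network
192.168.2.0/24 and the sample packets are assumptions for this example.
"""
from dataclasses import dataclass
import ipaddress

ALL_NETS = ipaddress.ip_network("0.0.0.0/0")   # the guide's "all-nets"
ALL_SERVICES = frozenset({"*"})                # the guide's "all_services"


@dataclass(frozen=True)
class Rule:
    name: str
    src_if: str                         # interface name or "any"
    src_net: ipaddress.IPv4Network
    dst_if: str
    dst_net: ipaddress.IPv4Network
    service: frozenset                  # {"tcp/80", ...} or ALL_SERVICES
    action: str                         # "Allow" or "Deny"
    log: bool                           # the guide's LogEnabled


@dataclass(frozen=True)
class Packet:
    src_if: str
    src_ip: str
    dst_if: str
    dst_ip: str
    service: str                        # e.g. "tcp/443"


# The implicit rule: not editable, drops and logs (as the guide states).
DEFAULT_RULE = Rule("<implicit default>", "any", ALL_NETS, "any", ALL_NETS,
                    ALL_SERVICES, "Deny", True)


def _if_match(rule_if: str, pkt_if: str) -> bool:
    return rule_if == "any" or rule_if == pkt_if


def _svc_match(rule_svc: frozenset, pkt_svc: str) -> bool:
    return "*" in rule_svc or pkt_svc in rule_svc


def matches(rule: Rule, pkt: Packet) -> bool:
    return (_if_match(rule.src_if, pkt.src_if)
            and ipaddress.ip_address(pkt.src_ip) in rule.src_net
            and _if_match(rule.dst_if, pkt.dst_if)
            and ipaddress.ip_address(pkt.dst_ip) in rule.dst_net
            and _svc_match(rule.service, pkt.service))


def evaluate(ruleset: list, pkt: Packet) -> tuple:
    """Top-down scan; return (rule name, action, logged) of the first match,
    falling through to the implicit default rule when nothing matches."""
    for rule in ruleset:
        if matches(rule, pkt):
            return rule.name, rule.action, rule.log
    return DEFAULT_RULE.name, DEFAULT_RULE.action, DEFAULT_RULE.log


def is_catch_all(rule: Rule) -> bool:
    return (rule.src_if == "any" and rule.dst_if == "any"
            and rule.src_net == ALL_NETS and rule.dst_net == ALL_NETS
            and rule.service == ALL_SERVICES)


def shadowed_by_catch_all(ruleset: list) -> list:
    """Names of entries placed after a catch-all policy; they can never match,
    which is why the explicit drop-all must stay the last entry."""
    for i, rule in enumerate(ruleset):
        if is_catch_all(rule):
            return [r.name for r in ruleset[i + 1:]]
    return []


# Constructed sample rule set (assumed, not from the guide).
LAN2_NET = ipaddress.ip_network("192.168.2.0/24")
LAN_TO_WAN = Rule("lan_to_wan", "LAN2", LAN2_NET, "WAN2", ALL_NETS,
                  frozenset({"tcp/80", "tcp/443"}), "Allow", False)
DROP_ALL = Rule("drop_all", "any", ALL_NETS, "any", ALL_NETS,
                ALL_SERVICES, "Deny", False)       # LogEnabled=No
MAIN = [LAN_TO_WAN, DROP_ALL]

HTTPS_OUT = Packet("LAN2", "192.168.2.10", "WAN2", "203.0.113.5", "tcp/443")
SSH_OUT = Packet("LAN2", "192.168.2.10", "WAN2", "203.0.113.5", "tcp/22")

if __name__ == "__main__":
    print(evaluate(MAIN, HTTPS_OUT))           # allowed by lan_to_wan
    print(evaluate(MAIN, SSH_OUT))             # dropped silently by drop_all
    print(evaluate([LAN_TO_WAN], SSH_OUT))     # dropped and logged by default rule
    print(shadowed_by_catch_all([DROP_ALL, LAN_TO_WAN]))   # lan_to_wan unreachable
```

The third call shows the difference the guide describes: without the explicit entry the same SSH packet is dropped by the hidden default rule, which always logs, whereas drop_all with LogEnabled=No drops it silently. The last call shows the ordering failure mode: placing drop_all ahead of lan_to_wan makes the allow policy unreachable.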

A Valid License Should Be Installed

Lastly, a valid license should be installed to remove the cOS Core 2 hour demo mode limitation. Without a license installed, cOS Core will have full functionality during the 2 hour period following startup, but after that, only management access will be possible. Installing a license is described in Section 4.5, “License Installation”.

Chapter 4: cOS Core Configuration

Clavister NetWall 100 Series Getting Started Guide