manualshive.com logo in svg

Clavister NetWall 6000 Series, Руководство по началу работы, Страница: 55 / 99

Поделиться
Скачать
Clavister NetWall 6000 Series Скачать руководство пользователя страница 55

To add an IP policy, go to

Policies > Firewalling > Main IP Rules

. The

main

IP rule set will now

be displayed. Press the

Add

button and select

IP Policy

from the menu.

The properties for the new object will appear. In this example, the policy will be called

lan_to_wan

. The

Service

is set to

http-all

which is suitable for web browsing (it allows HTTP and

HTTPS connections).

The destination network is specified as the predefined

IP4 Address

object

all-nets

. This is used

since it cannot be known in advance to which IP address web browsing will be directed and

all-nets

allows browsing to any IP address. IP rule sets are processed in a top down fashion, with

the search ending at the first matching entry. An

all-nets

entry like this should be placed towards

the end of the rule set since other rules with narrower destination addresses should trigger first.

In addition to entering the above for the policy, the

Source Translation

should be set to NAT and

the

Address Action

left as

Outgoing Interface IP

. Note that the default source translation value for

an IP policy is

Auto

and this would also provide NAT translation between a private and public IP

address but NAT is specified explicitly in this section for clarity.

By using

NAT

, cOS Core will use the destination interface's IP address as the source IP. This means

that external hosts will send their responses back to the interface IP and cOS Core will
automatically forward the traffic back to the originating local host. Only the outgoing interface
therefore needs to have a public IPv4 address and the internal network topology is hidden.

For web browsing, public DNS lookup also needs to be allowed in order to resolve URIs into IP
addresses. The service

http-all

does not include the

DNS

protocol so a similar IP rule set entry that

allows this is needed. This could be done with a single IP policy that uses a custom service which
combines the

HTTP

and

DNS

protocols. However, the recommended method is to create an

entirely new IP set entry that specifies the service as

dns-all

. This provides more clarity when the

configuration is examined for problems. The screenshot below shows a new IP policy called

Chapter 4: cOS Core Configuration

55

Содержание NetWall 6000 Series

Страница 1: ...Clavister NetWall 6000 Series Getting Started Guide...

Страница 2: ...anties of merchantability or fitness for a particular purpose Clavister reserves the right to revise this publication and to make changes from time to time in the content hereof without any obligation...

Страница 3: ...lation 25 3 4 Management Computer Connection 26 3 5 RJ45 Console Port Connection 29 3 6 Micro USB Console Port Connection 31 3 7 Connecting Power 33 4 cOS Core Configuration 38 4 1 Web Interface and W...

Страница 4: ...35 5 1 A NetWall 6000 Series PSU AC Power 79 5 2 NetWall 6000 Series PSU Alarm Shutoff Button 80 5 3 NetWall 6000 Series PSU Power LED 80 5 4 NetWall 6000 Series PSU Removal 81 6 1 NetWall 6000 Serie...

Страница 5: ...ft hand side of the page followed by a short paragraph in italicized text There are the following types of such sections Note This indicates some piece of information that is an addition to the preced...

Страница 6: ...xample http www clavister com Trademarks Certain names in this publication are the trademarks of their respective owners cOS Core is the trademark of Clavister AB Windows Windows XP Windows Vista Wind...

Страница 7: ...product can run any cOS Core version from 14 00 00 onwards Earlier versions are not supported and a downgrade should not be attempted 1 1 Unpacking Figure 1 1 An Unpacked NetWall 6000 Series Unit This...

Страница 8: ...available from Clavister as an addition to certain cOS Core support agreements This service allows a second identical NetWall 6000 Series unit to be purchased at a discount so that it can quickly subs...

Страница 9: ...should be given to an appropriate service that deals with the disposal of such specialist materials WARNING REPLACE ANY INTERNAL BATTERIES CORRECTLY THERE IS A RISK OF EXPLOSION IF AN INTERNAL BATTER...

Страница 10: ...ts have sequential logical cOS Core interface names from G1 to G8 They all support 10BaseT 100BaseTx and 1000BaseT The G1 interface is the default interface for management access over a network Howeve...

Страница 11: ...DHCP client enabled in the default cOS Core configuration This means it can automatically receive a DHCP lease from an ISP if used for connection to the Internet However note that this interface must...

Страница 12: ...ter This might require an upgrade of the factory installed cOS Core version The cOS Core configuration is in its factory default state Following an upgrade to a version that supports zero touch or any...

Страница 13: ...replacement hardware is connected to the Internet InControl can automatically install the correct license as well as the correct cOS Core version In addition InControl will upload its copy of the cOS...

Страница 14: ...the cOS Core management interfaces In addition log message alerts can be automatically generated if a sensor reaches a value outside of its normal operational range Configuring this feature as well a...

Страница 15: ...Chapter 1 NetWall 6000 Series Overview 15...

Страница 16: ...the wizard will provide a link to the registration page so it can be done while the wizard is running Registration of a NetWall 6000 Series Hardware Unit This is mandatory for every hardware unit befo...

Страница 17: ...rst time click the Create Account link 3 The registration page is now presented The required information should be filled in In the example below a user called John Smith is registering 4 When the reg...

Страница 18: ...vister website to show that confirmation has been successful and logging in is now possible 7 After logging in the customer name is displayed with menu options for changing settings and logging out No...

Страница 19: ...up If the unit does not have Internet access then manual registration is required and this is done using the following steps 8 Now log into the MyClavister website and select the Register License menu...

Страница 20: ...download and installation from Clavister servers This installation can be done automatically through the cOS Core Setup Wizard which is described in Section 4 1 Web Interface and Wizard Setup If the N...

Страница 21: ...s These are specified in multiple languages Caution Noise levels can be elevated from fans The NetWall 6000 Series can emit elevated levels of fan noise and caution should be taken to protect hearing...

Страница 22: ...ecting Power Temperature Do not install the appliance in an environment where the ambient temperature during operation might fall outside the specified operating range This range is documented in Appe...

Страница 23: ...in Section 3 3 Rack Installation The NetWall 6000 Series can emit elevated levels of fan noise and caution should be taken to protect hearing when spending time in proximity to the appliance if it is...

Страница 24: ...ll 6000 Series into a rack In the product packaging the following should be included A front bracket kit A side rail kit Installing these kits is described in the following two subsections The orderin...

Страница 25: ...a suitable screwdriver and the screws provided attach a rail to both sides of the NetWall 6000 Series unit There are pre drilled holes in the unit for this Figure 3 2 NetWall 6000 Series Side rail At...

Страница 26: ...for cOS Core management When this interface is accessed for the first time a setup wizard runs automatically to guide a new user through key setup steps The wizard can be closed if the administrator...

Страница 27: ...crossover cable is not necessary Connection to an ISP for Internet Access For access to the public Internet another 6000 Series Ethernet interface should be selected for connection to an ISP In this g...

Страница 28: ...address assigned to the management computer s Ethernet interface could be any address from the 192 168 1 0 24 network However the IP chosen must be different from 192 168 1 1 which is used by cOS Cor...

Страница 29: ...000 Series RJ45 Local Console Port Connection Note that the NetWall 6000 Series has both an RJ45 console port and a micro USB port described in Section 3 6 Micro USB Console Port Connection Both can b...

Страница 30: ...fied by the predefined admin user and are the same as the credentials for initial network access via the management Ethernet interface Username admin Password admin It is recommended to change the pas...

Страница 31: ...e NetWall 6000 Series Micro USB Local Console Port Connection Steps To connect a computer to the local console port perform the following steps 1 Connect a micro USB connector directly to the local co...

Страница 32: ...setup as well as for ongoing system administration Remote Console Connection Using SSH An alternative to using the local console port for CLI access is to connect over a network via a physical Etherne...

Страница 33: ...PSU installed and a second can be added if required When two PSUs are installed the 6000 Series runs using power from only one of the PSUs and the other delivers power only in the case of a failure b...

Страница 34: ...luminate to show that the PSU has power and is functioning correctly 6 The NetWall 6000 Series will boot up as soon as power is applied and cOS Core will start The progress of the boot up can be seen...

Страница 35: ...e end of the ground wire and fasten it to the chassis with the power supply retaining screw Important The power feed ground and chassis ground must be connected to the same earth point at an installat...

Страница 36: ...rt the 6000 Series and reinitialize cOS Core so that it boots up again This process can also be initiated through cOS Core For example using the CLI shutdown command Important Protecting against power...

Страница 37: ...Chapter 3 Installation 37...

Страница 38: ...upgrading are described in the separate cOS Core Administration Guide 4 1 Web Interface and Wizard Setup This section describes the setup when accessing cOS Core for the first time through a web brows...

Страница 39: ...a proxy server configured for the cOS Core management IP address The cOS Core Self signed Certificate When responding to the first https request in a browser session cOS Core will send a self signed c...

Страница 40: ...uld begin automatically as a popup window If the wizard is blocked by the browser it can be started manually by pressing the Setup Wizard button in the Web Interface toolbar shown below Once the wizar...

Страница 41: ...for the admin user The admin username can also be changed if required as shown in the screenshot below The Enforce Strong Passwords option is present in cOS Core versions from 11 05 onwards This is a...

Страница 42: ...ransparent mode interfaces can be configured at any time later outside of the wizard Note This step is only available with version 11 04 or later The step to optionally set up transparent mode interfa...

Страница 43: ...tion to the Internet will function It can be one of Manual configuration DHCP PPPoE or PPTP as shown below These four different connection options are discussed next in the subsections 5A to 5D that f...

Страница 44: ...ISP for PPPoE connection should be entered The Service field should be left blank unless the ISP supplies a value for it DNS servers are set automatically after connection with PPPoE 5D PPTP settings...

Страница 45: ...particular interface or configured later The range of IPv4 addresses that can be handed out must be specified in the form n n n n n n n n where n is a number between 0 and 255 and n n n n is a valid...

Страница 46: ...re By selecting the Clavister option the current time will be updated over the Internet from Clavister s own timeserver When specifying a hostname as a server instead of an IP address the hostname sho...

Страница 47: ...ck to this step Alternatively this step can be skipped and license installation can be done later in which case cOS Core will run in demo mode with a 2 hour time limit After the 2 hour period only man...

Страница 48: ...forehand All Ethernet interfaces are logically equal for cOS Core and although their physical capabilities may be different any interface can perform any logical function The NetWall 6000 Series uses...

Страница 49: ...et correctly To do this select System Device Date and Time The current system time is displayed and this can be changed by selecting the date and time fields then manually entering the desired figures...

Страница 50: ...current and active configuration Doing this is discussed next Activating Configuration Changes To activate any cOS Core configuration changes made so far select the Save and Activate option from the...

Страница 51: ...ge will result in the pending changes being lost Automatic Logout If there is no activity through the Web Interface for a period of time the default is 15 minutes cOS Core will automatically log the u...

Страница 52: ...dress book will be listed and will contain a number of predefined objects automatically created by cOS Core after it scans the interfaces for the first time The screenshot below shows the initial addr...

Страница 53: ...teway to the public Internet Click the OK button to save the values entered Then set up G2_ip to be 203 0 113 35 This is the IPv4 address of the G2 interface which will connect to the ISP s gateway La...

Страница 54: ...route for the gateway in the cOS Core routing table At this point the connection to the Internet is configured but no traffic can flow to or from the Internet since all traffic needs a minimum of the...

Страница 55: ...Note that the default source translation value for an IP policy is Auto and this would also provide NAT translation between a private and public IP address but NAT is specified explicitly in this sect...

Страница 56: ...one earlier when setting up the required IP4 Address objects Note Disabling automatic route generation Automatic route generation is enabled and disabled with the setting Automatically add a default r...

Страница 57: ...formation For cOS Core to know on which interface to find the public Internet a route has to be added to the main cOS Core routing table which specifies that the network all nets can be found on the i...

Страница 58: ...source interface to flow to the destination network all nets and the destination interface Here the destination interface is the PPPoE tunnel that has been defined D PPTP setup For PPTP connections a...

Страница 59: ...which is the PPTP tunnel DHCP Server Setup If a NetWall 6000 Series interface is to have a DHCP server enabled on it first create an IP4 Address object which defines the address range to be handed out...

Страница 60: ...log will appear Specify a name for example my_syslog and specify the address as the syslog_ip object Tip Address book object naming The cOS Core address book is organized alphabetically so when choosi...

Страница 61: ...uch traffic as well as generate a log message when it is triggered In order to gain more control over dropped traffic and its logging it is recommended to create an explicit drop all IP policy as the...

Страница 62: ...icense should be installed to remove the cOS Core 2 hour demo mode limitation Without a license installed cOS Core will have full functionality during the 2 hour period following startup but after tha...

Страница 63: ...nce connection is made to the CLI pressing the Enter key will cause cOS Core to respond The response will be a normal CLI prompt if connecting directly through the local console port and a username pa...

Страница 64: ...nes which interfaces are available and allocates their names One interface is chosen as the initial default management interface and this can only be changed after initial startup All cOS Core interfa...

Страница 65: ...cated in a folder is specified in the CLI the object name must be qualified with the name of its parent folder For example to reference the address G2_ip it must be qualified with the folder name Inte...

Страница 66: ...n can be specified explicitly For this the previous IP policy definition with explicit NAT translation becomes the following Device main add IPPolicy Name lan_to_wan SourceInterface G1 SourceNetwork I...

Страница 67: ...generation is a setting for each interface that can be manually enabled and disabled After all IP addresses are set via DHCP and an all nets route is added the connection to the Internet is configure...

Страница 68: ...ated in the main routing table when the tunnel is defined The destination network for this route is the remote network specified for the tunnel and for the public Internet this should be all nets As w...

Страница 69: ...In this case we will call the created DHCP server object my_dhcp_server Device add DHCPServer my_dhcp_server IPAddressPool dhcp_range Interface G1 Netmask 255 255 255 0 DefaultGateway InterfaceAddress...

Страница 70: ...P Responding hosts will send back ICMP responses to this single IP and cOS Core will then forward the traffic to the correct private IP address Adding a Drop All Policy is Recommended Scanning of IP r...

Страница 71: ...ut is reduced to a maximum limit of 1 Mbps Installation Methods The following methods can be used for installing the first cOS Core license in the 6000 Series unit Automatically through the Setup Wiza...

Страница 72: ...e parameters When installing a license through the Web Interface or when using the startup wizard the options to restart or reconfigure are presented to the administrator With the CLI and SCP these op...

Страница 73: ...product which is used for managing cOS Core configurations This method can also be used to install the first license Licenses and license installation are described further in the separate cOS Core Ad...

Страница 74: ...ss of the management computer is not configured correctly 4 Is the management interface properly connected Check the link indicator lights on the management interface If they are dark then there may b...

Страница 75: ...the command Device arpsnoop none 7 Check the management access rules for a network connection If connecting to the default management interface using the Web Interface or an SSH client check that the...

Страница 76: ...ined with protocol type By default no IP rules are defined so all traffic is dropped At least one IP rule needs to be defined before traffic can traverse the Clavister Next Generation Firewall An alte...

Страница 77: ...to them and at what severity The cOS Core Log Reference Guide provides a complete listing of the log messages that cOS Core is capable of generating The CLI Reference Guide The CLI Reference Guide pro...

Страница 78: ...Chapter 4 cOS Core Configuration 78...

Страница 79: ...SU is fitted into the second PSU slot after taking out the dummy slot filler Each PSU module is secured by a lock which is internal to the PSU and this is opened with a black sliding locking lever The...

Страница 80: ...nt PSU status and therefore failure can be detected by using the cOS Core Hardware Monitoring feature and this is fully described in the separate cOS Core Administration Guide This feature can confirm...

Страница 81: ...ore hardware monitoring should also indicate the presence and positive status of the new PSU 6 Move the PSU s hinged metal retaining bracket back so that it covers the cable connector to prevent it be...

Страница 82: ...capabilities and can be one of the following 8 x RJ45 Gigabit Ethernet interfaces 8 x RJ45 Gigabit Ethernet interfaces with PoE PoE installation is discussed further in Chapter 7 Power over Ethernet S...

Страница 83: ...Series 8 x SFP Gigabit Interface Module Figure 6 3 NetWall 6000 Series 4 x SFP 10 Gigabit Expansion Module Figure 6 4 NetWall 6000 Series 4 x SFP 10 Gigabit Expansion Module with QAT Chapter 6 Interfa...

Страница 84: ...screwdriver before undoing completely by hand The screws are on springs and will spring out when they are no longer held by the thread in the chassis 3 Attach an earthed anti static wrist strap to the...

Страница 85: ...ill have the name E1 2 For the NetWall 6000 Series the slot numbers go from left to right when looking at the front of the device In other words slot number 1 is the left hand slot cOS Core will also...

Страница 86: ...ly pressing it inwards as illustrated below Figure 6 7 Insertion of an Ethernet Module Caution Insert SFP SFP modules in the correct sockets An SFP module must not be inserted in an SFP socket Similar...

Страница 87: ...eters An uninstalled PoE capable 6000 Series expansion module is shown below Figure 7 1 NetWall 6000 Series 8 x RJ45 Gigabit with PoE PoE Expansion Module The above image shows a small LED at the cent...

Страница 88: ...that power is applied to the NetWall 6000 Series appliance and the module s interfaces appear in cOS Core s interface list All interface ports on the expansion module will have the PoE feature enable...

Страница 89: ...2 3at Type 2 The total loading across all Ethernet ports should never exceed 120 Watts and a maximum load distribution across the ports should ideally follow one of the patterns shown in the table bel...

Страница 90: ...The current cOS Core configuration will be lost but can be restored if a backup is available With the NetWall 6000 Series a reset can be done in one of the following ways Using the Web Interface A fac...

Страница 91: ...t the local console connection The complete procedure is performed with the following steps 1 Make sure a separate management computer running as a console is attached to the local console port of the...

Страница 92: ...nking stops the reset is being performed 4 If a console was connected in step 1 the console output will indicate that the hardware has successfully been reset to its factory defaults 5 After completio...

Страница 93: ...product or any other misuse Any replacement Hardware will be warranted for the remainder of the original warranty period or thirty days whichever is longer Note that the term Start Date means the earl...

Страница 94: ...ndling charge in addition to mailing and or shipping costs Note that the procedures for swapping any NetWall hardware model with an identical or different model type are described in the separate NetW...

Страница 95: ...user serviceable parts inside these products Only service trained personnel can perform any adjustment maintenance or repair S kerhetsf reskrifter Dessa produkter r s kerhetsklassade enligt klass I o...

Страница 96: ...lle zu den Ger teingabeterminals den Netzkabeln oder dem mit Strom belieferten Netzkabelsatz voraus Sobald Grund zur Annahme besteht dass der Schutz beeintr chtigt worden ist das Netzkabel aus der Wan...

Страница 97: ...na de puesta a tierra Es preciso que exista una puesta a tierra continua desde la toma de alimentac on el ctrica hasta las bornas de los cables de entrada del aparato el cable de alimentaci n hasta ha...

Страница 98: ...W for each PSU AC 100 W PoE to external devices 802 3at and 802 3af from expansion module Ethernet Interface Support Gigabit RJ45 interfaces Automatic MDI X 1000BASE T copper RJ45 100m 100BASE TX cop...

Страница 99: ...Clavister AB Sj gatan 6J SE 89160 rnsk ldsvik SWEDEN Head office Sales 46 0 660 299200 Customer support 46 0 660 297755 www clavister com...

Отзывы:

Нет отзывов