manualshive.com logo in svg

Clavister SG4300 Series, Руководство по началу работы, Страница: 37 / 68

Поделиться
Скачать
Clavister SG4300 Series Скачать руководство пользователя страница 37

The destination network in the IP rule is specified as the predefined IP4 Address object all-nets.
This is used since we don't know to which IP address the web surfing will be done and this allows
surfing to any IP address. IP rules are processed in a top down fashion, with the first matching rule
being obeyed. An all-nets rule like this should be placed towards the bottom of the rule set since
other rules with narrower destination addreses should trigger before it does.

Only one rule is needed since any traffic controlled by a NAT rule will be controlled by the CorePlus
state engine. This means that the rule will allow connections that originate from the source
network/destination and also implicitly allow any returning traffic that results from those
connections.

In the above, we selected the service called http_all which is already defined in CorePlus. It is
advisable to make the service in an IP rule as restrictive as possible to provide the best security
possible. Custom service objects can be created and new service objects can be created which are
combinations of existing services.

We could have specified the rule Action to be Allow, but only if all the hosts on the protected local
network have public IP addresses. By using NAT, CorePlus will use the destination interface's IP
address as the source IP. This means that external hosts will send their responses back to the
interface IP and CorePlus will automatically direct the traffic back to the originating local host.
Only the outgoing interface therefore needs to have a public IP address and the internal network
topology is hidden.

To allow web surfing, DNS lookup also needs to be allowed in order to resolve URLs into IP
addresses. The service http_all does not include the DNS protocol so we need a similar IP rule that
allows this. This could be done with one IP rule that uses a custom service which combines the
HTTP and DNS protocols but the recommended method is to create an entirely new IP rule that
mirrors the above rule but specifies the service as dns-all. This method provides the most clarity
when the configuration is examined for any problems. The screenshot below shows a new rule
called lan_to_wan_dns being created to allow DNS.

3.3. Manual Web Interface Setup

Chapter 3. CorePlus Configuration

37

Содержание SG4300 Series

Страница 1: ...Started Guide Clavister SG4300 Series Clavister AB Sj gatan 6J SE 89160 rnsk ldsvik SWEDEN Phone 46 660 299200 Fax 46 660 12250 www clavister com Build 91006 Published 2009 09 29 Copyright 2009 Clavi...

Страница 2: ...ose The manufacturer reserves the right to revise this publication and to make changes from time to time in the content hereof without obligation of the manufacturer to notify any person of such revis...

Страница 3: ...3 Console Port Connection 16 2 4 Connecting Power 18 3 CorePlus Configuration 20 3 1 Management Workstation Connection 20 3 2 Web Interface and Wizard Setup 24 3 3 Manual Web Interface Setup 31 3 4 C...

Страница 4: ...splay 9 2 1 A Typical 1000 Base LX SX Module 14 2 2 Installing a 1000 Base LX SX Module 14 2 3 A typical 1000 Base TX module 14 2 4 Installing a 1000 Base TX Module 15 2 5 The SG4300 Series RS 232 Con...

Страница 5: ...in text Special sections of text which the reader should pay special attention to are indicated by icons on the the left hand side of the page followed by a short paragraph in italicized text There ar...

Страница 6: ...liance 2 A mounting kit for 19 racks The side brackets for this kit are already attached but can be removed for flat surface operation 3 Attachable rubber feet for flat surface mounting 4 An Ethernet...

Страница 7: ...1 1 Unpacking the Product Chapter 1 Product Overview 7...

Страница 8: ...e of 4 LEDs which show SFP port status These are illuminated green when a link is established 6 x RJ45 Gigabit Ethernet ports with logical interface names ge1 to ge6 These connections are capable of l...

Страница 9: ...en this is indicated along with how much time is left before timeout If CorePlus is in lockdown mode then this is shown CPU and Connections This shows the CPU load and the total number of current stat...

Страница 10: ...peed iii If the link is full duplex FD or half duplex HD This is not shown if the linkspeed is Gigabit since it will always be full duplex iv The IP address assigned to the interface Hardware Monitor...

Страница 11: ...1 3 The Keypad and Display Chapter 1 Product Overview 11...

Страница 12: ...tal with the rating limit for the circuit The maximum ampere ratings are usually printed on the devices near the AC power connectors Do not install the appliance in an environment where the operating...

Страница 13: ...be followed A rack or cabinet used for mounting should be adequately secured to prevent it from becoming unstable and or falling over Devices installed in a rack or cabinet should be mounted as low as...

Страница 14: ...urchased separately Installation of different types SFP units is usually done in a similar way With the units shown the modules are inserted into sockets with the label facing upwards The module slide...

Страница 15: ...000 Base TX Module Note The installation images above do not feature the SG4300 Series However the SFP installation principles are the same on all Clavister hardware models 2 2 Installing SFP Modules...

Страница 16: ...d Wizard Setup If the RS 232 port is used for setup no password is initially needed and the CLI commands required are described in Section 3 4 CLI Setup Note Setting a console password The serial cons...

Страница 17: ...sole port follow these steps 1 Check that the console connection settings are configured as described above 2 Connect one of the connectors on the RS 232 cable supplied directly to the console port on...

Страница 18: ...eries 2 Plug the other end of the power cord into a grounded power outlet 3 Power on the appliance using the On Off switch at the back of the unit 4 The SG4300 Series will boot up and CorePlus will st...

Страница 19: ...2 4 Connecting Power Chapter 2 Installation 19...

Страница 20: ...tandard web browser running on a standalone computer also referred to as the management workstation can be used to access the CorePlus Web Interface This provides an intuitive graphical interface for...

Страница 21: ...below and in the setup wizard as the WAN interface In this manual we will assume that the physical ge2 interface of the SG4300 Series is used for Internet connection although it could be any other un...

Страница 22: ...ault management interface To enter these settings on a PC running Windows XP the following steps are needed Click the Start button Right click on My Network Places and select Properties Right click th...

Страница 23: ...Note Apple Mac Workstation Setup To set up an Apple Mac as the workstation see Appendix D Apple Mac IP Setup 3 1 Management Workstation Connection Chapter 3 CorePlus Configuration 23...

Страница 24: ...mporarily turned off to allow the setup wizard to run If there is no response from CorePlus and the reason is not clear refer to the help checklist in Section 3 5 Troubleshooting Setup The CorePlus Se...

Страница 25: ...changes have been made and activated either through the wizard Web Interface or CLI then the wizard cannot be run since the wizard requires that CorePlus has the factory defaults The Wizard Assumes In...

Страница 26: ...e forgotten restoring to factory defaults will restore the original admin admin combination The password should be composed in a way which makes it difficult to guess Wizard step 2 Set the date and ti...

Страница 27: ...the next wizard screen All fields need to be entered except for the Secondary DNS server field 4B DHCP automatic configuration All required IP addresses will automatically be retrieved from the ISP s...

Страница 28: ...y the ISP DNS servers are set automatically after connection with PPTP Wizard step 5 DHCP server settings If the Clavister Security Gateway is to function as a DHCP server it can be enabled here in th...

Страница 29: ...NS server specified should be the DNS supplied by your ISP When specifying a hostname as a server instead of an IP address the hostname should be prefixed with the string dns For example the hostname...

Страница 30: ...key to do this For the SG4300 Series this key can be found written on the label on the underside of the unit If you are already registered as a customer then you will need to login to the Customer We...

Страница 31: ...be different any interface can perform any logical function With the SG4300 Series the ge1 interface is the default management interface The other interfaces can be used as required For this section...

Страница 32: ...must have the prefix dns Once the values are set correctly we can press the OK button to save the values while we move on to more steps in CorePlus configuration Although changed values like this are...

Страница 33: ...e activating a new configuration Sometimes activating configuration changes in small batches can be appropriate in order to check that a small set of changes work as planned It is however not advisabl...

Страница 34: ...setup is done Also these addresses are private IP addresses and in reality an ISP would use public IP addresses instead Let s now add the gateway IP4 Address object which we will call wan_gw and assig...

Страница 35: ...r Enter the details of the object into the properties fields for the IP4 Address Below we have entered the IP address 10 5 4 1 for the address object called wan_gw This is the IP of the ISP s router w...

Страница 36: ...to a given destination network and destination interface A route defined in a CorePlus routing table which specifies on which interface CorePlus can find the traffic s destination IP address If multi...

Страница 37: ...be created which are combinations of existing services We could have specified the rule Action to be Allow but only if all the hosts on the protected local network have public IP addresses By using N...

Страница 38: ...dress objects Note Disabling automatic route generation Automatic route generation is enabled and disabled with the setting Automatically add a default route for this interface using the given default...

Страница 39: ...n CorePlus routing table which specifies that the network all nets can be found on the interface connected to the ISP and this route must also have the correct Default Gateway IP address specified Thi...

Страница 40: ...erface object needs to be created Let us assume that the PPTP tunnel will be called wan_pptp with a a remote endpoint 10 5 4 1 which has been defined as the IP4 Address object pptp_endpoint Go to Inte...

Страница 41: ...o do this go to System DHCP DHCP Servers and select Add DHCP Server We can now specify the server properties In addition it is important to specify the Default gateway for the server This will be hand...

Страница 42: ...w through the Clavister Security Gateway As discussed earlier the CorePlus will drop any traffic unless an IP rule explicitly allows it Let us suppose that we wish to allow the pinging of external hos...

Страница 43: ...connection then the default rule is triggered This rule is hidden and cannot be changed and its action is to drop all such traffic as well as generate a log message for the drop In order to gain cont...

Страница 44: ...ted For example we can delete the drop all IP rule created in the previous paragraph by right clicking the rule and selecting Delete in the context menu The rule now appears with a line scored through...

Страница 45: ...then the Upload License button to send it to CorePlus As soon as upload of the license is complete the 2 hour restriction will be removed and CorePlus will be restricted only by the restrictions of th...

Страница 46: ...console port and a username password combination will not be required a password for this console can be set later Device If connecting remotely through an SSH Secure Shell client an administration u...

Страница 47: ...can be used as desired For the sake of example we will assume that the ge2 interface will be used for connection to the public Internet and the ge3 interface will be used for connection to a protected...

Страница 48: ...ress object which is located in a folder we must qualify the object s name with the name of the folder When we specify for example the address ge2_ip we must qualify it with the folder name InterfaceA...

Страница 49: ...he internal network hosts have public IP addresses but in most scenarios this will not be true and internal hosts will have private IP addresses In that case we must use NAT to send out traffic so tha...

Страница 50: ...route is added the connection to the Internet is configured but no traffic can flow to or from the Internet since there is no IP rule defined that allows it As was done in the previous option A above...

Страница 51: ...network for this route is the Remote Network specified for the tunnel and for the public Internet this should be all nets As with all automatically added routes if the PPTP tunnel object is deleted th...

Страница 52: ...ed to maintain the accuracy of the system date and time The command below sets up synchronization with the two NTP servers at hostname pool ntp org and IP address 10 5 4 76 Device set DateTime TimeSyn...

Страница 53: ...nded to create a drop all rule as the last rule in the main IP rule set This rule has an Action of Drop with the source and destination network set to all nets and the source and destination interface...

Страница 54: ...nected Check the link indicator lights on the management interface If they are dark then there may be a cable problem 5 Check the cable type connected to the management interface Is the management int...

Страница 55: ...ill show the ARP packets being received on the different interfaces and confirm that the correct cables are connected to the correct interfaces 3 5 Troubleshooting Setup Chapter 3 CorePlus Configurati...

Страница 56: ...defined so all traffic is dropped At least one IP rule needs to be defined before traffic can traverse the Clavister Security Gateway In addition to IP rules routes need to be defined so that traffic...

Страница 57: ...vister company website at http www clavister com or contact your local sales representative Staying Informed Clavister maintains an RSS feed of announcements that can be subscribed to at https forums...

Страница 58: ...3 6 Going Further with CorePlus Chapter 3 CorePlus Configuration 58...

Страница 59: ...rranty service can be obtained within the warranty period with the following steps 1 Obtain a Return Material Authorization RMA number from Clavister This must be obtained before the product is sent b...

Страница 60: ...vister support can be contacted by email at support clavister com Customer Remedies Clavister s entire liability according to this warranty shall be at Clavister s option either return of the price pa...

Страница 61: ...e A 2 Regulatory and Safety Standards Safety UL CE EMC FCC class A CE class A VCCI class A Figure A 3 Environmental Humidity 20 to 95 noncondensing Operational Temperature 0 to 45 C Vibration 0 41 Grm...

Страница 62: ...Appendix B Declarations of Conformity 62...

Страница 63: ...Appendix B Declarations of Conformity 63...

Страница 64: ...ddsjorden har terst llts F r LAN kablage g ller dessutom att om LAN et t cker ett omr de som betj nas av mer n ett str mf rs rjningssystem m ste deras respektive skyddsjord vara ihopkopplade LAN kabla...

Страница 65: ...essere installato un collegamento a terra di sicurezza non interrompibile che vada dalla fonte d alimentazione principale ai terminali d entrata al cavo d alimentazione oppure al set cavo d alimentazi...

Страница 66: ...nes en la red de energ a el ctrica Manejar con precauci n los componentes de metal de la LAN que est n al descubierto Este aparato no contiene pieza alguna susceptible de reparaci n por parte del usua...

Страница 67: ...ity Gateway To do this a selected Ethernet interface on the Mac must be configured correctly with a static IP The setup steps for this with Mac OS X are 1 Go to the Apple Menu and select System Prefer...

Страница 68: ...5 Now set the following values IP Address 192 168 1 30 Subnet Mask 255 255 255 0 Router 192 168 1 1 6 Click Apply to complete the static IP setup Appendix D Apple Mac IP Setup 68...

Отзывы:

Нет отзывов