Clavister SG4500 Series Скачать руководство пользователя | Manualshive

Страница: 58 / 87

background image

Firstly, we must change the current CLI context to be the

IPRuleSet

called

main

using the

command:

Device:/> cc IPRuleSet main

Now add an IP rule called

allow_ping_outbound

to allow ICMP pings to pass:

Device:/main> add IPRule name=allow_ping_outbound

Action=NAT SourceInterface=ge3
SourceNetwork=InterfaceAddresses/ge3_net
DestinationInterface=ge2
DestinationNetwork=all-nets
Service=ping-outbound

The IP rule again has the

NAT

action and this is necessary if the protected local hosts have private

IP addresses. The ICMP requests will be sent out from the Clavister Security Gateway with the IP
address of the interface connected to the ISP as the source interface. Responding hosts will send
back ICMP responses to this single IP and CorePlus will then forward the response to the correct
private IP address.

Adding a Drop All Rule

Scanning of the IP rule set is done in a top-down fashion. If no matching IP rule is found for a
new connection then the

default rule

is triggered. This rule is hidden and cannot be changed and

its action is to drop all such traffic as well as generate a log message for the drop.

In order to gain control over the logging of dropped traffic, it is recommended to create a drop
all rule as the last rule in the

main

IP rule set. This rule has an

Action

of

Drop

with the source and

destination network set to

all-nets

and the source and destination interface set to

any

.

The service for this rule must also be specified and this should be set to

all_services

in order to

capture all types of traffic. The command for creating this rule is:

Device:/main> add IPRule name=drop_all

Action=Drop SourceInterface=any
SourceNetwork=any
DestinationInterface=any
DestinationNetwork=all-nets
Service=all_services

Uploading a License

Without a valid license loaded, CorePlus operates in

demonstration mode

which means it will

cease operations after 2 hours from startup. To remove this restriction, a valid license must be
uploaded to the Clavister Security Gateway.

To do this, download a license as described in the last part of

Section 3.2, “Web Interface and

Wizard Setup”

. This license can then be uploaded directly to CorePlus using a

Secure Copy

(SCP)

client (see the CorePlus Administrators Guide for more details of using SCP). As soon as upload of
the license is complete, the 2 hour restriction will be removed and CorePlus will be restricted
only by the restrictions of the license.

Chapter 3: CorePlus Configuration

58

«
...
56
57
58
59
60
...
»

Содержание SG4500 Series

Страница 1: ...lavister SG4500 Series Getting Started Guide Clavister AB Sj gatan 6J SE 89160 rnsk ldsvik SWEDEN Phone 46 660 299200 Fax 46 660 12250 www clavister com Published 2011 03 24 Copyright 2011 Clavister A...

Страница 2: ...Clavister reserves the right to revise this publication and to make changes from time to time in the content hereof without any obligation to notify any person or parties of such revision or changes...

Страница 3: ...Configuration 24 3 1 Management Workstation Connection 24 3 2 Web Interface and Wizard Setup 29 3 3 Manual Web Interface Setup 36 3 4 CLI Setup 51 3 5 Downgrading to 8 nn 59 3 6 Troubleshooting Setup...

Страница 4: ...ies Keypad and Display 11 2 1 A Typical SFP SFP Module 17 2 2 An Example of an SFP 1000 Base TX Module 17 2 3 Installing an SFP SFP Module 17 2 4 The SG4500 Series RS 232 Console Port 19 2 5 Rear View...

Страница 5: ...hand side of the page followed by a short paragraph in italicized text There are the following types of such sections Note This indicates some piece of information that is an addition to the preceding...

Страница 6: ...le For example http www clavister com Trademarks Certain names in this publication are the trademarks of their respective owners CorePlus is the trademark of Clavister AB Windows Windows XP Windows Vi...

Страница 7: ...pliance Open the packaging box used for shipping and carefully unpack the contents The delivered product packaging should contain the following 1 The Clavister SG4500 Series appliance 2 A mounting kit...

Страница 8: ...he SG4500 Series appliance is marked with the European Waste Electrical and Electronic Equipment WEEE directive symbol which is shown below The product and any of its parts should not be discarded of...

Страница 9: ...ical interface in the CorePlus software configuration Going from left to right the Ethernet interfaces are A set of 4 interfaces consisting of i 2 x Small Form Pluggable Plus SFP Ethernet interfaces w...

Страница 10: ...the link speed and has the following states Not lit dark if the link is 10 Mb Green if the link is 100 Mb Yellow if the link is 1 Gb USB Ports Next to the RS 232 port are 2 USB ports These ports are...

Страница 11: ...monstration mode then this is indicated along with how much time is left before timeout If CorePlus is in lockdown mode then this is shown CPU and Connections This shows the CPU load and the total num...

Страница 12: ...cal Ethernet interface present The information displayed for each interface is i The logical CorePlus interface name ii The current linkspeed iii If the link is full duplex FD or half duplex HD This i...

Страница 13: ...Chapter 1 Product Overview 13...

Страница 14: ...nstallation requires a different power cord than the one supplied with the appliance be sure to use a cord displaying the mark of the safety agency that defines the regulations for power cords in your...

Страница 15: ...evated dust levels can significantly reduce the operating lifetime of fans Note Detailed information concerning power supply range operating temperature range etc can be found at the end of this publi...

Страница 16: ...nces at the rear Important Use rear brackets for rack mounting It is strongly recommended that the rear brackets included with the SG4500 Series are fitted and used to support the appliance from the b...

Страница 17: ...d they must be purchased separately Figure 2 1 A Typical SFP SFP Module Figure 2 2 An Example of an SFP 1000 Base TX Module Installation of the different types of modules is usually done in a similar...

Страница 18: ...P support Important Cover unused SFP and SFP interfaces with dust caps The SG4500 Series SFP and SFP interfaces are covered with dust caps when the product is unpacked These prevent dust entering thei...

Страница 19: ...s done through a web browser as described in Section 3 2 Web Interface and Wizard Setup If the RS 232 port is used for setup no password is initially needed and the CLI commands required are described...

Страница 20: ...Connection Steps To connect a terminal to the console port follow these steps 1 Check that the console connection settings are configured as described above 2 Connect one of the connectors on the RS 2...

Страница 21: ...not fitted then the second PSU slot must be filled with a special PSU Filler Module component The filler module is necessary to prevent the alarm sounding because the hardware will detect only one act...

Страница 22: ...itial configuration is discussed in detail in Section 3 1 Management Workstation Connection Important Protecting Against Power Surges It is strongly recommended that the purchase and use of a separate...

Страница 23: ...Chapter 2 Installation 23...

Страница 24: ...rs in this manual before continuing Clavister s CorePlus network security operating system is preloaded on the hardware and will automatically boot up after power is supplied The Default Management In...

Страница 25: ...ace Alternatively CLI access can be through a console connected directly to the local RS 232 port on the SG4500 Series hardware Direct console connection is described in Section 2 3 Console Port Conne...

Страница 26: ...are on the same IP network This means the workstation interface should be first assigned the following static IP addresses IP address 192 168 1 30 Subnet mask 255 255 255 0 Default gateway 192 168 1...

Страница 27: ...be entered later To browse the Internet from the management workstation via the security gateway then it is possible to go back to the last step s properties dialog later and enter DNS server IP addr...

Страница 28: ...Platforms The following appendixes describe management workstation IP setup for other platforms Appendix C Vista IP Setup Appendix D Windows 7 IP Setup Appendix E Apple Mac IP Setup Chapter 3 CorePlus...

Страница 29: ...mporarily turned off to allow the setup wizard to run If there is no response from CorePlus and the reason is not clear refer to the help checklist in Section 3 6 Troubleshooting Setup The CorePlus Se...

Страница 30: ...ate screen and run again by choosing the Setup Wizard option from the Web Interface toolbar Once any configuration changes have been made and activated either through the wizard Web Interface or CLI t...

Страница 31: ...d as shown below It is recommended that this is always done and the new username password is remembered if these are forgotten restoring to factory defaults will restore the original admin admin combi...

Страница 32: ...ould be entered in the next wizard screen All fields need to be entered except for the Secondary DNS server field 4B DHCP automatic configuration All required IP addresses will automatically be retrie...

Страница 33: ...ically after connection with PPTP Wizard step 5 DHCP server settings If the Clavister Security Gateway is to function as a DHCP server it can be enabled here in the wizard on a particular interface or...

Страница 34: ...ce In this setup this corresponds to 192 168 1 1 The DNS server specified should be the DNS supplied by your ISP When specifying a hostname as a server instead of an IP address the hostname should be...

Страница 35: ...er Registration Key to register the key also referred to as the License Number For the SG4500 Series this key can be found written on a label on the underside or back of the appliance The license cent...

Страница 36: ...capabilities may be different any interface can perform any logical function With the SG4500 Series the ge1 interface is the default management interface The other interfaces can be used as required F...

Страница 37: ...dns Once the values are set correctly we can press the OK button to save the values while we move on to more steps in CorePlus configuration Although changed values like this are saved by CorePlus th...

Страница 38: ...s It is up to the administrator to decide how many changes to make before activating a new configuration Sometimes activating configuration changes in small batches can be appropriate in order to chec...

Страница 39: ...both belong is 10 5 4 0 24 Note Private IP addresses are used for example only Each installation s IP addresses will be different from these IP addresses but they are used here only to illustrate how...

Страница 40: ...IP address objects The folder name can be chosen to indicate the folder s contents Now click the Add button at the top left of the list and choose the IP4 Address option to add a new address to the f...

Страница 41: ...inimum of the following two CorePlus configuration objects to exist before it can flow through the Clavister Security Gateway An IP rule defined in a CorePlus IP rule set that explicitly allows traffi...

Страница 42: ...make the service in an IP rule as restrictive as possible to provide the best security possible Custom service objects can be created and new service objects can be created which are combinations of...

Страница 43: ...d earlier after setting up the required IP4 Address objects Note Disabling automatic route generation Automatic route generation is enabled and disabled with the setting Automatically add a default ro...

Страница 44: ...oute has to be added to the main CorePlus routing table which specifies that the network all nets can be found on the interface connected to the ISP and this route must also have the correct Default G...

Страница 45: ...el since there is no IP rule defined that allows it As was done in option A above we must define an IP rule that will allow traffic from a designated source interface and source network in this exampl...

Страница 46: ...lso automatically deleted At this point no traffic can flow through the tunnel since there is no IP rule defined that allows it As was done in option A above we must define an IP rule that will allow...

Страница 47: ...m and this is configured in CorePlus Syslog is one of the most common server types First we create an IP4 Address object called for example syslog_ip which is set to the IP address of the server We th...

Страница 48: ...ppear and we can add a rule in this case called allow_ping_outbound The IP rule again has the NAT action and this is necessary if the protected local hosts have private IP addresses The ICMP requests...

Страница 49: ...gging box All log messages generated by this rule will be given the selected severity and which will appear in the text of the log messages It is up to the administrator to choose the severity and dep...

Страница 50: ...ay To do this download a license as described in the last part of Section 3 2 Web Interface and Wizard Setup This license can then be uploaded directly to CorePlus by selecting the License option from...

Страница 51: ...l cause CorePlus to respond The response will be a normal CLI prompt if connecting locally through the RS 232 console port and a username password combination will not be required a password for this...

Страница 52: ...logically equal for CorePlus and although their physical capabilities may be different any interface can perform any logical function With the SG4500 Series the ge1 interface is the default managemen...

Страница 53: ...nitial startup of the SG4500 Series CorePlus automatically creates and fills the InterfaceAddresses folder in the CorePlus address book with the interface related IP address objects When we specify an...

Страница 54: ...lic Internet Device main add IPRule name lan_to_wan Action Allow SourceInterface ge3 SourceNetwork InterfaceAddresses ge3_net DestinationInterface ge2 DestinationNetwork all nets Service http all This...

Страница 55: ...t Gateway IP address specified This all nets route is added automatically by CorePlus during the DHCP address retrieval process Automatic route generation is a setting for each interface that can be m...

Страница 56: ...ute with the PPTP tunnel to allow traffic to flow through it and this is automatically created in the main routing table when the tunnel is defined The destination network for this route is the Remote...

Страница 57: ...s case ge3_ip NTP Server Setup Network Time Protocol NTP servers can optionally be configured to maintain the accuracy of the system date and time The command below sets up synchronization with the tw...

Страница 58: ...er to gain control over the logging of dropped traffic it is recommended to create a drop all rule as the last rule in the main IP rule set This rule has an Action of Drop with the source and destinat...

Страница 59: ...Downgrading to 8 nn The SG4500 Series comes preinstalled with a 9 nn CorePlus version and this cannot be downgraded since the hardware does not support 8 nn versions Chapter 3 CorePlus Configuration...

Страница 60: ...correctly 4 Is the management interface properly connected Check the link indicator lights on the management interface If they are dark then there may be a cable problem 5 Check the cable type connec...

Страница 61: ...using the console command Device arpsnoop all This will show the ARP packets being received on the different interfaces and confirm that the correct cables are connected to the correct interfaces Cha...

Страница 62: ...h combinations of the source destination interface network combined with protocol type By default no IP rules are defined so all traffic is dropped At least one IP rule needs to be defined before traf...

Страница 63: ...n Courses For details about classroom and online CorePlus education as well as CorePlus certification visit the Clavister company website at http www clavister com or contact your local sales represen...

Страница 64: ...Chapter 3 CorePlus Configuration 64...

Страница 65: ...n The SG4500 Series does not need both PSUs fitted The appliance can operate correctly with just one PSU fitted If this is the case the second PSU slot should be filled with a special PSU Filler Modul...

Страница 66: ...ower cord is inserted and external power is applied Important Dusty environments reduce PSU fan lifetimes SG4500 Series PSU fans are designed to work in environments with reasonable air quality Elevat...

Страница 67: ...e 4 3 The PSU Status LED Swapping a PSU To swap a failed PSU 1 Switch off the power source to the faulty PSU This may be done by simply unplugging the power cable from a wall socket 2 Remove the power...

Страница 68: ...er cord into a wall socket 8 The new PSU s green light will illuminate indicating normal operation and the audible alarm will stop if it hasn t already been switched off Tip Having spare PSUs onsite H...

Страница 69: ...es fans are designed to work in environments with reasonable air quality Elevated dust levels in the surrounding air can substantially reduce the operating lifetimes of fan modules Identifying Failure...

Страница 70: ...fans modules 3 The fans are secured in place by a simple spring mechanism on each module s left and right side and this will release the module if sufficient outward even force is applied Each module...

Страница 71: ...he fan will begin to spin immediately 6 Replace the metal grill by locating its two tabs into the locating holes on the left and secure it by screwing back the retaining screw by hand The retaining sc...

Страница 72: ...Chapter 4 Product Maintenance 72...

Страница 73: ...eplacement Hardware will be warranted for the remainder of the original warranty period or thirty days whichever is longer Note that the term Start Date means the earlier of the product registration d...

Страница 74: ...r memory data contained in stored on or integrated with any product returned to Clavister pursuant to this warranty Contacting Clavister Should there be a problem with the online form then Clavister s...

Страница 75: ...er serviceable parts inside these products Only service trained personnel can perform any adjustment maintenance or repair S kerhetsf reskrifter Dessa produkter r s kerhetsklassade enligt klass I och...

Страница 76: ...elle zu den Ger teingabeterminals den Netzkabeln oder dem mit Strom belieferten Netzkabelsatz voraus Sobald Grund zur Annahme besteht dass der Schutz beeintr chtigt worden ist das Netzkabel aus der Wa...

Страница 77: ...rna de puesta a tierra Es preciso que exista una puesta a tierra continua desde la toma de alimentac on el ctrica hasta las bornas de los cables de entrada del aparato el cable de alimentaci n hasta h...

Страница 78: ...491 hours Regulatory and Safety Standards Safety UL CE EMC FCC class A CE class A VCCI class A Environmental Humidity 20 to 95 noncondensing Operational Temperature 0 to 45 C Vibration 0 41 Grms2 3 50...

Страница 79: ...Appendix B Declarations of Conformity 79...

Страница 80: ...Appendix B Declarations of Conformity 80...

Страница 81: ...ateway s address of 192 168 1 1 The IP address 192 168 1 30 will be used for this purpose and the steps to set this up with Vista are as follows 1 Press the Windows Start button 2 Select the Control P...

Страница 82: ...se the following IP address and enter the following values IP Address 192 168 1 30 Subnet mask 255 255 255 0 Default gateway 192 168 1 1 DNS addresses can be entered later once Internet access is esta...

Страница 83: ...ay s address of 192 168 1 1 The IP address 192 168 1 30 will be used for this purpose and the steps to set this up with Windows 7 are as follows 1 Press the Windows Start button 2 Select the Control P...

Страница 84: ...the following IP address and enter the following values IP Address 192 168 1 30 Subnet mask 255 255 255 0 Default gateway 192 168 1 1 DNS addresses can be entered later once Internet access is establ...

Страница 85: ...ity Gateway To do this a selected Ethernet interface on the Mac must be configured correctly with a static IP The setup steps for this with Mac OS X are 1 Go to the Apple Menu and select System Prefer...

Страница 86: ...5 Now set the following values IP Address 192 168 1 30 Subnet Mask 255 255 255 0 Router 192 168 1 1 6 Click Apply to complete the static IP setup Appendix E Apple Mac IP Setup 86...

Страница 87: ...Clavister AB Sj gatan 6J SE 89160 rnsk ldsvik SWEDEN Phone 46 660 299200 Fax 46 660 12250 www clavister com...

Отзывы:

Нет отзывов

Похожие инструкции для SG4500 Series

Mini Field Agent

Бренд: GE Страницы: 87

Бренд: Vanguard Страницы: 121

Бренд: 4RF Страницы: 7

Бренд: ICP DAS USA Страницы: 8

Бренд: iDirect Страницы: 60

Бренд: Qualys Страницы: 2

Бренд: Zonet Страницы: 10

Бренд: Samsung Страницы: 65

Бренд: Oracle Страницы: 24

Бренд: SeaLevel Страницы: 17

Бренд: Supermicro Страницы: 16

Active Module Carrier VX402C-64

Бренд: C&H Страницы: 32

Бренд: Gbord Страницы: 8

Бренд: Comelit Страницы: 19

Бренд: VideoWave Страницы: 12

ADSL Ethernet & USB Combo Router Lynx L-510

Бренд: Starbridge Networks Страницы: 59

CL-SOM-AM57 Series

Бренд: CompuLab Страницы: 79

Бренд: Renesas Страницы: 40

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды