Amer-networks E5Web GUI User Manual

Search online or download the User Manual for the Amer-networks E5Web GUI computer accessory. Amer Networks E5Web GUI User Manual

Clavister cOS Core
Administration Guide
Version: 10.20.02
Clavister AB
Sjögatan 6J
SE-89160 Örnsköldsvik
SWEDEN
Phone: +46-660-299200
www.clavister.com
Published 2014-03-31
Copyright © 2014 Clavister AB

Table of contents

Page 1 - Administration Guide

Clavister cOS Core
Administration Guide
Version: 10.20.02
Clavister AB
Sjögatan 6J
SE-89160 Örnsköldsvik
SWEDEN
Phone: +46-660-299200
www.clavister.com
Publish

Page 2

8.1. Normal LDAP Authentication ... 533
8.2. LDAP for PPP with CHAP, MS-CHAPv1 or

Page 3 - Table of Contents

InControl
Follow the same steps used for the Web Interface below.
Web Interface
1. Go to: System > Device > Remote Management > Add > SNMP ma

Page 4

Default: N/A
System Location
The physical location of the node.
Default: N/A
Interface Description (SNMP)
What to display in the SNMP MIB-II ifDescr variab

Page 5

Default: 500
Using the hwm CLI Command
To get a list of current values from all available sensors, the following command can be used:
Device:/> hwm -all
T

Page 6

Note: Sensors can differ depending on hardware type
Each hardware model can have a different set of sensors in different locations and with different op

Page 7

Sensor Name   Sensor Type   Sensor Number   Minimum Limit   Maximum Limit
CPUTemp       TEMP          0               0               65
SysTemp       TEMP          1               65              65
• Eagle E5
Monitoring is not available.
• Eagle

Page 8

• 2 - PSU inserted, powered up.
2.4.6. Memory Monitoring Settings
The System > Device > Hardware Monitoring section of the Web Interface or InCont

Page 9 - List of Figures

2.5. Diagnostic Tools
2.5.1. Overview
In the case of a serious system problem cOS Core provides some tools to aid in identifying the cause. These are:
• D

Page 10

Generation date/time: 2008-07-04 14:23:56
List of loaded PE-modules:
fwloader(1.07.04): BA:0x00100000, EP:0x00101028, SS:0x0, IS:0xe7000
fwcore(810.20.0

Page 11 - List of Examples

At this point, the file cap_lan.cap should be downloaded to the management workstation for analysis.
5. A final cleanup is performed and all memory take

Page 12

information to a file on the Clavister Security Gateway. These output files are placed into the cOS Core root directory and the file name is specified

Page 13

List of Examples
1. Example Notation ... 14
2.1. Remote Manage

Page 14 - Examples

hardware units and they should each be reset to the base configuration. Resetting to the base configuration can be done through the CLI or Web Interfac

Page 15 - Highlighted Content

If the -burnin option is used, a set of tests, known as the test subset, is repeated continuously for a period of time. The default test period is two

Page 16 - Important

2.6. Maintenance
2.6.1. Software Upgrades
Clavister Security Gateways are driven and controlled by cOS Core and this consists of two major components: th

Page 17 - Chapter 1: cOS Core Overview

These have bug fixes only with no feature additions. They are freely available to all customers who are licensed to run the base version involved in th

Page 18

It can be advisable to make a full system backup before performing a system upgrade. If there is a requirement to wind back the upgrade, the system bac

Page 19

• Appendix A, Update Subscriptions
2.6.3. Backing Up Configurations
The administrator has the ability to take a snapshot of a cOS Core system at a given

Page 20

version, a cOS Core upgrade can then be performed.
The Management Interfaces Used
Both types of backup, configuration and system, can be performed eith

Page 21

As an alternative to using SCP, the administrator can initiate a backup or restore of the configuration or complete system directly through the Web Int

Page 22 - 1.2. cOS Core Architecture

1. Go to: Status > Maintenance > Reset & Restore > Reset
2. Select Restore the entire unit to factory defaults then confirm and wait for t

Page 23 - 1.2.3. Basic Packet Flow

Note: Original CorePlus 8.nn systems need two resets
If an upgrade from a CorePlus 8.nn version has been done previously on Clavister hardware that was

Page 24 - Note: Additional actions

3.31. Uploading a Certificate with the Web Interface or InControl ... 227
3.32. Uploading a Certificate with Web Interface o

Page 25

can explicitly choose the driver from a list using the -force_driver option. The index number of the PCI card is first identified from the output of th

Page 26

2.7. Licensing
Overview
To use cOS Core in a live environment, a cOS Core license file must be installed. A unique license file is needed for each proces

Page 27

license installed before.
2. Automatically through the Web Interface
Go to Status > Maintenance > License and enter the customer username and pass

Page 28

Lockdown Mode
cOS Core will enter a state known as Lockdown Mode if certain license violations occur. While in lockdown mode, only remote management tra

Page 29 - Apply Rules

Warning: More restrictive licenses can cause lockdown
If a more restrictive license is loaded into cOS Core so that the existing number of an object typ

Page 30

HA Cluster Licensing
In a cOS Core High Availability Cluster, two identical licenses must be purchased, one for the master and one for the slave unit. B

Page 31 - 2.1. Managing cOS Core

Chapter 2: Management and Maintenance 126

Page 32 - Remote Management Policies

Chapter 3: Fundamentals
This chapter describes the fundamental logical objects which make up a cOS Core configuration. These objects include such items

Page 33 - 2.1.3. The Web Interface

• It increases understanding of the configuration by using meaningful symbolic names.
• Using address object names instead of entering numerical addres

Page 34 - Virtual Series If1

3. Enter 192.168.10.16 for the IP Address
4. Click OK
Example 3.2. Adding an IP Network
This example adds an IPv4 network named wwwsrvnet with address 19

Page 35 - The Web Browser Interface

6.20. Activating Anti-Virus Scanning ... 465
6.21. Setting up IDP for a Mail Server .

Page 36 - Interface Layout

4. Click OK
Example 3.4. Deleting an Address Object
To delete an object named wwwsrv1 in the address book, do the following:
Command-Line Interface
Device

Page 37 - Using CA Signed Certificates

InControl
Follow the same steps used for the Web Interface below.
Web Interface
1. Go to: Objects > Address Book > Add > Ethernet Address
2. Spec

Page 38 - HTTPSCertificate=HostA

Note: IP and MAC Addresses
Address book objects can never contain both IP addresses and Ethernet MAC addresses since these are entirely different in the

Page 39 - 2.1.4. The CLI

address book folders. These folders are just like a folder in a computer's file system. They are created with a given name and can then be used to

Page 40 - Tip: Getting help about help

3.2. IPv6 Support
All the IP addresses discussed so far are of the IPv4 type. The IP address standard IPv6 is designed as a successor to IPv4 with the p

Page 41 - Tab Completion

2. Specify a suitable name for the object, in this case: wan_net6
3. Enter 2001:DB8::/32 for the IP6 Address
4. Click OK
Add the IP address:
1. Go to: Obj

Page 42 - Object Categories

Web Interface
1. Go to: System > Advanced Settings > IP Settings
2. Enable the setting: Enable IPv6
3. Click OK
B. Enable IPv6 on an Interface
Once I

Page 43 - Referencing by Name

enabled by default).
Enabling IPv6 Router Advertisement
An additional option for an Ethernet interface is to enable IPv6 router advertisement. This mean

Page 44 - Serial Console CLI Access

Enabling ICMP Error Pass Through
Unlike IPv4, fragmentation of IPv6 packets is only done by the originating host using the host's selection of MTU

Page 45 - Device:/> shutdown

First, change the CLI context to be the main routing table:
Device:/> cc RoutingTable main
Add the IPv6 route:
Device:/main> add Route6 Network=my_

Page 46 - Logging on to the CLI

Preface
Intended Audience
The target audience for this reference guide is Administrators who are responsible for configuring and managing Clavister Secur

Page 47 - Changing the CLI Prompt

The above rule assumes that IPv6 has been enabled on the wan interface. A general discussion of ping and its options along with IPv4 usage can be found

Page 48 - Device:/> reconf

examines the cOS Core neighbor discovery cache. Neighbor discovery handling in cOS Core resembles ARP handling in that a cache is maintained in local me

Page 49 - Logging off from the CLI

given the value AcceptLog. This can help identify if the cause is the same IPv6 address moving between hardware Ethernet addresses.
• NDCacheSize
The nei

Page 50 - 2.1.5. CLI Scripts

3.3. Services
3.3.1. Overview
A Service object is a reference to a specific IP protocol with associated parameters. A service definition is usually based

Page 51 - Script Variables

all_tcpudp    All TCP and UDP services
ipsec-suite   The IPsec+IKE suite
l2tp-ipsec    L2TP using IPsec for encryption and authentication
l2tp-raw      L2TP control a

Page 52 - Saving Scripts

3.3.2. Creating Custom Services
If the list of predefined cOS Core service objects does not meet the requirements for certain traffic then a new service

Page 53 - Listing Scripts

Single Port   For many services, a single destination port is sufficient. For example, HTTP usually uses destination port 80. The SMTP protocol uses port

Page 54

sent to reduce the rate of traffic flow. On the other hand, dropping ICMP messages increases security by preventing them being used as a means of attac

Page 55 - 2.1.6. Secure Copy

This example shows how to add a TCP/UDP service, using destination port 3306, which is used by MySQL:
Command-Line Interface
Device:/> add Service Ser

Page 56

When a message type is selected but no code values are given then all codes for that type are assumed.
ICMP Message Types
The message types that can be se

Page 57 - 2.1.7. The Console Boot Menu

prompt followed by the command:
Device:/> somecommand someparameter=somevalue
InControl
The InControl actions for the example are shown here. They are

Page 58 - The Reset Menu

IP protocol numbers
The currently assigned IP protocol numbers and references are published by the Internet Assigned Numbers Authority (IANA) and can be

Page 59

a configuration and decrease the ability to troubleshoot problems.
3.3.6. Custom Service Timeouts
Any service can have its custom timeouts set. These ca

Page 60

3.4. Interfaces
3.4.1. Overview
An Interface is an important logical building block in cOS Core. All network traffic that transits through, originates fr

Page 61 - Device:/> activate

• Virtual LAN (VLAN) interfaces as specified by IEEE 802.1Q. When routing IP packets over a Virtual LAN interface, they will be encapsulated in VLAN-ta

Page 62 - IP=192.168.1.2

Important: Remove references before removing interfaces
If a logical interface is to be deleted from a cOS Core configuration, it is important to first

Page 63 - Changing a Remote Access Rule

Ethernet Frames
Devices broadcast data as Ethernet frames and other devices "listen" to determine if they are the intended destination for any

Page 64

Each Ethernet interface is required to have an Interface IP Address, which can be either a static address or an address provided by DHCP. The interface

Page 65

packets. Auto is the default behavior.
• Enable DHCP Client
cOS Core includes a DHCP client feature for dynamic assignment of address information by a con

Page 66

on an interface with this option. When enabled, default switch routes are automatically added to the routing table for the interface and any correspondi

Page 67 - Object Organization

• Change the IP address directly on the interface. For example, if we want to change the IPv4 address of the lan interface to 10.1.1.2, we could use th

Page 68

Important
This is an essential point that the reader should read and understand.
Warning
This is essential reading for the user as they should be aware t

Page 69

3.4.2.1. Useful CLI Commands for Ethernet Interfaces
This section summarizes the CLI commands most commonly used for examining and manipulating cOS Core

Page 70

InterfaceAddresses/lan_ip   InterfaceAddresses/wan_net
InterfaceAddresses/lan_net  Server
Setting Interface Addresses
The CLI can be used to set the address

Page 71 - Listing Modified Objects

To enable the interface lan:
Device:/> set EthernetDevice lan -enable
To set the driver on an Ethernet interface card the command is:
Device:/> set

Page 72

Require that the assigned broadcast address is the highest address in the assigned network.
Default: Enabled
DHCP_MinimumLeaseTime
Minimum lease time (se

Page 73 - 2.2. Events and Logging

Size of Yukon-II receive ring (per interface).
Default: 256
Ringsize_yukonii_tx
Size of Yukon-II send ring (per interface).
Default: 256
Interface Monitor

Page 74 - 2.2.3. Creating Log Receivers

Percentage of errors in sent packets at which to declare a problem.
Default: 7
3.4.3. Link Aggregation
Where individual physical Ethernet interfaces of a

Page 75 - Message Format

With negotiated aggregation, the switch to which the aggregated interfaces are connected is configured to use LACP (Link Aggregation Control Protocol).

Page 76

However, it is recommended that the physical cabling is in place before the LinkAggregation object is activated and saved. This will provide the behavi

Page 77 - Setting the Hostname

4. Repeat the previous step to add the If2 interface
5. Click OK
3.4.4. VLAN
Overview
Virtual LAN (VLAN) support in cOS Core allows the definition of one

Page 78 - Log Message Exceptions

• A physical interface does not need to be dedicated to VLANs and can carry a mixture of VLAN and non-VLAN traffic.
Physical VLAN Connection with VLAN
Th

Page 79 - 2.2.8. SNMP Traps

Chapter 1: cOS Core Overview
This chapter outlines the key features of cOS Core.
• Features, page 17
• cOS Core Architecture, page 22
• cOS Core State Eng

Page 80 - 2.2.9. Advanced Log Settings

• More than one interface on the security gateway can carry VLAN trunk traffic and these will connect to separate switches. More than one trunk can be

Page 81

It is important to understand that the administrator should treat a VLAN interface just like a physical interface in that they require both appropriate

Page 82 - 2.3. RADIUS Accounting

Point-to-Point Protocol over Ethernet (PPPoE) is a tunneling protocol used for connecting multiple users on an Ethernet network to the Internet through

Page 83 - STOP Message Parameters

address of the interface.
User authentication
If user authentication is required by the ISP, the username and password can be set up in cOS Core for autom

Page 84 - Message Frequency

This example shows how to configure a PPPoE client on the wan interface with traffic routed over PPPoE.
CLI
Device:/> add Interface PPPoETunnel PPPoEC

Page 85 - Further RADIUS Considerations

• Traversing network equipment that blocks a particular protocol.
• Tunneling IPv6 traffic across an IPv4 network.
• Where a UDP data stream is to be mu

Page 86 - Special Accounting Events

The GRE protocol allows for an additional checksum over and above the IPv4 checksum. This provides an extra check of data integrity.
The Virtual Routing

Page 87 - 2.3.9. Limitations with NAT

Any traffic passing between A and B is tunneled through the intervening network using a GRE tunnel and since the network is internal and not public the

Page 88 - Maximum Radius Contexts

• Use Session Key: 1
• Additional Encapsulation Checksum: Enabled
3. Define a route in the main routing table which routes all traffic to remote_net_A o

Page 89 - 2.4. Monitoring

Name     The name of the interface for display and reference in cOS Core.
Loop to  This is the name of the other loopback interface in the pair. The other i

Page 90 - Interface/VLAN/VPN Statistics

addition, cOS Core supports features such as Virtual LANs, Route Monitoring, Proxy ARP and Transparency. For more information, please see Chapter 4, Rou

Page 91 - DHCP Server Statistics

It can be useful to outline the steps required to make use of loopback interfaces in the simplest possible example.
Figure 3.2. A Simple Network with Lo

Page 92 - SMTP ALG DNSBL Statistics

illustrated below.
Figure 3.3. Components of Loopback Interface Setup
The example below explains the detailed management user interface steps required f

Page 93 - IP Pools Statistics

B. Create the second loopback interface
1. Go to: Network > Interfaces and VPN > Loopback > Add > Loopback Interface
2. Under General enter:

Page 94 - 2.4.3. The Link Monitor

Device:/> add Interface InterfaceGroup examplegroup Members=exampleIf1,exampleIf2
InControl
Follow the same steps used for the Web Interface below.
Web

Page 95 - Link Monitor Uses

3.5. ARP
3.5.1. Overview
Address Resolution Protocol (ARP) allows the mapping of a network layer protocol (OSI layer 3) address to a data link layer hard

Page 96 - IPsec Tunnels and HA Clusters

The Expires Column
The third column in the table, Expires, is used to indicate how much longer the ARP entry will be valid for. For example, the first en

Page 97

The Size of the ARP Cache
By default, the ARP Cache is able to hold 4096 ARP entries at the same time. This is adequate for most scenarios but on rare o

Page 98 - 2.4.4. SNMP Monitoring

Proxy ARP is covered in Section 4.2.6, “Proxy ARP” and is not discussed further in this section.
ARP Object Properties
An ARP object has the following p

Page 99 - Preventing SNMP Overload

To understand the difference between Publish and XPublish it is necessary to understand that when cOS Core responds to an ARP query, there are two MAC

Page 100 - System Name

Device:/> add ARPND Interface=lan IP=192.168.10.15 Mode=Static MACAddress=4b-86-f6-c5-a2-14
InControl
Follow the same steps used for the Web Interface b

Page 101 - 2.4.5. Hardware Monitoring

For details of this feature, see Section 6.4, “Anti-Virus Scanning”.
Intrusion Detection and Prevention
To mitigate application-layer attacks towards vulne

Page 102 - Using the hwm CLI Command

ARP Requests
The ARP specification states that a host should update its ARP Cache with data from ARP requests received from other hosts. However, as thi

Page 103

3.6. IP Rules and IP Policies
3.6.1. Security Policies
Before examining IP rule sets in detail, we will first look at the generic concept of security po

Page 104 - Note: Values for the W5 PSUs

The IP Policy object is an alternative to using IP Rule objects. They are designed to simplify the creation of policies and make it easier to define such

Page 105

Specifying Any Interface or Network
When specifying the filtering criteria in any of the policy rule sets, there are several useful predefined configura

Page 106 - 2.5. Diagnostic Tools

As stated above, when cOS Core is started for the first time, the default IP rules drop all traffic so at least one IP rule must be added to allow traf

Page 107 - A Simple Example

which allows monitoring of opened and active connections passing through the Clavister Security Gateway. If the action is Drop or Reject then the new c

Page 108 - Downloading the Output File

• Service
The Service in an IP rule is also important because if an Application Layer Gateway object is to be applied to traffic then it must be associa

Page 109 - Preparing Hardware

types allow bi-directional traffic flow once the initial connection is set up. The Source Network and Source Interface in the rule means the source of

Page 110 - The -burnin Option

If the action is Return then the rule scanning resumes at the rule which follows the last Goto action (if there was no last Goto then the connection is

Page 111

rules with a Goto action are then added to the main rule set, and these point to the rule set that contains the individual rules that relate to the tr

Page 112 - 2.6. Maintenance

Clavister cOS Core
Administration Guide
Version: 10.20.02
Published 2014-03-31
Copyright © 2014 Clavister AB
Copyright Notice
This publication, including al

Page 113 - The Upgrade Procedure

Chapter 2, Management and Maintenance.
High Availability   High Availability (HA) is supported through automatic fault-tolerant fail-over to a secondary C

Page 114 - 2.6.2. Auto-Update Mechanism

Using folders is simply a way for the administrator to conveniently divide up IP rule set entries and no special properties are given to entries in dif

Page 115 - Version Compatibility

be used when organizing IP rules.
A complement and alternative to folders for organizing objects is using configuration object groups. Object groups all

Page 116 - Backup and Restore using SCP

properties.
If it is desirable to create an object group for the two IP rules for web surfing, this is done with the following steps:
• Select the first

Page 117 - Device:/> reset -unit

box is selected, a full spectrum color palette appears which allows selection by clicking any color in the box with the mouse.
In this example, we might

Page 118 - End of Life Procedures

Moving Group Objects
Once an object, such as an IP rule, is within a group, the context of move operations becomes the group. For example, right clickin

Page 119 - Forcing the Choice of Driver

Creating IP Policies
An IP policy has the following basic properties:
• Allow or Deny Action
An IP policy either allows a particular type of traffic or i

Page 120

Viewing IP Rules Created by IP Policies
As mentioned previously, IP policies create IP rules in the background. These IP rules cannot be viewed through

Page 121 - 2.7. Licensing

Command-Line Interface
Device:/> add IPPolicy Name=http_to_server Action=Allow SourceInterface=wan SourceNetwork=all-nets DestinationInterface=core Destin

Page 122 - Device:/> shutdown -reboot

Enabling Application Control
Application Control can be enabled in two ways:
• Specifying applications directly for IP rules or IP policies.
This is the

Page 123 - Ending Lockdown Mode

Name=Allow_Comp
InControl
Follow the same steps used for the Web Interface below.
Web Interface
1. Go to: Policies > Add > IPRule
2. Specify a suitab

Page 124 - Replacing Hardware

• The Hardware Replacement Guide for swapping out Clavister hardware with the same or different unit.
• The Migration Guide for upgrading cOS Core from

Page 125 - Licensing with VMware

been authenticated by cOS Core and are one of the usernames specified for the rule or belong to one of the specified groups.
For a Deny rule, the reques

Page 126

Now, add the ApplicationRule object:
Device:/bt_app_list> add ApplicationRule Action=Allow AppFilter=3 UserAuthGroups=rogue_user ForwardChain=narrow_025

Page 127 - Chapter 3: Fundamentals

2. Specify a suitable name for the list, in this case bt_app_list
3. Select Application Control
4. In the dialog:
• Set Enable Application Control to Yes

Page 128 - 3.1.2. IP Addresses

InControl
Follow the same steps used for the Web Interface below.
Web Interface
First, define the Application Rule Set:
1. Go to: Policies > Firewallin

Page 129

Extended Logging
When using application content control, it is possible to enable logging for different content. This means that special log messages wi

Page 130 - 3.1.3. Ethernet Addresses

5. Choose Matches specific applications
6. Open the Web node and choose Facebook
7. Press the Select button to close the filter dialog
Define an Applicat

Page 131 - 3.1.4. Address Groups

Device:/> appcontrol compression
compression - Compression:
ccp
comp
2 application(s)
To view a single definition, the individual name can be used witho

Page 132 - 3.1.6. Address Book Folders

All the saved filters can be displayed with the command:
Device:/> appcontrol -filter -show_lists
To delete all saved filters, use the command:
All t

Page 133

bandwidth usage. For example, video streaming sites, Java/Flash game sites
• Risk Level 1
Low-risk. Signatures that could be candidates for blocking. Ty

Page 134 - 3.2. IPv6 Support

3.7. Schedules
In some scenarios, it might be useful to control not only what functionality is enabled, but also when that functionality is being used. F

Page 135

1.2. cOS Core Architecture
1.2.1. State-based Architecture
The cOS Core architecture is centered around the concept of state-based connections. Tradition

Page 136 - IPv6Network=wan_net6

Section 3.9, “Date and Time”.
Example 3.30. Setting up a Time-Scheduled Security Policy
This example creates a schedule object for office hours on weekd

Page 137 - The all-nets6 Address Object

• SourceInterface: lan
• SourceNetwork: lan_net
• DestinationInterface: any
• DestinationNetwork: all-nets
4. Click OK
Chapter 3: Fundamentals 221

Page 138 - Proxy Neighbor Discovery

3.8. Certificates
3.8.1. Overview
The X.509 Standard
cOS Core supports digital certificates that comply with the ITU-T X.509 standard. This involves the u

Page 139

Property          Value            Remarks
----------------  ---------------  ---------
Name:             HTTPSAdmin
CertType:         Local
CertificateData:  (binary data)
PrivateKey:       (binary data)
N

Page 140 - IPv6 and Transparent Mode

Between creating the request and importing the signed certificate file, the certificate object has a Type set to the value Request.
These functions are

Page 141

which the certificate is valid. When this validity period expires, the certificate can no longer be used and a new certificate must be issued.
Important

Page 142

Identification Lists
In addition to verifying the signatures of certificates, cOS Core also employs identification lists. An identification list is a li

Page 143 - 3.3. Services

Graphical Interface Uploading
Example 3.31. Uploading a Certificate with the Web Interface or InControl
In this example a certificate stored on the mana

Page 144

4. Use the file chooser to select a certificate file with the filetype .cer. No private key file should be present. When InControl asks if the private

Page 145 - Specifying Port Numbers

3.9. Date and Time
3.9.1. Overview
Correctly setting the date and time is important for cOS Core to operate properly. Time scheduled policies, auto-updat

Page 146 - Tip: Specifying source ports

combinations. Also important are the Application Layer Gateway (ALG) objects which are used to define additional parameters on specific protocols such

Page 147 - Specifying All Services

1. Go to: System > Device > Date and Time
2. Click Set Date and Time
3. Set year, month, day and time via the dropdown controls
4. Click OK
Note: A

Page 148 - 3.3.3. ICMP Services

principles regulating DST vary from country to country, and in some cases there can be variations within the same country. For this reason, cOS Core do

Page 149 - ICMP Message Types

Internet. The server sends back the time in seconds since midnight on January 1st, 1900.
Configuring Time Servers
Up to three time servers can be config

Page 150 - 3.3.5. Service Groups

Example 3.38. Manually Triggering a Time Synchronization
Time synchronization can be triggered from the CLI. The output below shows a typical response.

Page 151

Example 3.40. Forcing Time Synchronization
This example demonstrates how to force time synchronization, overriding the maximum adjustment setting.
Comman

Page 152 - 3.4. Interfaces

Primary Time Server
DNS hostname or IP Address of Timeserver 1.
Default: None
Secondary Time Server
DNS hostname or IP Address of Timeserver 2.
Default: No

Page 153 - Interfaces have Unique Names

3.10. DNS
Overview
A DNS server can resolve a Fully Qualified Domain Name (FQDN) into the corresponding numeric IP address. FQDNs are unambiguous textual

Page 154 - 3.4.2. Ethernet Interfaces

2. Enter the following:
• Primary Server: 10.0.0.1
• Secondary Server: 10.0.0.2
3. Click OK
DNS Lookup and IP Rules
In the case of DNS server request being

Page 155 - Note: Interface naming

myuid:[email protected]/nic/update?hostname=mydns.dyndns.org
This could be sent by using HTTP Poster. Alternatively, the URL could be automatica

Page 156

3.11. Internet Access Setup
Overview
One of the first things an administrator often wants to do after starting cOS Core for the first time is to set up a

Page 157

tables to confirm that there is a route with this network as the destination on the same interface.
If the Access Rule lookup or the reverse route looku

Page 158

• The IP address of the ISP's "gateway" router.
• A network address for the network between the ISP and the Clavister Security Gateway.

Page 159 - Address=10.1.1.2

See Chapter 5, DHCP Services for more information about this topic.
Example 3.42. Enabling DHCP
Assume that the wan is connected to the gateway of the I

Page 160 - Showing Assigned Interfaces

3.11.4. Creating a Route
Initially, no route will exist in the main routing table that allows traffic to reach the Internet so this must be defined. The

Page 161 - Ethernet Device Commands

• Interface: wan
• Network: all-nets
• Gateway: isp_gw_ip
3. Click OK
3.11.5. Creating IP Rules or IP Policies
Before traffic can flow to the ISP, appropri

Page 162 - DHCP_ValidateBcast

Device:/> add IPPolicy SourceInterface=lan SourceNetwork=lan_net DestinationInterface=wan DestinationNetwork=all-nets Service=dns-all SourceAction=NAT Nam

Page 163

• Destination Network: all-nets
• Service: dns-all
3. Select Address Translation and in the dialog:
• Under Source Address Translation enable NAT
• Close

Page 164

configured during initial connection to the ISP. When DHCP configures the DHCP servers in cOS Core, names are automatically assigned to these servers so

Page 165 - 3.4.3. Link Aggregation

3.12. ICMP Ping
The combination of the ICMP echo request and echo reply messages are known as ping. They provide a simple diagnostic tool to find out if

Page 166 - Physical Switch Connections

ping-inbound. An example IP rule for ping messages arriving on the wan interface would be the following:
Action   Source Interface   Source Network   Destination I

Page 167 - Setting the MTU Value

Incoming Packet Simulation with -srcif
Instead of testing the responsiveness of a remote host, the cOS Core ping command can be used to simulate an inco

Page 168 - 3.4.4. VLAN

use of the different Application Layer Gateways, layer 7 scanning engines and so on, to further analyze or transform the traffic.
• If the contents of t

Page 169

Combining -srcif with -srcip
It is possible to combine -srcip with the -srcif option to simulate a packet arriving on a given interface with a given sou

Page 170 - Port Based VLAN

Chapter 3: Fundamentals 251

Page 171 - 3.4.5. PPPoE

Chapter 4: Routing
This chapter describes how to configure IP routing in cOS Core.
• Overview, page 252
• Static Routing, page 253
• Policy-based Routing,

Page 172 - IP address information

4.2. Static Routing
The most basic form of routing is known as Static Routing. The term "static" is used because most entries in a routing tab

Page 173 - User authentication

• Local IP Address
This parameter usually does not need to be specified. If it is specified, cOS Core responds to ARP queries sent to this address. A sp

Page 174 - 3.4.6. GRE Tunnels

Route #   Interface   Destination       Gateway
1         lan         192.168.0.0/24
2         dmz         10.4.0.0/16
3         wan         195.66.77.0/24
4         wan         all-nets          195.66.77.4
The above routing table provid

Page 175 - Setting Up GRE

through ARP queries. ARP works because the clients and the cOS Core interface are part of the same network.
A second network might then be added to the

Page 176 - An Example GRE Scenario

second network must also have their Default Gateway set to 10.2.2.1 in order to reach the Clavister Security Gateway.
This feature is normally used when

Page 177

If an established connection cannot be found, then the routing table is consulted. It is important to understand that the route lookup is performed bef

Page 178 - 3.4.7. Loopback Interfaces

• It does not matter even if there is a separate route which includes the gateway IP address and that routes traffic to a different interface.
Composite

Page 179

1.3. cOS Core State Engine Packet FlowThe diagrams in this section provide a summary of the flow of packets through the cOS Corestate-engine. There ar

Page 180

InControlFollow the same steps used for the Web Interface below.Web InterfaceTo see the configured routing table:1. Go to: Network > Routing > R

Page 181

When this option is selected, the appropriate all-nets route is automatically added to the mainrouting table for the interface.Example 4.2. Adding a R

Page 182 - 3.4.8. Interface Groups

present for cOS Core to understand how to route traffic that is destined for the itself.There is one route added for each Ethernet interface in the sy

Page 183 - Members=exampleIf1,exampleIf2

Tip: Understanding output from the routes commandFor detailed information about the output of the CLI routes command, refer to theseparate CLI Referen

Page 184 - 3.5. ARP

as healthy. This method is appropriate for monitoring that theinterface is physically attached and that the cabling is workingas expected. As any chan

Page 185 - Flushing the ARP Cache

disabled and instigate route failover for existing and new connections. For already establishedconnections, a route lookup will be performed to find t

Page 186 - 3.5.3. ARP Publish

should fail.There are, however, some problems with this setup: if a route failover occurs, the default routewill then use the dsl interface. When a ne

Page 187 - Publish and XPublish Modes

security gateway comes online.Minimum Number of HostsAvailableThis is the minimum number of hosts that must beconsidered to be accessible before the r

Page 188 - ARP and Neighbor Discovery

The maximum number of milliseconds allowable between a poll request and the response. Ifthis threshold is exceeded then the host is considered unreach

Page 189 - Unsolicited ARP Replies

ARP poll intervalThe time in milliseconds between ARP-lookup of hosts. This may be overridden in individualroutes.Default: 1000Ping poll intervalThe t

Page 190 - Matching Ethernet Addresses

Figure 1.2. Packet Flow Schematic Part IIThe packet flow is continued on the following page.Chapter 1: cOS Core Overview27

Page 191 - 3.6. IP Rules and IP Policies

impose security policies on the traffic passing between the different network parts.A Typical ScenarioAs an example of a typical proxy ARP scenario, c

Page 192 - The Default main IP Rule Set

Figure 4.4. A Proxy ARP ExampleTransparent Mode as an AlternativeTransparent Mode is an alternative and preferred way of splitting Ethernet networks.

Page 193 - Creating a Drop All Rule

4.3. Policy-based RoutingOverviewPolicy-based Routing (PBR) is an extension to the standard routing described previously. It offersadministrators sign

Page 194 - 3.6.2. IP Rule Set Evaluation

Routing TablescOS Core, as standard, has one default routing table called main. In addition to the main table, itis possible to define one or more, ad

Page 195 - 3.6.3. IP Rule Actions

to say routes to the core interface (which are routes to cOS Core itself).4. Click OKExample 4.5. Adding RoutesAfter defining the routing table MyPBRT

Page 196 - Bi-directional Connections

Example 4.6. Creating a Routing RuleIn this example, a routing rule called my_routing_rule is created. This will select the routing tableMyPBRTable fo

Page 197 - 3.6.4. Multiple IP Rule Sets

The Forward and Return Routing Table can be DifferentIn most cases, the routing table for forward and return traffic will be the same. In some cases i

Page 198 - The ExtraRules IP rule set

2. A search is now made for a routing rule that matches the packet's source/destinationinterface/network as well as service. If a matching rule i

Page 199 - 3.6.5. IP Rule Set Folders

The first two options can be regarded as combining the alternate table with the main table andassigning one route if there is a match in both tables.I

Page 200

Contents of the Policy-based Routing Policy:SourceInterfaceSourceRangeDestinationInterfaceDestinationRangeSelected/ServiceForwardVR tableReturnVR tabl

Page 201 - Object Groups and the CLI

Figure 1.3. Packet Flow Schematic Part IIIChapter 1: cOS Core Overview28

Page 202 - Editing Group Properties

4.4. Route Load BalancingOverviewcOS Core provides the option to perform Route Load Balancing (RLB). This is the ability todistribute traffic over mul

Page 203 - Adding Preceding Objects

processing steps is as follows:1. Route lookup is done in the routing table and a list of all matching routes is assembled. Theroutes in the list must

Page 204 - 3.6.7. IP Policies

Figure 4.6. The RLB Spillover AlgorithmSpillover Limits are set separately for ingoing and outgoing traffic with only one of thesetypically being spec

Page 205 - Creating IP Policies

different metric. The route with the lowest metric is chosen first and when that route'sinterface limits are exceeded, the route with the next hi

Page 206

Internet access is available from either one of two ISPs, whose gateways GW1 GW2 are connectedto the security gateway interfaces WAN1 and WAN2. RLB wi

Page 207 - 3.6.8. Application Control

Example 4.8. Setting Up RLBIn this example, the details of the RLB scenario described above will be implemented. Theassumption is made that the variou

Page 208 - Enabling Application Control

• Click OK5. Select Add > Route again to add the second route6. The dialog for a new route will appear. For the second route, enter:• Interface: WA

Page 209 - Using an Application Rule Set

• Use two ISPs, with one tunnel connecting through one ISP and the other tunnel connectingthrough the other ISP. RLB can then be applied as normal wit

Page 210

4.5. Virtual Routing4.5.1. OverviewVirtual Routing is a cOS Core feature that allows the creation of multiple, logically separatedvirtual systems with

Page 211

Figure 4.8. Virtual RoutingWhen the administrator configures this in cOS Core, interface If1 is made a member of routingtable pbr1 but not pbr2. In ot

Page 212 - Application Content Control

Apply RulesThe figure below presents the detailed logic of the Apply Rules function in Figure 1.2, “Packet FlowSchematic Part II” above.Figure 1.4. Ex

Page 213

communication between the virtual systems. For example, Department A does not need tocommunicate with Department B. If communication between them is n

Page 214 - Extended Logging

Route # Interface Network Gateway2 If2 192.168.0.0/24Getting traffic from each network to and from the Internet is straightforward. Assuming onlyoutbo

Page 215 - Data Leakage Can Occur

Here, each organization gets a virtual system of its own. These connect to the main routing tableusing pairs of loopback interfaces. The routing table

Page 216 - Managing Filters

Also note how the IPv4 addresses of the internal interfaces of the virtual systems differ. Ifper-interface routing table membership were not used, the

Page 217 - Risk Guidelines

Note that SAT rules do not need to take into account that there are more organizationsconnected to the same physical unit. There is no direct connecti

Page 218 - Application Control Licensing

connection will be shown; before and after address translation. Also, the routing tables usedin the forward and return direction will be shown.• Enabl

Page 219 - 3.7. Schedules

4.6. OSPFThe feature called Dynamic Routing is implemented in cOS Core using the Open Shortest Path First(OSPF) architecture.This section begins by lo

Page 220

In contrast to DV algorithms, Link State (LS) algorithms enable routers to keep routing tables thatreflect the topology of the entire network.Each rou

Page 221

Under OSPF, this exchange of routing information is completely automatic.OSPF Provides Route RedundancyIf we now take the above scenario and add a thi

Page 222 - 3.8. Certificates

and to determine the optimal path. The principal metrics used include:Path length The sum of the costs associated with each link. A commonly used valu

Page 223 - The NoCRLs Property

Table of ContentsPreface ... 141. cOS Core

Page 224 - Validity Time

Chapter 1: cOS Core Overview30

Page 225 - Trusting Certificates

It is possible to configure separate authentication methods for each AS.OSPF AreasAn OSPF Area consists of networks and hosts within an AS that have b

Page 226 - 3.8.2. Uploading Certificates

With cOS Core, the DR and the BDR are automatically assigned.NeighborsRouters that are in the same area become neighbors in that area. Neighbors are e

Page 227 - Uploading Remote Certificates

This virtual link is established between two Area Border Routers (ABRs) that are on one commonarea, with one of the ABRs connected to the backbone are

Page 228 - Using Uploaded Certificates

Figure 4.14. Virtual Links with Partitioned BackboneThe virtual link is configured between fw1 and fw2 on Area 1 as it is used as the transit area. In

Page 229 - 3.9. Date and Time

having a route in its routing tables for the destination.The key aspect of an OSPF setup is that connected Clavister Security Gateways share theinform

Page 230 - Daylight Saving Time

interface participating in the OSPF AS.Private Router ID This is used in an HA cluster and is the ID for this securitygateway and not the cluster.Note

Page 231 - 3.9.3. Time Servers

In other words, the OSPF authentication method must be replicated on all ClavisterSecurity Gateways.AdvancedTime SettingsSPF Hold Time Specifies the m

Page 232 - Configuring Time Servers

There can only be one backbone area and it forms the centralportion of an AS. Routing information that is exchangedbetween different area always trans

Page 233 - Maximum Time Adjustment

multicast address 224.0.0.5. Those packets will be heard by all otherthe OSPF routers on the network. For this reason, no configuration ofOSPF Neighbo

Page 234

InfTrans Delay Specifies the estimated transmit delay for the interface. This valuerepresents the maximum time it takes to forward a LSA packettrough

Page 235

Chapter 2: Management and MaintenanceThis chapter describes the management, operations and maintenance related aspects of cOSCore.• Managing cOS Core,

Page 236 - 3.10. DNS

Network The network consisting of the smaller routers.Advertise If the aggregation should be advertised or not.In most, simple OSPF scenarios, OSPF Ag

Page 237 - Dynamic DNS and HTTP Poster

received routing information, and it might be crucial to avoid parts of the routing databasegetting published to other routers.For this reason, Dynami

Page 238 - HTTP Poster Has Other Uses

Figure 4.16. Dynamic Routing Rule Objects4.6.4.2. Dynamic Routing RuleThis object defines a dynamic routing rule.General ParametersName Specifies a sy

Page 239 - 3.11. Internet Access Setup

OSPF Tag Specifies an interval that the tag of the routers needs to be in between.4.6.4.3. OSPF ActionThis object defines an OSPF action.General Param

Page 240 - 3.11.2. DHCP Setup

Figure 4.17. Setting Up OSPFIn this example we connect together the two Clavister Security Gateways with OSPF so they canshare the routes in their rou

Page 241

Finally, a Dynamic Routing Rule needs to be defined to deploy the OSPF network. This involvestwo steps:i. A Dynamic Routing Policy Rule object is adde

Page 242 - 3.11.4. Creating a Route

and those interfaces are configured with OSPF Router Process objects, OSPF will beginexchanging routing information.Confirming OSPF DeploymentIt is no

Page 243

2. Choose a random internal IP networkFor each security gateway, we need to choose a random IP network using internal, private IPv4addresses. For exam

Page 244

4.6.6. An OSPF ExampleThis section goes through the detailed setup steps for the simple OSPF scenario illustratedbelow.Figure 4.19. An OSPF ExampleHer

Page 245 - 3.11.6. Defining DNS Servers

Follow the same steps used for the Web Interface below.Web Interface1. Go to: Network > Routing > OSPF > Add > OSPF Router Process2. Enter

Page 246 - Device:/> dhcp -show wan

based computer. The server serves as a repository for all cOS Coreconfiguration data and mediates all management commands sentby clients.More informat

Page 247 - 3.12. ICMP Ping

5. Click OKNow, repeat this for security gateway B, using the same OSPF Area object name of area_0.Example 4.11. Add OSPF Interface ObjectsFor securit

Page 248 - Using the -verbose Option

Example 4.12. Import Routes from an OSPF AS into the Main Routing TableIn this example, the routes received using OSPF will be added into the main rou

Page 249 - Specifying the Source IP

Web Interface1. Go to: Network > Routing > Routing Rules2. Click on the newly created ImportOSPFRoutes3. Go to: Routing Action > Add > Dyn

Page 250 - Ping with IPv6

Command-Line InterfaceFirst, change the CLI context to be the DynamicRoutingRule just added for export:Device:/> cc DynamicRoutingRule ExportDefRou

Page 251

• DebugDDesc - Log database description packets.• DebugExchange - Log exchange packets.• DebugLSA - Log LSA events.• DebugSPF - Log SPF calculation ev

Page 252 - Chapter 4: Routing

The OSPF CLI commandThe CLI command ospf provides various options for examining the behavior of OSPF in real-timeon a particular.In order to see gener

Page 253 - 4.2. Static Routing

4.7. Multicast Routing4.7.1. OverviewThe Multicast ProblemCertain types of Internet interactions, such as conferencing and video broadcasts, require a

Page 254 - A Typical Routing Scenario

For multicast to function with an Ethernet interface on any Clavister Security Gateway,that interface must have multicast handling set to On or Auto.

Page 255 - 4 wan all-nets 195.66.77.4

Figure 4.20. Multicast Forwarding - No Address TranslationNote: SAT Multiplex rules must have a matching Allow ruleRemember to add an Allow rule that

Page 256

1. Go to: Objects > Services > Add > TCP/UDP2. Now enter:• Name: multicast_service• Type: UDP• Destination: 1234B. Create an IP rule:1. Go to

Page 257 - 4.2.2. Static Routing

2.1.2. Default Administrator AccountsBy default, cOS Core has a local user database, AdminUsers, which contains two predefined useraccounts:• Username

Page 258

If, for example, multiplexing of the multicast group 239.192.100.50 is required to the outputinterfaces if2 and if3, then the command to create the ru

Page 259 - Displaying Routing Tables

The following SAT Multiplex rule needs to be configured to match the scenario described above:InControlFollow the same steps used for the Web Interfac

Page 260 - The all-nets Route

4.7.3. IGMP ConfigurationIGMP signalling between hosts and routers can be divided into two categories:• IGMP ReportsReports are sent from hosts toward

Page 261 - Routes to the Core Interface

Figure 4.23. Multicast Proxy ModeIn Snoop Mode, the Clavister Security Gateway will act transparently between the hosts andanother IGMP router. It wil

Page 262 - 1 core 224.0.0.0/4

1. Go to: Network > Routing > IGMP Rules > Add > IGMP Rule2. Under General enter:• Name: A suitable name for the rule, for example Reports

Page 263

4.7.3.2. IGMP Rules Configuration - Address TranslationThe following examples illustrates the IGMP rules needed to configure IGMP according to theAddr

Page 264 - Failover Processing

2. Under General enter:• Name: A suitable name for the rule, for example Queries_if1• Type: Query• Action: Proxy• Output: if1 (this is the relay inter

Page 265 - Route Interface Grouping

• Destination Interface: core• Destination Network: auto• Multicast Source: 192.168.10.1• Multicast Group: 239.192.10.0/244. Click OKB. Create the sec

Page 266 - Enabling Host Monitoring

the default route.Default: EnabledIGMP Before RulesFor IGMP traffic, by-pass the normal IP rule set and consult the IGMP rule set.Default: EnabledIGMP

Page 267 - Specifying Hosts

The interval in milliseconds between General Queries sent by the device to refresh its IGMP state.Global setting on interfaces without an overriding I

Page 268 - Iface poll interval

Clavister Product Default Web Interface Management InterfaceLynx X8 G1Eagle E5/E7 geswWolf W3/W5 M1Virtual Series If1Changing the management interface

Page 269 - 4.2.6. Proxy ARP

4.8. Transparent Mode4.8.1. OverviewTransparent Mode UsageThe cOS Core Transparent Mode feature allows a Clavister Security Gateway to be placed at ap

Page 270 - Setting Up Proxy ARP

• Routing Mode using non-switch routes.• Transparent Mode using switch routes.With non-switch routes, the Clavister Security Gateway acts as a router

Page 271 - Automatically Added Routes

interface. As the Layer 3 Cache is only used for IP traffic, Layer 3 Cache entries are stored as singlehost entries in the routing table.For each IP p

Page 272 - 4.3. Policy-based Routing

Specifying a network or address range is, of course, only possible if the administrator has someknowledge of the network topology and often this may n

Page 273 - Routing Tables

Transparent Mode with VLANsIf transparent mode is being set up for all hosts and users on a VLAN then the techniquedescribed above of using multiple r

Page 274 - Routing Rules

clients located behind a security gateway operating in transparent mode. In this case, cOS Coremust be correctly configured as a DHCP relayer to corre

Page 275

single logical IP network in Transparent Mode with a common address range (in this example192.168.10.0/24).Figure 4.25. Transparent Mode Internet Acce

Page 276

Clavister Security Gateway is acting like a level 2 switch and address translation is done at thehigher IP OSI layer.The other consequence of not usin

Page 277 - The Ordering parameter

Network=10.0.0.0/24AutoSwitchRoute=YesAdd the IP rule:Device:/> add IPRule Action=AllowService=httpSourceInterface=lanSourceNetwork=10.0.0.0/24Dest

Page 278

• Name: http_allow• Action: Allow• Service: http• Source Interface: lan• Destination Interface: any• Source Network: 10.0.0.0/24• Destination Network:

Page 279

After entering a valid username and password the Login button is clicked. If the user credentialsare valid, the administrator is taken to the main Web

Page 280 - 4.4. Route Load Balancing

Example 4.21. Setting up Transparent Mode for Scenario 2Configure a Switch Route over the lan and dmz interfaces for address range 10.0.0.0/24 (assume

Page 281

Device:/> add IPRule Action=AllowService=httpSourceInterface=wanSourceNetwork=all-netsDestinationInterface=dmzDestinationNetwork=wan_ipName=http_wa

Page 282

3. Click OKConfigure the routing:1. Go to: Network > Routing > Routing Tables > main > Add > SwitchRoute2. Now enter:• Switched Interfa

Page 283 - An RLB Scenario

7. Go to: Policies > Add > IPRule8. Now enter:• Name: http_wan_to_dmz• Action: Allow• Service: http• Source Interface: wan• Destination Interfac

Page 284

Figure 4.28. An Example BPDU Relaying ScenarioImplementing BPDU RelayingThe cOS Core BDPU relaying implementation only carries STP messages. These STP

Page 285

• Drop/Log - Drop all MPLS packets without verification and log these drops.4.8.6. Advanced Settings for Transparent ModeCAM To L3 Cache Dest Learning

Page 286 - RLB with VPN

Transparency ATS SizeDefines the maximum total number of ARP Transaction State (ATS) entries. Valid values are128-65536 entries.Default: 4096Note: Opt

Page 287

• Drop - Drop packets• DropLog - Drop and log packetsDefault: DropLogRelay Spanning-tree BPDUsWhen set to Ignore all incoming STP, RSTP and MSTP BPDUs

Page 289 - Using Loopback Interfaces

Chapter 5: DHCP ServicesThis chapter describes DHCP services in cOS Core.• Overview, page 359• cOS Core DHCP Servers, page 361• IPv4 DHCP Relay, page

Page 290 - Routing Table pbr2

cOS Core objects. The central area of the Web Interface displays information about thosemodules. Current performance information is shown by default.N

Page 291

The lease time can be configured in a DHCP server by the administrator.Chapter 5: DHCP Services360

Page 292 - Loopback Interfaces

5.2. cOS Core DHCP ServerscOS Core DHCP servers assign and manage the IP addresses taken from a specified address pool.These servers are not limited t

Page 293 - IP Rules

This is the IP address of the DHCP relayer through which the DHCP request has come.Requests from local clients or other DHCP relayers will be ignored.

Page 294 - 4.5.6. Trouble Shooting

parameter, Lease Store Interval.• Lease Store IntervalThe number of seconds between auto saving the lease database to disk. The default value is86400

Page 295

10.4.13.244 00-00-00-00-02-14 INACTIVE(STATIC)10.4.13.254 00-00-00-00-02-54 INACTIVE(STATIC)10.4.13.1 00-12-79-3b-dd-45 ACTIVE10.4.13.2 00-12-79-c4-06

Page 296 - 4.6. OSPF

Figure 5.1. DHCP Server ObjectsThe following sections discuss these two DHCP server options.5.2.1. Static IPv4 DHCP HostsWhere the administrator requi

Page 297 - A Simple OSPF Scenario

Device:/DHCPServer1> show DHCPServerPoolStaticHost 1Property Value----------- -----------------Index: 1Host: 192.168.1.1MACAddress: 00-90-12-13-14-

Page 298 - A Look at Routing Metrics

Data This is the actual information that will be sent in the lease. This can be one value or acomma separated list.The meaning of the data is determin

Page 299 - 4.6.2. OSPF Concepts

5.3. IPv4 DHCP RelayNoteDHCP relaying is a feature which is currently only available with IPv4 DHCP.The DHCP ProblemWith DHCP, clients send requests t

Page 300 - The Designated Router

TargetDHCPServer=ip-dhcpSourceInterface=ipgrp-dhcpAddRoute=YesProxyARPInterfaces=ipgrp-dhcpInControlFollow the same steps used for the Web Interface b

Page 301 - Virtual Links

change the ordering and other operations. The Clone function is used tomake a complete copy of the current object and then add it as the lastobject in

Page 302

Transaction TimeoutFor how long a dhcp transaction can take place.Default: 10 secondsMax PPMHow many dhcp-packets a client can send to through cOS Cor

Page 303 - Using OSPF with cOS Core

5.4. IP PoolsNoteIP pools can currently only be used with IPv4 DHCP.OverviewAn IP pool is used to offer other subsystems access to a cache of DHCP IP

Page 304 - 4.6.3. OSPF Components

Advanced IP Pool OptionsAdvanced options available for IP Pool configuration are:Routing Table The routing table to be used for lookups when resolving

Page 305 - Authentication

This displays all the configured IP pools along with their status. The status information is dividedinto four parts:• Zombies - The number of allocate

Page 306 - 4.6.3.2. OSPF Area

5.5. DHCPv6 ServerscOS Core provides the ability to set up one or more DHCPv6 servers. Configuring these is almostidentical to configuring an IPv4 DHC

Page 307 - 4.6.3.3. OSPF Interface

DHCPv6 server. Together, these can significantly increase the speed of addressallocation.Available Memory Can Limit Lease AllocationWhen a DHCPv6 leas

Page 308

interface lan. Assume that the pool of available IP addresses is already defined by the IPv6address object dhcpv6_range1.The server will also use the

Page 309 - 4.6.3.5. OSPF Aggregates

2. Now enter:• Name: dhcpv6_server1• Interface Filter: lan• IP Address Pool: dhcpv6_range13. Select the Options tab4. Enable Handle Rapid Commit Optio

Page 310 - 4.6.4. Dynamic Routing Rules

5. Click OK to save the prefix6. Click OK to save the advertisementStatic DHCPv6 HostsWhere the administrator requires a fixed relationship between a

Page 312 - 4.6.4.2. Dynamic Routing Rule

Example 2.1. Remote Management via HTTPS with CA Signed CertificatesCommand-Line InterfaceDevice:/> set Settings RemoteMgmtSettingsHTTPSCertificate

Page 313 - 4.6.5. Setting Up OSPF

Chapter 6: Security MechanismsThis chapter describes cOS Core security features.• Access Rules, page 380• ALGs, page 384• Web Content Filtering, page

Page 314

and a Default Access Rule log message will be generated.When troubleshooting dropped connections, the administrator should look out for DefaultAccess

Page 315

• Network: The IP span that the sender address should belong to.Access Rule ActionsThe Access Rule actions that can be specified are:• Drop: Discard t

Page 316 - Confirming OSPF Deployment

1. Go to: Network > Routing > Access > Add > Access2. Now enter:• Name: lan_Access• Action: Expect• Interface: lan• Network: lan_net3. Cli

Page 317

6.2. ALGs6.2.1. OverviewTo complement low-level packet filtering, which only inspects packet headers in protocols suchas IP, TCP, UDP, and ICMP, Clavi

Page 318 - 4.6.6. An OSPF Example

Maximum Connection SessionsThe service associated with an ALG has a configurable parameter associated with it called MaxSessions and the default value

Page 319

The opposite to blacklisting, this makes sure certain URLs are always allowed.Wildcarding can also be used for these URLs, as described below.It is im

Page 320 - Device:/>

the download will be dropped. If nothing is marked in this mode then no files can bedownloaded.Additional filetypes not included by default can be add

Page 321

Figure 6.2. HTTP ALG Processing OrderUsing Wildcards in White and BlacklistsEntries made in the white and blacklists can make use of wildcarding to ha

Page 322

File Transfer Protocol (FTP) is a TCP/IP-based protocol for exchanging files between a client and aserver. The client initiates the connection by conn

Page 323 - 4.6.7. OSPF Troubleshooting

After finishing working with the Web Interface, it is advisable to always logout to prevent otherusers with access to the workstation getting unauthor

Page 324

certain control commands and provide buffer overrun protection.Hybrid ModeAn important feature of the cOS Core FTP ALG is its automatic ability to per

Page 325 - The OSPF CLI command

active mode, the cOS Core FTP ALG will handle the conversion automatically to active mode.A range of client data ports is specified with this option.

Page 326 - 4.7. Multicast Routing

The FTP ALG also allows restrictions to be placed on the FTP control channel which can improvethe security of FTP connections. These are:• Maximum lin

Page 327

In this case, we will set the FTP ALG restrictions as follows.• Enable the Allow client to use active mode FTP ALG option so clients can use both acti

Page 328

5. Click OKB. Define the Service:1. Go to: Objects > Services > Add > TCP/UDP Service2. Enter the following:• Name: ftp-inbound-service• Type

Page 329

• Action: NAT• Service: ftp-inbound-service3. For Address Filter enter:• Source Interface: dmz• Destination Interface: core• Source Network: dmz_net•

Page 330

In this case, we will set the FTP ALG restrictions as follows.• Disable the Allow client to use active mode FTP ALG option so clients can only use pas

Page 331

B. Create the Service1. Go to: Objects > Services > Add > TCP/UDP Service2. Now enter:• Name: ftp-outbound-service• Type: select TCP from the

Page 332 - 4.7.3. IGMP Configuration

• Action: NAT• Service: ftp-outbound-service3. For Address Filter enter:• Source Interface: lan• Destination Interface: wan• Source Network: lan_net•

Page 333

be written by a TFTP client. The default value is Allow.Remove Request Option Specifies if options should be removed from request. Thedefault is False

Page 334

2.6.3. Backing Up Configurations ... 1152.6.4. Restore to Factory Defaults ...

Page 335

completion would not be able to help complete the above command if the tab is pressed duringor after the IPAddress object type.The same object name co

Page 336

Email size limiting A maximum allowable size of email messages can bespecified. This feature counts the total amount of bytes sentfor a single email w

Page 337 - 4.7.4. Advanced IGMP Settings

As described above, if an address is found on the whitelist then it will not be blocked if it alsofound on the blacklist. Spam filtering, if it is ena

Page 338

extension list that is returned to the client by an SMTP server behind the Clavister SecurityGateway. When an extension is removed, a log message is g

Page 339 - IGMP Startup Query Interval

email is from a spammer or not. cOS Core examines the IP packet headers to do this.The reply sent back by a server is either a not listed response or

Page 340

If dnsbl1 and dnsbl2 say an email is Spam but dnsbl3 does not, then the total calculated will be3+2+0=5. Since the total of 5 is equal to (or greater

Page 341

• X-Spam-TXT-Records - A list of TXT records sent by the DNSBL servers that identified theemail as Spam.• X-Spam_Sender-IP - IP address used by the em

Page 342 - Enabling Transparent Mode

• Specify the DNSBL servers that are to be used. There can be one or multiple. Multiple serverscan act both as backups to each other as well as confir

Page 343

• Number of positive (is Spam) responses from each configured DNSBL server.• Number of queries sent to each configured DNSBL server.• Number of failed

Page 344 - Transparent Mode with DHCP

Tip: DNSBL serversA list of DNSBL servers can be found at:http://en.wikipedia.org/wiki/Comparison_of_DNS_blacklists.6.2.6. The POP3 ALGPOP3 is a mail

Page 345 - Non-switch if1 all-nets gw-ip

The PPTP ALG is provided to deal with a specific issue when PPTP tunnels are used with NAT.Let us suppose we have two clients A and B on a protected i

Page 346

pressing the up arrow key once will make the last command executed appear at the current CLIprompt. After a command appears it can be re-executed in i

Page 347 - Scenario 1

iv. Select the ALG to be the PPTP ALG object that was defined in the first step. In this case, itwas called pptp_alg.• Associate this service object w

Page 348

Important: Third Party Equipment CompliancecOS Core is based on the SIP implementation described in RFC 3261. However, correctSIP message processing a

Page 349 - Scenario 2

supported by cOS Core.Registrars A server that handles SIP REGISTER requests is given the special name ofRegistrar. The Registrar server has the task

Page 350

The SIP Proxy Record-Route OptionTo understand how to set up SIP scenarios with cOS Core, it is important to first understand theSIP proxy Record-Rout

Page 351

cOS Core supports a variety of SIP usage scenarios. The following three scenarios cover nearly allpossible types of usage:• Scenario 1Protecting local

Page 352

The proxy should be configured with the Record-Route feature enabled to insure all SIP traffic toand from the office clients will be sent through the

Page 353

Action Src Interface Src Network Dest Interface Dest NetworkAllow(or NAT)lan lan_net wan ip_proxyAllow wan ip_proxy lan(or core)lan_net(or wan_ip)With

Page 354 - 4.8.5. MPLS Pass Through

2. The SIP ALG properties will be displayed3. Specify a name for the ALG, for example sip_alg4. Click OKC. Define a custom Service object for SIP:1. G

Page 355

• Service: sip_serv• Source Interface: ext• Source Network: proxy_ip• Destination Interface: core• Destination Network: ip_wan• Comment: Allow incomin

Page 356 - Note: Optimal ATS handling

• Type set to TCP/UDP3. Define three rules in the IP rule set:• A NAT rule for outbound traffic from the local proxy and the clients on the internalne

Page 357 - Relay MPLS

makes examining and understanding the configuration easier.Getting the Default or Current Property ValueThe period "." character before a ta

Page 358

This scenario is similar to the previous but the major difference is the location of the local SIPproxy server. The server is placed on a separate int

Page 359 - Chapter 5: DHCP Services

well as a setup without NAT (Solution B below).Solution A - Using NATThe following should be noted about this setup:• The IP address of the SIP proxy

Page 360

This rule has core as the destination interface (in other words, cOS Core itself). When anincoming call is received, cOS Core uses the registration in

Page 361 - 5.2. cOS Core DHCP Servers

Action Src Interface Src Network Dest Interface Dest NetworkOutboundToProxy Allow lan lan_net dmz ip_proxyOutboundFromProxy Allow dmz ip_proxy lan lan

Page 362 - DHCP Server Advanced Settings

The different protocols used in implementing H.323 are:
H.225 RAS signalling and Call Control (Setup) signalling
Used for call signalling. It is used to

Page 363

• Number of TCP Data ChannelsThe number of TCP data channels allowed can be specified.• Address TranslationFor NATed traffic the Network can be specif

Page 364 - Additional Server Settings

InControlFollow the same steps used for the Web Interface below.Web InterfaceOutgoing Rule:1. Go to: Policies > Add > IPRule2. Now enter:• Name:

Page 365 - 5.2.1. Static IPv4 DHCP Hosts

• Service: H323• Source Interface: any• Destination Interface: lan• Source Network: 0.0.0.0/0 (all-nets)• Destination Network: lan_net• Comment: Allow

Page 366 - 5.2.2. Custom IPv4 Options

1. Go to: Policies > Add > IPRule2. Now enter:• Name: H323In• Action: SAT• Service: H323• Source Interface: any• Destination Interface: core• So

Page 367

the Internet, the following rules need to be added to the rule listings in both security gateways.Make sure there are no rules disallowing or allowing

Page 368 - 5.3. IPv4 DHCP Relay

Not all object types belong in a category. The object type UserAuthRule is a type without acategory and will appear in the category list after pressin

Page 369 - Max Transactions

• Service: H323• Source Interface: any• Destination Interface: lan• Source Network: 0.0.0.0/0 (all-nets)• Destination Network: lan_net• Comment: Allow

Page 370

1. Go to: Policies > Add > IPRule2. Now enter:• Name: H323In• Action: SAT• Service: H323• Source Interface: any• Destination Interface: core• So

Page 371 - 5.4. IP Pools

H.323 phones are connected on the internal network and to the Gatekeeper on the DMZ. TheGatekeeper on the DMZ is configured with a private address. Th

Page 372 - Listing IP Pool Status

2. Now enter:• Name: H323In• Action: Allow• Service: H323-Gatekeeper• Source Interface: any• Destination Interface: core• Source Network: 0.0.0.0/0 (a

Page 373 - PrefetchLeases=10

make sure there are no rules disallowing or allowing the same kind of ports/traffic before these rules.
InControl
Follow the same steps used fo

Page 374 - 5.5. DHCPv6 Servers

possible for internal phones to call the external phones that are registered with thegatekeeper.Example 6.11. Using the H.323 ALG in a Corporate Envir

Page 375 - DHCPv6 Server Setup

• Name: LanToGK• Action: Allow• Service: H323-Gatekeeper• Source Interface: lan• Destination Interface: dmz• Source Network: lan_net• Destination Netw

Page 376

• Comment: Allow communication from the Gateway to H.323 phones on lan_net3. Click OK1. Go to: Policies > Add > IPRule2. Now enter:• Name: Branc

Page 377

InControlFollow the same steps used for the Web Interface below.Web Interface1. Go to: Policies > Add > IPRule2. Now enter:• Name: ToGK• Action:

Page 378 - Static DHCPv6 Hosts

• Destination Network: hq-net• Comment: Allow the Gateway to communicate with the Gatekeeper connected to theHead Office3. Click OKNote: Outgoing call

Page 379

The naming of some objects is optional and is done with the Name= parameter in an addcommand. An object, such as a threshold rule, will always have an

Page 380 - 6.1. Access Rules

sent to a client at the beginning of a TLS session in order to establish the server's identity andthen be the basis for encryption. Certificates

Page 381 - 6.1.3. Access Rule Settings

The steps to take to enable TLS in cOS Core are as follows:1. Upload the host and root certificates to be used with TLS to cOS Core if not done alread

Page 382 - Note: Enabling logging

• Renegotiation is not supported.
• Sending server key exchange messages is not supported which means the key in the certificate must be sufficiently wea

Page 383

6.3. Web Content Filtering
6.3.1. Overview
Web traffic is one of the biggest sources of security issues and misuse of the Internet. Inappropriate surfin

Page 384 - 6.2. ALGs

web content. Many web sites use Javascript and other types of client-side code and in most cases, the code is non-malicious. Common examples of this are

Page 385 - 6.2.2. The HTTP ALG

Gateway's whitelist, access to that URL is always allowed, taking precedence over DynamicContent Filtering.WildcardingBoth the URL blacklist and

Page 386

Finally, make an exception from the blacklist by creating a specific whitelist:
Device:/content_filtering> add ALG_HTTP_URL URL=www.Clavister.com/*.e

Page 387

Using URL Filter ObjectsAn alternative method for URL filtering is to define a separate URL Filter object. These are used inthe following series of st

Page 388 - 6.2.3. The FTP ALG

Dynamic WCF DatabasescOS Core Dynamic WCF allows web page blocking to be automated so it is not necessary tomanually specify beforehand which URLs to

Page 389 - The cOS Core ALG Solution

Figure 6.8. Dynamic Web Content Filtering FlowIf the requested web page URL is not present in the databases, then the webpage content at theURL will a

Page 390 - Hybrid Mode

• A terminal or a computer with a serial port and the ability to emulate a terminal (such asusing the Hyper Terminal software included in some Microso

Page 391 - Control Channel Restrictions

6.3.4.2. Setting Up Dynamic Web Content FilteringActivationDynamic Content Filtering is a feature that is enabled by purchasing a subscription to the

Page 392 - Anti-Virus Scanning

Then, create a service object using the new HTTP ALG:
Device:/> add ServiceTCPUDP http_content_filtering Type=TCP
          DestinationPorts=80
          ALG=content_filt

Page 393

1. On a workstation on the lan_net network, launch a standard web browser.2. Try to browse to a search site. For example, www.google.com.3. If everyth

Page 394

Command-Line Interface
First, create an HTTP Application Layer Gateway (ALG) Object:
Device:/> add ALG ALG_HTTP content_filtering
          WebContentFilteringM

Page 395

Reclassification of Blocked SitesAs the process of classifying unknown web sites is automated, there is always a small risk thatsome sites are given a

Page 396

previous examples.Dynamic content filtering is now activated for all web traffic from lan_net to all-nets and the useris able to propose reclassificat

Page 397

on recent events pertaining to topics surrounding a locality (for example, town, city or nation) orculture, including weather forecasting information.

Page 398 - 6.2.4. The TFTP ALG

A web site may be classified under the Game Sites category if its content focuses on or includesthe review of games, traditional or computer based, or

Page 399 - 6.2.5. The SMTP ALG

A web site may be classified under the Malicious category if its content is capable of causingdamage to a computer or computer environment, including

Page 400

A web site may be classified under the Drugs/Alcohol category if its content includes drug andalcohol related information or services. Some URLs categ

Page 401 - Enhanced SMTP and Extensions

SSH (Secure Shell) CLI Access
The SSH (Secure Shell) protocol can be used to access the CLI over the network from a remote host. SSH is a protocol prima

Page 402 - 6.2.5.1. Anti-Spam Filtering

HTML Page Parameters
The HTML pages contain a number of parameters that can be used as needed. The parameters available are:
• %URL% - The URL which was

Page 403 - Creating a DNSBL Consensus

9. Click OK to exit editing10. Go to: Policies > User Authentication User Authentication Rules11. Select the relevant HTML ALG and click the Agent

Page 404 - Adding X-Spam Information

6.4. Anti-Virus Scanning
6.4.1. Overview
The cOS Core anti-virus module protects against malicious code carried in data passing through the Clavister Sec

Page 405 - Setup Summary

and can determine, with a high degree of certainty, if a virus is in the process of beingdownloaded to a user behind the Clavister Security Gateway. O

Page 406 - Real-time Monitoring

Protocol Specific behavior
Since anti-virus scanning is implemented through an Application Level Gateway (ALG), protocol-specific features are

Page 407 - The dnsbl CLI Command

When used with IP rules, an ALG must then be associated with an appropriate service objectfor the protocol to be scanned. The service object is then a

Page 408 - 6.2.7. The PPTP ALG

3. Select the TCP in the Type dropdown list4. Enter 80 in the Destination Port textbox5. Select the HTTP ALG just created in the ALG dropdown list6. C

Page 409 - PPTP ALG Setup

specified in Appendix C, Verified MIME filetypes) then the filetype in the file's name is used whenthe excluded list is checked.3. Compression Ra

Page 410 - 6.2.8. The SIP ALG

2. The active unit performs an automatic reconfiguration to update its database.3. This reconfiguration causes a failover so the passive unit becomes

Page 411 - SIP Components

6.5. Intrusion Detection and Prevention
6.5.1. Overview
Intrusion Definition
Computer servers can sometimes have vulnerabilities which leave them exposed

Page 412 - SIP ALG Options

Changing the admin User Password
It is recommended to change the default password of the admin account from admin to something else as soon as possible

Page 413 - SIP Usage Scenarios

latest intrusion threats. For full details about obtaining the IDP service please refer to Appendix A,Update Subscriptions.Figure 6.11. IDP Database U

Page 414

> Update Center.Updating in High Availability ClustersUpdating the IDP databases for both the units in an HA Cluster is performed automatically byc

Page 415

ordered by group. However, its purpose is for reference only and it is not possible to add rulesignatures through this tree. A screen shot of the list

Page 416

• Invalid hex encoding
A valid hex sequence is where a percentage sign is followed by two hexadecimal values to represent a single byte of data. An inva
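The percent-encoding rule above is easy to state and easy to get subtly wrong, so here is an added Python example of the two HTTP normalization checks this section describes: a '%' that is not followed by two hex digits (invalid hex encoding) and an escape that only becomes visible after a second decoding pass (double encoding). This is illustrative code written for this page, not the cOS Core IDP normalizer; the request paths it is fed are constructed.

```python
"""Percent-encoding normalizer for IDP-style HTTP URI checks (added example,
not cOS Core code). Decodes %XX escapes, flags invalid hex sequences and
double encoding, and returns the canonical path that a signature should be
matched against."""
import re
from typing import NamedTuple, Tuple

HEX2 = re.compile(r"%[0-9A-Fa-f]{2}")


class NormResult(NamedTuple):
    normalized: str      # path after decoding (twice if double-encoded)
    invalid_hex: bool    # a '%' not followed by two hex digits was seen
    double_encoded: bool # a second decoding pass changed the string


def decode_once(uri: str) -> Tuple[str, bool]:
    """Decode one layer of %XX escapes.

    A '%' that is not followed by exactly two hex digits is an invalid hex
    encoding: it is left in place literally and reported, because an IDS
    that silently drops or guesses it can be desynchronised from the server.
    """
    out = []
    invalid = False
    i = 0
    while i < len(uri):
        if uri[i] == "%":
            m = HEX2.match(uri, i)
            if m:
                out.append(chr(int(m.group()[1:], 16)))
                i += 3
                continue
            invalid = True          # e.g. "%zz" or a trailing "%4"
        out.append(uri[i])
        i += 1
    return "".join(out), invalid


def normalize(uri: str) -> NormResult:
    """Canonicalize a request path the way a signature matcher needs it."""
    once, invalid = decode_once(uri)
    twice, _ = decode_once(once)
    # If decoding the already-decoded string changes it, the original carried
    # an encoded '%' (%25) in front of hex digits: double encoding, used to
    # slip "../" or "<script>" past a matcher that decodes only once.
    double = twice != once
    return NormResult(twice if double else once, invalid, double)


def traversal_attempt(uri: str) -> bool:
    """Example signature check run on the normalized path, not the raw one."""
    return "../" in normalize(uri).normalized


if __name__ == "__main__":
    for path in ("/cgi-bin/%2e%2e/%2e%2e/etc/passwd",   # constructed inputs
                 "/%252e%252e/etc/passwd",
                 "/index.html%zz"):
        print(path, "->", normalize(path))
```

The matcher deliberately decodes at most twice and records what it saw; the decision to treat invalid hex or double encoding as an alert in its own right, rather than just normalizing it away, is what lets the two evasion cases in the text be logged instead of silently accepted.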

Page 417

Evasion AttacksAn evasion attack has a similar end-result to the insertion Attack in that it also generates twodifferent data streams, one that the ID

Page 418

Attackers who build new intrusions often reuse older code. This means their new attacks canappear in circulation quickly. To counter this, Clavister I

Page 419 - Scenario 3

The group type is one of the values IDS, IPS or Policy. These types are explained above.2. Signature Group CategoryThis second level of naming describ

Page 420

6.5.7. Setting Up IDP
The steps for setting up IDP are as follows:
• Create an IDP Rule object which identifies the traffic to be processed.
• Add one or

Page 421

Device:/> add IDPRule Service=smtp
          SourceInterface=wan
          SourceNetwork=wan_net
          DestinationInterface=dmz
          DestinationNetwork=ip_mailserver
          Name=IDPMailSrvRu

Page 422

from the external network that are based on the SMTP protocol.1. Select the Rule Action for the IDP rule2. Now enter:• Action: Protect• Signatures: IP

Page 423 - 6.2.9. The H.323 ALG

Device:/> commitshould be issued to make those changes permanent.Note: Examples in this guide assume activation will be performedMost of the exampl

Page 424 - H.323 ALG Configuration

The following are the recommendations for IDP employment:• Enable only the IDP signatures for the traffic that is being allowed. For example, if the I

Page 425

6.6. Denial-of-Service Attacks
6.6.1. Overview
The same advantages that the Internet brings to business also benefit hackers who use the same public infr

Page 426

The triggering factor is that the last fragment makes the total packet size exceed 65535 bytes, which is the highest number that a 16-bit integer can s
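The check behind that sentence is pure arithmetic on the fragment header, so it is shown here as an added Python example (written for this page, not cOS Core code). The Fragment Offset field is 13 bits and counts 8-byte units, so offset times 8 plus the last fragment's payload plus the IP header is the size the reassembled datagram would have; anything over 65535 cannot fit the 16-bit Total Length field. The fragment streams at the bottom are constructed for illustration.

```python
"""Ping of Death detector: per-fragment reassembled-size check (added example,
not cOS Core code). Each fragment is judged on arrival, so the oversized
datagram is rejected before any reassembly buffer is touched."""
from dataclasses import dataclass
from typing import List, Optional

MAX_DATAGRAM = 65535      # largest value of the 16-bit IP Total Length field
MAX_FRAG_OFFSET = 8191    # 13-bit Fragment Offset field, in 8-byte units


@dataclass(frozen=True)
class Fragment:
    offset_units: int     # Fragment Offset field as carried in the header
    payload_len: int      # bytes of data after the IP header in this fragment
    more_fragments: bool  # MF flag; False on the final fragment


def reassembled_length(frag: Fragment, ihl_bytes: int = 20) -> int:
    """Size the datagram would reach once this fragment is placed:
    IP header + byte offset of the fragment + the fragment's own payload."""
    if not 0 <= frag.offset_units <= MAX_FRAG_OFFSET:
        raise ValueError("fragment offset outside the 13-bit range")
    if frag.payload_len < 0:
        raise ValueError("negative payload length")
    return ihl_bytes + frag.offset_units * 8 + frag.payload_len


def is_oversized(frag: Fragment, ihl_bytes: int = 20) -> bool:
    """True when accepting this fragment would push the datagram past 65535 bytes."""
    return reassembled_length(frag, ihl_bytes) > MAX_DATAGRAM


def check_stream(frags: List[Fragment], ihl_bytes: int = 20) -> Optional[int]:
    """Index of the first fragment that makes the datagram oversized, or None.
    Looking at each fragment as it arrives means the attack is caught on the
    offending fragment itself, without waiting for the rest of the datagram."""
    for i, frag in enumerate(frags):
        if is_oversized(frag, ihl_bytes):
            return i
    return None


# Constructed streams: a benign ~3 KB ping split into 1480-byte pieces, and a
# Ping of Death whose final fragment lands beyond the 65535-byte limit.
BENIGN = [Fragment(0, 1480, True), Fragment(185, 1480, True), Fragment(370, 40, False)]
PING_OF_DEATH = [Fragment(0, 1480, True), Fragment(8183, 66, False)]

if __name__ == "__main__":
    print("benign:", check_stream(BENIGN))
    print("ping of death triggered by fragment:", check_stream(PING_OF_DEATH))
```

Note that the benign stream's second fragment starts at offset 185 (185 × 8 = 1480 bytes), exactly where the first one ended; a gateway that only enforces the per-fragment length limit on the last fragment would still have to cope with overlapping offsets, which is the Jolt2-style case later in this chapter.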

Page 427

• By stripping the URG bit by default from all TCP segments traversing the system. This isconfigurable in the Web Interface by going to:System > Ad

Page 428

• Smurf and Papasmurf type floods will be seen as ICMP Echo Responses at the victim side.Unless FwdFast rules are in use, such packets are never allow

Page 429

If the attacker chooses a fragment offset higher than the limits imposed by the values specifiedin System > Advanced Settings > Length Limit Set

Page 430

6.7. Blacklisting Hosts and Networks
Overview
cOS Core implements a Blacklist of host or network IP addresses which can be utilized to protect against tr

Page 431

It is also important to understand that although whitelisting prevents a particular source frombeing blacklisted, it still does not prevent cOS Core m

Page 432

Chapter 6: Security Mechanisms488

Page 433

Chapter 7: Address Translation
This chapter describes cOS Core address translation capabilities.
• Overview, page 489
• NAT, page 491
• NAT Pools, page 49

Page 434

mean the tunnels are lost and have to be re-established because the tunnel SAs are no longervalid.Checking Configuration IntegrityAfter changing a cOS

Page 435

This section describes and provides examples of configuring NAT and SAT rules.Chapter 7: Address Translation490

Page 436

7.2. NAT
Dynamic Network Address Translation (NAT) provides a mechanism for translating original source IP addresses to a different address. Outgoing pa

Page 437

destination port is used.However, since there is a possible range of 64,500 source ports and the same number fordestination ports, it is theoretically

Page 438

195.11.22.33:32789 => 195.55.66.77:80
3. The recipient server then processes the packet and sends its response.
195.55.66.77:80 => 195.11.22.33:32
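The exchange above is the whole of dynamic NAT: the gateway rewrites the source to its own address plus a port it chose, remembers that choice as state, and uses the state to rewrite the reply. The following is an added Python example of such a state table, written for this page and not taken from cOS Core. The addresses follow the walk-through; the first port it hands out (32768) and the internal hosts are assumptions.

```python
"""Minimal NAPT (dynamic NAT) state table (added example, not cOS Core code).
Outbound packets get the gateway address and a fresh source port; replies are
matched on (translated port, remote endpoint) and rewritten back; anything
without matching state is reported as None, i.e. dropped."""
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (ip, port)


class NaptTable:
    def __init__(self, nat_ip: str, first_port: int = 32768, last_port: int = 65535):
        self.nat_ip = nat_ip
        # Port pool; 32768 as the first port is an assumption for this example.
        self._free = iter(range(first_port, last_port + 1))
        # (translated port, remote endpoint) -> original internal endpoint
        self._states: Dict[Tuple[int, Endpoint], Endpoint] = {}
        # (internal endpoint, remote endpoint) -> translated port, so that later
        # packets of the same flow keep their port instead of consuming a new one
        self._by_flow: Dict[Tuple[Endpoint, Endpoint], int] = {}

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Rewrite an internal source to (nat_ip, port), creating state on first use."""
        key = (src, dst)
        port = self._by_flow.get(key)
        if port is None:
            port = next(self._free)   # raises StopIteration when the pool is exhausted
            self._by_flow[key] = port
            self._states[(port, dst)] = src
        return (self.nat_ip, port)

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """Map a reply addressed to (nat_ip, port) back to the internal host.
        Returns None when no state exists, which is why an unsolicited packet
        from the outside never reaches a NATed host."""
        if dst[0] != self.nat_ip:
            return None
        return self._states.get((dst[1], src))

    def active_states(self) -> int:
        return len(self._states)


if __name__ == "__main__":
    table = NaptTable("195.11.22.33")
    client, server = ("192.168.1.10", 1025), ("195.55.66.77", 80)   # constructed
    translated = table.outbound(client, server)
    print(f"{client} => {translated} => {server}")
    print(f"{server} => {translated} => {table.inbound(server, translated)}")
```

Two internal hosts that happen to use the same source port get distinct translated ports, which is what makes the reply unambiguous; the text's "64,500 source ports" is the size of that pool per translated address, and it is why a single NAT address can carry far more than one host without conflict.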

Page 439 - 6.2.10. The TLS ALG

The NATAction option could be left out since the default value is to use the interface address. Thealternative is to specify UseSenderAddress and use

Page 440 - Enabling TLS

          Service=http-all
          Action=Allow
          SourceAction=NAT
The NATAction option could be left out since the default value is to use the interface address. The alterna

Page 441 - URLs Delivered by Servers

• Several internal machines cannot communicate with the same external server using the same IP protocol.
Note: Restrictions only apply to IP level prot

Page 442

protocol but the PPTP tunnel from the client terminates at the security gateway. When this trafficis relayed between the security gateway and the Inte

Page 443 - 6.3. Web Content Filtering

7.3. NAT Pools
Overview
Network Address Translation (NAT) provides a way to have multiple internal clients and hosts with unique private, internal IP add

Page 444 - RemoveApplets=Yes

is reached then an existing state with the longest idle time is replaced. If all states in the table are active then the new connection is dropped. As a

Page 445 - Wildcarding

4. Routing ... 2524.1. Overview ...

Page 446 - Action=Whitelist

The CLI provides a command called sessionmanager for managing management sessionsthemselves. The command can be used to manage all types of management

Page 447 - 6.3.4.1. Overview

Example 7.3. Using NAT Pools
This example creates a stateful NAT pool with the external IP address range 10.6.13.10 to 10.6.13.15. This is then used wi

Page 448 - Dynamic WCF Processing Flow

• Name: my_stateful_natpool• Pool type: stateful• IP Range: nat_pool_range3. Select the Proxy ARP tab and add the WAN interface4. Click OKC. Finally,

Page 449 - Dynamic WCF and Whitelisting

7.4. SAT
7.4.1. Introduction
cOS Core Static Address Translation (SAT) functionality can translate ranges of IP addresses and/or port numbers to other, p

Page 450 - Tip: Using a schedule

Translating Both Source and Destination AddressIt also possible to have two SAT rules triggering for the same connection. Although unusual, it ispossi

Page 451 - ALG=content_filtering

Specifying the Type of Port MappingIf the Port property is specified for the SAT rule, cOS Core performs port translation in a way thatis slightly dif

Page 452 - Audit Mode

Command-Line Interface
Create a SAT IP rule:
Device:/> add IPRule Action=SAT
          Service=http
          SourceInterface=wan
          SourceNetwork=all-nets
          DestinationInterface

Page 453 - Allowing Override

2. Specify a suitable name for the rule, for example Allow_HTTP_To_DMZ3. Now enter:• Action: Allow• Service: http• Source Interface: wan• Source Netwo

Page 454 - AllowReclassification=Yes

interface of the SAT rule must be set to any. The correct second rule for the external or internaltraffic is then selected based on the source interfa

Page 455 - Category 2: News

Reversing the order of the NAT and Allow rules as shown below solves the problem.
#  Action  Src Iface  Src Net  Dest Iface  Dest Net  Service  SAT Action
1  SA

Page 456

Original Destination Address  Translated Destination Address
194.1.2.19                    192.168.0.53
194.1.2.20                    192.168.0.54
194.1.2.21                    192.168.0.55
194.1.2.22                    192.168.0.5

Page 457

The CLI script command is the tool used for script management and execution. The completesyntax of the command is described in the CLI Reference Guide

Page 458

Create a SAT rule for the translation:
Device:/> add IPRule Action=SAT
          Service=http
          SourceInterface=any
          SourceNetwork=all-nets
          DestinationInterface=wan
          D

Page 459 - Available Banner Files

3. Click OK and repeat for all 5 public IPv4 addressesCreate a SAT rule for the translation:1. Go to: Policies > Add > IPRule2. Specify a suitab

Page 460 - Customizing Banner Files

The SAT IP rule to perform the translation would be:
#  Action  Src Iface  Src Net   Dest Iface  Dest Net    Service  SAT Action
1  SAT     any        all-nets  wan         194.1.2.16

Page 461 - Tip: Saving changes

Device:/> add Address IPAddress wwwsrv_priv Address=10.10.10.5Publish the five public IPv4 addresses on the wan interface using ARP publish. A CLI

Page 462 - 6.4. Anti-Virus Scanning

Finally, create an associated Allow rule:1. Go to: Policies > Add > IPRule2. Specify a suitable name for the rule, for example Allow_HTTP_To_DMZ

Page 463 - Simultaneous Scans

• Attempts to communicate with the web server's public address - port 84, will result in aconnection to the web server's private address - p

Page 464 - Database Updates

• External traffic to wan_ip will match rules 1 and 4, and will be sent to wwwsrv. This is correct.• Return traffic from wwwsrv will match rules 2 and

Page 465

ii. Single Port - This is used for a one-to-one translation to the new port number specified.
iii. Transposed - This transposes a range of port numbers
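Both the address-range table a few pages back (194.1.2.19 to 192.168.0.53 and so on, one-to-one by offset) and the port mapping modes just listed are the same operation: position in the original range decides the translated value. The following is an added Python example of that arithmetic, written for this page rather than taken from cOS Core; the port ranges used are constructed, and the mode named 'none' for an unmodified port is an assumption since only Single Port and Transposed are shown above.

```python
"""SAT range arithmetic (added example, not cOS Core code): one-to-one address
range translation and the port mapping modes (keep, single port, transposed)."""
import ipaddress
from typing import Optional


def translate_address(dst: str, orig_first: str, new_first: str, count: int) -> Optional[str]:
    """Map dst into the new range by its offset from orig_first.

    Returns None when dst lies outside the original range, i.e. the SAT rule
    does not trigger for this destination. Works for IPv4 and IPv6 alike.
    """
    d = ipaddress.ip_address(dst)
    o = ipaddress.ip_address(orig_first)
    n = ipaddress.ip_address(new_first)
    if count < 1:
        raise ValueError("range must contain at least one address")
    pos = int(d) - int(o)
    if not 0 <= pos < count:
        return None
    return str(n + pos)


def translate_port(port: int, mode: str, orig_first: int, orig_last: int, new_port: int) -> Optional[int]:
    """Port mapping for a SAT rule whose service covers orig_first..orig_last.

    mode 'none'       : port is left unchanged (assumed name for 'no translation')
    mode 'single'     : every port in the range maps to new_port (one-to-one
                        to the single new port, as in item ii above)
    mode 'transposed' : the range is shifted so that orig_first -> new_port,
                        orig_first+1 -> new_port+1, ... (item iii above)
    Returns None when the port is outside the service's range.
    """
    if not orig_first <= port <= orig_last:
        return None
    if mode == "none":
        return port
    if mode == "single":
        return new_port
    if mode == "transposed":
        shifted = new_port + (port - orig_first)
        if shifted > 65535:
            raise ValueError("transposed port exceeds 65535")
        return shifted
    raise ValueError(f"unknown port mapping mode {mode!r}")


if __name__ == "__main__":
    for ip in ("194.1.2.19", "194.1.2.20", "194.1.2.21", "194.1.2.22", "194.1.2.23"):
        print(ip, "->", translate_address(ip, "194.1.2.19", "192.168.0.53", 4))
    print("port 82 transposed from 80-85 onto 1080:", translate_port(82, "transposed", 80, 85, 1080))
    print("port 83 single-mapped onto 8080:", translate_port(83, "single", 80, 85, 8080))
```

The None return is the part worth keeping in mind when writing the companion Allow rule: a destination or port outside the SAT rule's range simply falls through to the next rule, so an Allow rule broader than the SAT rule will pass untranslated traffic.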

Page 466 - 6.4.4. Anti-Virus Options

7.4.8. Protocols Handled by SATGenerally, SAT can handle all protocols that allow address translation to take place. However,there are protocols that

Page 467 - Verifying the MIME Type

Chapter 7: Address Translation519

Page 468

Device:/> script -execute -name=my_script.sgs 126.12.11.01 "If1 address"When the script file runs, the variable replacement would mean th

Page 469 - 6.5.1. Overview

Chapter 8: User Authentication
This chapter describes how cOS Core implements user authentication.
• Overview, page 520
• Authentication Setup, page 522
•

Page 470 - Automatic Updating

Method A may require a special piece of equipment such as a biometric reader. Another problemwith A is that the special attribute often cannot be repl

Page 471 - 6.5.3. IDP Rules

8.2. Authentication Setup
8.2.1. Setup Summary
The following list summarizes the steps for User Authentication setup with cOS Core:
• Have an authenticat

Page 472 - HTTP Normalization

policy that allows the connections.When specifying the Source Network for an IP rule or policy, a user defined IP object can be usedwhere the Authenti

Page 473 - Insertion Attacks

If the Network behind user option is specified then this is the metric that will be used withthe route that is automatically added by cOS Core. If the

Page 474 - 6.5.5. IDP Pattern Matching

Web InterfaceFirst, create a new user database:1. Go to: System > Device > Local User Databases > Add > LocalUserDatabase2. Now enter:• Na

Page 475 - 6.5.6. IDP Signature Groups

RADIUS SecurityTo provide security, a common shared secret is configured on both the RADIUS client and theserver. This secret enables encryption of th

Page 476 - IDP Signature Wildcarding

for security.
A retry timeout value of 2 means that cOS Core will resend the authentication request to the server if there is no response after 2 seconds

Page 477 - 6.5.7. Setting Up IDP

LDAP IssuesUnfortunately, setting up LDAP authentication may not be as simple as, for example, RADIUSsetup. Careful consideration of the parameters us

Page 478

• NameThe name given to the server object for reference purposes in cOS Core. For example, cOSCore authentication rules may be defined which reference

Page 479 - IDP Traffic Shaping

Removing ScriptsTo remove a saved script, the script -remove command can be used. For example, to remove themy_script.sgs script file, the command wou

Page 480 - IDP Database Updating

In Microsoft Active Directory, the groups a user belongs to can be found by looking at a user's details under the MemberOf tab.
• Use Domain Name
Some ser

Page 481 - 6.6.3. Ping of Death Attacks

• Base ObjectDefines where in the LDAP server tree search for user accounts shall begin.The users defined on an LDAP server database are organized int

Page 482 - 6.6.6. The WinNuke attack

contains the user password in plain text. The LDAP server administrator must make sure thatthis field actually does contain the password. This is expl

Page 483 - 6.6.7. Amplification Attacks

• Total number of invalid usernames.
• Total number of invalid passwords.
LDAP Authentication CLI Commands
The CLI objects that correspond to LDAP servers

Page 484 - 6.6.9. The Jolt2 Attack

B. PPP Authentication with CHAP, MS-CHAPv1 or MS-CHAPv2 EncryptionIf PPP with CHAP, MS-CHAPv1 or MS-CHAPv2 is used for authentication, a digest of the

Page 485

between the Clavister Security Gateway and the server must be protected. A VPN linkshould be used if the link between the two is not local.Access to t

Page 486 - Whitelisting

rule since one single rule with XAuth as the agent will be used for all IPsec tunnels.However, this approach assumes that a single authentication sour

Page 487 - The CLI blacklist Command

The maximum time that a connection can exist (no value is specified by default).If an authentication server is being used then the option to Use timeo

Page 488

7. If a timeout restriction is specified in the authentication rule then the authenticated user willbe automatically logged out after that length of t

Page 489 - 7.1. Overview

HTTP authentication cannot operate unless a rule is added to the IP rule set to explicitly allowauthentication to take place. This is also true with H

Page 490

The following should be noted for automatically created scripts:• Automatically created scripts omit the object category.In the created script example

Page 491 - 7.2. NAT

after authentication, as it is defined in the IP rule.It is assumed that the authentication IPv4 address object lan_users_net has been defined and thi

Page 492 - Applying NAT Translation

2. Now enter:• Name: allow_http_auth• Action: NAT• Service: http-all• Source Interface: lan• Source Network: lan_users_net• Destination Interface any•

Page 493

8.3. ARP Authentication
ARP authentication (sometimes referred to as MAC authentication) is authentication based on the MAC address of a connecting clie

Page 494

Specifying the MAC Address on a ServerThe MAC address is entered as a text string in the database of the authenticating server. This textstring must f

Page 495 - Protocols Handled by NAT

8.4. Customizing Authentication HTML Pages
User Authentication makes use of a set of HTML files to present information to the user during the authentica

Page 496

HTML Page Parameters
The HTML pages for WebAuth can contain a number of parameters which are used as needed. These are:
• %CHALLENGE_MESSAGE% - The quest

Page 497

Follow the same steps used for the Web Interface below.Web Interface1. Go to: System > Advanced Settings > HTTP Banner files > Add > ALG B

Page 498 - 7.3. NAT Pools

The usage of SCP clients is explained further in Section 2.1.6, “Secure Copy”.4. Using the CLI, the relevant user authentication rule should now be se

Page 499 - Using NAT Pools

8.5. Policies Requiring Authentication
Once a user is authenticated to cOS Core, it is then possible to create security policies in the form of IP rules

Page 500

InControlFollow the same steps used for the Web Interface below.Web InterfaceCreate the IP4Address object that specifies the IP range of connecting cl

Page 501

Commenting Script FilesAny line in a script file that begins with the # character is treated as a comment. For example:# The following line defines th

Page 502 - 7.4. SAT

8.6. User Identity Awareness
Sometimes it is more convenient for client users if they can automatically validate themselves to cOS Core instead of being

Page 503 - SAT IP Rule Properties

iii. The user's IP.
The Identity Awareness Agent must be installed on all domain controllers that make up the Active Directory.
• The user's IP

Page 504 - The Role of a DMZ

usernames that will be allowed are user1@mydomain and user2@mydomain. It is also assumed that the Clavister Authentication Agent software has already b

Page 505

2. Select the User Authentication tab3. In the username box enter: user1@mydomain,user2@mydomain4. Click OKCreate an IP Policy which allows access to

Page 506

Figure 8.4. The Identity Awareness Agent InterfaceThe Encryption Key and Listening IP should be set to the same values configured in the cOS CoreAuthe

Page 507

• At least Windows Server 2008™ R2.• The role Remote Desktop Session Host must be installed.• The option IP virtualization per session must be enabled

Page 508

8.7. Two Factor Authentication
When access to resources is based on username and password credentials, the security can be further strengthened by using

Page 509

“Customizing Authentication HTML Pages”.• The administrator must configure the RADIUS server appropriately and that is not covered inthis document.• I

Page 510

8.8. Radius Relay
Overview
The cOS Core feature RADIUS Relay is designed for telecom scenarios, such as Mobile Data Offloading (MDO), where User Equipmen

Page 511

If this is not done on all DHCP servers, irrespective of whether they are used with RADIUSrelay or not, it could possibly create a security vulnerabil

Page 512 - 194.1.2.30

File type                 Upload possible        Download possible
System Backup (full.bak)  Yes (also with WebUI)  Yes (also with WebUI)
Firmware upgrades         Yes                    No
Licenses (licen

Page 513

This optional IP address will be used as the sending IP of the request sent to the RADIUSserver. If not set, the IP address of the sending interface w

Page 514 - 7.4.5. Port Translation

Device:/> add IPRule Action=Allow
          Service=all_services
          SourceInterface=If1
          SourceNetwork=client_net
          DestinationInterface=If2
          DestinationNetwork=all-nets

Page 515 - 7.4.6. SAT with FwdFast Rules

• Netmask: 255.255.255.03. Select the Options tab and enable the option:Distribute leases only to RADIUS relay authenticated clients4. Click OKCreate

Page 516

specific attribute. The Clavister Vendor ID is 5089 and the Clavister-User-Group is defined as vendor-type 1 with a string value type.
Chapter 8: User A
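Two pieces of this chapter's RADIUS material are exact enough to show on the wire: the shared secret that hides the User-Password in an Access-Request (the encryption mentioned under "RADIUS Security" earlier), and the Vendor-Specific attribute carrying Clavister-User-Group with vendor ID 5089 and vendor-type 1. The following is an added Python example of both, written for this page; it follows RFC 2865 and is not the cOS Core implementation. The secret, authenticator, username and group name are constructed values.

```python
"""RADIUS attribute building and parsing (added example, not cOS Core code):
RFC 2865 User-Password hiding with the shared secret, and the Clavister
Vendor-Specific attribute (vendor 5089, vendor-type 1, string) that carries
the user's group name back in the Access-Accept."""
import hashlib
import struct
from typing import List, Tuple

CLAVISTER_VENDOR_ID = 5089
CLAVISTER_USER_GROUP = 1      # vendor-type of Clavister-User-Group (string)
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_VENDOR_SPECIFIC = 26


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator.
    The secret never travels; a server without it cannot recover the password."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; strips the NUL padding."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def clavister_user_group(group: str) -> bytes:
    """Vendor-Specific (26) wrapping Vendor-Id 5089 and one vendor sub-attribute."""
    sub = attribute(CLAVISTER_USER_GROUP, group.encode())  # same TLV layout inside the VSA
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CLAVISTER_VENDOR_ID) + sub)


def parse_attributes(data: bytes) -> List[Tuple[int, bytes]]:
    """Walk a TLV list; rejects lengths that would run past the buffer."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def user_groups(attrs: List[Tuple[int, bytes]]) -> List[str]:
    """Collect Clavister-User-Group strings; VSAs from other vendors are ignored."""
    groups = []
    for t, v in attrs:
        if t != ATTR_VENDOR_SPECIFIC or len(v) < 6:
            continue
        if struct.unpack("!I", v[:4])[0] != CLAVISTER_VENDOR_ID:
            continue
        for vt, vv in parse_attributes(v[4:]):
            if vt == CLAVISTER_USER_GROUP:
                groups.append(vv.decode())
    return groups


if __name__ == "__main__":
    auth = bytes(range(16))   # constructed; a real client draws this from a CSPRNG
    req = attribute(ATTR_USER_NAME, b"user1") + attribute(
        ATTR_USER_PASSWORD, hide_password(b"s3cret", b"shared", auth))
    print("Access-Request attributes:", req.hex())
    print("Access-Accept group VSA:  ", clavister_user_group("admins").hex())
```

The MD5-based hiding is obfuscation keyed on the shared secret, not authenticated encryption, which is why the text insists that the link to the RADIUS server be local or carried inside a VPN; the VSA, by contrast, is sent in the clear in the Access-Accept and is only trustworthy because the Response Authenticator covers it.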

Page 517

Chapter 8: User Authentication564

Page 518

Chapter 9: VPN
This chapter describes the Virtual Private Network (VPN) functionality in cOS Core.
• Overview, page 565
• VPN Quick Start, page 569
• IPse

Page 519

2. Client to LAN connection - Where many remote clients need to connect to an internalnetwork over the Internet. In this case, the internal network is

Page 520 - 8.1. Overview

normally not handled at the network level but rather is usually done at a higher, transactionlevel.9.1.3. VPN PlanningAn attacker targeting a VPN conn

Page 521

access per user (group) in the future.• Should the keys be changed? If they are changed, how often? In cases where keys are sharedby multiple users, c

Page 522 - 8.2. Authentication Setup

9.2. VPN Quick Start
Overview
Later sections in this chapter will explore VPN components in detail. To help put those later sections in context, this sec

Page 523 - PPTP/L2TP Configuration

To download a configuration backup to the current local directory, the command would be:> scp [email protected]:config.bak ./To upload a file to an

Page 524 - Specifying an SSH Public Key

9.2.1. IPsec LAN to LAN with Pre-shared Keys
The objective is to create a secure means of joining two networks: a Local Network which is on the protecte

Page 525 - RADIUS Usage with cOS Core

• An Allow rule for outbound traffic that has the previously defined ipsec_tunnel object asthe Destination Interface. The rule's Destination Netw

Page 526 - Support for Groups

Note: The system time and date should be correctThe cOS Core date and time should be set correctly since certificates have an expiry dateand time.Also

Page 527 - 8.2.4. External LDAP Servers

A. IP addresses already allocatedthe IPv4 addresses may be known beforehand and have been pre-allocated to the roamingclients before they connect. The

Page 528 - General Settings

NoteThe option to dynamically add routes should not be enabled in LAN to LANtunnel scenarios.• Enable the option Require IKE XAuth user authentication

Page 529

• Specify if the client will use config mode.There are a variety of IPsec client software products available from a number of suppliers and thismanual

Page 530 - Database Settings

internal network and handed out to a client.• Use a new address range that is totally different to any internal network. This preventsany chance of an

Page 531 - Optional Settings

• Add individual users to TrustedUsers. This should consist of at least a username andpassword combination.The Group string for a user can also be spe

Page 532 - Usernames may need the Domain

The step to set up user authentication is optional since this is additional security to certificates.Also review Section 9.7, “CA Server Access”, whic

Page 533 - LDAP Authentication and PPP

As described for L2TP, the NAT rule lets the clients access the public Internet via the ClavisterSecurity Gateway.5. Set up the client. For Windows XP

Page 534

confirmation.The console password can be any sequence of characters but must be no greater than 64characters in length. It is recommended to use only

Page 535 - 8.2.5. Authentication Rules

with a PSK tunnel for L2TP/IPsec.7. Create a User Authentication Rule with the following properties:i. Authentication Agent: XAuthii. Authentication S

Page 536 - Connection Timeouts

9.3. IPsec Components
This section looks at the IPsec standards and describes in general terms the various components, techniques and algorithms that ar

Page 537 - Multiple Logins

IPsec protocol used (ESP/AH/both) as well as the session keys used to encrypt/decrypt and/orauthenticate/verify the transmitted data.An SA is unidirec

Page 538 - 8.2.7. HTTP Authentication

will reply by saying that nothing on the list was acceptable, and possibly also provide a textualexplanation for diagnostic purposes.This negotiation

Page 539 - Forcing Users to a Login Page

unique piece of data uniquely identifying the endpoint.Authentication using Pre-Shared Keys is based on theDiffie-Hellman algorithm.Local and RemoteNe

Page 540

parameters, such as Diffie-Hellman groups and PFS, cannot be negotiated and this means it is important to have "compatible" configurations at b

Page 541

It is specified in time (seconds) as well as data amount(kilobytes). Whenever one of these expires, a new phase-1exchange will be performed. If no dat

Page 542 - 8.3. ARP Authentication

authentication.The algorithms supported by Clavister Security GatewayVPNs are:• SHA1• MD5IPsec Lifetime This is the lifetime of the VPN connection. It

Page 543 - 00-0c-19-f9-14-6f

Manual Keying AdvantagesSince it is very straightforward it will be quite interoperable. Most interoperability problemsencountered today are in IKE. M

Page 544 - HTTP Banner Files

case when using pre-shared keys and roaming clients. Instead, should a client be compromised,the client's certificate can simply be revoked. No n

Page 545

• Reset to Factory DefaultsThis option will restore the hardware to its initial factory state. The operations performed ifthis option is selected are

Pagina 546 - Uploading with SCP

Figure 9.2. The ESP protocol
9.3.5. NAT Traversal
Both IKE and IPsec protocols present a problem in the functioning of NAT. Both protocols were not desig

Pagina 547

UDP Encapsulation
Another problem that NAT traversal resolves is that the ESP protocol is an IP protocol. There is no port information as we have in TCP

Pagina 548

CAST128, MD5, SHA1.
Example 9.1. Using an Algorithm Proposal List
This example shows how to create and use an IPsec Algorithm Proposal List for use in t

Pagina 549

9.3.7. Pre-shared Keys
Pre-Shared Keys are used to authenticate VPN tunnels. The keys are secrets that are shared by the communicating parties before co

Pagina 550 - 8.6. User Identity Awareness

2. Enter a name for the pre-shared key, for example MyPSK
3. Choose Hexadecimal Key and click Generate Random Key to generate a key to the Passphrase te

Pagina 551 - Setting Up Identity Awareness

Command-Line Interface
First create an Identification List:
Device:/> add IDList MyIDList
Then, create an ID:
Device:/> cc IDList MyIDList
Device:/My

Pagina 552

• Country: Sweden
• Email Address: [email protected]. Click OK
Finally, apply the Identification List to the IPsec tunnel:
1. Go to: Network > I

Pagina 553

9.4. IPsec Tunnels
Many of the properties of the IPsec tunnel objects required for tunnel establishment have already been discussed in Section 9.3.2, “I

Pagina 554

negotiations then take place, resulting in the tunnel becoming established to the remote endpoint.
Local Initiation of Tunnel Establishment
Alternatively

Pagina 555 - Device:/> authagentsnoop

The advanced settings for DPD are described further in Section 9.4.6, “IPsec Advanced Settings”. DPD is enabled by default for cOS Core IPsec tunnels.

Pagina 556 - Processing Sequence

6.2.9. The H.323 ALG ... 423
6.2.10. The TLS ALG ...

Pagina 557

Note: Output buffer limitations
The only limitation with issuing CLI commands through the serial console is that there is a finite buffer allocated for

Pagina 558 - 8.8. Radius Relay

• Set up the Rules (a 2-way tunnel requires 2 rules).
9.4.3. Roaming Clients
An employee who is on the move who needs to access a central corporate serv

Pagina 559

1. Go to: Network > Interfaces and VPN > IPsec > Add > IPsec Tunnel
2. Now enter:
• Name: RoamingIPsecTunnel
• Local Network: 10.0.1.0/24 (Th

Pagina 560

B. Upload all the client self-signed certificates:
1. Go to: Objects > Key Ring > Add > Certificate
2. Enter a suitable name for the Certificat

Pagina 561

• Identification List: Select the ID List that is to be associated with the VPN Tunnel. In this case, it will be sales
5. Under the Routing tab:
• Enable

Pagina 562

5. Enter the name for the client
6. Select Email as Type
7. In the Email address field, enter the email address selected when the certificate was created

Pagina 563

with IP addresses and corresponding netmasks, and to exchange other types of information associated with DHCP. The IP address provided to a client can

Pagina 564

Example 9.8. Using Config Mode with IPsec Tunnels
Assuming a predefined tunnel called vpn_tunnel1 this example shows how to enable Config Mode for that

Pagina 565 - Chapter 9: VPN

A Root Certificate usually includes the IP address or hostname of the Certificate Authority to contact when certificates or CRLs need to be downloaded

Pagina 566 - 9.1.2. VPN Encryption

The ikesnoop command can be entered via a CLI console or directly via the RS232 Console. To begin monitoring the full command is:
Device:/> ikesnoop

Pagina 567 - 9.1.4. Key Distribution

Life type : Seconds
Life duration : 43200
Life type : Kilobytes
Life duration : 50000
Transform 2/4
Transform ID : IKE
Encryption algorithm : Rijndael-cbc (

Pagina 568

If the administrator expects that configuration changes will break the communication between cOS Core and the web browser (for example, by changing the

Pagina 569 - 9.2. VPN Quick Start

Authentication method: Pre-shared key or certificate
Group description: Diffie Hellman (DH) group
Life type: Seconds or kilobytes
Life duration: No of se

Pagina 570

Step 3. Client Begins Key Exchange
The server has accepted a proposal at this point and the client now begins a key exchange. In addition, NAT detectio

Pagina 571 - Interface Network Gateway

Payload data length : 16 bytes
N (Notification)
Payload data length : 8 bytes
Protocol ID : ISAKMP
Notification : Initial contact
Explanation of Above Valu

Pagina 572

SA life duration : 50000
Encapsulation mode : Tunnel
Transform 2/4
Transform ID : Rijndael (aes)
Key length : 128
Authentication algorithm : HMAC-SHA-1
SA l

Pagina 573

Packet length : 156 bytes
# payloads : 5
Payloads:
HASH (Hash)
Payload data length : 16 bytes
SA (Security Association)
Payload data length : 56 bytes
DOI :

Pagina 574 - Configuring IPsec Clients

Default: 4 times the license limit of IPsec Max Tunnels
IPsec Max Tunnels
Specifies the total number of IPsec tunnels allowed. This value is initially t

Pagina 575

turn be signed by another CA, which may be signed by another CA, and so on. Each certificate will be verified until one that has been marked as "t

Pagina 576

Default: Inline
Disable Public-Key Hardware Acceleration
This option would only be enabled for troubleshooting and diagnostic purposes. In normal operati

Pagina 577

Default: 15 seconds
Chapter 9: VPN 618

Pagina 578 - 9.2.7. PPTP Roaming Clients

9.5. PPTP/L2TP
The access by a client using a modem link over dial-up public switched networks, possibly with an unpredictable IP address, to protected

Pagina 579 - 9.2.8. iOS Setup

An Alternative Method of Changing Management Interface
An alternative method of changing the management interface and to avoid the 30 second delay entir

Pagina 580

Troubleshooting PPTP
A common problem with setting up PPTP is that a router and/or switch in a network is blocking TCP port 1723 and/or IP protocol 47 b

Pagina 581 - 9.3. IPsec Components

9.5.2. L2TP Servers
Layer 2 Tunneling Protocol (L2TP) is an IETF open standard that overcomes many of the problems of PPTP. Its design is a combination

Pagina 582 - IKE Algorithm Proposals

4. Under the PPP Parameters tab, select L2TP_Pool in the IP Pool control.
5. Under the Add Route tab, select all-nets in the Allowed Networks control.
6

Pagina 583 - IPsec Tunnel Properties

Now we will set up the IPsec Tunnel, which will later be used in the L2TP section. As we are going to use L2TP, the Local Network is the same IP as the

Pagina 584

l2tp_ipsec. ProxyARP also needs to be configured for the IPs used by the L2TP Clients.
C. Setup the L2TP Tunnel:
Command-Line Interface
Device:/> add

Pagina 585

Follow the same steps used for the Web Interface below.
Web Interface
1. Go to: Policies > User Authentication > User Authentication Rules > Add >

Pagina 586

• Action: Allow
• Service: all_services
• Source Interface: l2tp_tunnel
• Source Network: l2tp_pool
• Destination Interface: any
• Destination Network: all

Pagina 587 - 9.3.3. IKE Authentication

Pass L2TP traffic sent to the Clavister Security Gateway directly to the L2TP Server without consulting the rule set.
Default: Enabled
PPTP Before Rules
P

Pagina 588

• Activity Sense - Specifies if dial-on-demand should trigger on Send or Recv or both.
• Idle Timeout - The time of inactivity in seconds to wait befor

Pagina 589 - AH (Authentication Header)

L2TP Version 3 (L2TPv3) is a tunneling protocol that is an alternative to standard L2TP (standard L2TP is also referred to as L2TPv2). L2TPv2 can only

Pagina 590 - 9.3.5. NAT Traversal

4. Set the following:
• IP address: 192.168.1.2
5. Click OK
Note: In virtualized configurations, interface addresses are stored in the top level of the

Pagina 591 - NAT Traversal Configuration

Change the properties of the Ethernet interface connected to the protected network so that Transparent Mode is enabled.
C. Set any required L2TPv3 Serve

Pagina 592

IP=If3_ip
LocalNetwork=If3_net
Interface=If2
ServerIP=If2_ip
B. Next, enable transparent mode on the protected interface If3:
Device:/> set Interface Et

Pagina 593 - 9.3.7. Pre-shared Keys

Assume the same scenario as the previous example, but this time the L2TPv3 tunnel is itself being tunneled through an IPsec Tunnel object called my_ips

Pagina 594 - 9.3.8. Identification Lists

The cOS Core L2TPv3 server can handle VLAN tagged Ethernet frames so that a protected internal network can be accessed by external clients over VLAN co

Pagina 595

Device:/> add Interface VLAN my_vlan_local
Ethernet=If3
VLANID=555
IP=If3_arbitrary_ip1
Network=If3_net
AutoSwitchRoute=Yes
C. Last, create a VLAN object

Pagina 596

5. Click OK
C. Last, create a VLAN object on the L2TPv3 tunnel interface my_l2tpv3_if:
1. Go to: Network > Interfaces and VPN > VLAN > Add >

Pagina 597 - 9.4. IPsec Tunnels

9.6. SSL VPN
9.6.1. Overview
cOS Core provides an additional type of VPN connection called SSL VPN. This makes use of the Secure Sockets Layer (SSL) prot

Pagina 598 - Dead Peer Detection

iv. Client users need to be defined in the Authentication Source of the authentication rule. This source can be a local user database, a RADIUS server

Pagina 599 - IPsec Tunnel Quick Start

network and these define the relationship between the security gateway and the connecting clients. A private IP network should be used for this purpose.

Pagina 600 - 9.4.3. Roaming Clients

Note: Pool addresses must not exceed a /24 network size
SSL VPN will not function correctly if an IP address is handed out that exceeds the size of a Cl

Pagina 601

Example 2.7. Changing the HA Management IP Address
This example will change the slave management IP address for the lan interface to 192.168.1.2 for an

Pagina 602

If this option has not been chosen before, it must be selected first to install the proprietary Clavister SSL VPN client application.
ii. Connect the SS

Pagina 603

Figure 9.6. The SSL VPN Client Login
The difference between the two approaches above is that when the SSL VPN client software is started by browsing to

Pagina 604 - Using Config Mode

Figure 9.7. The SSL VPN Client Statistics
SSL VPN Client Operation
Whenever the SSL VPN client application runs, the following happens:
• A route is adde

Pagina 605

Should the SSL VPN client application terminate prematurely for some reason, the Windows routing table may not be left in a consistent state and the au

Pagina 606 - Local Gateway

1. Go to: Network > Interfaces and VPN > SSL > Add > SSL VPN Interface
2. Now enter:
• Specify a suitable name, in this example my_sslvpn_if

Pagina 607 - Using ikesnoop

For external client connection, a web browser should be directed to the IP address my_sslvpn_if. This is done either by typing the actual IP address or

Pagina 608 - The Client and the Server

9.7. CA Server Access
Overview
Certificate validation can be done by accessing a separate Certification Server (CA) server. For example, the two sides of

Pagina 609 - Explanation of Values

Gateway through the public DNS system.
The same steps should be followed if the other side of the tunnel is another security gateway instead of being ma

Pagina 610

the way they work but the majority will attempt to validate the certificate.
Placement of Private CA Servers
The easiest solution for placement of a pri

Pagina 611

9.8. VPN Troubleshooting
This section deals with how to troubleshoot the common problems that are found with VPN.
9.8.1. General Troubleshooting
In all t

Pagina 612 - Step 6. Server ID Response

• User Database: AdminUsers
• Interface: If2
• Network: all-nets
5. Click OK
2.1.9. Management Advanced Settings
Under the Remote Management section of the

Pagina 613

9.8.2. Troubleshooting Certificates
If certificates have been used in a VPN solution then the following should be looked at as a source of potential pro

Pagina 614 - IPsec Max Rules

For example, with a large number of tunnels avoid using:
Device:/> ipsecstat -num=all
Another example of what to avoid with many tunnels is:
Device:/>

Pagina 615

3. Ike_invalid_payload, Ike_invalid_cookie.
4. Payload_Malformed.
5. No public key found.
6. ruleset_drop_packet.
1. Could not find acceptable proposal /

Pagina 616 - IPsec Hardware Acceleration

Name  Local Network  Remote Network  Remote Gateway
VPN-3  lannet  office3net  office3gw
Since the tunnel L2TP in the above table is above the tunnel VPN-3, a

Pagina 617 - DPD Expire Time

• The Clavister Security Gateway is unable to reach the Certificate Revocation List (CRL) on the CA server in order to verify if the certificate is val

Pagina 618 - Default: 15 seconds

In this scenario, it can be seen that the defined remote network on Side B is larger than that defined for Side A's local network. This means that

Pagina 620 - Troubleshooting PPTP

Chapter 10: Traffic Management
This chapter describes how cOS Core can manage network traffic.
• Traffic Shaping, page 657
• IDP Traffic Shaping, page 67

Pagina 621 - 9.5.2. L2TP Servers

to the outer IP header of ESP packets of IPsec tunnels. The field can alternatively be set to a fixed value in the outer tunnel packets as described in

Pagina 622

Clavister Security Gateway. Different rate limits and traffic guarantees can be created as policies based on the traffic's source, destination and

Pagina 623

• Realtime loggers: 4
• Stat pollers: 4
• Receive contexts: 2
• Send contexts: 4
NetConMaxChannels is the maximum total allowed for all these connection t

Pagina 624

Security Gateway. One, none or a series of pipes may be specified.
• The Return Chain
These are the pipe or pipes that will be used for incoming (arrivi

Pagina 625

Figure 10.2. FwdFast Rules Bypass Traffic Shaping
Using Pipes with Application Control
When using the Application Control feature, it is possible to ass

Pagina 626 - L2TP Before Rules

3. Enter 2000 in the Total textbox under Pipe Limits
4. Click OK
Traffic needs to be passed through the pipe and this is done by using the pipe in a Pip

Pagina 627 - 9.5.4. PPTP/L2TP Clients

A single pipe does not care in which direction the traffic through it is flowing when it calculates total throughput. Using the same pipe for both outb

Pagina 628 - 9.5.5. L2TP Version 3

Follow the same steps used for the Web Interface below.
Web Interface
1. Go to: Traffic Management > Traffic Shaping > Pipe Rules
2. Right-click on

Pagina 629 - 9.5.5.1. L2TPv3 Server

Figure 10.3. Differentiated Limits Using Chains
If surfing uses the full limit of 125 Kbps, those 125 Kbps will occupy half of the std-in pipe leaving 1

Pagina 630

Figure 10.4. The Eight Pipe Precedences
Precedence Priority is Relative
The priority of a precedence comes from the fact that it is either higher or low

Pagina 631 - Using IPsec for Encryption

handle. If a packet arrives with an already allocated precedence below the minimum then its precedence is changed to the minimum. Similarly, if a packe

Pagina 632 - Setup With VLANs

Lowest Precedence Limits
It is usually not needed to have a limit specified for the lowest (best effort) precedence since this precedence simply uses

Pagina 633 - ServerIP=If2_ip

If more than 96 Kbps of precedence 2 traffic arrives, any excess traffic will be moved down to the best effort precedence. All traffic at the best effo

Pagina 634

Object Organization
In the Web Interface the configuration objects are organized into a tree-like structure based on the type of the object.
In the CLI,

Pagina 635

before ssh-in and telnet-in, then traffic will reach std-in at the lowest precedence only and hence compete for the 250 Kbps of available bandwidth wit

Pagina 636 - 9.6. SSL VPN

In addition to, or as an alternative to the total group limit, individual precedences can have values specified. These values are, in fact, guarantees

Pagina 637 - SSL VPN with PPPoE

• Set the pipe limit, as usual, to be 400 Kbps.
• Set the Grouping option for the pipe to have the value Destination IP.
• Set the total for the pipe'

Pagina 638

balancing lowers the limit per user to about 13 Kbps (64 Kbps divided by 5 users).
Dynamic Balancing takes place within each precedence of a pipe indiv

Pagina 639

changing conditions.
Attacks on Bandwidth
Traffic shaping cannot protect against incoming resource exhaustion attacks, such as DoS attacks or other flood

Pagina 640

• Dynamic Balancing can be used to specify that all users in a group get a fair and equal amount of bandwidth.
10.1.10. More Pipe Examples
This section l

Pagina 641 - Client Transfer Statistics

Rule Name  Forward Pipes  Return Pipes  Source Interface  Source Network  Destination Interface  Destination Network  Selected Service
all_1mbps  out-pipe  in-pipe  lan  lannet

Pagina 642 - Client Cleanup

Rule Name  Forward Pipes  Return Pipes  Source Interface  Source Network  Dest Interface  Dest Network  Selected Service  Precedence
other  out-other out-pipe  in-other in-pipe  lan

Pagina 643 - 9.6.4. SSL VPN Setup Example

Total: 2000
The following pipe rules are then needed to force traffic into the correct pipes and precedence levels:
Rule Name  Forward Pipes  Return Pipes  SrcInt

Pagina 644

10.2. IDP Traffic Shaping
10.2.1. Overview
The IDP Traffic Shaping feature is traffic shaping that is performed based on information coming from the cOS

Pagina 645

values of the object properties. This example shows how to display the contents of a configuration object representing the telnet service.
Command-Line

Pagina 646 - 9.7. CA Server Access

This will be the period of time after rule triggering during which traffic shaping is applied to any associated connections that are opened. Typically,

Pagina 647 - CA Server Access by Clients

Unintended Consequences
To explain this unintended traffic shaping, consider a client A that connects to host X with P2P traffic and triggers an IDP rul

Pagina 648 - Turning Off validation

Figure 10.8. IDP Traffic Shaping P2P Scenario
10.2.6. Viewing Traffic Shaping Objects
Viewing Hosts
IDP traffic shaping has a special CLI command associa

Pagina 649 - 9.8. VPN Troubleshooting

Device:/> pipes -show
The IDP Traffic Shaping pipes can be recognized by their distinctive naming convention which is explained next.
Pipe Naming
cOS C

Pagina 650 - The ipsecstat console command

10.3. Threshold Rules
Overview
The objective of a Threshold Rule is to have a means of detecting abnormal connection activity as well as reacting to it.

Pagina 651 - The ikesnoop console command

• Host Based
The threshold is applied separately to connections from different IP addresses.
• Network Based
The threshold is applied to all connections

Pagina 652 - 2. Incorrect pre-shared key

The length of time, in seconds, for which the source is blacklisted can also be set. This feature is discussed further in Section 6.7, “Blacklisting Ho

Pagina 653 - 5. No public key found

10.4. Server Load Balancing
10.4.1. Overview
The Server Load Balancing (SLB) feature allows the administrator to spread client application requests over

Pagina 654 - 9.8.6. Specific Symptoms

• SLB can allow network administrators to perform maintenance tasks on servers or applications without disrupting services. Individual servers can be r

Pagina 655

10.4.3. Selecting Stickiness
In some scenarios, such as with SSL connections, it is important that the same server is used for a series of connections f

Pagina 656

InControl
Follow the same steps used for the Web Interface below.
Web Interface
1. Go to: Objects > Services
2. Select the telnet entry in the list
3. I

Pagina 657 - 10.1. Traffic Shaping

The default value for this setting is 2048 slots in the table.
• Net Size
The processing and memory resources required to match individual IP addresses

Pagina 658 - Traffic Shaping Objectives

Figure 10.11. Stickiness and Round-Robin
If the connection-rate algorithm is applied instead, R1 and R2 will be sent to the same server because of stick

Pagina 659 - Pipe Rule Chains

that the routing table chosen must necessarily contain routes for all the servers in the SLB rule.)
Monitoring Methods
The method by which hosts are pol

Pagina 660

• Ports
The port number for polling when using the TCP or HTTP option. More than one port number can be specified in which case all ports will be polled

Pagina 661

The table below shows the rules that would be defined for a typical scenario of a set of web servers behind the Clavister Security Gateway for which th

Pagina 662

Device:/> add IPRule Action=SLB_SAT
SourceInterface=any
SourceNetwork=all-nets
DestinationInterface=core
DestinationNetwork=wan_ip
Service=http-all
SLBAd

Pagina 663

1. Go to: Policies > Firewalling > Main IP Rules > Add > IP Rule
2. Enter:
• Name: web_slb
• Action: SLB_SAT
• Service: HTTP
• Source Interface

Pagina 664 - The Correct Solution

• Source Network: all-nets
• Destination Interface: core
• Destination Network: wan_ip
3. Click OK
Chapter 10: Traffic Management 697

Pagina 665 - 10.1.6. Precedences

Chapter 10: Traffic Management 698

Pagina 666

Chapter 11: High Availability
This chapter describes the high availability fault-tolerance feature in Clavister Security Gateways.
• Overview, page 699
•

Pagina 667 - Tip: Specifying bandwidth

8.8. Radius Relay ... 558
9. VPN ...

Pagina 668 - The Need for Guarantees

4. In the Name text box, enter myhost
5. Enter 192.168.10.10 in the IP Address textbox
6. Click OK
7. Verify that the new IP4 address object has been add

Pagina 669 - Differentiated Guarantees

longer operational.
Interconnection of Cluster Units
In a cluster, the master and slave units must be directly connected to each other by a synchronizati

Pagina 670 - 10.1.7. Pipe Groups

network failures between a single Clavister Security Gateway and hosts. This technique is described further in Section 2.4.3, “The Link Monitor”.
Licens

Pagina 671 - Another Simple Groups Example

11.2. HA Mechanisms
This section discusses in more depth the mechanisms cOS Core uses to implement the high availability feature.
Basic Principles
Clavist

Pagina 672 - Dynamic Balancing

• The destination MAC address is the Ethernet multicast address corresponding to the shared hardware address and this has the form:
11-00-00-00-nn-mm
Whe

Pagina 673 - Relying on the Group Limit

3. The inactive (slave) unit reconfigures to activate the new database files.
4. The active (master) unit now reconfigures to activate the new database

Pagina 674 - Troubleshooting

11.3. Setting Up HA
This section provides a step-by-step guide for setting up an HA Cluster. Setup is explained in the following subsections:
• Physical

Pagina 675 - 10.1.10. More Pipe Examples

• The individual addresses specified for an interface in an IP4 HA Address object allow remote management through that interface. These addresses can a

Pagina 676 - Pipe Chaining

In the scenario shown above, the lan interface on the master and the lan interface on the slave would be connected to the same switch which then connec

Pagina 677 - A VPN Scenario

connected to the slave unit in the cluster. The procedure for doing this with each unit is as follows:
1. Connect to the Clavister Security Gateway thro

Pagina 678 - SAT with Pipes

The easiest and quickest way to configure a new master unit is as follows:
1. Use the normal configuration backup function to make a backup of the conf

Pagina 679 - 10.2. IDP Traffic Shaping

3. In the dropdown menu displayed, select Undo Delete
Listing Modified Objects
After modifying several configuration objects, you might want to see a li

Pagina 680 - 10.2.3. Processing Flow

Note: IP addresses could be public IPv4 addresses
The term "private IPv4 address" is not strictly correct when used here. Either address used

Pagina 681 - 10.2.5. A P2P Scenario

so that it is unique (the default value is 0). The Cluster ID determines that the MAC address for the cluster is unique.
• Enabling the advanced setting

Pagina 682 - Viewing Pipes

11.4. HA Issues
The following points should be kept in mind when managing and configuring an HA Cluster.
VPN Tunnel Synchronization
cOS Core provides com

Pagina 683 - 10.2.8. Logging

The unique individual IP addresses of the master and slave cannot safely be used for anything but management. Using them for anything else, such as for

Pagina 684 - 10.3. Threshold Rules

Both Units Going Active
In the case of a misconfiguration of an HA cluster, a worst case scenario could arise where both the master and slave think the

Pagina 685 - Threshold Rule Blacklisting

11.5. Upgrading an HA Cluster
The cOS Core software versions running on the master and slave in an HA cluster should be the same. When a new cOS Core ve

Pagina 686

Now, connect to the active unit (which is still running the old cOS Core version) with a CLI console and issue the ha -deactivate command. This will ca

Pagina 687 - 10.4. Server Load Balancing

11.6. Link Monitoring and HA
Redundant Network Paths
When using an HA configuration, it can be important to use redundant paths to vital resources such a

Pagina 688 - Identifying the Servers

11.7. HA Advanced Settings
The following cOS Core advanced settings are available for High Availability:
Sync Buffer Size
How much sync data, in Kbytes,

Pagina 689 - 10.4.3. Selecting Stickiness

Chapter 11: High Availability 719

Pagina 690

This example shows how to activate and commit a new configuration.
Command-Line Interface
Device:/> activate
The system will validate and start using

Pagina 691 - 10.4.5. SLB Server Monitoring

Chapter 12: Advanced Settings
This chapter describes the additional configurable advanced settings for cOS Core that are not already described in the ma

Pagina 692 - Polling Options

attack to be based on illegal checksums.
Default: Enabled
Log non IPv4/IPv6
Logs occurrences of IP packets that are not IPv4 or IPv6.
Default: Enabled
Log

Pagina 693

Multicast TTL on Low
What action to take on too low multicast TTL values.
Default: DropLog
Default TTL
Indicates which TTL cOS Core is to use when origina

Pagina 694

IP router alert option
How to handle IP packets with contained route alert.
Default: ValidateLogBad
IP Options Other
All options other than those specifie

Pagina 695

12.2. TCP Level Settings
TCP Option Sizes
Verifies the size of TCP options. This function acts in the same way as IPOptionSizes described above.
Default:

Pagina 696

Default: 7000 bytes
TCP Auto Clamping
Automatically clamp TCP MSS according to MTU of involved interfaces, in addition to TCPMSSMax.
Default: Enabled
TCP Z

Pagina 697

TCP Option ALTCHKREQ
Determines how cOS Core will handle alternate checksum request options. These options were initially intended to be used in negotia

Pagina 698

TCP SYN/RST
The TCP RST flag together with SYN; normally invalid (strip=strip RST).
Default: DropLog
TCP SYN/FIN
The TCP FIN flag together with SYN; norma

Pagina 699 - Chapter 11: High Availability

Default: DropLog
TCP Sequence Numbers
Determines if the sequence number range occupied by a TCP segment will be compared to the receive window announced

Pagina 700

12.3. ICMP Level Settings
ICMP Sends Per Sec Limit
Specifies the maximum number of ICMP messages cOS Core may generate per second. This includes ping rep

Pagina 701 - Licensing

2.2. Events and Logging
2.2.1. Overview
The ability to log and analyze system activities is an essential feature of cOS Core. Logging enables not only mo

Pagina 702 - 11.2. HA Mechanisms

12.4. State Settings
Connection Replace
Allows new additions to the cOS Core connection list to replace the oldest connections if there is no available s

Pagina 703 - HA with Anti-Virus and IDP

• LogAll – Logs all packets in the connection.
Default: Log
Log Connection Usage
This generates a log message for every packet that passes through a conn

Pagina 704 - Dealing with Sync Failure

12.5. Connection Timeout Settings
The settings in this section specify how long a connection can remain idle, that is to say with no data being sent thr

Pagina 705 - 11.3. Setting Up HA

Connection lifetime for IGMP in seconds.
Default: 12
Other Idle Lifetime
Specifies in seconds how long connections using an unknown protocol can remain i

Pagina 706

12.6. Length Limit Settings
This section contains information about the size limits imposed on the protocols directly under IP level, such as TCP, UDP a

Pagina 707

Max AH Length
Specifies in bytes the maximum size of an AH packet. AH, Authentication Header, is used by IPsec where only authentication is applied. Thi

Pagina 708 - Installing a New Master Unit

Default: Enabled
Chapter 12: Advanced Settings 736

Pagina 709

12.7. Fragmentation Settings
IP is able to transport up to 65536 bytes of data. However, most media, such as Ethernet, cannot carry such huge packets. T

Pagina 710

number of samples, it is more likely to find mismatching duplicates. However, more comparisons result in higher CPU load.
Default: Check8 – compare 8 ra

Pagina 711 - Problem Diagnosis

of the packet. DuplicateFrags determines whether such a fragment should be logged. Note that DuplicateFragData can also cause such fragments to be logg

Pagina 712 - 11.4. HA Issues

• Emergency
• Alert
• Critical
• Error
• Warning
• Notice
• Info
• Debug
By default, cOS Core sends all messages of level Info and above to any configured log

Pagina 713

packet from arriving.
Default: 20
Reassembly Illegal Limit
Once a whole packet has been marked as illegal, cOS Core is able to retain this in memory for

Pagina 714 - IPv6 Support

12.8. Local Fragment Reassembly Settings
Max Concurrent
Maximum number of concurrent local reassemblies.
Default: 256
Max Size
Maximum size of a locally re

Pagina 715 - 11.5. Upgrading an HA Cluster

12.9. SSL Settings
SSL Processing Priority
The maximum amount of CPU resources that SSL processing is allowed to use for opening new SSL connections. Thi

Pagina 716 - HA going INACTIVE

Enable cipher TLS_RSA_EXPORT_WITH_NULL_SHA1 (no encryption, just message validation).
Default: Disabled
TLS RSA EXPORT NULL MD5
Enable cipher TLS_RSA_EXP

Pagina 717 - 11.6. Link Monitoring and HA

12.10. Miscellaneous Settings
UDP Source Port 0
How to treat UDP packets with source port 0.
Default: DropLog
Port 0
How to treat TCP/UDP packets with dest

Pagina 718 - 11.7. HA Advanced Settings

value for some specific issues. If cOS Core is upgraded, Dynamic High Buffers should be enabled since the memory requirements of a new version may chang

Pagina 719

be allocated, regardless of this setting. For more information about pipes and pipe users, see Section 10.1, “Traffic Shaping”.
Default: 512
Chapter 12:

Pagina 720 - Chapter 12: Advanced Settings

Chapter 12: Advanced Settings 747

Pagina 721

Appendix A: Update Subscriptions
Overview
A number of cOS Core features function by accessing the Clavister Service Provisioning Network (CSPN) which con

Pagina 722

• Providing a log server has been configured, a log message will be sent which indicates that subscription renewal is required.
Important: Renew subscri

Pagina 723

An SNMP2c Event Receiver can be defined to collect SNMP Trap log messages. These receivers are typically used to collect and respond to critical alerts

Pagina 724 - 12.2. TCP Level Settings

Querying Server Status
To get the status of the Clavister network servers use the command:
Device:/> updatecenter -servers
Deleting Local Databases
Som

Pagina 725

Appendix B: IDP Signature Groups
For IDP scanning, the following signature groups are available for selection. There is a version of each group under th

Pagina 726

Group Name  Intrusion Type
FTP_DIRNAME  Directory name attack
FTP_FORMATSTRING  Format string attack
FTP_GENERAL  FTP protocol and implementation
FTP_LOGIN  Lo

Pagina 727

Group Name  Intrusion Type
P2P_GENERAL  General P2P tools
P2P_GNUTELLA  Gnutella P2P tool
PACKINGTOOLS_GENERAL  General packing tools attack
PBX_GENERAL  PBX
PO

Pagina 728 - Allow TCP Reopen

Group Name  Intrusion Type
SSL_GENERAL  SSL protocol and implementation
TCP_GENERAL  TCP protocol and implementation
TCP_PPTP  Point-to-Point Tunneling Proto

Pagina 729 - 12.3. ICMP Level Settings

Appendix C: Verified MIME filetypes
Some cOS Core Application Layer Gateways (ALGs) have the optional ability to verify that the contents of a downloade

Pagina 730 - 12.4. State Settings

Filetype extension  Application
cmf  Creative Music file
core/coredump  Unix core dump
cpl  Windows Control Panel Extension file
dbm  Database file
dcx  Graphics

Pagina 731 - Max Connections

Filetype extension  Application
mmf  Yamaha SMAF Synthetic Music Mobile Application Format
mng  Multi-image Network Graphic Animation
mod  Ultratracker modul

Page 732

Filetype extension Application so UNIX Shared Library file sof ReSOF archive sqw SQWEZ archive data sqz Squeeze It archive data stm Scream Tracker v2 Modul

Page 733 - Other Idle Lifetime

Appendix D: The OSI Framework Overview The Open Systems Interconnection (OSI) model defines a framework for inter-computer communications. It categorizes

Page 734 - 12.6. Length Limit Settings

Feb 5 2000 09:45:23 gateway.ourcompany.com EFW: DROP: Subsequent text is dependent on the event that has occurred. In order to facilitate automated proc

Page 735

Appendix E: Third Party Software Licenses The cOS Core product makes use of a number of third party software modules which are subject to the following

Page 736 - Default: Enabled

to that copy. 3. Object Code Incorporating Material from Library Header Files. The object code form of an Application may incorporate material from a he

Page 737 - 12.7. Fragmentation Settings

work. 6. Revised Versions of the GNU Lesser General Public License. The Free Software Foundation may publish revised and/or new versions of the GNU L

Page 738 - Duplicate Fragments

royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute t

Page 739 - Reassembly Done Limit

7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Con

Page 740 - Reassembly Illegal Limit

Martin Wendt. Dual licensed under the MIT (see above) or GPL Version 2 licenses. flot by MIT Javascript plotting library for jQuery. Released under the

Page 741 - Large Buffers

Alphabetical Index A access rules, 380 accounting, 82 advanced settings, 87 and high availability, 86 configuring, 84 interim messages, 84 limitations with NA

Page 742 - 12.9. SSL Settings

HTTP, 538 identity awareness agent, 553 local user database, 522 MAC address duplicate problem, 543 rules, 535 setup summary, 522 source, 536 SSH client key

Page 743 - TLS RSA EXPORT NULL MD5

changing password, 58 enabling password, 57 line speed, 45 password length, 57 content filtering categories, 455 order of static and dynamic, 444 phishing, 4

Page 744 - 12.10. Miscellaneous Settings

evasion attack prevention, 473 events, 73 log message receivers, 74 log messages, 73 F Failed Fragment Reassembly setting, 738 filetype download block/allow

Page 745

RFC 5424 Compliance By default, cOS Core sends Syslog messages in a format that is suitable for most Syslog servers. However, some servers may require s

Page 746 - Default: 512

IGMP, 326 advanced settings, 337 configuration, 332 rules configuration, 335 IGMP Before Rules setting, 338 IGMP Idle Lifetime setting, 732 IGMP Last Member

Page 747

in routing rules, 275 MTU size, 137 neighbor discovery, 138 ping command usage, 139 proxy neighbor discovery, 138 with high availability, 140 ISP connection

Page 748 - Subscription renewal

Max Other Length setting, 735 Max Pipe Users setting, 745 Max PPM (DHCP) setting, 370 Max PPP Resends setting, 627 Max Radius Contexts setting, 88 Max Reas

Page 749 - Database Console Commands

quick start guide, 578 server, 619 PPTP Before Rules setting, 627 precedences in pipes, 665 pre-shared keys, 570, 593 non-ascii character problem, 593 Primar

Page 750 - Deleting Local Databases

server load balancing, 687 connection-rate algorithm, 688 idle timeout setting, 689 max slots setting, 689 net size setting, 689 round-robin algorithm, 688

Page 751

threshold rules, 684 Timeout setting, 745 time servers, 231 Time Sync Server Type setting, 234 Time Zone setting, 234 TLS ALG, 439 advantages, 440 cryptograp

Page 752

DSCP forwarding, 170 license limitations, 170 port based, 169 port based VLAN, 170 trunk, 169 VMware, 17 IPsec AES acceleration, 616 licensing, 125 setup docu

Page 753

Clavister AB Sjögatan 6J SE-89160 Örnsköldsvik SWEDEN Phone: +46-660-299200 www.clavister.com

Page 754

For backwards compatibility, cOS Core versions older than 8.90 support output to this logger but the software itself is not included with the distribut

Page 755

This specifies the log messages that will be affected by the exception. If the ID number of the log message is not specified then all log messages for

Page 756

10.1.8. Traffic Shaping Recommendations ... 673 10.1.9. A Summary of Traffic Shaping ...

Page 757

Note: SNMP Trap standards cOS Core sends SNMP Traps which are based on the SNMPv2c standard as defined by RFC1901, RFC1905 and RFC1906. Example 2.20. Sen

Page 758

The delay in seconds between alarms when a continuous alarm is used. As discussed in Section 2.4.5, “Hardware Monitoring”, the log event messages gener

Page 759 - Appendix D: The OSI Framework

2.3. RADIUS Accounting 2.3.1. Overview The Central Database Approach Within a network environment containing large numbers of users, it is advantageous t

Page 760

Parameters included in START messages sent by cOS Core are: • Type - Marks this AccountingRequest as signaling the beginning of the service (START). • I

Page 761

• How Authenticated - How the user was authenticated. This is set to either RADIUS if the user was authenticated via RADIUS, or LOCAL if the user was a

Page 762

• The external RADIUS server itself must be correctly configured. Source IP Selection By default, the Source IP property will be set to Automatic and th

Page 763

• Port: 1813 • Retry Timeout: 2 • Shared Secret: 231562514098273 • Confirm Secret: 231562514098273 • Routing Table: main 3. Click OK 2.3.5. RADIUS Accountin

Page 764

Three Connection Attempts are Made Only after cOS Core has made three attempts to reach the server will it conclude that the accounting server is unreac

Page 765 - Open Source Code Requests

If this option is not enabled, cOS Core will shut down even though there may be RADIUS accounting sessions that have not been correctly terminated. Thi

Page 766 - Alphabetical Index

2.4. Monitoring The real-time performance of cOS Core can be monitored in a number of ways. They are: • Using the real-time monitoring functionality in

Page 767

List of Figures 1.1. Packet Flow Schematic Part I ... 26 1.2. Packet Flow Schem

Page 768

TCP SYN - Total number of TCP connections in the SYN phase. TCP FIN - Total number of TCP connections in the FIN phase. Other - Total number of other co

Page 769

Frags received – The number of IP packet fragments received by this interface. Frag reass – The number of complete packets successfully reassembled fro

Page 770

Per Rule Statistics Usage – Number of used IPs in the pool. Usage (%) – Above value calculated as a percentage. Active Clients – Number of currently acti

Page 771

Total Sessions Spam - Total number of URLs found to be Spam. Total Sessions Dropped - Total number of sessions dropped. SMTP ALG DNSBL Server Statistics

Page 772

Misses – Number of requests not met. High Availability Statistics Interface Queue – Size of the queue used for the sync interface. Queue Usage Packets –

Page 773

The Link Monitor is a cOS Core feature that allows monitoring of the connectivity to one or more IP addresses external to the Clavister Security Gatewa

Page 774

reconfigure takes place and the slave will take over when it detects this inactivity. If reconfiguration with failover is desirable it is better to sel

Page 775

reconfiguration or full restart. This means that an unreachable host can be responsible for triggering an action once but not twice. A group of three hos

Page 776

• Addresses: my_host 3. Click OK 2.4.4. SNMP Monitoring Overview Simple Network Management Protocol (SNMP) is a standardized protocol for management of net

Page 777

• Network - The IP address or network from which SNMP requests will come. • Community - The community string which provides password security for the a
