Clavister NetWall 100 Series
Getting Started Guide

Summary of Contents for Clavister NetWall 100 Series

  • Page 1 Clavister NetWall 100 Series Getting Started Guide...
  • Page 2 Clavister. Disclaimer The information in this document is subject to change without notice. Clavister makes no representations or warranties with respect to the contents hereof and specifically disclaims any implied warranties of merchantability or fitness for a particular purpose. Clavister reserves the right to revise this publication and to make changes from time to time in the content hereof without any obligation to notify any person or parties of such revision or changes.
  • Page 3: Table Of Contents

    3.4. Local Console Port Connection, page 28
    3.5. Connecting Power, page 30
    4. cOS Core Configuration, page 32
    4.1. The NetWall 100 Series Default Configuration, page 32
    4.2. Web Interface and Wizard Setup, page 34
    4.3. Manual Web Interface Setup, page 43
    4.4.
  • Page 4
    1.3. NetWall 100 Series Interface Ports, page 11
    1.4. NetWall 100 Series Status Panel View, page 12
    3.1. The NetWall 100 Series Local Console Port, page 28
    3.2. NetWall 100 Series Power Inlet Connector, page 30
    5.1. Factory Reset Using the Web Interface, page 74...
  • Page 5: Preface

    The target audience for this guide is the administrator who has taken delivery of a packaged Clavister NetWall 100 Series appliance and is setting it up for the first time. The guide takes the user from unpacking and installation of the device through to power-up, including network connections and initial cOS Core configuration.
  • Page 6 Text links Where a "See section" link is provided in the main text, this can be clicked on to take the reader directly to that reference. For example, see Appendix A, NetWall 100 Series Specifications. Web links Web links included in the document are clickable. For example, http://www.clavister.com.
  • Page 7: NetWall 100 Series Overview

    1.1. Unpacking Figure 1.1. An Unpacked NetWall 100 Series Unit This section details the unpacking of a single NetWall 100 Series device. Open the packaging box used for shipping and carefully unpack the contents. The packaging should contain the following:...
  • Page 8 Core license to the standby unit. When the faulty unit is returned to Clavister, a new cold standby unit is immediately sent back. More details about the CSB service can be found in the separate NetWall Hardware Replacement Guide PDF publication.
  • Page 9 Chapter 1: NetWall 100 Series Overview The product, and any of its parts, should not be discarded using a regular refuse disposal method. At end-of-life, the product and parts should be given to an appropriate service that deals with the disposal of such specialist materials.
  • Page 10: Interfaces And Ports

    Internet. In the default cOS Core configuration, the LAN1 interface of the NetWall 100 Series has an IPv4 DHCP server enabled on it so it will automatically hand out IP addresses belonging to the default management network to a connecting client.
  • Page 11: NetWall 100 Series Interface Ports

    100Base-Tx, or 1000Base-T. The interface names are written by each interface. Figure 1.3. NetWall 100 Series Interface Ports The full connection capabilities of all the NetWall 100 Series Ethernet interfaces are listed at the end of Appendix A, NetWall 100 Series Specifications.
  • Page 12: Status Lights

    Chapter 1: NetWall 100 Series Overview 1.3. Status Lights The NetWall 100 Series features a set of status lights on the opposite side to the Ethernet ports. Figure 1.4. NetWall 100 Series Status Panel View These LEDs indicate the overall system status, as well as the status of the Ethernet interfaces.
  • Page 13: Zero Touch Support

    There is an option in the previous step to always enable zero touch by default for all new licenses. • The version of cOS Core running on the NetWall 100 Series must be 12.00.16 or later. This might require an upgrade of the factory installed cOS Core version. •...
  • Page 14 Chapter 1: NetWall 100 Series Overview Zero Touch Can Also Simplify Hardware Replacement In addition to simplifying the addition of a new NetWall 100 Series, the zero touch feature can also simplify hardware replacement of a NetWall 100 Series with another NetWall 100 Series.
  • Page 15: Hardware Sensor Monitoring

    In addition, log message alerts can be automatically generated if a sensor reaches a value outside of its normal operational range. Configuring this feature, as well as a list of all the sensors available on each Clavister hardware model and their normal ranges, can be found in the Hardware Monitoring section of the separate...
  • Page 16 Chapter 1: NetWall 100 Series Overview...
  • Page 17: Registering With Clavister

    Internet access. A. Registering as a Clavister Customer The NetWall 100 Series registration steps for a first time user of Clavister hardware are as follows: Open a web browser, go to https://www.clavister.com and select the MyClavister link.
  • Page 18 Chapter 2: Registering with Clavister The MyClavister login page is presented. If you are already registered, log in and skip to step 8. If you are a new customer accessing MyClavister for the first time, click the Create Account link.
  • Page 19 Chapter 2: Registering with Clavister The confirmation link in the email leads back to the Clavister website to show that confirmation has been successful and logging in is now possible. After logging in, the customer name is displayed with menu options for changing settings and logging out.
  • Page 20 Chapter 2: Registering with Clavister B. Registration of the NetWall 100 Series This section can be skipped if the NetWall 100 Series unit has access to the Internet. With Internet access available, registration can be performed automatically by the cOS Core Setup Wizard which will appear as a browser popup window in the Web Interface when cOS Core starts for the first time.
  • Page 21 Clavister hardware products. After Successful Hardware Registration Once the NetWall 100 Series unit is registered, a cOS Core license for the unit becomes available for download and installation from Clavister servers. This installation can be done automatically through the cOS Core Setup Wizard which is described in Section 4.2, “Web Interface and Wizard...
  • Page 22: Installation

    • Local Console Port Connection, page 28 • Connecting Power, page 30 3.1. General Installation Guidelines Follow these general guidelines when installing the NetWall 100 Series appliance: • Safety Take notice of the safety guidelines laid out in Chapter 7, Safety Precautions. These are specified in multiple languages.
  • Page 23 Do not install the appliance in an environment where the ambient temperature during operation might fall outside the specified operating range. This range is documented in Appendix A, NetWall 100 Series Specifications. The intended operating temperature range is "room temperature". That is to say, the temperature most commonly found in a modern office and in which humans feel comfortable.
  • Page 24: Flat Surface Installation

    Chapter 3: Installation 3.2. Flat Surface Installation The NetWall 100 Series can be mounted on any appropriate stable, flat, level surface that can safely support the weight of the appliance and its attached cables. However, the 100 Series can also be wall mounted by sliding the two brackets on the underside of the unit onto suitably located mounting screws.
  • Page 25: Management Computer Connection

    3.3. Management Computer Connection cOS Core Starts After Power Up It is assumed that the NetWall 100 Series unit is now unpacked, positioned correctly and power is applied. If not, the earlier chapters in this manual should be referred to before continuing.
  • Page 26 Alternatively, direct local Ethernet connection to the LAN1 interface could be done without a switch by using a crossover cable. However, all the RJ45 interfaces on the NetWall 100 Series support Automatic MDI-X so a crossover cable is not necessary.
  • Page 27 Chapter 3: Installation hours. Renewing the lease, for example with a management computer restart, may be necessary to get DNS addresses after they are received on the WAN1 interface. Alternatively, DNS addresses could be entered into the management computer manually. Management Computer Ethernet Interface Setup The only requirement for the Ethernet interface used for connection on the management computer is that DHCP is enabled.
  • Page 28: Local Console Port Connection

    Core Web Interface since neither CLI nor boot menu access will be needed. The local console port allows direct management connection to the NetWall 100 Series unit from an external computer acting as a console terminal. This local console access can then be used either for management of cOS Core with CLI commands or to enter the boot menu in order to access firmware loader options.
  • Page 29 Chapter 3: Installation Connect the other end of the cable to a console terminal or to the serial connector of a computer running console emulation software. The Default Local Console Login Credentials The console user credentials for logging in are specified by the predefined admin user and are the same as the credentials for initial network access via the management Ethernet interface: •...
  • Page 30: Connecting Power

    The NetWall 100 Series will boot up as soon as power is applied and cOS Core will start. The progress of the boot up can be seen on a CLI console connected to the local console port.
  • Page 31 Chapter 3: Installation...
  • Page 32: cOS Core Configuration

    • Setup Troubleshooting , page 70 Tip: Upgrade to the latest cOS Core version A new NetWall 100 Series unit may not have the very latest cOS Core version pre-installed. After the initial configuration described in this section, it is recommended to upgrade to the latest available version.
  • Page 33 WAN2, providing redundancy. Changing the Default Configuration Note that there are no restrictions on how cOS Core is configured in the NetWall 100 Series product or how the Ethernet interfaces are used. The administrator is free to change or delete...
  • Page 34: Web Interface And Wizard Setup

    Chapter 4: cOS Core Configuration 4.2. Web Interface and Wizard Setup This section describes the setup when accessing cOS Core for the first time through a web browser. The cOS Core user interface accessed in this way is called the Web Interface (or WebUI). It assumes that a physical network connection has been set up from a management computer to the default management Ethernet interface, as described in Section 3.3, “Management Computer Connection”.
  • Page 35 Chapter 4: cOS Core Configuration The browser should now be told to accept the Clavister certificate by choosing the option to continue. Note: Sending a CA signed certificate can be configured It is possible to configure cOS Core to use a CA signed certificate instead of its default self-signed certificate for the management login.
  • Page 36 The wizard assumes that Internet access will be configured. If this is not the case, for example if the Clavister Next Generation Firewall is being used in Transparent Mode between two internal networks, then the configuration setup is best done with manual Web Interface steps or through the CLI instead of through the wizard and these are explained in the two sections that follow.
  • Page 37 Chapter 4: cOS Core Configuration Wizard step 1: Enter a new admin password and optionally change the username The first step in setup with the wizard is to enter a new password for the admin user. The admin username can also be changed if required, as shown in the screenshot below. The Enforce Strong Passwords option is present in cOS Core versions from 11.05 onwards.
  • Page 38 Chapter 4: cOS Core Configuration Wizard step 3: Select transparent mode interfaces This step allows any transparent mode interfaces to be set up. If no transparent mode interfaces are required, leave this dialog in the default Normal Mode and go to the next step. Transparent mode interfaces can be configured at any time later, outside of the wizard.
  • Page 39 Chapter 4: cOS Core Configuration These four different connection options are discussed next in the subsections 5A to 5D that follow. • 5A. Static - manual configuration Information supplied by the ISP should be entered in the next wizard screen. All fields need to be entered except for the Secondary DNS server field.
  • Page 40 DNS servers are set automatically after connection with PPTP. Wizard step 6: DHCP server settings If the Clavister Next Generation Firewall is to function as a DHCP server, it can be enabled here in the wizard on a particular interface or configured later.
  • Page 41 Time Protocol servers keep the system date and time accurate. Syslog servers can be used to receive and store log messages sent by cOS Core. By selecting the Clavister option, the current time will be updated over the Internet from Clavister's own timeserver.
  • Page 42 Internet access must have been set up in previous wizard steps for this option to function. The only input required is the MyClavister username and password for the Clavister website. This also creates a lasting link between the 100 Series and the Clavister servers so that any future license updates can be installed automatically.
  • Page 43: Manual Web Interface Setup

    The NetWall 100 Series uses the LAN1 interface as its default management interface. To describe manual Internet setup, it is assumed here that the LAN2 interface will be used for connection to a protected internal client network and the WAN2 interface will be used for connection to the public Internet.
  • Page 44 ClavisterHQ which is Stockholm time. Alternatively, the Synchronize button can be pressed to get the current date and time from external Network Time Protocol (NTP) servers. Clavister's own NTP server is also an option. Using NTP servers will require Internet access.
  • Page 45 Chapter 4: cOS Core Configuration Note: Use an FQDN address for a time server An FQDN Address object must be used when specifying a time server address. See the relevant cOS Core Administration Guide section for more explanation. Once the values are set correctly, press the OK button to save the values temporarily. Configuration changes will not become active until the new configuration becomes the current and active configuration.
  • Page 46 The steps to configure these Internet connection alternatives with the Web Interface are discussed next. Note that on the NetWall 100 Series, a DHCP client is enabled in the default configuration on the WAN1 and WAN2 interfaces so that usually method B is used. The other methods are included here in case they are needed.
  • Page 47 IPv4 address 203.0.113.1. The ISP's gateway is the first router hop towards the public Internet from the Clavister Next Generation Firewall. Go to Objects > Address Book in the Web Interface. The current contents of the address book will be listed and will contain a number of predefined objects automatically created by cOS Core after it scans the interfaces for the first time.
  • Page 48 Chapter 4: cOS Core Configuration Now click the Add button at the top left of the list and choose the IP4 Address option to add a new address to the folder. Enter the details of the object into the properties fields for the IP4 Address object. Below, the IPv4 address 203.0.113.1 has been entered for the address object called wan_gw.
  • Page 49 An IP policy therefore needs to exist that will allow traffic from clients to the Internet. Note that with the NetWall 100 Series, the main IP rule set will already contain a number of predefined entries in the default configuration that will allow clients on the LAN1 interface to access the Internet via the WAN1 or WAN2 interfaces.
  • Page 50 Chapter 4: cOS Core Configuration The destination network is specified as the predefined IP4 Address object all-nets. This is used since it cannot be known in advance to which IP address web browsing will be directed and all-nets allows browsing to any IP address. IP rule sets are processed in a top down fashion, with the search ending at the first matching entry.
  • Page 51 Chapter 4: cOS Core Configuration As was done for HTTP, NAT should also be enabled with this IP policy so all DNS queries are sent out by cOS Core with the outgoing interface's IP address as the source IP. For the Internet connection to work, a route also needs to be defined so that cOS Core knows on which interface web browsing traffic should leave the firewall.
  • Page 52 ISP's DHCP server by enabling the DHCP Client option for the interface connected to the ISP. Note that on the NetWall 100 Series, a DHCP client is enabled in the default cOS Core configuration on the WAN1 and WAN2 interfaces. Enabling DHCP is described here in case it needs to be manually enabled.
  • Page 53 Chapter 4: cOS Core Configuration An ISP will supply the correct values for pppoe_username and pppoe_password in the dialog above. The PPPoE tunnel interface can now be treated exactly like a physical interface by the policies defined in cOS Core rule sets. There also has to be a route associated with the PPPoE tunnel to allow traffic to flow through it, and this is automatically created in the main routing table when the tunnel is defined.
  • Page 54 DHCP Server Setup If a NetWall 100 Series interface is to have a DHCP server enabled on it, first create an IP4 Address object which defines the address range to be handed out. Here, it is assumed that this has the name dhcp_range.
  • Page 55 Chapter 4: cOS Core Configuration Also in the Options tab, we should specify the DNS address which is handed out with DHCP leases. This could be set, for example, to be the IPv4 address object dns1_address. External Syslog Server Setup By default, only cOS Core's internal memlog feature will capture generated log messages.
  • Page 56 Chapter 4: cOS Core Configuration As with previous policy definitions, NAT should also be enabled if the protected local hosts have private IPv4 addresses. The ICMP messages will then be sent out from the firewall with the IP address of the interface connected to the ISP as the source. Responding hosts will send back ICMP responses to this address and cOS Core will then forward the traffic to the correct private IPv4 address.
  • Page 57 Chapter 4: cOS Core Configuration If this IP policy were the only one defined, the main IP rule set listing would be as shown below. A Valid License Must Be Installed Lastly, a valid license should be installed to remove the cOS Core 2 hour demo mode limitation. Without a license installed, cOS Core will have full functionality during the 2 hour period following startup, but after that, only management access will be possible.
  • Page 58: Manual Cli Setup

    • Using the Local Console An external computer running a console emulator can be physically connected directly to the local console port on the NetWall 100 Series. • Using a Network Connection An SSH client on an external computer can be used to connect across a network to the IPv4 address 192.168.1.1 on the default management Ethernet interface.
  • Page 59 The steps to configure these Internet connection alternatives with the CLI are discussed next. Note that on the NetWall 100 Series, a DHCP client is enabled by default on the WAN1 interface so that usually method B is used. The other methods are included here in case they are needed.
  • Page 60 Device:/> set Address IP4Address InterfaceAddresses/WAN2_net Address=203.0.113.0/24 In the default configuration of the NetWall 100 Series, a DHCP client is automatically enabled on the WAN2 interface, so this must be disabled for a manual setup: Device:/> set Interface Ethernet WAN2 DHCPEnabled=No...
  • Page 61 LAN2_net which is connected to the interface LAN2. Note that with the NetWall 100 Series, the main IP rule set will already contain a number of predefined entries that will allow clients on the LAN1 interface to access the Internet via the WAN1 or WAN2 interfaces.
  • Page 62 Chapter 4: cOS Core Configuration The service used in the above is http-all which will allow web browsing from the protected network but this does not include the DNS protocol to resolve URIs into IP addresses. To solve this problem, a custom service could be used in the above IP policy which combines http-all with the dns-all service.
  • Page 63 Chapter 4: cOS Core Configuration C. PPPoE setup For PPPoE connection, define a PPPoE tunnel interface on the interface connected to the ISP. The interface WAN2 is assumed to be connected to the ISP in the command shown below which creates a PPPoE tunnel object called wan_ppoe: Device:/>...
  • Page 64 DHCP Server Setup Any interface on the NetWall 100 Series can be set up with a DHCP server so connecting clients can be automatically allocated an IP address from a predefined range.
  • Page 65 NTP Server Setup Network Time Protocol (NTP) servers can be configured to maintain the accuracy of the system date and time. By default, no time server is configured. Clavister provides its own time server which can be used with the following command: Device:/>...
  • Page 66 Chapter 4: cOS Core Configuration Adding a "Drop All" Policy is Recommended Scanning of IP rule sets is done in a top-down fashion. If no matching rule set entry is found for traffic then a hidden, implicit default rule is triggered. This rule cannot be changed and its action is to drop all such traffic as well as generate a log message when it is triggered.
  • Page 67: License Installation

    The NetWall 100 Series Uses a SECaaS License When cOS Core runs on the NetWall 100 Series hardware it requires a subscription based Security as a Service (SECaaS) license. The SECaaS license is managed in the same way as an older non-SECaaS license but requires the following to be configured in cOS Core: •...
  • Page 68 Automatically, by creating a permanent link between the 100 Series and the associated MyClavister account on the Clavister website. Doing this is one of the last options in the setup wizard. Alternatively, the link can be established later by going to the Status > Maintenance >...
  • Page 69 Chapter 4: cOS Core Configuration • Automatically through the separate InControl software product which is used for managing cOS Core configurations. This method can also be used to install the first license. Licenses and license installation are described further in the separate cOS Core Administrators Guide.
  • Page 70: Setup Troubleshooting

    If the Input counters in the hardware section of the output are not increasing then the error is likely to be in the cabling. However, it may simply be that the packets are not getting to the Clavister Next Generation Firewall in the first place. This can be confirmed with a packet sniffer if it is available.
  • Page 71 Chapter 4: cOS Core Configuration interfaces and confirm that the correct cables are connected to the correct interfaces. To look at the ARP activity on only a particular interface, follow the command with the interface name: Device:/> arpsnoop <interface> To switch snooping off, use the command: Device:/>...
  • Page 72 Chapter 4: cOS Core Configuration...
  • Page 73: Resetting To Factory Defaults

    Chapter 5: Resetting to Factory Defaults In some circumstances, it may be necessary to reset the NetWall 100 Series appliance to the state it was in when it left the factory and before it was delivered to a customer. This process is known as a reset to factory defaults or simply a factory reset.
  • Page 74 • Using the CLI The cOS Core CLI can be used by connecting to one of the NetWall 100 Series's Ethernet interfaces using an SSH client over a network. A reset is performed by entering the reset -unit command twice in succession: Device:/>...
  • Page 75: Warranty Service

    Start Date (as defined below). The warranty will only apply to failure of the product if Clavister is informed of the failure not later than two (2) years from the Start Date or thirty (30) days after that the failure was or ought to have been noticed by the customer.
  • Page 76 Sjögatan 6J 891 60 Örnsköldsvik SWEDEN If the product has not yet been registered with Clavister through its website, some proof of purchase (such as a copy of the dated purchase invoice) must be provided with the shipped product. Important: An RMA Number must be obtained before shipping! Any package returned to Clavister without an RMA number will be rejected and shipped back at the customer's expense.
  • Page 77: Safety Precautions

    Chapter 7: Safety Precautions Safety Precautions Clavister NetWall 100 Series devices are Safety Class I products and have protective ground terminals. There must be an uninterrupted safety earth ground from the main power source to the product’s input wiring terminals, power cord, or supplied power cord set. Whenever it is likely that the protection has been impaired, disconnect the power cord until the ground has been restored.
  • Page 78 Chapter 7: Safety Precautions Safety Information This device is a Class I product and has a ground terminal. The main power source must be fitted with a safety earth ground installed at the input wiring terminals, on the power cord, or on the connecting cord supplied with the product.
  • Page 79 Chapter 7: Safety Precautions • if your LAN covers an area served by more than one power distribution system, make sure that the safety ground connections are securely interconnected; • LAN cables may occasionally be subject to hazardous transient voltages (for example, caused by lightning or disturbances in the power grid of the company...
  • Page 80: NetWall 100 Series Specifications

    100-240 VAC, 50-60 Hz, 0.6 A Typical Power Consumption 12 W PSU Rated Power 24 W Ethernet Interface Support Gigabit RJ45 interfaces Automatic MDI-X 1000BASE-T (copper RJ45 100m) 100BASE-TX (copper RJ45 100m) 10BASE-T (copper RJ45 100m) For more information about Clavister products, go to: https://www.clavister.com...
  • Page 81 Clavister AB Sjögatan 6J SE-89160 Örnsköldsvik SWEDEN Head office/Sales: +46-(0)660-299200 Customer support: +46-(0)660-297755 www.clavister.com...
