Clavister SG4500 Series
Getting Started Guide
Clavister AB
Sjögatan 6J
SE-89160 Örnsköldsvik
SWEDEN
Phone: +46-660-299200
Fax: +46-660-12250
www.clavister.com
Published 2011-03-24
Copyright © 2011 Clavister AB

Summary of Contents for Clavister SG4500 Series

  • Page 2 Clavister. Disclaimer The information in this document is subject to change without notice. Clavister makes no representations or warranties with respect to the contents hereof and specifically disclaims any implied warranties of merchantability or fitness for a particular purpose. Clavister reserves the right to revise this publication and to make changes from time to time in the content hereof without any obligation to notify any person or parties of such revision or changes.
  • Page 3: Table Of Contents

    Table of Contents: Preface, 5; 1. Product Overview, 7; 1.1. Unpacking the Product, 7; 1.2. Interfaces and Ports, 9; 1.3. The Keypad and Display, 11; 2. Installation, 14; 2.1. Installation Guidelines, 14; 2.2. Installing SFP/SFP+ Modules, 17; 2.3.
  • Page 4 List of Figures: 1.1. An Unpacked Clavister SG4500 Series Appliance, 8; 1.2. Front View of the Clavister SG4500 Series, 9; 1.3. The SG4500 Series Keypad and Display, 11; 2.1. A Typical SFP/SFP+ Module, 17; 2.2. An Example of an SFP 1000 Base TX Module, 17; 2.3.
  • Page 5: Preface

    The target audience for this guide is the administrator who has taken delivery of a packaged Clavister SG4500 Series appliance and is setting it up for the first time. The guide takes the user from unpacking and installation of the device through to power-up, including network connections and initial CorePlus configuration.
  • Page 6 Where a "See section" link is provided in the main text, this can be clicked on to take the reader directly to that reference. For example, see Section 3.6, “Troubleshooting Setup”. Web links Web links included in the document are clickable. For example, http://www.clavister.com. Trademarks Certain names in this publication are the trademarks of their respective owners.
  • Page 7: Product Overview

    • The Keypad and Display, page 11 1.1. Unpacking the Product This section details the unpacking of the SG4500 Series appliance. Open the packaging box used for shipping and carefully unpack the contents. The delivered product packaging should contain the following: The Clavister SG4500 Series appliance.
  • Page 8 All documentation can be freely downloaded in PDF format from the Clavister website. End of Life Treatment The SG4500 Series appliance is marked with the European Waste Electrical and Electronic Equipment (WEEE) directive symbol which is shown below. The product, and any of its parts, should not be disposed of by means of regular refuse disposal.
  • Page 9: Interfaces And Ports

    Figure 1.2. Front View of the Clavister SG4500 Series. The SG4500 Series features a number of connection ports. On the far right is the RS-232 console port and an LED display screen. To the left of these are a set of 10 Ethernet interfaces.
  • Page 10 Chapter 1: Product Overview All ge interfaces support Automatic MDI-X and do not require a crossover cable for direct connection from another computer. Status lights are located at the top-right and top-left of the ge interfaces. The top-left light flashes green to indicate data traffic. The top-right light shows the link speed and has the following states: •...
  • Page 11: The Keypad And Display

    Chapter 1: Product Overview 1.3. The Keypad and Display The SG4500 Series features a keypad and display on the right hand front side of the hardware consisting of an LED display and 4 navigation buttons. The buttons are used to either move forwards or backwards through a sequential list of parameters which are always shown on the display while the power is on.
  • Page 12 Chapter 1: Product Overview • Memory Information This shows the current uptime (time since last restart), the total hardware RAM memory available to CorePlus and the current memory usage. • Anti-Virus Information This shows the current signature count in the Anti-Virus database and the time of the last database update.
  • Page 14: Installation

    The maximum ratings for the SG4500 Series are listed in Appendix A, Specifications. Rating figures can also be found written on individual SG4500 Series PSU modules.
  • Page 15 Appendix A, Specifications. Flat Surface Installation The SG4500 Series can be mounted on any appropriate stable, flat, level surface that can safely support the weight of the appliance and its attached cables.
  • Page 16 Rear brackets should be used to support appliances at the rear. Important: Use rear brackets for rack mounting It is strongly recommended that the rear brackets included with the SG4500 Series are fitted and used to support the appliance from the back when rack mounted.
  • Page 17: Installing Sfp/Sfp+ Modules

    Small Form Pluggable (SFP) and Small Form Pluggable Plus (SFP+) modules can be sourced from different manufacturers. Shown below is a typical unit. The SG4500 Series does not come as standard with these modules and they must be purchased separately.
  • Page 18 SFP or SFP+ support. Important: Cover unused SFP and SFP+ interfaces with dust caps The SG4500 Series SFP and SFP+ interfaces are covered with dust caps when the product is unpacked. These prevent dust entering the interface openings. It is strongly recommended that dust caps are always used to cover ports when there is no module inserted.
  • Page 19: Console Port Connection

    If the SG4500 Series is not placed in a secure area, it is therefore advisable to set the console password. This is done using the console boot menu and more detail on this can be found in the CorePlus Administrators Guide.
  • Page 20 1 stop bit. • No flow control. • An RS-232 cable with appropriate terminating connectors. The SG4500 Series package includes an RS-232 null-modem cable. Connection Steps To connect a terminal to the console port, follow these steps: Check that the console connection settings are configured as described above.
  • Page 21: Connecting Power

    PSU. It does not matter which of the two SG4500 Series PSU slots is fitted with the PSU and which is fitted with the filler module. It should also be remembered that the CorePlus hardware monitoring feature will consider a missing PSU to be a malfunctioned PSU and any CorePlus Hardware Monitoring alarms should be adjusted accordingly.
  • Page 22 The alarm will switch off when both supplies are fully operational. The SG4500 Series will boot up and CorePlus will start. After a brief period of time, CorePlus will be running and the appliance will be ready for initial configuration from a management workstation using either the Web Interface or the Command Line Interface (CLI) as the management interface.
  • Page 24: Coreplus Configuration

    3.1. Management Workstation Connection CorePlus Starts after Power Up It is assumed you have now unpacked, positioned and powered up the SG4500 Series unit. If not, you should refer to the earlier chapters in this manual before continuing. Clavister's CorePlus network security operating system is preloaded on the hardware and will automatically boot up after power is supplied.
  • Page 25 WAN interface. In this guide, it is assumed that the physical ge2 interface of the SG4500 Series is used for Internet connection although it could be any other unused interface.
  • Page 26 This is usually done by using a crossover cable. Note: A crossover cable is not necessary for Gigabit interfaces On the SG4500 Series, the ge1 to ge6 Ethernet ports support Automatic MDI-X and do not require a crossover cable. Direct connection with a regular cable is possible.
  • Page 27 Chapter 3: CorePlus Configuration • Enter the IP addresses given above and click OK. Note: DNS addresses can be entered later To browse the Internet from the management workstation via the security gateway, it is possible to go back to the last step's properties dialog later and enter DNS server IP addresses.
  • Page 28 Chapter 3: CorePlus Configuration IP Setup on Other Platforms The following appendixes describe management workstation IP setup for other platforms: • Appendix C, Vista IP Setup. • Appendix D, Windows 7 IP Setup. • Appendix E, Apple Mac IP Setup.
  • Page 29: Web Interface And Wizard Setup

    Chapter 3: CorePlus Configuration 3.2. Web Interface and Wizard Setup This chapter describes the setup when accessing the CorePlus for the first time through a web browser. The user interface accessed in this way is called the Web Interface. Note: Screenshot images are edited Many of the screenshots in this section have had sections cut from the original image to aid readability.
  • Page 30 The wizard assumes that Internet access will be configured. If this is not the case, for example if the Clavister Security Gateway is being used in Transparent Mode between two internal networks, then the configuration setup is best done with individual Web Interface steps or through the CLI instead of through the wizard.
  • Page 31 Chapter 3: CorePlus Configuration The wizard makes setup easier because it automates what would otherwise be a more complex set of individual setup steps. It also reminds you to perform important tasks such as setting the date and time and configuring a log server. The steps that the wizard goes through after the welcome screen are listed next.
  • Page 32 Chapter 3: CorePlus Configuration Wizard step 4: Select the WAN interface settings This step selects how the WAN connection to the Internet will function. It can be one of Manual configuration, DHCP, PPPoE or PPTP as shown below. These four different connection options are discussed next in the following subsections 4A to •...
  • Page 33 DNS servers are set automatically after connection with PPTP. Wizard step 5: DHCP server settings If the Clavister Security Gateway is to function as a DHCP server, it can be enabled here in the wizard on a particular interface or configured later.
  • Page 34 Chapter 3: CorePlus Configuration Wizard step 6: Helper server settings Optional NTP and Syslog servers can be enabled here in the wizard or configured later. Network Time Protocol servers keep the system date and time accurate. Syslog servers can be used to receive and store log messages sent by CorePlus.
  • Page 35 Register New License. You will require your Clavister Registration Key to register (the key is also referred to as the License Number). For the SG4500 Series, this key can be found written on a label on the underside or back of the appliance.
  • Page 36: Manual Web Interface Setup

    All CorePlus interfaces are logically equal for CorePlus and although their physical capabilities may be different, any interface can perform any logical function. With the SG4500 Series, the ge1 interface is the default management interface. The other interfaces can be used as required. For this section, it is assumed that the ge2 interface will be used for connection to the public Internet and the ge3 interface will be used for connection to a protected, local network.
  • Page 37 Chapter 3: CorePlus Configuration By pressing the Set Date and Time button, a dialog appears that allows the exact time to be set. Network Time Protocol (NTP) servers can optionally be configured to maintain the accuracy of the system date and time and this will require public Internet access. Enabling this option is strongly recommended since it ensures the accuracy of the date and time.
  • Page 38 Reconfiguration is a process that the CorePlus administrator may initiate often. Normally, reconfiguration takes a brief amount of time and causes only a slight delay in traffic throughput. Active user connections through the Clavister Security Gateway should rarely be lost. Tip: How frequently to commit changes It is up to the administrator to decide how many changes to make before activating a new configuration.
  • Page 39 Let's now add the gateway IP4 Address object which we will call wan_gw and assign it the IP address 10.5.4.1. The ISP's gateway is the first router hop towards the public Internet from the Clavister Security Gateway. Go to System > Objects > Address Book in the Web Interface navigation tree.
  • Page 40 Chapter 3: CorePlus Configuration All the interface related address objects are gathered together in an address book folder called InterfaceAddresses. By clicking on this folder, we open it and can view the addresses it contains. The first few default addresses in the folder are shown below. By default on initial startup, two IP address objects are created automatically for each interface detected by CorePlus.
  • Page 41 Chapter 3: CorePlus Configuration display a list of the physical interfaces. The first few lines of the interface list for the SG4500 Series are shown below. Click on the interface in the list which is to be connected to the Internet. The properties for this interface will now appear and the relevant settings can be entered or changed.
  • Page 42 Chapter 3: CorePlus Configuration The rule Action is set to NAT (this is explained further below) and the Service is set to http-all which is suitable for most web browsing (it allows both HTTP and HTTPS connections). The interface and network for the source and destinations are defined in the Address Filter section of the rule.
  • Page 43 For the Internet connection to work, we also need a route defined so that CorePlus knows on which interface the web browsing traffic should leave the Clavister Security Gateway. This route will define the interface where the network all-nets (in other words, any network) will be found. If we open the default main routing table by going to Routing >...
  • Page 44 Usually, a DHCP Host Name does not need to be specified but can sometimes be used by an ISP to uniquely identify this Clavister Security Gateway as a particular DHCP client to the ISP's DHCP server.
  • Page 45 Chapter 3: CorePlus Configuration Your ISP will supply the correct values for pppoe_username and pppoe_password in the dialog above. The PPPoE tunnel interface can now be treated exactly like a physical interface by the policies defined in CorePlus rule sets. There also has to be a route associated with the PPPoE tunnel to allow traffic to flow through it, and this is automatically created in the main routing table when the tunnel is defined.
  • Page 46 DHCP Server Setup If the Clavister Security Gateway is to act as a DHCP server then this can be set up in the following way: First create an IP4 Address object which defines the address range to be handed out. Here, we will assume this is called dhcp_range.
  • Page 47 Chapter 3: CorePlus Configuration In addition it is important to specify the Default gateway for the server. This will be handed out to DHCP clients on the internal networks so that they know where to find the public Internet. The default gateway is always the IP address of the interface on which the DHCP server is configured.
  • Page 48 The IP rule again has the NAT action and this is necessary if the protected local hosts have private IP addresses. The ICMP requests will be sent out from the Clavister Security Gateway with the IP address of the interface connected to the ISP as the source interface. Responding hosts will send back ICMP responses to this single IP and CorePlus will then forward the response to the correct private IP address.
  • Page 49 Chapter 3: CorePlus Configuration all rule as the last rule in the main IP rule set. This rule has an Action of Drop with the source and destination network set to all-nets and the source and destination interface set to any. The service for this rule must also be specified and this should be set to all_services in order to capture all types of traffic.
  • Page 50 2 hours from startup. To remove this restriction, a valid license must be uploaded to the Clavister Security Gateway. To do this, download a license as described in the last part of Section 3.2, “Web Interface and Wizard Setup”.
  • Page 51: Cli Setup

    • Using a terminal or computer running a console emulator connected directly to the local RS-232 console port on the SG4500 Series. Performing console port connection is described in the hardware installation manual for each Clavister hardware model. The CLI commands listed below are grouped so that they mirror the options available in the setup wizard.
  • Page 52 All CorePlus interfaces are logically equal for CorePlus and although their physical capabilities may be different, any interface can perform any logical function. With the SG4500 Series, the ge1 interface is the default management interface. The other interfaces can be used as desired. For the sake of example, it is assumed here that the ge2 interface will be used for connection to the public Internet and the ge3 interface will be used for connection to a protected, local network.
  • Page 53 Device:/> set IP4Address InterfaceAddresses/ge2_ip Address=10.5.4.35 Note: Qualifying the names of IP objects in folders On initial startup of the SG4500 Series, CorePlus automatically creates and fills the InterfaceAddresses folder in the CorePlus address book with the interface related IP address objects.
  • Page 54 Chapter 3: CorePlus Configuration EthernetDevice: 0:ge2 1:<empty> AutoSwitchRoute: AutoInterfaceNetworkRoute: AutoDefaultGatewayRoute: ReceiveMulticastTraffic: Auto MemberOfRoutingTable: Comments: <empty> Setting the default gateway on the interface has the additional effect that CorePlus automatically creates a route in the default main routing table that has the network all-nets routed on the interface.
  • Page 55 Chapter 3: CorePlus Configuration It is recommended that at least one DNS server is also defined in CorePlus. This DNS server or servers (a maximum of three can be configured) will be used when CorePlus itself needs to resolve URLs which is the case when a URL is specified in a configuration instead of an IP address. If we assume an IP address object called dns1_address has already been defined for the first DNS server, the command to specify the first DNS server is: Device:/>...
  • Page 56 Chapter 3: CorePlus Configuration and this is automatically created in the main routing table when the tunnel is defined. If the PPPoE tunnel object is deleted, this route is also automatically deleted. At this point, no traffic can flow through the tunnel since there is no IP rule defined that allows it. As was done in option A above, we must define an IP rule that will allow traffic from a designated source interface and source network (in this example, the network ge3_net and interface ge3) to flow to the destination network all-nets and the destination interface which is the PPPoE tunnel...
  • Page 57 DHCP Server Setup If the Clavister Security Gateway is to act as a DHCP server then this can be set up in the following way: First define an IP address object which has the address range that can be handed out. Here, we will use the IP range 192.168.1.10-192.168.1.20 as an example and this will be available on the ge3...
  • Page 58 The IP rule again has the NAT action and this is necessary if the protected local hosts have private IP addresses. The ICMP requests will be sent out from the Clavister Security Gateway with the IP address of the interface connected to the ISP as the source interface. Responding hosts will send back ICMP responses to this single IP and CorePlus will then forward the response to the correct private IP address.
  • Page 59: Downgrading To 8.Nn

    Chapter 3: CorePlus Configuration 3.5. Downgrading to 8.nn The SG4500 Series comes preinstalled with a 9.nn CorePlus version and this cannot be downgraded since the hardware does not support 8.nn versions...
  • Page 60: Troubleshooting Setup

    If the Input counters in the hardware section of the output are not increasing then the error is likely to be in the cabling. However, it may simply be that the packets are not getting to the Clavister Security Gateway in the first place. This can be confirmed with a packet sniffer if it is available.
  • Page 61 Chapter 3: CorePlus Configuration A final diagnostic test is to try using the console command: Device:/> arpsnoop -all This will show the ARP packets being received on the different interfaces and confirm that the correct cables are connected to the correct interfaces.
  • Page 62: Going Further With Coreplus

    HTTP ALG provides a number of important features such as content filtering. VPN Setup A common requirement is to quickly set up VPN networks based on Clavister Security Gateways. The CorePlus Administrators Guide includes an extensive VPN section and as part of this, a VPN Quick Start section which goes through a checklist of setup steps for nearly all types of VPN scenarios.
  • Page 63 Clavister company website at http://www.clavister.com or contact your local sales representative. Staying Informed Clavister maintains an RSS feed of announcements that can be subscribed to at https://forums.clavister.com/rss-feeds/announcements/. It is recommended to subscribe to this feed so that you receive notifications when new releases of CorePlus versions are available for download and installation.
  • Page 65: Product Maintenance

    Single PSU Operation The SG4500 Series does not need both PSUs fitted. The appliance can operate correctly with just one PSU fitted. If this is the case, the second PSU slot should be filled with a special PSU Filler Module.
  • Page 66 The Hardware Monitoring (HWM) functions of CorePlus should be used to remotely monitor the hardware state of the SG4500 Series and associated PSUs. If only one PSU is operating then this is shown through such monitoring regardless of whether this is intentional and a PSU filler module occupies an empty PSU slot.
  • Page 67 Chapter 4: Product Maintenance Local PSU Failure Indicators If two PSUs are fitted to provide redundancy and there is a single PSU failure, a loud, continuous, audible alarm sound will be heard coming from the appliance. The alarm can be switched off by pressing the red button located to the right of the PSUs.
  • Page 68 Chapter 4: Product Maintenance pressure should be applied only through the black handle. Insert a power cord into the new PSU. Apply the power source to the new PSU. This may be done by just plugging the power cord into a wall socket. The new PSU's green light will illuminate, indicating normal operation and the audible alarm will stop if it hasn't already been switched off.
  • Page 69: Replacing Fan Modules

    Chapter 4: Product Maintenance 4.2. Replacing Fan Modules The SG4500 Series has three individual and independent fan modules that can be hot-swapped onsite. A fan module is shown below. Figure 4.4. An Individual Fan Module The Recommended Replacement Interval All fan modules are liable to wear from mechanical movement and fan failure can lead to much more serious failures from the overheating of electronic components.
  • Page 70 Chapter 4: Product Maintenance Unscrew by hand the retaining screw at the right of the metal grill covering the fans. Caution: Keep away from spinning fans Keep fingers, tools and any loose objects well away from the fans that are still spinning.
  • Page 71 Chapter 4: Product Maintenance A new fan module can now be pushed into the empty space by placing fingers on each of the same left and right brackets. It will click into place when it is level with the other 2 modules.
  • Page 73: Warranty Service

    (2) years from the Start Date (as defined below). The warranty will only apply to failure of the product if Clavister is informed of the failure not later than two (2) years from the Start Date or thirty (30) days after the failure was or ought to have been noticed by the customer.
  • Page 74 Sjögatan 6J 891 60 Örnsköldsvik SWEDEN If the product has not yet been registered with Clavister through its client web, a proof of purchase (such as a copy of the dated purchase invoice) must be provided with the shipped product.
  • Page 75: Safety Precautions

    Chapter 6: Safety Precautions Safety Precautions Clavister SG4500 Series devices are Safety Class I products and have protective ground terminals. There must be an uninterrupted safety earth ground from the main power source to the product’s input wiring terminals, power cord, or supplied power cord set. Whenever it is likely that the protection has been impaired, disconnect the power cord until the ground has been restored.
  • Page 76 Chapter 6: Safety Precautions Safety Information This device is a Class I product and has a ground terminal. The main power source must have a safety earth ground installed at the input wiring terminals, on the power cord, or on the power cord set supplied with the product.
  • Page 77 Chapter 6: Safety Precautions • if your LAN covers an area served by more than one power distribution system, make sure that the safety earth grounds are securely interconnected; • LAN cables may occasionally be subject to hazardous transient voltages (for example, caused by lightning or disturbances in the power supply grid of the company...
  • Page 78: Specifications

    Appendix A: Specifications Below are the key hardware specifications for Clavister SG4500 Series installation. Dimensions, Weight and MTBF Height x Width x Depth (mm) 44 x 440 x 500 Hardware Weight 9.0 kg Hardware Form Factor 19 inch Rack Mountable...
  • Page 79: Declarations Of Conformity

    Appendix B: Declarations of Conformity...
  • Page 81: Vista Ip Setup

    If a PC running Microsoft Vista is being used as the CorePlus management workstation, the computer's Ethernet interface connected to the Clavister Security Gateway must be configured with an IP address which belongs to the network 192.168.1.0/24 and is different from the security gateway's address of 192.168.1.1.
  • Page 82 Appendix C: Vista IP Setup Select and display the properties for Internet Protocol Version 4 (TCP/IPv4). In the properties dialog, select the option Use the following IP address and enter the following values: • IP Address: 192.168.1.30 • Subnet mask: 255.255.255.0 •...
  • Page 83: Windows 7 Ip Setup

    If a PC running Microsoft Windows 7 is being used as the CorePlus management workstation, the computer's Ethernet interface connected to the Clavister Security Gateway must be configured with an IP address which belongs to the network 192.168.1.0/24 and is different from the security gateway's address of 192.168.1.1.
  • Page 84 Appendix D: Windows 7 IP Setup Select and display the properties for Internet Protocol Version 4 (TCP/IPv4). In the properties dialog, select the option Use the following IP address and enter the following values: • IP Address: 192.168.1.30 • Subnet mask: 255.255.255.0 •...
  • Page 85: Apple Mac Ip Setup

    Appendix E: Apple Mac IP Setup An Apple Mac can be used as the management workstation for initial setup of a Clavister Security Gateway. To do this, a selected Ethernet interface on the Mac must be configured correctly with a static IP.
  • Page 86 Appendix E: Apple Mac IP Setup Now set the following values: • IP Address: 192.168.1.30 • Subnet Mask: 255.255.255.0 • Router: 192.168.1.1 Click Apply to complete the static IP setup.