Clavister NetWall E80B
Getting Started Guide
Clavister AB
Sjögatan 6J
SE-89160 Örnsköldsvik
SWEDEN
Head office/Sales: +46-(0)660-299200
Customer support: +46-(0)660-297755
www.clavister.com
Published 2019-04-03
Copyright © 2019 Clavister AB


Summary of Contents for Clavister NetWall E80B

  • Page 2 Clavister. Disclaimer The information in this document is subject to change without notice. Clavister makes no representations or warranties with respect to the contents hereof and specifically disclaims any implied warranties of merchantability or fitness for a particular purpose. Clavister reserves the right to revise this publication and to make changes from time to time in the content hereof without any obligation to notify any person or parties of such revision or changes.
  • Page 3: Table Of Contents

    1.3. Interfaces and Ports, page 11 • 1.4. Zero Touch Support, page 12 • 1.5. Hardware Sensor Monitoring, page 13 • 2. Registering with Clavister, page 15 • 3. E80B Installation, page 20 • 3.1. General Installation Guidelines, page 20 • 3.2. Flat Surface Installation, page 22 • 3.3.
  • Page 4 1.2. Clavister E80B Connection Ports, page 11 • 3.1. The E80B Mini-USB Local Console Port, page 28 • 3.2. Rear view of the Clavister E80B, page 30 • 3.3. E80B Power Inlet Socket, page 30 • 5.1. Factory Reset Using the Web Interface, page 74...
  • Page 5: Preface

    The target audience for this guide is the administrator who has taken delivery of a packaged Clavister E80B appliance and is setting it up for the first time. The guide takes the user from unpacking and installation of the device through to power-up, including network connections and initial cOS Core configuration.
  • Page 6 Where a "See section" link is provided in the main text, this can be clicked on to take the reader directly to that reference. For example, see Appendix A, E80B Specifications. Web links Web links included in the document are clickable. For example, http://www.clavister.com. Trademarks Certain names in this publication are the trademarks of their respective owners.
  • Page 7: E80B Product Overview

    Chapter 1: E80B Product Overview • E80B Models and Differences, page 7 • Unpacking the E80B, page 9 • Interfaces and Ports, page 11 • Zero Touch Support, page 12 • Hardware Sensor Monitoring, page 13 1.1. E80B Models and Differences There are two E80B models: •...
  • Page 8 Chapter 1: E80B Product Overview names LAN and WAN. • E80B Ethernet LEDs are above the Ethernet port for a better indication of link status. • The E80B status LEDs illuminate with an amber color.
  • Page 9: Unpacking The E80B

    Service, along with a description of the hardware replacement procedure. The Cold Standby Service To ensure maximum uptime, a Cold Standby (CSB) Service is available from Clavister as an addition to certain cOS Core support agreements. This service allows a second, identical E80B unit to be...
  • Page 10 Core license to the standby unit. When the faulty unit is returned to Clavister, a new cold standby unit is immediately sent back. More details about the CSB service can be found in the separate Hardware Replacement Guide.
  • Page 11: Interfaces And Ports

    Chapter 1: E80B Product Overview 1.3. Interfaces and Ports This section is an overview of the E80B product's external design. Figure 1.2. Clavister E80B Connection Ports The E80B features the following connection ports on the front panel: • A mini-USB (type mini-B) port for console connection marked with the letter C. This port is used for direct access to the cOS Core Boot Menu and the cOS Core Command Line Interface (CLI).
  • Page 12: Zero Touch Support

    Chapter 1: E80B Product Overview 1.4. Zero Touch Support The E80B product can support the Zero Touch feature in the Clavister InControl management software product. This means that it is possible to power up the E80B, connect it to the Internet, and the E80B device will automatically register itself with an InControl server.
  • Page 13: Hardware Sensor Monitoring

    In addition, log message alerts can be automatically generated if a sensor reaches a value outside of its normal operational range. Configuring this feature, as well as a list of all the sensors available on each Clavister hardware model and their normal ranges, can be found in the Hardware Monitoring section of the separate...
  • Page 15: Registering With Clavister

    The wizard is described in Section 4.1, “Web Interface and Wizard Setup”. Manual registration of the E80B on the Clavister website - This is described in the last half of this chapter. Manual registration may be necessary if the E80B does not have Internet access.
  • Page 16 Chapter 2: Registering with Clavister The MyClavister login page is presented. If you are already registered, log in and skip to step 8. If you are a new customer accessing MyClavister for the first time, click the Create Account link.
  • Page 17 Chapter 2: Registering with Clavister Below is an example of the heading in the email that would be received. The confirmation link in the email leads back to the Clavister website to show that confirmation has been successful and logging in is now possible.
  • Page 18 If the unit does not have Internet access then manual registration is required and this is done using the following steps: Log in to the Clavister website and select the Register License option. The registration page is displayed. Under the tab Hardware Serial Number and Service Tag, the Hardware Serial Number and Service Tag must be entered.
  • Page 19 Once the E80B hardware unit is registered, a cOS Core license for the unit becomes available for download and installation from Clavister servers. This installation can be done automatically through the cOS Core Setup Wizard which is described in Section 4.1, “Web Interface and Wizard Setup”.
  • Page 20: E80B Installation

    • Mini-USB Console Port Connection, page 28 • Connecting Power, page 30 3.1. General Installation Guidelines Follow these general guidelines when installing your Clavister E80B appliance: • Safety Take notice of the safety guidelines laid out in Chapter 7, Safety Precautions. These are specified in multiple languages.
  • Page 21 Chapter 3: E80B Installation • Surge Protection A third party surge protection device should be considered and is strongly recommended as a means to prevent electrical surges reaching the appliance. This is mentioned again in Section 3.6, “Connecting Power”. • Temperature Do not install the appliance in an environment where the ambient temperature during operation might fall outside the specified operating range.
  • Page 22: Flat Surface Installation

    Chapter 3: E80B Installation 3.2. Flat Surface Installation The E80B can be mounted on any appropriate stable, flat, level surface that can safely support the weight of the appliance and its attached cables. Note: Attach the rubber feet provided with the E80B Adhesive rubber feet for the E80B unit are provided with the E80B in its packaging.
  • Page 23: Rack Mounting

    Chapter 3: E80B Installation 3.3. Rack Mounting A Rack Mount Kit is supplied with the E80B for mounting the product in a 19-inch rack. Included with the kit is the following: • 2 x side brackets. • 6 x bracket screws. 3 for securing one bracket to one side of the E80B. The kit is attached to the sides of the E80B unit prior to mounting in the rack.
  • Page 24 Chapter 3: E80B Installation Repeat this for each side of the E80B so the brackets are mounted as shown below. The E80B is now ready to be rack mounted. No rear support is required.
  • Page 25: Management Computer Connection

    Clavister's cOS Core network security operating system is preloaded on the E80B and will automatically boot up after power is applied. After the start-up sequence is complete, an external management computer can be used to configure cOS Core.
  • Page 26 Chapter 3: E80B Installation Network Connection Setup For setting up access across a network using the Web Interface or the CLI via SSH, it is necessary to connect an Ethernet interface on an external management computer to the default management Ethernet interface on the E80B. The default management Ethernet interface for the E80B is the LAN and this is assigned the default IPv4 address of 192.168.1.1 by cOS Core.
  • Page 27 Chapter 3: E80B Installation Management Computer Ethernet Interface Setup The only requirement for the Ethernet interface used for connection on the management computer is that DHCP is enabled. cOS Core automatically enables a DHCP server on the firewall's LAN interface and this allocates the required IP addresses to the management computer using DHCP.
  • Page 28: Mini-Usb Console Port Connection

    For the Linux and MacOS micro-USB drivers or to download the Windows driver manually, go to the E80B product page which can be found at https://www.clavister.com/start. Direct the console emulator on the computer to connect to the newly installed device. After successful connection, commands can be issued to the cOS Core Command Line Interface (CLI).
  • Page 29 Chapter 3: E80B Installation CLI Setup”. Remote Console Connection Using SSH An alternative to using the local console port for CLI access is to connect over a network via a physical Ethernet interface and using a Secure Shell (SSH) client on the management computer to issue CLI commands.
  • Page 30: Connecting Power

    Core will start. Important Please review the electrical safety information in Chapter 7, Safety Precautions. Figure 3.2. Rear view of the Clavister E80B Connecting AC Power To connect power, follow these steps: Connect the end of the power cord to the power inlet on the E80B.
  • Page 31 Chapter 3: E80B Installation Initial cOS Core configuration is described in Chapter 4, cOS Core Configuration. Important: Protecting against power surges It is recommended that the purchase and use of a separate surge protection unit from a third party is considered for the power connection to the E80B hardware. This is to ensure that the E80B is protected from damage by sudden external electrical power surges through the power cable.
  • Page 33: Cos Core Configuration

    Chapter 4: cOS Core Configuration • Web Interface and Wizard Setup, page 33 • Manual Web Interface Setup, page 43 • Manual CLI Setup, page 58 • License Installation Methods, page 66 • Setup Troubleshooting, page 68 • Going Further with cOS Core, page 70 Note: Upgrading to the latest cOS Core version A new E80B may not have the very latest cOS Core version pre-installed.
  • Page 34 In the latest Microsoft browser, the following error message will be displayed in the browser window. The browser should now be told to accept the Clavister certificate by choosing the option to continue.
  • Page 35 Chapter 4: cOS Core Configuration The Login Dialog cOS Core will next respond like a web server with the initial login dialog page, as shown below. The available Web Interface language options are selectable at the bottom of this dialog. This defaults to the language set for the browser if cOS Core supports that language.
  • Page 36 The wizard assumes that Internet access will be configured. If this is not the case, for example if the Clavister Next Generation Firewall is being used in Transparent Mode between two internal networks, then the configuration setup is best done with manual Web Interface steps or through the CLI instead of through the wizard and these are explained in the two sections that follow.
  • Page 37 Chapter 4: cOS Core Configuration Wizard step 2: Set the date and time Many cOS Core functions rely on an accurate date and time, so it is important that this is set correctly in the fields shown below. The default time zone location is ClavisterHQ which means the default location and time zone will be Stockholm.
  • Page 38 Chapter 4: cOS Core Configuration Note: This step is only available with version 11.04 or later The step to optionally set up transparent mode interfaces in the startup wizard is only available with cOS Core version 11.04 or later. Also, the available interface list shown above will vary according to the platform on which cOS Core is running.
  • Page 39 Chapter 4: cOS Core Configuration These four different connection options are discussed next in the subsections 5A to 5D that follow. • 5A. Static - manual configuration Information supplied by the ISP should be entered in the next wizard screen. All fields need to be entered except for the Secondary DNS server field.
  • Page 40 DNS servers are set automatically after connection with PPTP. Wizard step 6: DHCP server settings If the Clavister Next Generation Firewall is to function as a DHCP server, it can be enabled here in the wizard on a particular interface or configured later.
  • Page 41 Time Protocol servers keep the system date and time accurate. Syslog servers can be used to receive and store log messages sent by cOS Core. By selecting the Clavister option, the current time will be updated over the Internet from Clavister's own timeserver.
  • Page 42 Internet access must have been set up in previous wizard steps for this option to function. The only input required is the MyClavister username and password for the Clavister website. This also creates a lasting link between the E80B and the Clavister servers so that any future license updates can be installed automatically.
  • Page 43: Manual Web Interface Setup

    Core. Ethernet Interfaces The physical connection of external networks to the Clavister Next Generation Firewall is through the various Ethernet interfaces which are provided by the hardware platform. On first-time startup, cOS Core scans for these interfaces and determines which are available and allocates their names.
  • Page 44 Chapter 4: cOS Core Configuration Note: Specifying a URL for the time server For cOS Core versions prior to 12.00.09 a time server URL must have the prefix "dns:". For version 12.00.09 and later, an FQDN Address address must be used instead of a direct URL reference.
  • Page 45 Reconfiguration is a process that the cOS Core administrator may initiate often. Normally, reconfiguration takes a brief amount of time and causes only a slight delay in traffic throughput. Active user connections through the Clavister Next Generation Firewall should rarely be lost. Tip: How frequently to commit configuration changes It is up to the administrator to decide how many changes to make before activating a new configuration.
  • Page 46 IPv4 address 203.0.113.1. The ISP's gateway is the first router hop towards the public Internet from the Clavister Next Generation Firewall. Go to Objects > Address Book in the Web Interface. The current contents of the address book will be listed and will contain a number of predefined objects automatically created by cOS Core after it scans the interfaces for the first time.
  • Page 47 Chapter 4: cOS Core Configuration On initial startup, two IPv4 address objects are created automatically for each interface detected by cOS Core. One IPv4 address object is named by combining the physical interface name with the suffix "_ip" and this is used for the IPv4 address assigned to that interface. The other address object is named by combining the interface name with the suffix "_net"...
  • Page 48 At this point, the connection to the Internet is configured but no traffic can flow to or from the Internet since all traffic needs a minimum of the following two cOS Core configuration objects to exist before it can flow through the Clavister Next Generation Firewall: •...
  • Page 49 Chapter 4: cOS Core Configuration • A route defined in a cOS Core routing table which specifies on which interface cOS Core can find the traffic's destination IP address. If multiple matching routes are found, cOS Core uses the route that has the smallest (in other words, the narrowest) IP range.
  • Page 50 Chapter 4: cOS Core Configuration The destination network is specified as the predefined IP4 Address object all-nets. This is used since it cannot be known in advance to which IP address web browsing will be directed and all-nets allows browsing to any IP address. IP rule sets are processed in a top down fashion, with the search ending at first matching entry.
  • Page 51 For the Internet connection to work, a route also needs to be defined so that cOS Core knows on which interface the web browsing traffic should leave the Clavister Next Generation Firewall. This route will define the interface where the network all-nets (in other words, any network) will be found.
  • Page 52 DHCP client. Usually, a DHCP Host Name does not need to be specified but can sometimes be used by an ISP to uniquely identify this Clavister Next Generation Firewall as a particular DHCP client to the ISP's DHCP server.
  • Page 53 Chapter 4: cOS Core Configuration An ISP will supply the correct values for pppoe_username and pppoe_password in the dialog above. The PPPoE tunnel interface can now be treated exactly like a physical interface by the policies defined in cOS Core rule sets. There also has to be a route associated with the PPPoE tunnel to allow traffic to flow through it, and this is automatically created in the main routing table when the tunnel is defined.
  • Page 54 PPTP tunnel that has been defined. DHCP Server Setup If the Clavister Next Generation Firewall is to act as a DHCP server then this can be set up in the following way: First, create an IP4 Address object which defines the address range to be handed out. Here, it is assumed that this has the name dhcp_range.
  • Page 55 Chapter 4: cOS Core Configuration Also in the Options tab, we should specify the DNS address which is handed out with DHCP leases. This could be set, for example, to be the IPv4 address object dns1_address. Syslog Server Setup Although logging may be enabled, no log messages are captured unless at least one log server is set up to receive them and this is configured in cOS Core.
  • Page 56 As with previous policy definitions, NAT should also be enabled if the protected local hosts have private IPv4 addresses. The ICMP messages will then be sent out from the Clavister Next Generation Firewall with the IP address of the interface connected to the ISP as the source interface.
  • Page 57 Chapter 4: cOS Core Configuration If this IP policy were the only one defined, the main IP rule set listing would be as shown below. A Valid License Must Be Installed Lastly, a valid license should be installed to remove the cOS Core 2 hour demo mode limitation. Without a license installed, cOS Core will have full functionality during the 2 hour period following startup, but after that, only management access will be possible.
  • Page 58: Manual Cli Setup

    Chapter 4: cOS Core Configuration 4.3. Manual CLI Setup This chapter describes the cOS Core setup steps using CLI commands instead of the Web Interface and the setup wizard. The CLI is accessible using either of the following two methods: •...
  • Page 59 Ethernet Interfaces The connection of external networks to the Clavister Next Generation Firewall is via the various Ethernet interfaces which are provided by the hardware platform. On first-time startup, cOS Core determines which interfaces are available and allocates their names. One interface is chosen as the initial default management interface and this can only be changed after initial startup.
  • Page 60 Chapter 4: cOS Core Configuration We first must set or create a number of IPv4 address objects. It is assumed here that the interface used for Internet connection is G2, the ISP gateway IPv4 address is 203.0.113.1, the IPv4 address for the connecting interface will be 203.0.113.35 and the network to which they both belong is 203.0.113.0/24.
  • Page 61 Chapter 4: cOS Core Configuration Setting the default gateway on the interface has the additional effect that cOS Core automatically creates a route in the default main routing table that has the network all-nets routed on the interface. This means that we do not need to explicitly create this route. Even though an all-nets route is automatically added, no traffic can flow without the addition of an IP Policy which explicitly allows traffic to flow.
  • Page 62 Chapter 4: cOS Core Configuration Device:/> set DNS DNSServer1=dns1_address Assuming a second IP object called dns2_address has been defined, the second DNS server is specified with: Device:/> set DNS DNSServer2=dns2_address B. DHCP - automatic configuration Alternatively, all required IP addresses can be automatically retrieved from the ISP's DHCP server by enabling DHCP on the interface connected to the ISP.
  • Page 63 Chapter 4: cOS Core Configuration PPPoE tunnel object is deleted, this route is also automatically deleted. At this point, no traffic can flow through the tunnel since there is no IP rule set entry defined that allows it. As was done in option A above, we must define an IP policy that will allow traffic from a designated source network and source interface (in this example, the network G1_net and interface G1) to flow to the destination network all-nets and the destination interface which is the PPPoE tunnel that has been defined.
  • Page 64 DHCP Server Setup If the Clavister Next Generation Firewall is to act as a DHCP server then this can be set up in the following way: By default on the E80B, the interface LAN already has a DHCP server enabled on it which hands out addresses from the predefined address object LAN_DHCPPool (192.168.1.100-192.168.1.250).
  • Page 65 The IP policy above assumes NAT will be used and this is necessary if the protected local hosts have private IPv4 addresses. The ICMP requests will be sent out from the Clavister Next Generation Firewall with the IP address of the interface connected to the ISP as the source interface.
  • Page 66: License Installation Methods

    Core for another two hours. To remove this 2 hour restriction, a valid license must be installed. Licenses are files which are made available for download from the Clavister servers but before they become available, the user must have registered themselves with Clavister and doing this is described in Chapter 2, Registering with Clavister.
  • Page 67 Automatically, by creating a permanent link between the E80B and the associated MyClavister account on the Clavister website. Doing this is one of the last options in the setup wizard. Alternatively, the link can be established later by going to the Status > Maintenance >...
  • Page 68: Setup Troubleshooting

    If the Input counters in the hardware section of the output are not increasing then the error is likely to be in the cabling. However, it may simply be that the packets are not getting to the Clavister Next Generation Firewall in the first place. This can be confirmed with a packet sniffer if it is available.
  • Page 69 Chapter 4: cOS Core Configuration This will display console messages that show all the ARP packets being received on the different interfaces and confirm that the correct cables are connected to the correct interfaces. To look at the ARP activity on only a particular interface, follow the command with the interface name: Device:/>...
  • Page 70: Going Further With Cos Core

    IP rules identify the targeted traffic using combinations of the source/destination interface/network combined with protocol type. By default, no IP rules are defined so all traffic is dropped. At least one IP rule needs to be defined before traffic can traverse the Clavister Next Generation Firewall.
  • Page 71 It is recommended to subscribe to this feed so that you receive notifications when new releases of cOS Core versions are available for download and installation. Alternatively, announcements can be read directly from the Clavister forums which can be found at https://forums.clavister.com/.
  • Page 73: Resetting To Factory Defaults

    Chapter 5: Resetting to Factory Defaults In some circumstances, it may be necessary to reset the E80B hardware to the state it was in when it left the factory and was delivered to a customer. This process is known as a reset to factory defaults or simply a factory reset.
  • Page 74 Chapter 5: Resetting to Factory Defaults Figure 5.1. Factory Reset Using the Web Interface • Using the CLI The cOS Core CLI can be used by connecting to one of the E80B's Ethernet interfaces using an SSH client over a network. A reset is performed by entering the reset -unit command twice in succession: Device:/>...
  • Page 75 Chapter 5: Resetting to Factory Defaults Important: The local console password will be reset to none If a local console password was set this will also be reset to the factory default of no password. If required, the local console password should be set later by choosing the boot menu option Enable Console Password.
  • Page 76: Warranty Service

    Start Date (as defined below). The warranty will only apply to failure of the product if Clavister is informed of the failure not later than two (2) years from the Start Date or thirty (30) days after that the failure was or ought to have been noticed by the customer.
  • Page 77 Sjögatan 6J 891 60 Örnsköldsvik SWEDEN If the product has not yet been registered with Clavister through its website, some proof of purchase (such as a copy of the dated purchase invoice) must be provided with the shipped product. Important: An RMA Number must be obtained before shipping! Any package returned to Clavister without an RMA number will be rejected and shipped back at the customer's expense.
  • Page 78: Safety Precautions

    Chapter 7: Safety Precautions Safety Precautions Clavister E80B devices are Safety Class I products and have protective ground terminals. There must be an uninterrupted safety earth ground from the main power source to the product’s input wiring terminals, power cord, or supplied power cord set. Whenever it is likely that the protection has been impaired, disconnect the power cord until the ground has been restored.
  • Page 79 Chapter 7: Safety Precautions Safety Information This device is a Class I product and has a ground terminal. The main power source must be fitted with a safety earth ground installed at the input wiring terminals, on the power cord or on the power cord set supplied with the product.
  • Page 80 Chapter 7: Safety Precautions • if your LAN covers an area served by more than one power distribution system, make sure that the safety ground connections are securely connected to each other; • LAN cables can occasionally be subject to dangerous transient voltages (for example, caused by lightning or disturbances in the power grid of the company...
  • Page 81: E80B Specifications

    Typical Power Consumption 12 W 43 BTU PSU Rated Power 25 W Ethernet Interface Support Gigabit RJ45 interfaces Automatic MDI-X 1000BASE-T (copper RJ45 100m) 100BASE-TX (copper RJ45 100m) 10BASE-T (copper RJ45 100m) For more information about Clavister products, go to: http://www.clavister.com.
  • Page 82: Declarations Of Conformity

    Appendix B: Declarations of Conformity...