Cellular Modem Antenna Gain Specifications MPE Safe Distance Statement CM8100-10G-5G Antenna Gain and Collocated Radio Transmitter Specifications. Antenna Gain Collocated Radio Transmitters RF Band Support Device Reboot Initial Settings Default Settings Serial Port Settings Browser WebUI Using the WebUI...
MONITOR Menu System Log LLDP CDP Neighbors Triggered Playbooks ACCESS Menu Local Terminal Serial Ports Quick Search Access Using Web Terminal or SSH Serial Port Logging Display Port Logs CONFIGURE Menu Serial Ports Edit Serial Ports Assigning Unique IP Addresses for Each Console Port Configure Single Sessions for Ports Single Session Enabled In the WebUI In Config Shell...
Autodiscovery Autodiscovery Enhancements Cancel Autodiscovery Schedule Autodiscovery Retrieve Port Discovery Logs Local Management Consoles Lighthouse Enrollment Manual Enrollment Using UI Manual Enrollment Using the CLI Playbooks Create Or Edit a Playbook Trigger Section: Trigger Types: Action Section: PDUs Add and Configure a PDU PDU Settings Table PDU Operation System Alerts...
Syslog Alert Severity System Alerts - Networking (Connection Status) Configure Signal Strength Alerts Network Connections Network Interfaces Dual SIM Display SIM Status and Signal Strength Installing A New SIM Card Select The Active SIM (Manual Failover Mode) Select The Primary SIM (Automatic Failover Mode) Dual SIM Failover Failover Modes Activate or Configure Failover...
Determine if Modem is Ready & Available Determine if the Modem is Currently Being Upgraded Bonds and Bridges Bonds Create A New Bond Edit an Existing Bond Edit Bond - Form Definitions Bridges Create A New Bridge Edit an Existing Bridge Edit Bridge - Form Definitions Spanning Tree Protocol Enable STP in a Bridge...
Static Routes Configure Static Routes Create a Static Route Edit a Static Route Delete a Static Route Manage Static Routes via Command Line Network Resilience Out-Of-Band Failover Enable Out-Of-Band Failover DNS Queries on a Dormant Failover Interface OOB Failover Types & Failover Behavior IP Passthrough Configure IP Passthrough Settings...
Non-Admin Users Protected Groups and Users Understanding Serial Port Access Create a New Group Edit an Existing Group Local Users Create a New User With Password Create a New User With No Password (Remote Authentication) Modify An Existing User Account With Password Manage SSH Authorized Keys for a User Account Delete a User's Account Remote Authentication...
Services FIPS Compliance Configure FIPS Enable FIPS Enable FIPS via Config Shell: Enable FIPS via ogcli: Disable FIPS Disable FIPS via Config Shell: Verify that FIPS is Enabled Considerations for Using the FIPS Feature Brute Force Protection Configure Brute Force Protection Viewing Current Bans Managing Brute Force Protection via Command Line HTTPS Certificate...
REST API Config Shell Interfaces, Neighbors and Networks. Interfaces Context Neighbors Context Networks Context Interaction With Configuration Files Confirm OSPF Neighbours Wireguard Configuration Viewing a WireGuard Configuration Configure WireGuard through Config Shell or REST Config Shell WireGuard Configuration REST API WireGuard Configuration Configurable WireGuard Fields WireGuard Context Sub-objects Addresses...
Syslog Add a New Syslog Server Global Serial Port Settings Global Serial Port Settings Tab - Field Definitions Syslog Facility Definitions Syslog Severity Definitions Edit or Delete an Existing Syslog Server Session Settings File Server Enable TFTP Service Modify Firewall Zones to Allow the TFTP Service to be Used Update the TFTP Service Storage Location SNMP Service SNMP Alert Managers...
Example 2: Permit Access to WAN Zone HTTPS from a Trusted Source Network Only Custom Rules (firewalld “rich-rules”) Custom Rules Examples: Useful Templates for use in WebUI or CLI Sample Rich Rules Templates Firewall Management Firewall Zone Settings Zone Setup Manage Port Forwarding Manage Custom Rules Firewall Source Address Filtering...
Administration Date and Time Setting Time Setting by NTP Time Setting Manually Factory Reset Factory Reset Procedures Reset from the WebUI Reset at the External Erase Button Reset from the CLI Terminal Reboot Perform a Simple Reboot from the WebUI Export/Restore Configuration Export Configuration Export Configuration via WebUI...
System Upgrade Perform a System Upgrade Upgrade via Fetch From Server Upgrade via Upload Advanced Options Communicating With The Cellular or POTS Modem Internal Modem (POTS) Configuring the POTS Modem CM8148-10G-5G Configuration via the WebUI POTS Configuration via the Config Shell POTS Configuration via the CLI Logging Config CLI GUIDE...
Config CLI Commands apply Apply all Changes Apply Changes to Specific Sections of Configuration changes delete diff discard Discard Groups of Changes Discard Specific Changes edit exit help (or ?) Help Command Used Standalone Help Used in Conjunction with a Command Help Used with a Configuration Option import/export show...
Configure NET3 Static IPV4 for OM2224-24e units Configure WireGuard through Config Shell Root User Password - cleartext Root User Password = password via SHA256 Define Password Complexity Rules Hostname Contact Info Time Zone and NTP Create Admin User Create Breakglass User (belongs to netgrp) Enable netgrp - Set to ConsoleUser Change SSH Delimiter to : default is + Change Port Labels...
Description Example Error Messages Error Messages String Values In Config Commands Description Example Error Messages Opengear CLI Guide Getting Started with ogcli Access ogcli Help and Usage Information Basic Syntax ogcli Operations Supplying Data To ogcli Here Document Inline Arguments...
Using the diff Tool Configure a DNS Advanced Portmanager PMShell Guide Running pmshell pmshell Commands Custom Control Codes for Serial Ports Configure Custom Control Codes Configure Control Codes for a Specified Port (CLI Examples) Configure a Control Code Value for All Ports Control Codes for All Ports via CLI (Examples) DNS Configuration Configure DNS via the Web UI...
“as is,” without warranty of any kind, expressed or implied, including, but not limited to, the implied warranties of fitness or merchantability for a particular purpose. Opengear may make improvements and/or changes in this manual or in the product(s) and/or the program(s) described in this manual at any time. This product could include technical inaccuracies or typographical errors.
Serial Port logging data counters; Serial Port autodiscovery; System Alerts - UI layout changes. 23.03.0 (March 2023) updates: added CM8100-10G SKU items to the Guide; 10G updates to OOB Failover; OOB Failover - additional probe address added; added Firewall - Source Address Filtering. 23.10.0...
SNMP Service; Remote Authentication; SNMP Alert Managers; PDUs. 24.11.3 (Feb 2025): audit, review and update of main sections of the User Guide; LDAP over SSH added to Remote Authentication; CM8100-10G-5G Antenna Gain & RF Band Support Specifications. Document Revision History 24.11.3...
Do not remove the metal covers. There are no operator serviceable components inside. Opening or removing the cover may expose you to dangerous voltage which may cause fire or electric shock. Refer all service to Opengear qualified personnel. To avoid electric shock the power cord protective grounding conductor must be connected through to ground.
Any changes or modifications made to this device without the explicit approval or consent of Opengear will void Opengear of any liability or responsibility for injury or loss caused by any malfunction. This equipment is for indoor use and all communication wiring is limited to the inside of the building.
ABOUT THIS USER GUIDE This user guide is up to date for the 24.11.3 firmware release. When using a minor release there may or may not be a specific version of the user guide for that release.
This section describes how to install the appliance hardware and connect it to controlled devices. CM8100 Features: CM8100-10G Features: The following features apply to the CM8100-10G model: static IP on NET3; pinout switching via software-selectable pinout; two additional 10G SFP+ fiber interfaces.
CM8196-10G Installation And Connection 24.11.3...
POWER CONNECTION The CM8100 models have dual power inlets with auto failover built in. These power supplies accept AC input voltage between 100 and 240 VAC with a frequency of 50 or 60 Hz. See the following tables for typical power draw.
Sensors: active multi-zone power draw monitoring of the 12V power. Power Draw: no monitoring on 120V AC.
DUAL POWER SUPPLY Dual Power Supply, including Dual DC (DDC), can provide power redundancy for devices, especially those that may operate in harsher environments. A secondary power supply provides redundancy for the device if one PSU is unplugged or fails.
SNMP ALERTS FOR POWER-RELATED EVENTS The System Voltage Range SNMP alert is triggered when there is a change in power status such as a system reboot or when the voltage on either power supply leaves or enters the configured range of the System Voltage alert. SNMP ALERT CONFIGURATION The System Voltage Range SNMP alert is configured in the Configure >...
DEVICE STATUS LEDS The LED states shown below are determined by user-configurable threshold values for the Cell LED (amber/green) and by the modem enabled/disabled state. Status LEDs table (columns: LED, Condition, Amber, Green; states: LED Off, Amber Solid, Green Solid, Flashing): Power...
CM8100 only. NET1: no active network connection; network activity; network link; network link (any speed). NET2: no active network connection; network activity; network link; network link (any speed).
IOIO: activity is received on either the console/USB console or the device serial ports. Note: The amber LED signal threshold is set to 50% of normal signal strength. For information on setting network and power alert thresholds, see "System Alerts - Networking (Connection Status)" on page 105 and "System Alerts - Power"...
CONNECTING TO THE NETWORK Generally, Console Manager products have two network connections labeled NET1 and NET2. In the CM8100 there are options for copper wiring (on a standard RJ-45 connector). The CM8100-10G also has a static IP port on NET3.
SERIAL CONNECTION Note: X1 and X2 are Opengear-specific labels, where X2 = Cisco straight and X1 = Cisco reversed. Local Console Port: Serial Port 1 is the default local console port. CM8100 Serial Ports: The serial connections feature RS-232 with Cisco Straight X2 pinout, 50 to 230,400 bps.
CELLULAR CONNECTIVITY The cellular interface is certified for global deployments with most carriers and provides a CAT12 LTE interface supporting most frequencies in use. To activate the cellular interface, contact your local cellular carrier and activate a data plan associated with the installed SIM.
CELLULAR MODEM ANTENNA GAIN SPECIFICATIONS MPE SAFE DISTANCE STATEMENT Opengear cellular products are intended for use 28 cm or more from the body. This meets limits for Maximum Permissible Exposure (MPE) and is the minimum safe distance.
DEVICE REBOOT When the Console Manager reboots, the cellular IP address will not be preserved. To reboot the unit: Select CONFIGURE > System > Reboot. To conduct a full erase and factory reset see "Factory Reset" on page 291. Note: Factory reset will reset the appliance to its factory default settings. Any modified configuration information is erased.
By default, all interfaces are enabled. The unit can be managed via the Web GUI or the command line interface (CLI). Tip: There is also a Quick Start Guide to assist with easy setup of the Console Manager. The QSG is available at: https://opengear.com/support/documentation/ Note: To configure serial ports, see "Serial Ports" on page 68.
See also the Quick Start Guide available at the Opengear documentation web page: https://opengear.com/support/documentation/ The CM8100 is configured with a default static IP address for NET1 of 192.168.0.1 with subnet mask 255.255.255.0. The CM8100-10G devices are configured with a default static IP address for NET3 of 192.168.0.1 with subnet mask 255.255.255.0.
4. After logging in, the WebUI is available. Check the system details at the top right-hand side of the WebUI. 5. In the Navigation Bar on the left side, navigate to the ACCESS > Serial Ports page. The Serial Ports page displays a list of all the serial devices, including the links to a Web Terminal or SSH connection for each.
The Help menu contains a link to generate a Technical Support Report that can be used by Opengear Support for troubleshooting. It also contains a link to the latest User Guide. The System menu presents the Current version, REST API version, Hostname, Serial Number, Model, and Current user.
MANAGEMENT CONSOLE CONNECTION VIA CLI The Command Line Interface (CLI) is accessible using your preferred application to establish an SSH session. Open a CLI terminal on your desktop, then: 1. Input the default IP Address of 192.168.0.1. SSH port 22 is enabled by default. 2.
CHANGE THE ROOT PASSWORD For security reasons, only the root user can initially log in to the appliance. Upon initial login the default password must be changed. Note: Users are prevented from reusing the word “default” as their password. The factory default password automatically expires after a factory reset and users must choose a new password.
3. In the Edit User page, enter an optional description in the Description field if required. Enter a new password in the Password field and re-enter it in the Confirm Password field.
4. Click Save User. A green banner confirms the password change has been saved.
DISABLE A ROOT USER To disable a root user: Note: Before proceeding, make sure that another user exists that has the Administrator role or is in a group with the Administrator role. For information on creating, editing, and deleting users, see "Local Users"...
CHANGE NETWORK SETTINGS The interface supports both IPv4 and IPv6 networks. The IP address of the unit can be set up as Static or DHCP. The following settings can be configured for network ports: IPv4 and IPv6; Static and/or DHCP; enabling or disabling network interfaces; Ethernet media types.
4. Select the Interface and Connection Type for your new connection. 5. The form on the bottom part of the page will change based on the Connection Type you choose. Enter the necessary information and click Apply. To disable or delete interfaces, use the controls on the expanded section on the CONFIGURE >...
CHANGE THE ETHERNET MEDIA TYPE 1. Click CONFIGURE > Network Connections > Network Interfaces. 2. Click the expand arrow to the right of the interface you wish to modify.
3. Click Enabled. 4. To change the interface media setting, click the Edit button, edit the media settings as needed and click Apply.
SYSTEM LOG MONITOR > System Log The Console Manager maintains a log of system activity, access, and communications events with the server and with attached serial, network and power devices. To view the System Log, click MONITOR > System Log. The System Log page lets you change the Number of Log Lines displayed on the screen.
LLDP CDP NEIGHBORS The Console Manager displays LLDP/CDP Neighbors when enabled for a connection. See "Network Discovery Protocols" on page 213 to enable/disable.
TRIGGERED PLAYBOOKS For information on creating Playbooks, see the Playbooks topic in this User Guide. To monitor current Playbooks, click on Monitor > Triggered Playbooks. Choose the time period if desired, and filter by Name of Playlist to view any that have been triggered.
ACCESS MENU The ACCESS menu provides access to the Local Terminal of the Console Manager. It also provides SSH and Web Terminal access to specific ports.
LOCAL TERMINAL The Console Manager includes a web-based terminal. To access this bash shell instance: 1. Select ACCESS > Local Terminal. 2. At the login prompt, enter a username and password. 3. A bash shell prompt appears. This shell supports most standard bash commands and also supports copy-and-paste to and from the terminal.
SERIAL PORTS Tip: Ensure you are on the ACCESS > Serial Ports page and not the similar CONFIGURE > Serial Ports page. The ACCESS > Serial Ports page allows you to quickly locate and access specific ports via the Web Terminal or SSH link shown in the image below. Callout table (Callout #, Item, Definition): Serial port edit button.
Click the Expand arrow (5) to the right of the port to see the Port Logging status or access the port Edit button, which is a link to the CONFIGURE > Serial Ports page. (ogcli: ogcli get ports/ports_status). The following information is displayed under Access > Serial Ports when the individual serial ports are expanded: Rx byte counter (counter reset requires ‘Admin’...
Choosing SSH opens an application you have previously associated with SSH connections from your browser. Note: MS Windows does not connect to PuTTY by default. You may need to install the WinSCP program to launch PuTTY from the Opengear WebUI SSH Serial Port button. SERIAL PORT LOGGING The port logging facility and severity associated with the serial port logs is controlled and set at the Configure >...
DISPLAY PORT LOGS Tip: The log is accessed by clicking the Port Log link on the ACCESS > Serial Ports page. The link is only available when port logging is enabled.
SERIAL PORTS Tip: Ensure you are on the CONFIGURE > Serial Ports page and not the similar ACCESS > Serial Ports page. Navigate to CONFIGURE > Serial Ports; a list of serial ports is displayed. On this page you can configure and edit specific ports. Click the Edit button (pencil icon) to the right of the port to display the port editing page.
Port Pinout: on the CM8100 the pin-out type is fixed (X2 Cisco Straight); on the CM8100-10G it is software selectable. Baud Rate: select the baud rate expected for this port, from 50 to 230,400 bps.
ing OOB Shell commands. LOGGING SETTINGS Logging Level: specify the level of detail you require in the logs (Disabled, Events Only, Events & Received Characters, Events & All Characters). Logs may also be sent to a Syslog server. Other settings to consider are: "GLOBAL SERIAL PORT SETTINGS”...
CONFIGURE SINGLE SESSIONS FOR PORTS Single Session Port Config, or Single Session is a feature that can be enabled on a given port to prevent multiple users from connecting to that port or limit the port to a single concurrent connection. This feature is port-specific and is disabled by default. This feature needs to be enabled on a port-by-port basis.
When the Single Session feature is enabled and the port is in use, if a subsequent user attempts to connect to the port, the connection is declined, and the second user will receive the message: Unable to connect. Another session is currently active. Please disconnect from the current session before attempting to connect again.
IN CONFIG SHELL The Single Session feature can be enabled or disabled by editing the single_session field of a port. When a user with port-level Administrator access is logged in via pmshell, the port configuration menu can be accessed from any port by pressing the escape character (~ by default) followed by c (~c).
logging_level disabled
mode consoleServer
parity none
pinout
portnum 1
single_session false
stopbits 1
control_code (object)
  break ""
  chooser ""
  pmhelp ""
  portlog ""
  power ""
  quit ""
ip_alias (array)
The feature is enabled by typing single_session true, then applying the change.
config(port port01): single_session true
config(port port01):...
SINGLE SESSION BEHAVIOR The following table describes single session feature behavior in various circumstances. What occurs if users are connected to the port with the feature disabled, then the feature is enabled while users are still connected? Users who are already connected will continue to be able to use the port.
This feature should only be used on a secure network. Note: Raw TCP access is disabled by default on Opengear devices. Users must enable Raw TCP access on a serial port through the WebUI, Config CLI or ogcli.
SERVICE IMPLEMENTATION Raw TCP access allows you to access serial ports on a device directly by connecting to a TCP port in the range 40XX. In order to achieve Raw TCP access, you first need to allow TCP packets through port 4002 in the firewall: Navigate to the Firewall Management page in the WebUI.
WEBUI CONFIGURATION Raw TCP access can be enabled or disabled on a selected serial port through the WebUI. When looking at the serial port access page, the enabled/disabled status of Raw TCP access is visible under the Other Settings tab for each serial port. In the WebUI, navigate to Access >...
At the Edit Serial Port page, scroll down the page to see the Raw TCP settings: To Enable Raw TCP, click the Enabled button then click Apply at the bottom of the page. A confirmation message is flagged when Raw TCP is successfully enabled.
parity none
pinout X2
portnum
raw_tcp false
single_session false
stopbits 1
control_code (object)
  break ""
  chooser ""
  pmhelp ""
  portlog ""
  power ""
  quit ""
ip_alias (array)
To enable Raw TCP access:
config(port port02): raw_tcp true
config(port port02): apply
Updating entity port item port02.
To disable Raw TCP access:
config(port port02): raw_tcp false
config(port port02): apply...
OGCLI CONFIGURATION To enable Raw TCP access on a port through ogcli, users can use ogcli update to set raw_tcp to true on the target port (the device information in the ogcli command below is shown as an example): root@om2216-l-tp1-p3:~# ogcli update port port02 raw_tcp=true To disable Raw TCP, set raw_tcp to false on the target port: root@om2216-l-tp1-p3:~# ogcli update port port02 raw_tcp=false You can check that the socket is active by running:...
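Raw TCP access is unauthenticated and single-session is off by default, so a practitioner will usually want a quick way to audit every port's settings rather than expanding them one at a time. The following audit script is an added example and not Opengear code. It parses a port listing in the key/value layout the config shell prints (the SAMPLE_DUMP text, port names and values are constructed for this example), flags ports with raw_tcp enabled, ports where raw_tcp is on but port logging is disabled, and ports that still allow concurrent sessions. The mapping of portnum N to TCP port 4000+N is an assumption based on the "40XX" range and the port 4002 example in this guide.

```python
"""Audit serial-port settings from a config-shell style port dump (added example)."""
import re

# Constructed sample in the key/value layout of the config shell port listing.
# Port names and values are made up for this example.
SAMPLE_DUMP = """\
port port01
  logging_level disabled
  mode consoleServer
  parity none
  pinout X2
  portnum 1
  raw_tcp false
  single_session false
  stopbits 1
port port02
  logging_level eventsOnly
  mode consoleServer
  parity none
  pinout X2
  portnum 2
  raw_tcp true
  single_session false
  stopbits 1
port port03
  logging_level disabled
  mode consoleServer
  parity none
  pinout X2
  portnum 3
  raw_tcp true
  single_session true
  stopbits 1
"""

RAW_TCP_BASE = 4000  # assumption: raw TCP for port N listens on 4000 + N (the "40XX" range)


def parse_ports(dump: str) -> dict[str, dict[str, str]]:
    """Return {port_name: {field: value}} from a 'port <name>' / '  key value' listing."""
    ports: dict[str, dict[str, str]] = {}
    current = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.match(r"^port\s+(\S+)$", line)
        if header:
            current = header.group(1)
            ports[current] = {}
            continue
        if current is None:
            continue  # ignore anything before the first port header
        key, _, value = line.partition(" ")
        ports[current][key] = value.strip()
    return ports


def audit_ports(ports: dict[str, dict[str, str]]) -> list[tuple[str, str]]:
    """Return (port, finding) pairs for settings that widen access or reduce visibility."""
    findings = []
    for name, cfg in ports.items():
        raw_tcp = cfg.get("raw_tcp", "false") == "true"
        single_session = cfg.get("single_session", "false") == "true"
        logging_level = cfg.get("logging_level", "disabled")
        if raw_tcp:
            tcp_port = RAW_TCP_BASE + int(cfg.get("portnum", "0"))
            findings.append((name, f"raw_tcp enabled: unauthenticated access on TCP {tcp_port}; "
                                   "restrict with firewall zone rules"))
            if logging_level == "disabled":
                findings.append((name, "raw_tcp enabled but port logging is disabled"))
        if not single_session:
            findings.append((name, "single_session disabled: concurrent sessions allowed"))
    return findings


if __name__ == "__main__":
    for port, finding in audit_ports(parse_ports(SAMPLE_DUMP)):
        print(f"{port}: {finding}")
```

In practice the dump text would come from the config shell or from ogcli output saved to a file; the parser only relies on the "port <name>" header followed by indented "key value" lines.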
Syslogging enhancement assists in the diagnosis of common issues (for example, no communications, or hostname failed validation). Autodiscovery does not collect a hostname when there is a communication issue between the console server and the target device. The logs are saved for the last-run instance of autodiscovery. The UI displays error messages and logs with the reason for auto-discovery failure, for example: Authentication failed.
The --auth-timeout, --hostname-pattern, --username and --password options can also be configured via the WebUI under Optional Credentials. If the values are provided (optional), they are used to attempt login to obtain the hostname of a downstream serial device. You can only specify a single username and/or password to try on all devices.
The Schedule Autodiscovery window allows you to select the ports and specify a time and period for port detection to run. Activate the schedule by clicking on the Enabled button. The Serial Port Autodiscovery Page: RETRIEVE PORT DISCOVERY LOGS At the top-right of the UI window, click on the Log File red text to retrieve the port discovery logs or by clicking on the...
Port Discovery Log File Example:
LOCAL MANAGEMENT CONSOLES This feature allows Administrators to log in and configure the OM via the RJ-45 or USB ports on the device. You can edit settings or disable the local RJ45 serial console (Cisco straight X2 pinout) and the USB serial console (needs a user-supplied micro-USB to USB-A cable).
To disable a local management console: Click CONFIGURE > Local Management Consoles. Click on the Disable Management Console Port button under Actions next to the console you wish to disable.
LIGHTHOUSE ENROLLMENT Opengear appliances can be enrolled into a Lighthouse instance, providing centralized access to console ports, automation, and central configuration of Opengear devices. Lighthouse central management uses persistent, public-key-authenticated SSH tunnels to maintain connectivity to managed console servers.
Tip: The same token will be entered in the NEW LIGHTHOUSE ENROLLMENT page of the Console Manager. Enroll your Console Manager in this Lighthouse instance: Click CONFIGURE > Lighthouse Enrollment 3. Click on the Add Lighthouse Enrollment button on the top-right of the page. The New Lighthouse Enrollment page opens.
Note: Enrollment can also be done directly via Lighthouse using the Add Node function. See the Lighthouse User Guide for more instructions on enrolling Opengear devices into Lighthouse. MANUAL ENROLLMENT USING THE CLI For complete instructions on Lighthouse Enrollment via the CLI please refer to this link: Manual enrollment using UI or CLI.
PLAYBOOKS Playbooks are configurable systems that periodically check if a user-defined Trigger condition has been met. Playbooks can be configured to perform one or more specified Reactions when a specific trigger event occurs. The Playbook Landing Page: CREATE OR EDIT A PLAYBOOK CONFIGURE >...
TRIGGER SECTION: (Callout #, Field, Required Information) Name: Enter a meaningful name that will help other users understand the purpose of this playbook instance.
Description: Enter a detailed description of the playbook. Status: Enable or Disable this playbook instance. Interval: The interval, in seconds, at which this playbook is repeated. Trigger Type: A drop-down selector for the trigger type for this playbook instance (see "Trigger Types:"...
TRIGGER TYPES: (Trigger, Reaction Description) CLI Log in: Triggers upon Login or Logout events. Select either or both. CLI Log in Failure: Monitor the terminal and trigger on failed user log in attempts. Cell Connection: Triggered whenever the cellular connection state changes.
Network Settings: Monitors network interfaces for specific attributes and triggers a user-defined response when they change. Ping: Periodically pings an address and triggers a user-defined response upon failure. Serial Login: Monitors selected serial ports and triggers a user-defined reaction upon user login and logout events. Serial Pattern: Monitors serial ports and triggers a reaction when data matching a pattern is received on specific ports.
4. To monitor current Playbooks, click on the Monitor > Triggered Playbooks menu (shown below). Select the time period if desired and filter by Name of Playlist to view any that have been triggered.
PDUS One or more Power Distribution Units (PDUs), both Local and Remote, can be monitored. To add information for a PDU, select Configure > PDUs. ADD AND CONFIGURE A PDU PDU configuration definitions are provided in the "PDU Settings Table" on the next page.
6. Click on the Configure Outlets link, assign a port for each of the PDU's ports and enter a meaningful name for each outlet. 7. When you are finished, click Apply. A green banner confirms your settings. PDU SETTINGS TABLE Label: Enter a meaningful label that will easily identify the...
Username: Enter the Username to use when connecting. Password: User password to use when connecting to the device. Remote Mode Only - Address: The remote address of the PDU. SNMP Protocol: Click the drop-down arrow and select the correct transport protocol used to communicate with the PDU.
SYSTEM ALERTS Tip: For more detailed information about configuring SNMP Alerts see the individual topic pages that follow. System Alert Managers can be added or deleted under Configure > System Alerts for the following: "System Alerts - General" on the next page: Covers notification for the following causes.
SYSTEM ALERTS - GENERAL AUTHENTICATION Provides notification when a user attempts to log in via SSH, REST API, or the device's serial ports. An alert is sent regardless of whether the log in has succeeded or failed. Navigate to Configure > System Alerts > General > Authentication. Click on the Enabled button to activate the function.
SYSTEM ALERTS - POWER The PSU is one of the most critical parts of the Console Manager, so it is essential to ensure that the PSU is operating within its design tolerances. When voltage SNMP alerts are enabled, network operators are immediately notified of PSU failures (subject to network connectivity and latency).
Note: The Disabled button de-activates the power syslog function and power alerts will be stopped until activated again. SYSLOG ALERT SEVERITY For the Power Lost alert, click the drop-down list and select the severity level required (default level is 3 - ERROR) when the power level is outside the pre-set range.
SYSTEM ALERTS - NETWORKING (CONNECTION STATUS) The alert related to this functionality is the Network Connection Status which sends an alert when cell signal strength leaves or re-enters a user-defined range, or, when the network link state changes. A slider adjusts the upper and lower signal strength limits.
Click Apply. The Details Saved banner confirms your settings. When an event occurs that causes the signal strength to re-enter the user-defined range, an SNMP alert will be triggered. In the above image, if any anomaly occurs that causes the signal strength to drop below 33 or above 66, an SNMP alert will be triggered.
NETWORK CONNECTIONS The Network Connections menu provides: "Network Interfaces" on the next page, "IPsec Tunnels" on page 146, and "Static Routes" on page 151.
NETWORK INTERFACES The interface supports both IPv4 and IPv6 networks. The IP address of the unit can be set up as Static or DHCP. The following settings can be configured for network ports: IPv4 and IPv6; Static and/or DHCP; enabling or disabling network interfaces; Ethernet media types. For detailed information about Network Interface configuration and adding a new connection, see...
DUAL SIM CONFIGURE > NETWORK CONNECTIONS > Network Interfaces > WWAN0 - Cellular Interface The Console Manager has been available for some time with support for two SIM cards/slots, whereby it is possible to designate which SIM slot is the Active SIM that is normally used by the CM for OOB communications (in Automatic failover mode this SIM is termed the Primary SIM).
1. Navigate to Configure > Network Connections > Network Interfaces. 2. Click on the WWAN0 - Cellular Interface row. 3. The information bar expands, and the page shows the current status of the active and inactive SIM cards. Note: If the unit does not have a cell modem, the cellular interface will not be visible.
Note: When the Refresh button is clicked the signal strength is only updated for the active SIM. If you would like to know the other SIM's signal strength, you need to activate it and let the modem come back online, which may take 3 minutes or more.
SELECT THE ACTIVE SIM (MANUAL FAILOVER MODE) Switching the active SIM must be done manually. To switch the Active SIM: 1. Navigate to CONFIGURE > NETWORK CONNECTIONS > Network Interfaces > WWAN0 - Cellular Interface. 2. Click the Settings cog; this displays the MANAGE WWAN0 - Cellular Interface page and the current status of both SIM slots, including the current carrier name.
5. If you require, you can monitor the interface during the changeover via the CLI with the command: watch ip address show dev wwan0 You can also set the SIM settings by expanding the menu for each SIM to set the APN.
1. Click the Primary button of the SIM selected to be the primary SIM.
2. Select the required Failback Policy for the failback SIM and complete the failback policy details: 3. Click the Confirm button at the bottom of the page. A green banner will appear to confirm that the new settings have been saved.
DUAL SIM FAILOVER
CONFIGURE > NETWORK CONNECTIONS > Network Interfaces > WWAN0 - Cellular Interface > Edit
Console Managers that carry two SIM cards can be configured so that either SIM card slot may be activated. In failover mode, either of the two SIM cards may be designated as the Primary SIM.
FAILOVER MODES
Features of Failover include:
- Select Enabled SIM failover.
- Specify SIM failback policy (applicable when the Ethernet connection and primary SIM are both down):
  Never - The node never switches back to the Primary.
  Delayed (specified in minutes) - The node switches back to the primary after a pre-defined time has elapsed.
  On disconnect - See the table "Cellular Interface Policy Settings" on the next page for an explanation of the policy.
1. Click the Edit link next to the Cellular Interface Enabled/Disabled switch.
2. Select the Enabled failover option.
3. Ensure the correct SIM card is selected as the Primary SIM (see 'Set Primary SIM' in "Dual SIM" on page 109).
4. Complete the Cellular Interface options in accordance with the table below.
5. Click Confirm to activate the failover policy settings; a green banner will confirm the settings are enabled.
Field | Definition
Cellular SIM Failover - Enabled | Switch between the Primary SIM card and the secondary SIM card on disconnection.
Primary SIM Failover - Failover Probe Address | Network address to probe in order to determine if the connection is active. Note: The probe address accepts IPv4 addresses, IPv6 addresses and hostnames.
On Disconnect Secondary SIM Failback - Failback Probe Address | The network address to probe in order to determine if the connection is active.
Test Interval | The number of seconds between connectivity probe tests (this is not the same thing as Attempted Failback).
UPDATE LOCAL FILE LIST AND DOWNLOAD LATEST FIRMWARE FILES
This procedure will update the local file list and download the latest firmware files.
Note: cell-fw-update can be run directly from a CLI shell as root and requires no configuration. You can combine this update action with the following download operation by providing both -u and -d simultaneously.
copy - localfiles.txt
copy - localdb.txt
copy - SHA1SUMS
Note: The cell-fw-update -u and cell-fw-update -d commands may be run separately.
LIST SUPPORTED CARRIERS
The resulting carriers shown below are for example only (local results may vary).
root@om2216-l:~# /etc/scripts/cell-fw-update -l
att AT&T
docomo DoCoMo
generic Generic
kddi KDDI
...
Specify a firmware set to download to the modem. This allows you to update the modem with a specific firmware set instead of one provided by the Opengear FTP server. The path to the firmware set specified must be relative to the directory /mnt/nvram/cellfw/.
root@om8148-10g-tp2-p35:~# cell-fw-update --unsafe -m SWIX65C_02.13.08.00.cwe -m SWIX65C_02.13.08.00_GENERIC_030.047_001.nvu
Waiting for clients to stop using the modem...
The modem is now locked
=== INFO ===
The modem is locked by client cellfw
No clients want to use the modem
UIM failover status is disabled
Active UIM slot is 1 (ICCID: 89610180003137049629)
Operator is telstra corp.
FW info from modem:
Model ID : EM7565
FW Version : SWIX65C_02.13.08.00
Carrier Name : GENERIC
Carrier PRI Revision: 030.047_001
Firmware download process completed successfully.
INFO: QDL Port: /dev/wwan0qdl0
INFO: Device Path: /dev/wwan0qmi0
INFO: FW Path: /tmp/cell-fw-update.4045
Waiting for modem to disconnect from the host ...
Modem disconnected from host.
DETERMINE IF MODEM IS READY & AVAILABLE
The ModemManager service is an essential dependency for all cellular modem operations. Ensure it is running:
root@om8196-10g:~# systemctl start ModemManager
If the modem is running correctly, ModemManager should detect it within 60 seconds of the service starting.
root@om2216-l:~# ps aux | grep cell
root 122965 0.2 0.0 4780 3992 pts/0 S+ 23:42 0:00 /bin/bash /usr/bin/cell-fw-update -aud
root 125966 0.0 0.0 3332 1756 pts/1 S+ 23:47 0:00 grep cell
The following example shows that there is no upgrade running:
root@om2216-l:~# ps aux | grep cell-fw
root 126417 0.0 0.0 3332 1776 pts/1 S+ 23:48 0:00 grep cell-fw
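The `ps aux | grep` check above has a well-known trap: the grep process itself contains the search string, so a careless script reports an upgrade that is not running. Here is an added example, not part of the Opengear manual, that inspects only the command column of the process list and so never matches the searching process. The two process listings are constructed from the manual's sample output; on a device you would pipe a live `ps aux` into the function.

```shell
# Added example; not from the Opengear manual. Decide whether a
# cell-fw-update run is in progress from `ps aux` output.
# The command column is field 11 onward; when field 11 is a shell
# interpreter running the script, the script path is field 12. Matching on
# that column only (never on the whole line) means the grep or awk that is
# doing the search cannot match itself.

# fw_update_state: reads `ps aux` output on stdin, prints "running" or "idle".
fw_update_state() {
    if awk '{
            cmd = $11
            if (cmd ~ /\/(ba)?sh$/) cmd = $12      # e.g. "/bin/bash /usr/bin/cell-fw-update -aud"
            if (cmd ~ /(^|\/)cell-fw-update$/) { found = 1; exit }
        }
        END { exit !found }'; then
        echo running
    else
        echo idle
    fi
}

# Constructed process listings modelled on the manual's two examples.
PS_DURING_UPGRADE='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 122965 0.2 0.0 4780 3992 pts/0 S+ 23:42 0:00 /bin/bash /usr/bin/cell-fw-update -aud
root 125966 0.0 0.0 3332 1756 pts/1 S+ 23:47 0:00 grep cell'
PS_IDLE='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 126417 0.0 0.0 3332 1776 pts/1 S+ 23:48 0:00 grep cell-fw-update'

# Live use on the device: ps aux | fw_update_state
printf '%s\n' "$PS_DURING_UPGRADE" | fw_update_state   # running
printf '%s\n' "$PS_IDLE" | fw_update_state             # idle
```

Note that the idle sample deliberately contains `grep cell-fw-update`, the exact string a naive `grep -c` would count as a hit.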
BONDS AND BRIDGES
BONDS
Network bonds allow two or more network interfaces to be combined into a single logical "bonded" interface for load balancing, redundancy or improved performance, depending on the bond mode used. Definitions of the bond details are given in the Bond Form Definitions table later in this topic.
5. Click the Create button to finalize the creation of the new bond. Network connections from non-primary interfaces will be deleted when the new bond is created.
EDIT AN EXISTING BOND
To edit an existing bond:
1. Navigate to the Configure > Network Connections > Network Interfaces page on the WebUI.
the bonded interface is dispersed over the real interfaces. Available modes are:
Round Robin Balancing - Packets are sequentially transmitted/received through each interface, one by one.
Active Backup - If the active secondary interface is changed during a failover, the bond interface's MAC address is then changed to match the new active secondary's MAC address.
quency in milliseconds. This determines how often the link state of each secondary is inspected for link failures. A value of zero will disable MII link monitoring.
Network Interface Selection | Click the checkbox of each network interface you want to include in the bridge.
Note: Whether creating a new bridge or editing an existing bridge, the page is very similar.
CREATE A NEW BRIDGE
To create a new bridge:
1. Navigate to the Configure > Network Connections > Network Interfaces page on the WebUI.
2. Click on the New Bridge button that is located at the top-right of the window.
4. Select which interface will serve as the primary interface for the new bridge.
5. Change the bridge details as required in accordance with the Bridge Form Definitions table.
6. Click the Update button to finalize the edit process. Updating the bridge will temporarily interrupt network activity on this interface.
Primary Interface | Select the interface that is to be used for selecting the MAC address of the aggregate. The new bond inherits the MAC address of the primary interface. On creation, any Network Connections which exist on the Primary Interface will be attached to the Bond/Bridge after it is initially created.
SPANNING TREE PROTOCOL
Spanning Tree Protocol (STP) allows a Console Manager to discover and eliminate loops in network bridge links, preventing broadcast radiation and allowing redundancy. When STP is implemented on switches to monitor the network topology, every link between switches, and in particular every redundant link, is cataloged. The spanning-tree algorithm blocks forwarding on redundant links by setting up one preferred link between switches in the LAN.
BRIDGE WITH STP ENABLED - UI
CONFIGURE > NETWORK CONNECTIONS > Network Interfaces > Select the target interface > New Bridge page
1. In the Network Interfaces page, click the Create New Bridge button.
2. Click to select the Enable Spanning Tree Protocol option.
BRIDGE WITH STP ENABLED - OGCLI
admin@cm8148:~# ogcli get physif system_net_physifs-5
bridge_setting.id="system_net_physifs-5"
...
CONFIGURE A VLAN
The CM Series has flexible Ethernet capabilities, including support for VLANs. More specifically, it supports 802.1Q VLAN tagging to allow a trunked connection into an external switch or other device. It also supports the Linux logical "bridge group" feature, which is the ability to group physical and virtual interfaces together.
router. A VLAN is mainly used to form groups among the hosts regardless of where the hosts are physically located. In a bigger network, the configured VLANs with interfaces assigned as access and trunk ports on switches could look like this:
Switch Ports
For models with built-in switch ports, by default these are configured in a single bridge group called "Switch", which effectively puts all the switch ports into one...
In order to communicate with an Ethernet interface, VLAN or bridge group, the CM must have a configured IP address on what is called a connection or "conn". This is similar in concept to a layer 3 subinterface or virtual interface on other networking equipment.
Configure CM Switch Ports as VLAN access ports (untagged ports) To map the CM switch ports as "Access Ports" into a trunked VLAN, the CM uses a Bridge Group to join the switch port(s) to the same Layer 2 bridge domain as the VLAN subinterface, effectively bridging them together.
(sometimes referred to as host to site, or host to host). IPsec does not make a formal distinction between initiator and responder, however the Opengear CM can both initiate tunnels (as the "initiator") and have other devices initiate tunnels to it (as a "responder").
NAME AND STATUS
3. In the Name section of the page, give your new tunnel a unique name and click the Enabled button.
4. Set the Console Server to be the Initiator or Responder.
Note: When Initiator is selected, the node will actively initiate the tunnel by sending IKE negotiation packets to the remote end.
6. Select the Algorithm Proposal. This is a set of algorithms used for negotiation when attempting to establish the IPsec tunnel. By default, the node will attempt to negotiate the tunnel using a list of common algorithms which are considered safe. Alternatively, a set of default proposals that guarantee Perfect Forward Secrecy (PFS) can be selected.
ADDRESSING
13. Enter the Local Address to be used as the source address of the tunnel. If left blank, IPsec will automatically use a default.
14. Enter a Local Subnet. Specify local traffic to be tunneled. When no subnets are specified, only traffic originating from this device will be tunneled.
Delay - the time interval between polling the peer (default is 60 seconds).
Timeout - the waiting time before deciding that a peer connection is not live (default is 90 seconds).
Action - the action to be performed when a connection has timed out (default is Restart).
STATIC ROUTES Static routes are predefined paths that traffic can be configured to take through the network for purposes such as security, cost or to override the default route. The list of configured static routes is displayed in a table with their current status indicated by the status column.
Status | Meaning
The network interface has no active connections | The route cannot be installed as there are no active connections on this interface.
CONFIGURE STATIC ROUTES
On the Static Routes page, you can add, edit, or delete static routes.
Note: Only basic validation is performed when static routes are saved. Check the status column to ensure your route is installed and working correctly.
Destination Default Address Metric IPv4 IPv6 1024
Click the Apply button to save the changes. If the changes are saved successfully, you are returned to the Static Routes list page. If there is an error with the configuration and the route fails to install, a red banner is displayed.
Click Yes to confirm the action. If the route was removed from the routing table as expected, a green success banner is displayed.
MANAGE STATIC ROUTES VIA COMMAND LINE
Administrative users can also view the status and perform configuration of static routes via the command line interface.
Description | Command
Get static route configuration via ogcli | ogcli get static_routes
Create static route via ogcli |
ogcli create static_route << END
destination_address="1.1.1.1"
destination_netmask=32
gateway_address="1.1.1.1"
interface="net1"
metric=0
END
Update static route via ogcli |
ogcli update static_route "1.1.1.1" << END
interface="net2"
metric=100
END
Delete static route | ogcli delete static_route "1.1.1.1"...
OUT-OF-BAND FAILOVER
Out-Of-Band (OOB) Failover detects network disruption via the probe interface, and automatically activates a cellular or Ethernet interface connection to re-establish network access. OOB failover requires an IPv4 address (in dotted decimal format), an IPv6 address, or a domain name which is always reachable and unlikely to change. When OOB failover is enabled, the node regularly pings this address, using the probe interface, to check for network connectivity.
2. In the Failover Interface section, select the failover interface from the drop-down list. Configurable probe (failover from) and failover (failover to) interfaces are shown below:
- NET1 - the default probe interface.
- Cellular - the default failover interface for cellular-capable models.
- NET2 - the default failover interface for non-cellular models.
Note: The shortcut button Enabled/Disabled is disabled or removed when an interface is in active failover.
DNS QUERIES ON A DORMANT FAILOVER INTERFACE
The Dormant DNS option allows DNS queries on the failover interface to be disabled in normal operation, so that DNS queries can be paused. The option configures how the DNS name servers and search domains configured for the failover interface are used by the system.
OOB FAILOVER TYPES & FAILOVER BEHAVIOR
Failover Mode | Setting | Interface | Description
Disabled | Enabled | Always up | When OOB Failover is disabled, the default outgoing interface cannot be specified; the default route is selected automatically. Outbound network connections (e.g. VPN client tunnels, SNMP alerts) are established according to the main static...
tunnels, SNMP alerts) are established or re-established over the network or cellular connection during failover. The advantage of this mode is that the secondary connection is completely inactive during normal operation, which may be advantageous where the goal is to keep the interface off the Internet as much as possible, e.g.
cedence over the failed "probe" interface. Outbound network traffic (e.g. VPN client tunnels, SNMP alerts) is established or re-established over the network or cellular connection during failover. The advantage of this mode is that the network or cellular connection is available for inbound out-of-band access during normal operation.
IP PASSTHROUGH Nodes with dialout support and an Ethernet port can enable a special DHCP service called IP Passthrough. When IP Passthrough is enabled, other devices (e.g. the "passthrough target" or "downstream host") that are plugged into the Ethernet port will operate as if they are directly connected to the dialout network.
SERVICE INTERCEPTS
Tip: When IP Passthrough is enabled, access to this node directly via the cellular interface will no longer work. You can configure specific ports below which will be redirected to this node instead of the downstream device.
Enter the port number that is to be used for HTTPS Intercepts.
Enter a port to be redirected to this node's SSH service.
When you have completed the IP Passthrough Settings and Service Intercept form, ensure the IP Passthrough status is set to Enabled, then click Apply.
USER MANAGEMENT
Under the User Management menu, you can create, edit, and delete groups and users, as well as assign users to groups. You can also set up remote user authentication.
GROUPS Groups are used to grant privileges to users. When a user is a member of a group, defined privileges may be granted to the group by an Administrator. When editing a group, the (authorized) user selects from a list of devices, all of which are under the heading SERIALLY CONNECTED DEVICES.
A User inherits all Access Rights from all the Groups they are a member of. Some features may require the user to hold multiple access rights to access the feature through a specific interface. For example, a user needs the “right to use the web UI”...
only to those that are added to the same group containing the pmshell rights.
Restricted CLI |
Port Config | Permits access to configure serial ports. This access right gives the holder the ability to configure serial ports. This right does not give the holder the ability to access the serial port.
- log into the WebUI.
- see a listing of serial ports (the "Access → Serial Ports" menu item).
- edit a restricted set of user configuration, such as changing their own password.
PORTMANAGER SHELL ACCESS RIGHTS (PMSHELL)
Any user who was previously a Console User role now inherits the pmshell access rights, and there are no functional changes for this user.
CONFIGURE > SERIAL PORTS VIEW
The Configure Serial Ports page appears in the navigation sidebar menu for, and is accessible to, users with both the port_config and web_ui access rights. This page lists the ports on which the user has both port_config and web_ui access rights.
Tip: It is possible to edit all details on these ports; however, changing the "mode"...
PROTECTED GROUPS AND USERS
Certain types of groups and users have protected status, meaning that they cannot be changed or deleted. Protected groups comprise the following:
root - The root user is a hard-coded member of the Admin group. As such, the root user cannot be deleted.
Group Name | Access Rights | Serial Ports
Accounts Admin | port_config, web_ui | port-01, port-02
Port #03 User | pmshell, web_ui | port-03
The following table shows the effective rights for a user in one or both of those groups, Accounts Admin and Port #03 User. It shows how access rights assigned to one group only apply to the serial ports assigned to that same group:...
Page 174
Access port-02
Access port-03
Note: Note the highlighted cell; a user with pmshell access to port-03 (from the Port #03 User group) does not also get port_config for that port, even though that access right is inherited from the Accounts Admin group. The access rights of a group only apply to the serial ports in that same group.
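The rule in the note above, that a right is scoped to the serial ports of the group that grants it rather than pooled across all of a user's groups, is easy to get wrong when auditing who can reach which console. The following added example (not Opengear's code) evaluates it over a small text model of the two groups from the table; the users alice and bob, the table formats and the function names are constructed for this illustration.

```shell
# Added example; not from the Opengear manual. Evaluates effective serial
# port rights under the rule "a group's rights apply only to that group's
# ports". Group definitions mirror the manual's two example groups.
# Format: name|access rights|serial ports (constructed for this example).
GROUP_TABLE='Accounts Admin|port_config,web_ui|port-01,port-02
Port #03 User|pmshell,web_ui|port-03'

# Memberships (constructed): user|group;group
MEMBER_TABLE='alice|Accounts Admin;Port #03 User
bob|Accounts Admin'

# has_right USER PORT RIGHT -> prints yes or no.
# The right is granted only if some single group the user belongs to BOTH
# carries that right AND lists that port; rights and ports are never
# combined across two different groups.
has_right() {
    hr_groups=$(printf '%s\n' "$MEMBER_TABLE" | awk -F'|' -v u="$1" '$1 == u { print $2 }')
    printf '%s\n' "$GROUP_TABLE" | awk -F'|' -v g="$hr_groups" -v p="$2" -v r="$3" '
        BEGIN { n = split(g, gs, ";"); for (i = 1; i <= n; i++) member[gs[i]] = 1; ans = "no" }
        ($1 in member) && index(("," $2 ","), ("," r ",")) && index(("," $3 ","), ("," p ",")) { ans = "yes" }
        END { print ans }'
}

# effective_rights USER -> one line per reachable port: "port right,right"
effective_rights() {
    for er_port in port-01 port-02 port-03; do
        er_list=""
        for er_right in port_config pmshell web_ui; do
            [ "$(has_right "$1" "$er_port" "$er_right")" = yes ] && er_list="$er_list,$er_right"
        done
        [ -n "$er_list" ] && printf '%s %s\n' "$er_port" "${er_list#,}"
    done
    return 0
}

effective_rights alice
# port-01 port_config,web_ui
# port-02 port_config,web_ui
# port-03 pmshell,web_ui
has_right alice port-03 port_config   # no: port_config comes from a group that does not hold port-03
```

The last call reproduces the highlighted cell of the manual's table: alice is in Accounts Admin, which grants port_config, but that group does not contain port-03, so the answer is no.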
CREATE A NEW GROUP
1. Select CONFIGURE > USER MANAGEMENT > Groups.
Add a new group.
admin - Click on the group name to edit an existing group.
In the EDIT GROUP window:
- Enable/Disable an existing group.
- Grant administrative access rights and full control of this console, and all attached devices, to all users of this group.
2. Click the Add New Group button. The CREATE GROUP page opens.
3. Enter a Group Name, Description, and set Admin Access to Enabled or Disabled. Specific access rights can be selected in the ACCESS RIGHTS area.
Note: Group Name is case sensitive. It can contain numbers and some alphanumeric characters.
Click the Submit button to save the group. After creation, group Status and Admin Access may be enabled or disabled from the CONFIGURE > USER MANAGEMENT > Groups > EDIT GROUP page.
EDIT AN EXISTING GROUP
1. Select CONFIGURE > USER MANAGEMENT > Groups.
2.
LOCAL USERS
The Local Users feature provides a single point for the creation and management of local user accounts. The Local Users feature can use SSH authorized keys to control user access, using their local password; it is a point of control for:
- Authentication and authorization.
- Manage SSH Authorized Keys.
- Disable an existing user (or disable selected users).
- Delete a user (or delete selected users).
CREATE A NEW USER WITH PASSWORD
Note: Users are prevented from using the word "default" as their password. The factory default password automatically expires after a factory reset and users must choose a new password.
CREATE A NEW USER WITH NO PASSWORD (REMOTE AUTHENTICATION)
To create a new user with no password:
Note: If a new user is created with no password, the user will fall back to remote authentication.
1. Select CONFIGURE > User Management > Remote Authentication
2.
The Edit Users dialog allows the user's Description to be changed, Group Memberships modified, and the user's Password to be reset. The username cannot be changed. To disable a user, uncheck the Enabled checkbox.
Note: Users of disabled accounts cannot log in to the Console Manager using either the web-based interface or shell-based logins.
5. To delete a key, click CONFIGURE > USER MANAGEMENT > Local Users and click the Manage SSH Authorized Key button for the user.
6. Click the Delete button next to the key you wish to remove.
DELETE A USER'S ACCOUNT
To delete a user's account:
1.
REMOTE AUTHENTICATION
The Console Manager supports three AAA systems. Select the remote authentication mode to be applied (DownLocal or Local applies for all modes):
- "Configure RADIUS Authentication" on the next page
- "Configure TACACS+ Authentication" on page 186
- "Configure LDAP Authentication" on page 188
Navigate to CONFIGURE >...
Tip: All fields in the Remote Authentication form have tooltips that provide additional information to assist with completing the form fields.
CONFIGURE RADIUS AUTHENTICATION
1. Under CONFIGURE > User Management > Remote Authentication, select RADIUS from the Mode drop-down menu. Select the preferred RADIUS Remote Authentication policy to be applied: RADIUS DownLocal, or RADIUS Local (see the tips below).
3. Enter the authentication Timeout value to apply. The timeout value specifies the number of seconds to wait for a response from the server before trying the next server.
Note: The timeout value is global and is applied to all authentication methods when you set the value on one authentication method.
CONFIGURE TACACS+ AUTHENTICATION
1. Under CONFIGURE > USER MANAGEMENT > Remote Authentication, select TACACS+ from the Mode drop-down menu. Select the preferred TACACS+ Remote Authentication policy to be applied: TACACS+ DownLocal, or TACACS+ Local (see the tips below).
Tip: TACACS+ DownLocal: Users are authenticated through their local account only if the remote AAA server is unreachable or down.
Accounting server. However, one or more Accounting Servers can be specified. To disable Remote Accounting, select Disable. To enable Remote Accounting, select Enable. Click Apply.
Note: For Cisco ACS, see Setting up permissions with Cisco ACS 5 and TACACS+ on the Opengear Help Desk.
CONFIGURE LDAP AUTHENTICATION
1. Under CONFIGURE > User Management > Remote Authentication, select LDAP from the Mode drop-down menu.
2. Select the preferred LDAP Remote Authentication policy to be applied: LDAP DownLocal, or LDAP Local (see the tips below for an explanation).
Tip: LDAP DownLocal: Users are authenticated through their local account only if the remote AAA server is unreachable or down.
4. Add the LDAP Bind DN. This is the distinguished name of a user with privileges on the LDAP system to perform the lookups required for retrieving the username of the users, and a list of the groups they are members of. 5.
At the SSL section of the LDAP page, select the required server protocol:
Note: The default setting is LDAP only. Selecting 'LDAP over SSL' will use ldaps://server. Selecting 'LDAP over SSL preferred' will use both ldaps://server and ldap://server.
Provide a CA Certificate by dragging the CA Cert file into the CA certificate drop box.
Note: The CA Certificate filename is correct when the certificate is initially uploaded. The filename is not maintained or stored; if the page is later revisited, the filename is always shown as "cacert.pem".
Click Apply to load and apply your settings.
LDAP AND LDAPS PORT SETTINGS
The default ports for LDAP and LDAPS are:
LDAP: Port 389
...
LIMITATIONS FOR LDAPS IMPLEMENTATION
UPGRADE LIMITATIONS
Previously, the port for LDAP servers had a default value. When upgrading, this port is not cleared. When enabling LDAP over SSL, it may be necessary to clear the port so that the LDAP over SSL default port can be used.
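The upgrade limitation above is worth modelling explicitly, because a stale plain-LDAP port silently defeats the switch to LDAP over SSL: the server is still addressed on 389 and the LDAPS default never takes effect. Here is an added example, not from the Opengear manual, that takes the selected protocol mode and the port field as it would be after an upgrade and reports what would actually be used. The mode names (`ldap`, `ldaps`, `ldaps-preferred`), the rule that an empty port field means "use the default", and the output format are assumptions made for this illustration; the two default port numbers are the ones the manual states.

```shell
# Added example; not from the Opengear manual. Shows the effect of a
# Port value carried over from an LDAP-only configuration when the mode is
# changed to LDAP over SSL. Mode names and the empty-means-default rule are
# assumptions for this illustration.

# ldap_effective_port MODE PORT -> prints the port that would be used, or
# "stale-port:389" when a leftover plain-LDAP port is paired with an SSL mode.
ldap_effective_port() {
    lp_mode=$1; lp_port=$2
    case "$lp_mode" in
        ldap)                  lp_default=389 ;;   # manual: LDAP default port
        ldaps|ldaps-preferred) lp_default=636 ;;   # manual: LDAPS default port
        *) echo "unknown-mode:$lp_mode"; return 0 ;;
    esac
    if [ -z "$lp_port" ]; then
        echo "$lp_default"                 # cleared field: the mode's default applies
    elif [ "$lp_mode" != ldap ] && [ "$lp_port" = 389 ]; then
        echo "stale-port:389"              # clear the field so 636 can take effect
    else
        echo "$lp_port"                    # an explicit, deliberate port is honoured
    fi
}

# Before the upgrade the field held 389; after selecting LDAP over SSL the
# same field is still 389, which the check flags.
ldap_effective_port ldap  389    # 389
ldap_effective_port ldaps 389    # stale-port:389
ldap_effective_port ldaps ''     # 636
```

A custom port such as 10636 is passed through unchanged, since only the old LDAP default is a sign of a value that was never revisited.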
LOCAL PASSWORD POLICY A Password Complexity policy allows network Administrators to implement and enforce a password policy that meets the customers' security standards for local users (including root). This functionality enables Administrators to mandate the setting of complex passwords thus making it difficult for malicious agents to succeed in password attacks.
Note: Users are prevented from using the word "default" as their password. The factory default password automatically expires after a factory reset and users must choose a new password. This password policy applies to the WebUI, Config Shell and CLI. Users configured on the system using software versions prior to 23.10 with password "default"...
SET PASSWORD EXPIRATION INTERVAL
CONFIGURE > USER MANAGEMENT > Local Password Policy
See also "Password Policy Implementation Rules" below.
Password Expiration schedules the expiry of passwords to enforce regular password updates. When this feature is applied and a password becomes expired, an expired password prompt is displayed at login.
If there are existing user passwords when the expiry is enabled, the expiry time will be applied from when the password was initially set by the user. If a password falls outside the new expiry period, the user will be immediately prompted to change the password.
(e.g., #,$,%) (enabled/disabled separately). The password cannot contain your username. Complexity requirements will apply when a user next tries to update their password. An Administrator can force the expiry of a user's password, so that the user must change it, by running the ogcli command: passwd --expire {username}
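The complexity rules above are applied by the device when a password is next changed, so an administrator preparing accounts in bulk finds out about a rejected password only at that point. The following added example, not from the Opengear manual, is a pre-check that encodes the rules the section states: "default" is refused, the password must not contain the username, and each character class (upper, lower, digit, special such as #,$,%) is tested separately, mirroring the separately enabled settings. The minimum length is a parameter because the configured value does not appear in this excerpt (8 is assumed), and the result strings are constructed for this example.

```shell
# Added example; not from the Opengear manual. Local pre-check of a
# candidate password against the policy rules described in the section.
# Minimum length (third argument, default 8) is an assumption.

# check_password USERNAME PASSWORD [MINLEN] -> prints "accept" or "reject: <rule>"
check_password() {
    cp_user=$1; cp_pw=$2; cp_min=${3:-8}
    if [ "$cp_pw" = default ]; then echo "reject: default"; return 0; fi
    if [ "${#cp_pw}" -lt "$cp_min" ]; then echo "reject: length"; return 0; fi
    # The username must not appear anywhere in the password (exact, case-sensitive match).
    case "$cp_pw" in *"$cp_user"*) echo "reject: username"; return 0 ;; esac
    # Each class is a separately enabled rule; the first missing class is reported.
    # LC_ALL=C keeps the bracket ranges strictly ASCII regardless of the user's locale.
    for cp_class in '[A-Z]' '[a-z]' '[0-9]' '[^A-Za-z0-9]'; do
        printf '%s\n' "$cp_pw" | LC_ALL=C grep -q "$cp_class" || { echo "reject: class $cp_class"; return 0; }
    done
    echo accept
}

check_password admin 'Str0ng#pass'    # accept
check_password admin default          # reject: default
check_password admin 'xadmin#2024X'   # reject: username
check_password admin 'Str0ngpass'     # reject: class [^A-Za-z0-9]
```

Run it from a script that reads the candidate from a file or prompt rather than typing the password on a command line, where it would be visible in shell history and the process list.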
CONFIGURE FIPS
Enable FIPS mode at the CLI as follows:
ENABLE FIPS
ENABLE FIPS VIA CONFIG SHELL:
root@<device name>:~# config
Welcome to the Opengear interactive config shell. Type ? or help for help.
config: system/fips
config(system/fips): enabled true
config(system/fips): apply
Updating entity system/fips.
ENABLE FIPS VIA OGCLI:
ogcli update system/fips enabled=true
DISABLE FIPS
DISABLE FIPS VIA CONFIG SHELL:
root@<device name>:~# config
Welcome to the Opengear interactive config shell. Type ? or help for help.
config: system/fips
config(system/fips): enabled false
config(system/fips): apply
Updating entity system/fips.
name: OpenSSL FIPS Provider
version: 3.0.8
status: active
Check that the digest algorithms provided by OpenSSL are limited to FIPS-compliant ciphers/algorithms.
root@<device name>:~# openssl list -digest-algorithms
Provided:
{ 2.16.840.1.101.3.4.2.1, SHA-256, SHA2-256, SHA256 } @ default
{ 2.16.840.1.101.3.4.2.10, SHA3-512 } @ default
{ 2.16.840.1.101.3.4.2.8, SHA3-256 } @ default
{ 2.16.840.1.101.3.4.2.7, SHA3-224 } @ default
{ 2.16.840.1.101.3.4.2.2, SHA-384, SHA2-384, SHA384 } @ default
...
{ 2.16.840.1.101.3.4.2.7, SHA3-224 } @ fips
{ 2.16.840.1.101.3.4.2.2, SHA-384, SHA2-384, SHA384 } @ fips
{ 2.16.840.1.101.3.4.2.3, SHA-512, SHA2-512, SHA512 } @ fips
{ 2.16.840.1.101.3.4.2.5, SHA-512/224, SHA2-512/224, SHA512-224 } @ fips
{ 2.16.840.1.101.3.4.2.12, SHAKE-256, SHAKE256 } @ fips
{ 1.3.14.3.2.26, SHA-1, SHA1, SSL3-SHA1 } @ fips
{ 2.16.840.1.101.3.4.2.9, SHA3-384 } @ fips
{ 2.16.840.1.101.3.4.2.11, SHAKE-128, SHAKE128 } @ fips
{ 2.16.840.1.101.3.4.2.4, SHA-224, SHA2-224, SHA224 } @ fips
{ 2.16.840.1.101.3.4.2.6, SHA-512/256, SHA2-512/256, SHA512-256 } @...
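Reading the `openssl list -digest-algorithms` output by eye works once, but a post-change check is better done mechanically. The following added example, not part of the Opengear manual, parses each `{ OID, names } @ provider` line of that output and reports every digest outside the SHA-1, SHA-2, SHA-3 and SHAKE families, with the provider that serves it, so an empty result means the list is clean. The sample list is constructed from the manual's output with one legacy MD5 line added so the check has something to find; the function names are this example's own.

```shell
# Added example; not from the Opengear manual. Mechanical version of the
# "check the digest algorithms" step after enabling FIPS.

# non_fips_digests: reads `openssl list -digest-algorithms` output on stdin;
# prints "<name> @ <provider>" for each digest outside the SHA families.
non_fips_digests() {
    # Split on "{", "," and "}" so the first name after the OID is field 3.
    awk -F'[{},]' 'index($0, "{") {
        name = $3; gsub(/^[ \t]+|[ \t]+$/, "", name)
        prov = $0; sub(/.*@[ \t]*/, "", prov); sub(/[ \t]+$/, "", prov)
        if (name !~ /^(SHA-[0-9]|SHA3-|SHAKE-)/) print name, "@", prov
    }'
}

# fips_digests_clean: prints ok when the list on stdin has no such digest.
fips_digests_clean() {
    if [ -z "$(non_fips_digests)" ]; then echo ok; else echo not-ok; fi
}

# Constructed sample modelled on the manual's output, plus an MD5 line
# (its real OpenSSL listing form) that a FIPS-only deployment must not show.
DIGEST_LIST='Provided:
  { 2.16.840.1.101.3.4.2.1, SHA-256, SHA2-256, SHA256 } @ default
  { 1.2.840.113549.2.5, MD5, SSL3-MD5 } @ default
  { 2.16.840.1.101.3.4.2.1, SHA-256, SHA2-256, SHA256 } @ fips
  { 1.3.14.3.2.26, SHA-1, SHA1, SSL3-SHA1 } @ fips
  { 2.16.840.1.101.3.4.2.12, SHAKE-256, SHAKE256 } @ fips'

# Live use on the device: openssl list -digest-algorithms | fips_digests_clean
printf '%s\n' "$DIGEST_LIST" | non_fips_digests    # MD5 @ default
printf '%s\n' "$DIGEST_LIST" | fips_digests_clean  # not-ok
```

The provider name is printed because it tells you where the non-approved digest comes from: an entry marked `@ default` is served by the default provider that is still loaded alongside the FIPS provider, not by the FIPS provider itself.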
Feature | Affected Process/Service | Impact
Lighthouse enrollment | OpenVPN | OpenVPN is not compliant with FIPS standards; this issue is a recognized problem specifically when OpenSSL 3.x is being used. Once OpenVPN addresses this issue, it will also meet FIPS compliance standards. However, for compatibility with Lighthouse...
ating FIPS mode to connect.
Remote authentication | freeradius, tacacs, ldap | These are not FIPS compliant.
| chrony | Authenticated NTP servers with MD5 will not connect. Use an algorithm that is FIPS compliant.
SNMP | ogtrapd, snmpd, snmptrapd | Authentication and Encryption should be used as the security policy, as V1 and V2 have no...
| gre (Secure Provisioning) | See the note below.
NetOps Modules | nom-ipaccess-lhvpn (IP access), nom-ag-lhvpn (Access Gateway) | Opengear NetOps Modules are not functional when FIPS mode is enabled.
Note: SSH will require the cipher to be manually specified when FIPS is enabled, e.g.
Routing protocols | | Routing protocols (e.g. BGP) should not select an MD5 cipher.
BRUTE FORCE PROTECTION
A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until the one correct combination is found. Brute Force Protection offers an essential defense mechanism by automatically blocking access from offending source IP addresses.
Field | Values | Description
HTTPS Protection | Enabled / Disabled | Enable Brute Force Protection for WebUI login attempts.
Maximum failed attempts | Attempts: 3 (minimum); Time period in minutes: 1 (minimum) | The number of failed access attempts permitted within the given time period before preventing access.
Lockout period | 60 (minimum) |
MANAGING BRUTE FORCE PROTECTION VIA COMMAND LINE
For more control over Brute Force Protection, administrative users can use the command line to configure the service and remove bans manually.
Description | Command | Notes
Display Brute Force Protection configuration | ogcli get services/brute_force_protection |
Update Brute... | | Ban time in...
| find_time=1 https_enabled=false max_retry=4 ssh_enabled=true |
Un-ban an IP address | fail2ban-client unban <ipaddress> |
Un-ban all current bans | fail2ban-client unban --all |
List SSH bans | fail2ban-client status sshd | SSH protection must be enabled.
List HTTPS bans | fail2ban-client status https | HTTPS protection must be enabled.
HTTPS CERTIFICATE
The Console Manager ships with a private SSL Certificate that encrypts communications between it and the browser. To examine this certificate or generate a new Certificate Signing Request, select CONFIGURE > SERVICES > HTTPS Certificate. The details of the Current SSL Certificate are shown on the landing page.
NETWORK DISCOVERY PROTOCOLS
The Console Manager displays LLDP/CDP Neighbors when enabled for a connection. See CONFIGURE > SERVICES > Network Discovery Protocols to enable/disable. The CONFIGURE > SERVICES > Network Discovery Protocols > LLDP/CDP NEIGHBORS page allows you to enable this service by clicking the Enabled checkbox.
WebUI and configured using standard Free Range Routing interfaces (e.g., vtysh).
Note: Configuration set via vtysh (or other FRR interfaces) will need to be manually backed up in addition to a standard Opengear configuration export.
DYNAMIC ROUTING
To enable Dynamic Routing on the CM, navigate to the CONFIGURE > SERVICES >...
STATIC ROUTING (VIA THE OGCLI)
To enable Static Routing on the CM, open an ogcli terminal by navigating to ACCESS > Local Terminal.
STATIC ROUTING OGCLI HELP
For help on implementing a Static Route protocol via ogcli, enter the command:
ogcli help static_routes
CREATE STATIC ROUTE - EXAMPLE:
ogcli create static_route <<...
STATIC ROUTING ARGUMENTS
Argument | Description
| Get a list of static routes.
create | Add a static route.
replace | Similar to the "Create Static Route" example given on the previous page. Creates a single static route by specifying its UUID, or a list of static routes. Overwrites existing routes.
delete | Delete all static routes.
OSPF CONFIGURATION Open Shortest Path First (OSPF) is a link-state routing protocol used to discover routes on a network. It is used to dynamically adjust routes on the Console Server so that subnets connected to different interfaces can reach each other by routing through the Console Server.
Routing OSPF WireGuard Tunnels If a firewall zone, policy or WireGuard tunnel is managed, this does not affect sister contexts, for example, if the WireGuard tunnel is managed, any other WireGuard tunnels configured separately by the user are not managed. However, there is only one OSPF configuration file and users will need to bypass the managed_by field in Config Shell in order to edit the configuration.
routes will be broadcast to OSPF neighbours.
redistribute_static (true / false) | Network routes can be statically defined (in OSPF, not the Linux kernel) by editing the ospfd.conf file or through vtysh. If this option is enabled, any static routes that are managed by OSPF are broadcast.
INTERFACES CONTEXT
The services/routing OSPF interfaces context is an array in which each element holds the individual interface-related parameters for OSPF. Each interface has the following fields:
Entity services/routing field ospfd interfaces 0
  auth_method "" (required)
  cost ""
  priority ...
manually in the range of 1 to 65535.
priority: The priority of a router on an OSPF interface is mainly used to determine the designated router/backup designated router (DR/BDR) for a network. OSPF forwards all messages to the designated router, reducing the amount of repetitive routing traffic on the network.
NETWORKS CONTEXT
The services/routing OSPF networks context is an array where each element holds the IP network configurations for which the system OSPF service is enabled:
config(services/routing ospfd networks): add
config(services/routing ospfd networks 0): show
Entity services/routing field ospfd networks 0
  address_with_mask "" (required)
  area ""...
file for OSPF. If the first line contains only the text ! autogen, the configuration system will overwrite the file; otherwise, the configuration system will have no effect. To verify the OSPF configuration, the generated configuration file can be found in /etc/quagga/ospfd.conf:
! autogen
! This configuration file has been autogenerated.
line vty
CONFIRM OSPF NEIGHBOURS
Use the vtysh command line tool to see if OSPF neighbours have been discovered:
root@<device name>-q:~# vtysh -c 'show ip ospf neighbor'
Neighbor ID  Pri  State            Dead Time  Address   Interface          RXmtL  RqstL  DBsmL
-            0    Attempt/DROther  33.007s    10.0.0.1  wg-smf-1:10.0.0.2  0      0      0
(Where wg-smf-1 is a user-named interface.)
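A small check that turns the neighbor table above into a monitoring signal, as an added example that is not Opengear or FRR code: SAMPLE_OUTPUT is constructed from the row shown above plus one extra neighbor, and the function names are this example's own.

```python
"""Parse the output of vtysh -c 'show ip ospf neighbor' and flag neighbors
whose adjacency has not reached Full. Added example, not Opengear or FRR code;
the sample output is constructed here (first row copied from the page)."""
from typing import Dict, List

SAMPLE_OUTPUT = """\
Neighbor ID     Pri State           Dead Time Address         Interface                        RXmtL RqstL DBsmL
-                 0 Attempt/DROther   33.007s 10.0.0.1        wg-smf-1:10.0.0.2                    0     0     0
10.0.0.3          1 Full/DR           38.120s 10.0.0.3        wg-smf-2:10.0.0.4                    0     0     0
"""

# Column names for a data row, in the order vtysh prints them.
COLUMNS = ("neighbor_id", "pri", "state", "dead_time", "address",
           "interface", "rxmtl", "rqstl", "dbsml")


def parse_ospf_neighbors(text: str) -> List[Dict[str, str]]:
    """Return one dict per neighbor row. The header has 10 whitespace-separated
    words ('Dead Time' is two), so it fails the column count and is skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != len(COLUMNS):
            continue
        rows.append(dict(zip(COLUMNS, fields)))
    return rows


def not_full(neighbors: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Neighbors whose OSPF state (the part before '/') is not Full.
    2-Way is steady state between two DROthers on a broadcast network,
    so it is not flagged either."""
    return [n for n in neighbors
            if n["state"].split("/")[0] not in ("Full", "2-Way")]


if __name__ == "__main__":
    for n in not_full(parse_ospf_neighbors(SAMPLE_OUTPUT)):
        print(f"{n['interface']}: neighbor {n['address']} is {n['state']}")
```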
WireGuard. Refer to the WireGuard online tools index page: index : wireguard-tools
Note: Opengear does not own or operate the WireGuard tools web page and is not responsible for its content or maintenance. The link is provided only for the reader's convenience.
1. Provide a name for the interface (wg0 in the example below).
2. Set enabled.
3. Set the private_key of your WireGuard interface.
4. Add an address (at least one) for your WireGuard interface (10.0.0.1/24 in this case).
5. Add a peer with the following parameters: endpoint_address, endpoint_port, public_key.
config(wireguard wg0 peers 0): endpoint_port 51820
config(wireguard wg0 peers 0): up
config(wireguard wg0 peers): top
CONFIG SHELL WIREGUARD CONFIGURATION
The following shows a typical WireGuard configuration in Config Shell:
config: show wireguard wg0
Entity wireguard item wg0
  description ""
  enabled true
  mtu 1420
  name wg0
  port 51820...
"o+quB4sbUAG2hEGSPpMNTnO0YSaQTP7dD+Q4IVjiCW8=",
"endpoint_address": "192.168.1.2",
"endpoint_port": 51820 } ] } ]
CONFIGURABLE WIREGUARD FIELDS
The WireGuard <interface-name> context holds the configuration for a WireGuard connection. The following fields can be configured:
WireGuard Field: Description
description: This can be any user text to describe the WireGuard interface.
only contain letters, numbers, hyphens or underscores.
port: The port the local instance of WireGuard will listen on. The range is 1 to 65535 and defaults to 51820.
private_key: The private key used to authenticate the local WireGuard interface. This is obtained by running the wg genkey command.
PEERS
The following list defines the WireGuard settings for WireGuard-capable remote peers. Each peer has the following fields:
config(wireguard wg0 peers 0): show
Entity wireguard item wg0 field peers 0
  endpoint_address ""
  endpoint_port ""
  keep_alive ""
  public_key "" (required)
  allowed_ips (array) (required)
Peer Field: Description
endpoint_address...
routes traffic. For multiple WireGuard interfaces on the same device, the addresses must not overlap. The IP addresses specified here are the addresses of the peer's WireGuard interface(s); this is where the peer "routes traffic". These are specified as IPv4 addresses in a.b.c.d/<cidr_mask>...
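A pre-apply check for the two constraints just stated (well-formed a.b.c.d/<cidr_mask> entries, and no overlap between allowed_ips on different WireGuard interfaces of one device), as an added example that is not Opengear code: SAMPLE_CONFIG is constructed here and mirrors the Config Shell peer fields shown on this page, and the function names are this example's own.

```python
"""Validate WireGuard peer allowed_ips before applying them in Config Shell.
Added example, not Opengear code. SAMPLE_CONFIG is constructed and mirrors the
page's fields (interface name -> peers -> allowed_ips); nothing here talks to a
device."""
import ipaddress
from typing import Dict, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample: two WireGuard interfaces on one device. wg1's peer
# claims 10.0.0.0/24, which swallows wg0's peer address 10.0.0.2/32; the
# page says addresses on different interfaces must not overlap like this.
SAMPLE_CONFIG: Dict[str, List[dict]] = {
    "wg0": [{"public_key": "<peer-key-placeholder>",
             "allowed_ips": ["10.0.0.2/32", "192.168.50.0/24"]}],
    "wg1": [{"public_key": "<peer-key-placeholder>",
             "allowed_ips": ["10.0.0.0/24", "fd00::/64"]}],
}


def parse_allowed_ip(value: str) -> Network:
    """Parse one a.b.c.d/<cidr_mask> entry (IPv6 accepted as well).
    strict=True rejects entries with host bits set, e.g. 10.0.0.1/24, a
    common slip for either 10.0.0.1/32 or 10.0.0.0/24."""
    return ipaddress.ip_network(value, strict=True)


def invalid_allowed_ips(config: Dict[str, List[dict]]) -> List[Tuple[str, str, str]]:
    """Return (interface, entry, reason) for every entry that does not parse."""
    problems = []
    for iface, peers in config.items():
        for peer in peers:
            for value in peer["allowed_ips"]:
                try:
                    parse_allowed_ip(value)
                except ValueError as exc:
                    problems.append((iface, value, str(exc)))
    return problems


def find_cross_interface_overlaps(config: Dict[str, List[dict]]) -> List[Tuple[str, str, str, str]]:
    """Return (iface_a, net_a, iface_b, net_b) for allowed_ips that overlap
    between different WireGuard interfaces. Run invalid_allowed_ips first;
    this function assumes every entry parses."""
    entries: List[Tuple[str, Network]] = []
    for iface, peers in config.items():
        for peer in peers:
            for value in peer["allowed_ips"]:
                entries.append((iface, parse_allowed_ip(value)))
    overlaps = []
    for i, (iface_a, net_a) in enumerate(entries):
        for iface_b, net_b in entries[i + 1:]:
            # Same interface, or different address families, cannot conflict here.
            if iface_a == iface_b or net_a.version != net_b.version:
                continue
            if net_a.overlaps(net_b):
                overlaps.append((iface_a, str(net_a), iface_b, str(net_b)))
    return overlaps


if __name__ == "__main__":
    for iface, value, reason in invalid_allowed_ips(SAMPLE_CONFIG):
        print(f"{iface}: bad allowed_ips entry {value}: {reason}")
    for a, na, b, nb in find_cross_interface_overlaps(SAMPLE_CONFIG):
        print(f"overlap: {a} {na} <-> {b} {nb}")
```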
ADDING A WIREGUARD INTERFACE TO A FIREWALL ZONE
The WireGuard interface can be added to a firewall zone as in the following example:
Entity firewall/zone item zone
  description "" (required)
  label "" (required)
  masquerade "" (required)
  name zone
  permit_all_traffic "" (required)
  address_filters (array)
  custom_rules (array)
  physifs (array)
To modify the properties of the port used for connecting to serial consoles via SSH, navigate to CONFIGURE > SERVICES > SSH. The following table gives the definitions of the configurable SSH properties.
Parameter: Definition
Serial Port Delimiter: The delimiting character used to separate the username from the port selection information.
ENABLE SSH
Note: This feature may be enabled using the default settings without the need for configuration.
1. Open the SSH form, Configure > Services > SSH > SSH (form).
2. Complete the SSH form (if this is the first time Unauthenticated SSH has been used); a description of the input data is provided at "Properties and Settings"...
TCP port 3000, so SSH to TCP port 3001 directly connects you to serial port 1.
SSH to serial port 1 by port number: SSH to the Opengear node, logging in with +portXX added to your username (e.g. root+port01 or operator+port01 for port 1).
SSH to serial port by label: SSH to the Opengear node, logging in with +<port-label> added to your username (e.g. root+Router or operator+Router for the port labelled Router):
ssh -l operator+Router 70.33.235.190
Note: For additional reading on connecting to serial ports see: Communicating with serial port connected devices
Note: Serial ports in the Local Console and Disabled port modes are not available for SSH connection.
port selection information. The default value is the + character, and the maximum length is 1. The prohibited characters are ‘\’, ‘ ” ’, ‘ ` ’, ‘ ‘, ‘=’ and ‘#’.
Source: schema required ssh_delimiter: string (default = "+"; minimum = 1;...
Port Number for Direct SSH Links: This port number will be used for direct SSH links on the serial ports page. Set this option if you have configured SSH to be reachable on a non-standard port.
Max Startups Start: The number of connections pending authentication before new connections begin to be refused.
connections are refused.
Unauthenticated Access to Serial Ports: This is the feature Enable/Disable button.
Unauthenticated SSH to Serial Ports 24.11.3...
SYSLOG
Administrative users can specify multiple external servers to which the Syslog can be exported via TCP or UDP. There is a drop-down on each serial port to enable the logging and to define the "scope" of logging. The Syslog page lists any previously added external syslog servers.
ADD A NEW SYSLOG SERVER
Note: The combination of server address, protocol and port should be unique.
6. Enter the correct Port. If no port is entered, UDP defaults to port 514 and TCP defaults to port 601.
7. From the drop-down list, select the required severity level to be logged; eight levels of log severity are supported.
8.
Port: The Syslog Server IP address.
Minimum Log Severity Level: Log entries with a value equal to or greater than the level specified are sent to the server.
Send Serial Port Logs: Click to enable serial port logging.
Add Button: Click to initiate the syslog; wait for the confirmation banner.
SYSLOG FACILITY DEFINITIONS
Facility: Definition...
EDIT OR DELETE AN EXISTING SYSLOG SERVER
To edit an existing syslog server, click the hyperlinked red text server name in the server list (see the Syslog page image above). Make the required changes, then click the Submit button. Delete a server by clicking the Delete icon at the top-right of the Edit Syslog Server page.
SESSION SETTINGS
Use Session Settings to set timeouts for console sessions where the user has been idle for a specified time. At timeout, the user's Web, CLI or Serial Port sessions are terminated, so that a session left connected cannot be used by someone with physical access to the node.
Serial Port Session Timeout: Set the timeout from 1 to 1440 minutes or set it to 0 to disable the timeout. Click the Apply button to save the settings. The new session timeout will take immediate effect on all pmshell sessions, including ones in use.
FILE SERVER
The Console Manager can be configured to serve files to clients via Trivial File Transfer Protocol (TFTP). TFTP can be used by nodes on the network to perform a network boot, or to allow backup and restore of configuration files.
Note: Limitations. The user is responsible for disk space management.
MODIFY FIREWALL ZONES TO ALLOW THE TFTP SERVICE TO BE USED
The TFTP service must be allowed through a firewall zone so that clients may upload and retrieve files. Navigate to the Firewall Management page via CONFIGURE > FIREWALL > Management. Expand the desired firewall zone and click the Edit Zone button. Allow the "tftp"...
Note: The storage location must be an existing directory before running ogcli update.
Caution: Using a storage volume other than /mnt/nvram is not recommended. Data may be lost after reboot, or be inaccessible when switching boot slots.
As an administrative user, run:
ogcli update services/tftp path=\"<new path>\"...
SNMP SERVICE
Navigate to CONFIGURE > SNMP > SNMP Service to open the SNMP Service page. SNMP Service allows you to specify which SNMP services to enable. When you click ENABLED for SNMP V1 & V2 or SNMP V3, a detail form appears where you can add service-specific settings.
SNMP ALERT MANAGERS
Navigate to CONFIGURE > Services > SNMP Alert Managers to open the SNMP Alert Managers page. See the "Multiple SNMP Alert Managers" feature on the next page for information about configuring more than one SNMP manager. To create or configure an SNMP Alert Manager, click the Add New SNMP Alert Manager button at the top-right of the page.
MULTIPLE SNMP ALERT MANAGERS
The Multiple SNMP Alert Managers feature provides the option to configure more than one SNMP manager. Multiple SNMP Alert Managers can receive TRAP and INFORM events that can be used to trigger remedial action; events can be sent to multiple SNMP Alert Managers.
Note: For SNMP V3 TRAPS, an Engine ID will be provided by default if none is specified. This is generated by the snmpd service and can be found in the SNMPD RUNTIME CONF /var/lib/net-snmp/snmpd.conf. Traps will be sent for Alerts added in Configure > SNMP Alerts. Traps will also be sent to all the configured SNMP Alert Managers for a Playbook SNMP Reaction.
TCP - A commonly used protocol used to transmit data from other higher-level protocols that require all transmitted data to arrive.
UDP6 - Similar to UDP but uses IPv6.
TCP6 - Similar to TCP but uses IPv6.
Version: The version of SNMP protocol to use. The default value is v2c.
FIREWALL
In the CONFIGURE > FIREWALL menu you can configure:
"Firewall Guide" on the next page
"Firewall Management" on page 268
"Firewall Policies" on page 275
"Firewall Services" on page 283
"Adding WireGuard Zones to a Firewall" on page 284
FIREWALL GUIDE
INTRODUCTION
Opengear firmware is equipped with a powerful firewall stack based on the leading open source firewalld and nftables tools. The default firewall rule set is configured with a default-deny policy. The firewall is based on the concept of configurable Zones. Zones enable operators to create multiple "firewall segments"...
Note: To access services on the device, a user must have both access through the firewall and the appropriate authorization, e.g., via a local user account or remote AAA.
There are several kinds of rules and policies that may be applied to Zones.
FIREWALL RULES
Permitted Services Rules allow access to Services for requests arriving on interfaces in the Zone –...
EXAMPLE WEBUI CONFIGURATION
The following examples use the Permitted Services Rules and Custom Rules features.
Note: Some aspects of the WebUI may change in future releases.
EXAMPLE 1: DISALLOW WAN ZONE ACCESS TO HTTPS
The default configuration is to allow HTTPS (i.e. the WebUI & API) on the WAN Zone.
EXAMPLE 2: PERMIT ACCESS TO WAN ZONE HTTPS FROM A TRUSTED SOURCE NETWORK ONLY
When a service is permitted using a Permitted Services Rule, connections to the service in that Zone are permitted regardless of the originating network the connection is coming from. To disallow connections from all but a trusted source network, use Custom Rules (examples below) instead.
Note: It is not recommended to mix firewall configurations between the UI (WebUI/CLI) and firewalld commands (firewall-cmd) from the Linux shell, as commands may be overwritten. Use either the WebUI or the CLI for all supported functionality instead of firewall-cmd.
CUSTOM RULES (FIREWALLD "RICH-RULES")
This feature enables users to define fine-grained control of services inside a zone.
Example 4: Drop specific service (HTTP)
rule family="ipv4" service name="http" drop
Example 5: Permit specific source subnet and log connection attempts
rule family="ipv4" source address="10.0.0.0/16" accept log
Example 6: Permit IPv6 packets with source address, TCP port number 4000. Log the packets
rule family="ipv6"...
8. rule family="ipv4" source address="<user-to-fill>" destination address="<user-to-fill>" accept|reject|drop log
9. rule family="ipv4" source address="<user-to-fill>" port port=<user-to-fill> protocol=tcp|udp accept|reject|drop
10. rule family="ipv4" source address="<user-to-fill>" protocol value="tcp|udp" accept|reject|drop
Note: Ordering of rules is important. See this public article: Firewalld Rich Rules Explained.
In the template, choose one of the actions accept|reject|drop (the drop action does not send any response back to the source; reject does).
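A syntax and consistency check for rules written from the templates above, so that a mistyped rule is caught before the device wraps it in firewall-cmd, as an added example that is not Opengear or firewalld code: it covers only the template shapes shown on this page (family, source/destination address, service name, port+protocol, protocol value, accept|reject|drop, optional log), SAMPLE_RULES are constructed here (two copied from Examples 4 and 5), and the function names are this example's own.

```python
"""Parse and sanity-check firewalld rich rules of the template shapes on this
page before pasting them into a Custom Rule. Added example, not Opengear or
firewalld code; the sample rules are constructed here."""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional

ACTIONS = {"accept", "reject", "drop"}
FAMILIES = {"ipv4": 4, "ipv6": 6}
PROTOCOLS = {"tcp", "udp"}

@dataclass
class RichRule:
    family: str
    action: str = ""
    source: Optional[str] = None
    destination: Optional[str] = None
    service: Optional[str] = None
    port: Optional[int] = None
    protocol: Optional[str] = None
    log: bool = False

def _value(tokens: List[str], index: int, key: str) -> str:
    """Return the value part of a key=value token expected at tokens[index]."""
    if index >= len(tokens) or not tokens[index].startswith(key + "="):
        raise ValueError(f"expected {key}=... after {tokens[index - 1]!r}")
    return tokens[index][len(key) + 1:]

def _check_address(text: str, family: str) -> None:
    """An address must parse and belong to the rule's declared family."""
    if ipaddress.ip_network(text, strict=False).version != FAMILIES[family]:
        raise ValueError(f"address {text} is not {family}")

def parse_rich_rule(text: str) -> RichRule:
    """Parse one rich rule; raise ValueError describing the first problem."""
    tokens = shlex.split(text)  # drops the quotes around attribute values
    if len(tokens) < 3 or tokens[0] != "rule":
        raise ValueError("rule must start with: rule family=...")
    family = _value(tokens, 1, "family")
    if family not in FAMILIES:
        raise ValueError(f"unknown family {family!r}")
    rule, i = RichRule(family=family), 2
    while i < len(tokens):
        tok = tokens[i]
        if tok in ACTIONS:
            rule.action, i = tok, i + 1
        elif tok == "log":
            rule.log, i = True, i + 1
        elif tok in ("source", "destination"):
            addr = _value(tokens, i + 1, "address")
            _check_address(addr, family)
            setattr(rule, tok, addr)
            i += 2
        elif tok == "service":
            rule.service, i = _value(tokens, i + 1, "name"), i + 2
        elif tok == "port":
            rule.port = int(_value(tokens, i + 1, "port"))
            rule.protocol, i = _value(tokens, i + 2, "protocol"), i + 3
        elif tok == "protocol":
            rule.protocol, i = _value(tokens, i + 1, "value"), i + 2
        else:
            raise ValueError(f"unexpected token {tok!r}")
    if not rule.action:
        raise ValueError("rule has no action (accept|reject|drop)")
    if rule.protocol is not None and rule.protocol not in PROTOCOLS:
        raise ValueError(f"protocol must be tcp or udp, not {rule.protocol!r}")
    if rule.port is not None and not 1 <= rule.port <= 65535:
        raise ValueError(f"port {rule.port} out of range")
    return rule

def check_rules(rules: List[str]) -> Dict[str, Optional[str]]:
    """Map each rule text to None (parses cleanly) or to its error message."""
    result: Dict[str, Optional[str]] = {}
    for text in rules:
        try:
            parse_rich_rule(text)
            result[text] = None
        except ValueError as exc:
            result[text] = str(exc)
    return result

def wrap_for_firewall_cmd(rule_text: str, zone: str) -> str:
    """Wrap a checked rule the way the Custom Rules note on this page shows."""
    parse_rich_rule(rule_text)  # refuse to wrap a rule that does not parse
    return f"firewall-cmd --permanent --zone={zone} --add-rich-rule={shlex.quote(rule_text)}"

# Constructed samples: the page's Example 4 and 5, a template-9 style IPv6
# rule, and two rules that must be rejected.
SAMPLE_RULES = [
    'rule family="ipv4" service name="http" drop',
    'rule family="ipv4" source address="10.0.0.0/16" accept log',
    'rule family="ipv6" source address="2001:db8::/32" port port=4000 protocol=tcp accept log',
    'rule family="ipv4" source address="2001:db8::/32" accept',  # family mismatch
    'rule family="ipv4" source address="10.0.0.0/16" port port=22 protocol=icmp drop',  # bad protocol
]
```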
FIREWALL MANAGEMENT
Navigate to the Firewall Management page, CONFIGURE > FIREWALL > Management. From here you can:
Add a new firewall zone.
Add a firewall service.
Edit a firewall zone (manage the zone setup).
Manage port forwarding.
Manage custom rules for firewalls.
Firewall Management main page.
Note: The application of any custom rules will result in Permit All Traffic being enabled in a zone.
ZONE SETUP
You can inspect details of any zone by clicking the Expand icon to the right of the zone. Once expanded, you can click Edit Zone to change settings for a particular zone.
MANAGE PORT FORWARDING
The MANAGE PORT FORWARDING tab allows you to add, edit, and delete forwarding rules for the particular zone you are editing.
MANAGE CUSTOM RULES
Note: The application of any custom rules will result in Permit All Traffic being enabled in a zone.
To add a new custom rule:
1. Click Add custom rule.
2. Enter an optional description for this rule.
3. Enter the rule content, formatted with firewall-cmd rich rule syntax.
4. Click Apply.
Note: All rules will be wrapped as follows: firewall-cmd --permanent --zone=lan --add-rich-rule=RULE CONTENT
FIREWALL SOURCE ADDRESS FILTERING
Source address filtering provides an interface by which users can permit access to...
This feature removes generic or global permitted services within firewall zones, and instead allows users to permit a service on a specified source address (or address range) within the firewall zone. Source address filters configured in a zone apply to all the interfaces within that zone.
You can choose to enable permit all traffic, which will permit all traffic in the zone (unless there is a custom rule configured overwriting this behavior). If the permit all traffic option is disabled, you will have the option to configure permitted services for any allowed source address.
FIREWALL SOURCE ADDRESS BULK SERVICES
PERMITTED SERVICES
The firewall source IP field allows you to assign permitted services to specified source IP addresses in bulk, rather than needing individual rich rules to add each specific service. This change allows you to easily target specific IP addresses with permitted services.
FIREWALL POLICIES
Firewall egress filtering may be used to allow or deny traffic leaving a device. This feature allows you to create firewall egress rules, which govern outgoing traffic leaving the device. Firewall egress filtering extends the firewall/policies endpoint, allowing customization over both incoming (ingress) and outgoing (egress) traffic, thus allowing greater control of the device's security.
EGRESS POLICY DETAILS
New policies are created by first clicking on the Add Policy button at the top-right of the Firewall Policies page of the WebUI. New policies can have a user-defined default action, either ACCEPT, CONTINUE, DROP, or REJECT, which describes how traffic moving through the ingress and egress zones will be treated.
REJECT: Rejects every packet (a message warns that the connection was rejected and that packets will not be allowed through):
ssh: connect to host 10.236.3.7 port 22: Connection refused
DROP: Drops every packet (users will not get a message; the connection will hang).
EDITING POLICIES OR RULES
Rules associated with a policy can be edited. When saving changes after editing, you are prompted to double-check them in the Confirm Action window, which presents an overview of the policy changes.
Note: Editing a firewall policy or rule may interrupt access to the device.
CONFIGURE EGRESS POLICIES IN THE CONFIG SHELL
Firewall policies may be created through Config Shell; an example is given below:
config: firewall/policy
config(firewall/policy): add incoming
config(firewall/policy incoming): default_action accept
config(firewall/policy incoming): egress_zones
config(firewall/policy incoming egress_zones): add host
config(firewall/policy incoming egress_zones): up
config(firewall/policy incoming): ingress_zones
config(firewall/policy incoming ingress_zones): add any
config(firewall/policy incoming ingress_zones): up...
don't match any rule.
priority: The priority of the policy dictates when it is applied compared to other policies and zones. Policies with negative priorities are applied before rules in zones; policies with positive priorities are applied after. A priority of 0 is reserved for Rules and is not used for policies.
  priority 0
  source_address ""
  services (array)
Rule Configurable Fields
action: The action that will be applied to matching packets.
destination_address: The destination address to which this rule will apply.
log_prefix: This sets the prefix of the info level log that is sent when this rule is hit.
Check the journal for firewall related messages:
journalctl -xeu firewalld
Note: firewalld is used to create firewall rules; firewalld is discussed in Interzone Policies and in "Firewall Guide" on page 260.
FIREWALL SERVICES
The Firewall Services page of the WebUI provides a list of existing, predefined Firewall services and provides a means of creating, defining and editing services.
ADDING WIREGUARD ZONES TO A FIREWALL
The WireGuard interface can be added to a firewall zone as in the following example:
Entity firewall/zone item zone
  description "" (required)
  label "" (required)
  masquerade "" (required)
  name zone
  permit_all_traffic "" (required)
  address_filters (array)
  custom_rules (array)
  physifs (array)
  port_forwarding_rules (array)
SYSTEM
The CONFIGURE > SYSTEM menu lets you change the Console Manager hostname, perform system upgrades, and reset the system.
CHECK SYSTEM DETAILS
To ascertain current system details, click on the System link at the top-right of the CM window.
ADMINISTRATION
To set the hostname, add a contact email, or set a location for the Console Manager:
1. Click CONFIGURE > SYSTEM > Administration.
2. Edit the Hostname field.
3. Click Apply; the new settings are saved.
DATE AND TIME SETTING
It is important to set the local date and time in your Opengear device as soon as it is configured. Features such as Syslog and NFS logging use the system time for timestamping log entries, while certificate generation depends on a correct timestamp to check the validity period of the certificate.
Select the NTP option.
Enter the NTP server address and select whether Authentication is required.
Click on Add NTP Server if another NTP server is required and complete the address for the second NTP server.
Click Apply NTP Settings.
TIME SETTING MANUALLY
Navigate to the CONFIGURE > DATE & TIME > Time Settings page. Select the Console Manager's time zone from the Time Zone drop-down list. A filter is provided to make selection easier. Select the Manual option. Under Configure Date and Time, click on the calendar icon to open the Date and Time Picker.
FACTORY RESET
You can perform a factory reset at the UI by pressing the Factory Reset button (CONFIGURE > SYSTEM > Factory Reset), at the external Erase button, or from the CLI. All three methods are covered in this topic. During a factory reset the device is reset to the factory default.
If you still wish to proceed with the reset, select the Proceed with the factory reset checkbox.
5. Click Reset.
Warning: This operation performs the same operation as the hard factory erase button. This resets the appliance to its factory default settings. Any modified configuration information is erased.
RESET AT THE EXTERNAL ERASE BUTTON
Press the external physical Erase button on the device once.
Note: On most devices the button is on the front panel, near the LEDs. On the OM1200 the button is on the rear, near the power inlet.
CONFIRM all LEDs come on.
RESET FROM THE CLI TERMINAL
Log in at the CLI terminal, then enter:
root@om2248-l-tp1-p14:~# factory_reset
Confirm: Factory reset system? [yes/no]:
Follow the procedure from step 2 in the 'Erase button' procedure above.
REBOOT
PERFORM A SIMPLE REBOOT FROM THE WEBUI
To reboot the Console Manager:
1. Navigate to CONFIGURE > SYSTEM > Reboot.
2. Select Proceed with the reboot.
3. Click Reboot.
See also "Factory Reset" on page 291 for detailed information about device behavior that may occur during a factory reset procedure.
EXPORT/RESTORE CONFIGURATION
EXPORT CONFIGURATION
The current system configuration can be downloaded as a plain text file. It contains all configuration performed via the WebUI and the ogcli tool. It does not contain log files, user scripts, docker containers, service configuration or other files stored via other means.
To export the system configuration, click the Download button and save the file. Sensitive data such as passwords and tokens will be obfuscated in the configuration export.
Note: The default filename includes the system hostname and a timestamp, for example cm8148_20210910_config.txt.
EXPORT CONFIGURATION VIA OGCLI
The system configuration can also be exported using the ogcli tool.
Caution: Configuration exported with --secrets=mask cannot be used to import configuration.
RESTORE CONFIGURATION
An exported system configuration can be imported to the node using the WebUI or the ogcli tool.
Note: If the configuration was exported using --secrets=mask, it cannot be used for configuration import.
Note: It may take up to ten minutes to import a config file with a large amount of configuration.
Click the Restore tab.
Select the configuration file to import.
Review the configuration by clicking the arrow to display the file content.
Click the Upload File button to start the import process. A green banner will display when the configuration import is successful.
IMPORT CONFIGURATION VIA OGCLI
The system configuration can also be imported using the ogcli tool.
IMPORT CONFIGURATION
Configuration that is imported using the ogcli import command will be merged with the current system configuration, preserving the current values and adding missing entries from the exported configuration where required. As an administrative user, run the following command:
ogcli import <file_path>...
Rollback maintains operational stability, ensuring the system does not become partially upgraded due to some error during upgrade. The ability to roll back to a previously safe configuration minimizes downtime and service disruption, making it a vital addition to the system's resilience. Rollback behavior in the event of a detected restore failure: The system automatically detects a configuration update failure.
config replace system/session_timeout <<'END'
cli_timeout=0
serial_port_timeout=0
webui_timeout=20
END
ROLLBACK CAPABILITIES
When the system initiates a rollback, it will log to syslog, print a message in the CLI and display a pop-up "toast" notification in the WebUI. This system is resilient to network issues; once Rollback is started it will continue without the user being connected to the network.
Rollback cannot be initiated once import/restore is complete.
LIGHTHOUSE NODE BACKUP
Configuration export can be scheduled to be performed periodically using the Lighthouse Node Backup feature. For more details, consult the Lighthouse User Guide: https://opengear.com/support/documentation/
PERFORM A SYSTEM UPGRADE
1. Navigate to the CONFIGURE > System > System Upgrade page.
2. Select the Upgrade Method, either Fetch image from HTTP/HTTPS Server or Upload Image.
Note: See https://opengear.com/support/device-updates/ for firmware updates.
4. Click Perform Upgrade.
Note: The Advanced Options section should only be used if a system upgrade is being performed as part of an Opengear Support call.
Once the upgrade has started, the System Upgrade page displays feedback as to the state of the process.
ADVANCED OPTIONS
The Console Manager supports a number of command line interface (CLI) options and a REST API.
# address  : Primary Lighthouse address to enroll with
# api_port : Optional port to use for the primary address when requesting enrollment
# password : LH global or bundle enrollment password
# bundle   : Name of LH enrollment bundle
Advanced Options...
COMMUNICATING WITH THE CELLULAR OR POTS MODEM
Interfacing with the cellular modem is currently only available via CLI.
Usage:
  mmcli [OPTION?] - Control and monitor the ModemManager
Options:
  -h, --help        Show help options
  --help-all        Show all help options
  --help-manager    Show manager options
  --help-common     Show common options
  --help-modem...
  --help-location   Show Location options
  --help-messaging  Show Messaging options
  --help-voice      Show Voice options
  --help-time       Show Time options
  --help-firmware   Show Firmware options
  --help-signal     Show Signal options
  --help-oma        Show OMA options
  --help-sim        Show SIM options
  --help-bearer     Show bearer options
  --help-sms        Show SMS options
  --help-call       Show call options
Application Options:...
  -a, --async               Use asynchronous methods
  --timeout=[SECONDS]       Timeout for the operation
INTERNAL MODEM (POTS)
The CM8148-10G-5G is fitted with an internal POTS modem. The POTS modem can be used to obtain CLI access to the CM, which allows users to dial into a device and obtain a command prompt by using the modem.
serial console to the requester.
Baud rate: The baud rate to use between the modem and the internal serial port.
Custom AT Command Sequence: This is a single-line, multi-command string used to initialize the modem with specific behavior.
CONFIGURATION VIA THE WEBUI
Configure >...
Required Action: Command Example
Show the POTS modem configuration: show pots_modem modem01
Enable the POTS modem: edit pots_modem modem01 mode dialin
Disable the POTS modem: edit pots_modem modem01 mode disabled
Set the modem baud rate: edit pots_modem modem01 baud 38400
Set an AT command sequence: edit pots_modem modem01 command_ 'AT+CGI=09'...
There is no need to add the prefix AT for subsequent commands after the semicolon. Some commands expect a value to be entered and require an = to be present, e.g. AT+GCI=09. Spaces are not allowed in the command sequence.
Example Custom AT Commands
Intended Action: Command Example...
LOGGING
At modem start-up, the following log is printed to syslog:
Jul 26 02:37:22 CM8148-10G-5G systemd[1]: Started Serial Getty on modem01.
Mgetty logs are redirected to rsyslog, which includes the logging of what is received and sent from the POTS modem. No other modem logs are output.
CONFIG CLI GUIDE
The Config Command Line Interface (CLI) provides users with an interactive environment similar to other networking devices that users may be familiar with. The result is a user experience that feels like an interactive CLI. Advantages of the Config CLI are:
Interactive CLI makes everyday operations such as configuration changes and troubleshooting activities easier for users.
NAVIGATION IN CONFIG CLI
STARTING A SESSION IN CONFIG CLI
Start the Config Shell by typing config at a bash prompt. The bash prompt is presented to root and Administrator users when they log in via SSH or on the management or local console.
Starting at the root, enter endpoint names to descend to lower endpoints. Similarly, type 'up' to ascend towards the root, or type 'top' to reset to the root context.
Note: Every endpoint name is an operation that descends into that endpoint. When using the config CLI, it is possible to navigate ‘downwards’...
UNDERSTANDING FIELDS, ENTITIES AND CONTEXTS
The Config CLI allows you to configure the device settings through a number of required fields, which provide the settings for the device. These fields are grouped in entities that describe a small set of functionality, for example, there is a ‘user’...
You select a context by typing the name of the target entity and pressing Enter/Return; the new context is shown in the prompt between brackets. In the following example, the ‘user’ context is accessed and then the ‘john’ sub-entity is accessed causing the context to become ‘user john’.
GLOBAL & ENTITY-CONTEXT COMMANDS
GLOBAL CONTEXT COMMANDS
The table below lists commands available in any context:
Global Command: Description
help (or '?'): Show context-sensitive help. It lists some special details about the current context, the list of sub-entities (or fields) and a list of available commands.
Entity Command: Description
<field>: Show the value of a field.
help <entity>: Displays short-form help for the specific entity.
<field> <value>: Set the value of a field.
delete: Deletes the current entity. This is available when the context entity is an item in a list.
Append a sub-entity or field to the current entity.
CONFIG CLI ENTITIES
The Config Shell allows the user to configure a number of fields which are the settings for the device. These fields are grouped in entities that describe a small set of functionality. For example, there is a ‘user’ entity which is used to access user settings.
auto_response/reaction: Read and manipulate the Auto-Response reactions on the NetOps Console Server appliance.
auto_response/status: Read the AutoResponse Status on the NetOps Console Server appliance.
auto_response/status/beacon-module: Read the AutoResponse Status of Beacon Modules on the NetOps Console Server appliance.
cellfw/info: Retrieve cellular modem version and related information.
status.
firewall/policy: A collection of policies defined for the NetOps Console Server appliance's firewall. A policy specifies which zones traffic is allowed to route between.
firewall/predefined_service: A collection of predefined services for the NetOps Console Server appliance's firewall. A service is a named grouping of one or more TCP or UDP ports for a particular networking protocol.
information about what part of the IP Passthrough connection process the device is currently at and information about the connected downstream device.
ipsec_tunnel: Read and manipulate the IPsec tunnels on the NetOps Console Server appliance.
lighthouse_enrollment: View and control enrollment to a lighthouse.
local_password_policy: Configure the password policy for local users.
monitoring/alerts/networking: Retrieve and configure Networking Alert Group settings.
monitoring/alerts/power: Retrieve and configure Power Alert Group settings.
monitoring/alerts/system: Retrieve and configure System Alert Group settings.
Configure, monitor and control PDUs connected to the device.
pdus/drivers: Read the PDU driver list.
physif: Read and manipulate the network physical interfaces on the NetOps Console Server appliance.
services/lldp                Provides access to the Network Discovery Protocols (LLDP/CDP) configuration.
services/ntp                 Provides access to the NTP client configuration on the system.
services/routing             Retrieve and configure routing services on the NetOps Console Server appliance.
services/snmp_alert_manager  SNMP Alert Managers are used to receive and log SNMP TRAP and INFORM messages sent by the NetOps Console Server.
ssh/authorized_key  Configure the SSH authorized keys for a specific user.
static_route        Configure and view static routes.
system/admin_info   Retrieve or change the NetOps Console Server appliance system's information (hostname, contact and location).
system/banner       Retrieve or change the appliance system's banner text.
system/ssh_port               The SSH port used in Direct SSH links.
system/system_authorized_key  Configure the SSH authorized keys for all users.
system/time                   Retrieve and update the NetOps Console Server's time.
system/timezone               Retrieve and update the system's timezone.
system/version                Retrieve the appliance's most recent firmware and REST API version.
CONFIG CLI COMMANDS
Command        Definition
add            Add a new item for an entity.
apply          Apply changes on just the current entity.
changes        View a list of config areas with unapplied changes.
delete         Delete an item for an entity.
diff           Show additions, removals, changes and functional differences between the input and running configurations.
import/export  Copy a config file from a specific network location to the console server and run the file. The import/export commands operate in bash, i.e. outside of the config CLI. You must exit config to use the import/export features.
show           Display information relevant to the configuration section, highlighting changes.
Syntax
add <entity> <optional-entity> <label> <optional-field> <optional-value>
Example
add user aconsoleuser description "I am a console user"

APPLY
Description
The apply command lets users stage configuration changes: proposed changes are held in memory, separate from the active configuration, until they are applied.
apply all: when the 'all' parameter is added, the command applies all changes to all items that have been changed in this session.
Syntax
apply [all]
Examples
Apply changes to a single item
These commands change a user. Then the apply command is used while still in the "user myuser"...
config(port port01): label "Port for my group"
config(port port01): top
config: apply all
APPLY CHANGES TO SPECIFIC SECTIONS OF CONFIGURATION
From within a specific section of the hierarchy. For example:
config users johnsmith apply
This will apply any changes made specifically within the user's configuration section.
Apply changes from a different section in the hierarchy: for example, if changes have been made in config users johnsmith...
apply all

CHANGES
Description
The changes command lets users view a list of config areas with unapplied changes. The list is ordered alphabetically. Users can copy and paste items from the list and use them with the show command to view details.
Parameters
none
Syntax...
DELETE
Description
The delete command is used to delete an item or entity, or to remove a config section or sub-section. The command requires a unique value to identify the record; this is used for the entity's label field. Like the add command, delete makes the change in a temporary state and affects configuration only once applied.
Note: The config diff tool performs the diff in the same way as ogcli diff, and the two can be used interchangeably with export files in either format. See config diff in the "Opengear CLI Guide" on page 392.
Diff tool behavior
Diff shows additions, removals and changes in a streamlined format containing only the functional differences between the input and running configurations.
If any section, list item or sub-property is out of order between the input configuration and the running configuration, it is not shown in the diff unless the values have actually changed. If the input configuration file is missing properties or sections of configuration, the diff shows the differences between the running configuration and the default values for those properties.
3. Configuration differs from template with defaults: differences between the active configuration and the default configuration because the input file was empty.
4. Configuration matches template with defaults: no differences between the active configuration and the default configuration with an empty input file.
Positional arguments
<input_file>...
The discard command is used to remove unapplied changes. It can be used to discard specific or configuration-wide changes, including:
Updates to configuration items.
Additions not yet applied.
Items designated for deletion.
Parameters
discard: when used on its own, discards the current item when in an item context; otherwise it is an error.
The following commands discard changes to an existing item. The item is not removed in this case, since it has been applied previously. The description field reverts to whatever it was before.
config: user root
config(user root): description "Root user"
config(user root): discard
The following commands discard changes to multiple entities, the group and port entities.
If "username" is an existing user with no changes, the user is informed that there are no configuration changes to discard.
DISCARD SPECIFIC CHANGES
port port01 discard
If the entity has unapplied changes, they are discarded. If there are no unapplied changes, an information message is displayed.
Confirmation
Discarding changes at a section or configuration-wide level gives a warning that multiple changes will be discarded.
Examples
Consider the following change to a port label:
config port port_01 label "Office-switch"
Alternatively, consider making the change from the root of configuration mode:
config edit port port_01 label "Office-switch"

EXIT
Description
The exit command can be run at any level in the configuration structure and leaves config mode.

HELP (OR ?)
Description
Note: Config mode accepts either help or a question mark (?) as input. It can be used in the following ways:
As a standalone command, to view available options for the configuration section.
In combination with a command, to access help documentation.
In combination with a configuration option, to access help documentation and examples.
config(port port01): ?
The following will print help for the baudrate field when in the "port port01" context:
config(port port01): help baudrate
config(port port01): baudrate ?
HELP COMMAND USED STANDALONE
When used by itself, help or ? returns a list of available commands or configuration options.
pinout ?
This will display a list of available options.
label ?
This will display the expected format and a sample.

IMPORT/EXPORT
Description
Note: The import/export and associated commands operate in bash, i.e. outside of the config CLI. You must exit config to use the import/export features.
The Import/Export feature allows you to export the current configuration to a file and to import or restore the configuration from that file.
This command can be run at any level in the hierarchy and used to export either:
The configuration across the node.
Configuration specific to the user's location in the hierarchy.
export all current config
Displays all config on the console server before it has been applied, for copying.
export all saved config
Displays all saved config on the console server, for copying.
config import /tmp/console_server.config
Positional arguments
{export,import,restore,merge,replace,get}
Positional Argument  Description
export               Export the current configuration.
import               Import config from a file.
restore              Restore config from a file.
merge                Merge a provided list with existing config.
replace              Replace a list or item.
get                  Display an entity's associated values.
Export in json format.
--entities           Display entities and exit.
Exporting to a file
Note: The import/export and associated commands operate in bash, i.e. outside of the config CLI. You must exit config to use the import/export features.

SHOW
Description
The show command displays information relevant to the configuration section, including the highlighting of changes.
entity  The entity to display, or to show details of.
item    The item to display or show details of.
field   The field to show the value of.
Syntax
show <optional entity> <optional item> <optional field>
Context
Examples using context
The following examples show how the output of the show command changes with context, as it may be used at the config, physif and net1 contexts (example output omitted):
show - at the config context
show - at the physif context
show - at the net1 context
Examples using parameters
The following examples show the output of the show command when used with different parameters (example output omitted):
Config CLI Commands 24.11.3
Config
You can view the content of all configuration in JSON format. You can also view the config of the specific section of the hierarchy you are in.
show-config
Directed Usage
You can also look into config sections using the show command. For example:
show auth user
Displays a flat list of users.
show auth user "username"
Displays the configuration for the user specified.

UP / EXIT / ..
Description
These commands allow users to traverse the configuration hierarchy. The position moves one level up in the hierarchy. If used at the root configuration level, the command triggers the exit command.
Parameters
No parameters.
config: port port01
config(port port01): up
config(port): port02
config(port port02):
'//' prefix. Where sessions continue onto the next page, this is shown with the comment "// session continues here:"
# config
Welcome to the Opengear interactive config shell. Type ? or help for help.
// Move to the user entity
config: user
config(user): help add
Add a new item for entity user.
description
// Session continues here:
enabled true
no_password false
password (required)
ssh_password_enabled true
username matt
groups (array)
// Fill out some fields
config(user matt): password topsecretpassword
config(user matt): description scrum master
config(user matt): show
Entity user item matt
description scrum master *
enabled true
password...
admin myuser netgrp
config(user matt groups): add admin
config(user matt groups): up
// Exit the groups list
// Session continues here:
// Show and apply
config(user matt): show
Entity user item matt
description scrum master *
enabled true
password topsecretpassword *
ssh_password_enabled true
username ...
parity none
pinout X2
stopbits 1
control_code (object)
break a *
chooser pmhelp portlog power quit
ip_alias (array)
config(port port01): apply
Updating entity port item port01.
config(port port01):
CONFIGURE A SINGLE SESSION ON A PORT
The feature is enabled by typing single_session true, then applying the change.
config(port port01): single_session true
config(port port01):...
CREATE OR CONFIGURE A LOOPBACK INTERFACE Loopbacks are not physical interfaces and as such cannot be attached to a firewall zone; firewall zone or policy rules must be created for whatever interface you are connecting over. Service translations can be created through the firewall/service_translation endpoint to change the source address of outbound packets to the loopback address.
To add an address to a loopback interface, navigate to the conns endpoint and attach an ipv4 or ipv6 static address to the loopback (dhcp and ipv6_automatic are invalid for loopbacks): ADD AN ADDRESS IN CONFIG SHELL config: conn config(conn): add new config(conn new): mode static config(conn new): physif loop config(conn new): ipv4_static_settings...
CREATE SOURCE NAT RULES
Note: When referring to service translation rules, we refer to translating the source IP of traffic to a desired source IP address. To change the source address of outbound packets for a particular service, a service_translation rule must be added; see the following example. The rule contains a list of outbound services along with the changed source address for the service packets.
If required, source NAT may be used for all tcp and udp traffic leaving the box by adding the service all-tcp-udp to the service list: config(firewall/service_translation 10.0.0.1): show Entity firewall/service_translation item 10.0.0.1 address 10.0.0.1 services (array) 0 all-tcp-udp Note: There must be either a static or dynamic route to the loopback address from which you are connecting to the device.
The address can be ipv4 or ipv6 (no netmask required), and does not need to exist on the box (a warning is presented if the address does not exist). The list of services is a list of strings of service names. The outbound services must already be defined on the box, either as a predefined firewalld service or as a custom user service.
Set the private_key of your WireGuard interface. Add an address (at least one) for your WireGuard interface (10.0.0.1/24 in this case). Add a peer with the following parameters: endpoint_address, endpoint_port, public_key. Add an allowed_ip for your peer. At least one - this is the WireGuard address(es) (as it can also accept an address range) of the other interface to which you are connected.
CONTACT INFO
edit system/admin_info contact "fred.bloggs@opengear.com" hostname "om2216-l.lab" location "Happy Valley Lab"
TIME ZONE AND NTP
edit system/timezone timezone "America/New_York"
edit services/ntp enabled true
services/ntp servers add value "74.207.242.234"
Config CLI Use Case Examples 24.11.3
CREATE ADMIN USER
add user admin description "admin" enabled true no_password false password "password"
user admin groups add "admin"
CREATE BREAKGLASS USER (BELONGS TO NETGRP)
add user breakglass description "breakglass" enabled true no_password false password "password"
user breakglass groups add "netgrp"
Note: "password" is a placeholder. Give each account, and particularly the admin and breakglass accounts, its own strong password. A password typed at the config prompt is echoed by the show command in clear text; the --secrets option described in the Opengear CLI Guide controls the masked and obfuscated handling of sensitive fields.
ENABLE BOOT MESSAGES
Displays on the local console port.
edit managementport ttyS0 kerneldebug true
DEFINE SESSION TIMEOUTS
edit system/session_timeout cli_timeout 100 serial_port_timeout 100 webui_timeout 100
Note: The inactivity timer starts only after you exit the Config Shell, i.e. it begins counting once you have left config and are at the bash command prompt.
DEFINE MOTD
Enter banner text within quotation marks.
iptype IPv4v6 slot 2 ENABLE FAILOVER edit failover/settings enabled true probe_address 192.168.2.1 probe_physif net1 ADD A SYSLOG SERVER services/syslog_server add server1 address 192.168.34.113 protocol TCP port 610 description "my syslog server" Add Five Syslog Servers Note:Due to page width limitations, in the following example, some command lines break over two lines.
ENABLE SNMP V2 SERVICE FOR POLLING
edit services/snmpd enable_legacy_versions true enable_secure_snmp false enabled true port 161 protocol UDP
edit services/snmpd rocommunity "TkcxJAAAABBfDsigaxdDf7whb3sxKQKnjtCuuy/0COC6rE3lUu9ghg=="
Note: SNMP v1/v2c authenticates only by community string, which crosses the network in clear text. Where the poller supports it, keep enable_secure_snmp true and poll with SNMPv3 instead. The rocommunity value above appears to be in the obfuscated form that the --secrets option (Opengear CLI Guide) accepts for sensitive fields; a clear-text community string can be supplied in its place.
ENABLE 2 SNMP TRAPS AND TRAP SERVERS
Note: Due to page width limitations, in the following example, some command lines break over two lines.
CREATE A STATIC ROUTE Note:Due to page width limitations, in the following example, some command lines break over two lines. add static_route "static route test" destination_address 10.0.0.0 destination_netmask 8 interface net2 EDIT LAN (NET2) FIREWALL ZONE (allow only source address traffic) firewall/zone lan custom_rules add description "source_net4-1"...
firewall/zone wan custom_rules add description "source_net4-1" rule_content "rule family=ipv4 source address=192.168.2.0/24 accept" up add description "source_net4-2" rule_content "rule family=ipv4 source address=192.168.4.0/24 accept" up CUSTOM_RULE EXAMPLE FOR PORT AND PROTOCOL add firewall/service myports label "My Serial Ports" firewall/service myports add port 3001 protocol tcp up apply...
HOW CHANGES ARE APPLIED OR DISCARDED When fields and entities are changed, the changes are not immediately applied to the system configuration but remain in a staged status. Items that are staged are indicated by an ‘*' (asterisk) when the ‘show’ command is used. In addition, the 'changes’...
When any changes have been made to a single entity or to multiple entities, the following commands become available. These commands are described in detail in the Config CLI Commands section:
Command  Description
changes  Show staged changes on all entities.
apply    Apply changes only on the current entity.
discard  Discard changes only on the current entity.
groups (array)
config(user john): changes
Entity user item john (edit)
description Scrum Master
config(user john):
How Changes Are Applied or Discarded 24.11.3
MULTI-FIELD UPDATES DESCRIPTION Within Config Shell, it is possible to update multiple fields with one command line. This is restricted to ‘flat’ fields within the current context ie arrays and sub-objects cannot currently be updated all in one command line. For example, the following port fields can all be changed in a single command: baudrate, databits, escape_char, label, logging_level, mode, parity, pinout and stopbits.
config(port port01 ip_alias 1): up config(port port01 ip_alias): up config(port port01): changes Entity port item port01 (edit) control_code (object) break b chooser c ip_alias (array) 1 (object) interface net1 ipaddress 10.83.0.6/24 config(port port01): If certain fields are hidden and only visible by first configuring other fields, these hidden fields need to be set in another line.
staged changes will not be affected. In the following example, the user description was previously changed to “my user” config(user consoleuser): show Entity user item consoleuser description my user * enabled true no_password false password "" ssh_password_enabled true groups (array) 0 consoleuser If a bad field name or value is supplied on the command line, then the existing staged value is retained.
ssh_password_enabled true groups (array) 0 consoleuser The bad value for the field is indicated by an error message hinting the expected type of the value: config(user consoleuser): description "My console user" enabled bad Value bad for field enabled cannot be parsed as a boolean. config(user consoleuser): show Entity user item consoleuser description my user *...
ERROR MESSAGES When an error is made in the command line an error message which identifies the error is returned. For example, if the first token of the command is mistyped, the unknown command message is displayed. config: usear root There is no command usear root.
STRING VALUES IN CONFIG COMMANDS DESCRIPTION The syntax for the use of string values has changed. It was previously possible to enter values containing spaces without using quotes. Multiple fields can now be assigned in one command line, quotes are required to keep field values together. EXAMPLE The following example shows setting multiple fields where the field value for the description has spaces.
If the value itself must contain quotes, there is a triple quote form for entering string values: config(user consoleuser): description """My "console" user""" enabled true config(user consoleuser): changes Entity user item consoleuser (edit) description My "console" user enabled true The triple quoted string is used for entering multi-line strings: config(system/banner): banner """...
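The quoting rules in this section (a bare token for a value without spaces, double quotes around a value containing spaces, the triple-quote form for a value containing double quotes or newlines) are easy to get wrong when command lines are generated by a script. The POSIX shell helper below is an added example and is not part of the Opengear documentation or software: it builds the field/value part of a Config Shell multi-field assignment from those rules. The bare-token rule is taken from the examples above (enabled true); the function names cfg_quote and cfg_assign are the example's own. The output is meant for the config(...) prompt, where the interactive shell parses the quotes; how the one-line config edit form tokenises quoted arguments is not described on this page.

```shell
#!/bin/sh
# Added example (not Opengear's code): build the field/value part of a
# Config Shell command line using the quoting rules described in the text.
#   - a value with no spaces, quotes or newlines is passed as a bare token
#   - a value containing spaces is wrapped in double quotes
#   - a value containing a double quote or a newline uses the triple-quote form

nl=$(printf '\nx'); nl=${nl%x}   # a literal newline, for pattern matching

# cfg_quote VALUE -> prints VALUE quoted for the Config Shell
cfg_quote() {
    case $1 in
        *\"*|*"$nl"*)   printf '"""%s"""' "$1" ;;   # embedded quote or newline
        *[[:space:]]*)  printf '"%s"' "$1" ;;       # spaces: keep the value together
        *)              printf '%s' "$1" ;;         # single token, no quoting needed
    esac
}

# cfg_assign FIELD VALUE [FIELD VALUE ...] -> prints "field value field value",
# the multi-field form for flat fields in the current context, e.g.
#   config(user consoleuser): description "My console user" enabled true
# Arrays and sub-objects cannot be set this way; they need their own context.
cfg_assign() {
    out=""
    while [ $# -ge 2 ]; do
        field=$1; value=$2; shift 2
        out="${out:+$out }$field $(cfg_quote "$value")"
    done
    # an odd number of arguments means a field without a value: refuse it
    [ $# -eq 0 ] || { printf 'cfg_assign: field %s has no value\n' "$1" >&2; return 1; }
    printf '%s' "$out"
}
```

A multi-line banner passes through cfg_quote unchanged apart from the surrounding triple quotes, which is the form the banner example above uses.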
OPENGEAR CLI GUIDE
The ogcli command line tool is used for getting and setting configuration, and for retrieving device state and information. The purpose of ogcli is to perform a single operation and exit. Operations are performed on a single entity, a list of entities, or all entities.
A description and example usage of a specific ogcli operation.
ogcli help <entity>
A description of a specific entity and the operations it supports.
ogcli help <entity> <operation>
An example of how to perform a specific operation <operation> on a specific entity.
Opengear CLI Guide 24.11.3
diff    Show additions, removals, changes and functional differences between the input and running configurations. See also config diff.
get     Retrieve a list or single item.
help    Display ogcli help.
import  Import system configuration, merging with the current system configuration.
HERE DOCUMENT
A here document (heredoc) is a form of input redirection that allows entering multiple lines of input to a command. The syntax of a heredoc takes the following form:
ogcli [command] << 'DELIMITER'
HEREDOC
DELIMITER
The data can also be entered via stdin by piping the data to the ogcli command.
echo 'enabled=true description="operator"' | ogcli update user <username>
Alternatively, you can provide a file via input redirection with <.
echo 'enabled=true description="operator"' > partial_record
When entering the start of a command, press the <tab> key to complete the phrase to the nearest match. If there are multiple matches, all options are displayed for your reference.
This behavior can be overridden to display sensitive fields in clear text, obfuscated form or masked form using the --secrets option. The clear text and obfuscated forms are also accepted when supplying a sensitive field.
# ogcli --secrets=cleartext get snmpd
auth_password="my_secret"
UPDATE ITEM WITH FIELD WHERE VALUE IS A STRING
ogcli update user <username> description=\"operator\"
UPDATE ITEM WITH FIELD WHERE VALUE IS NOT A STRING
For example, a numeric or boolean value:
ogcli update user <username> enabled=true
<file_path>
COMPARE CURRENT CONFIGURATION WITH A PROPOSED CONFIGURATION
The updated ogcli diff tool enables Opengear users to compare a proposed configuration with the existing configuration so that they can understand any prospective changes to the config. The diff function compares the active configuration with an input configuration file, which must be in the format of an export file produced by either a config export <template-file>...
(+). For example, the new_user user does not exist in the active configuration, but is present in the input file supplied. If the input file were imported, this user would be added.
ogcli --secrets=obfuscate merge users <<'END'
+ users[1].enabled=true
+ users[1].groups[0]="admin"
+ users[1].no_password=false
+ users[1].ssh_password_enabled=true
+ users[1].username="new_user"
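A diff report in the form shown above is a convenient point at which to review a proposed configuration for privilege-widening changes before it is imported. The script below is an added example and not Opengear tooling: it reads a report produced by ogcli diff or config diff from stdin and flags additions of admin group membership, password changes, password-based SSH being enabled and SNMP v1/v2c being enabled. The "+ users[1].groups[0]="admin"" line layout follows the output above; it is an assumption of the example that removals are printed with a leading "-" and that snmpd fields appear as snmpd.<field>=<value>. The sample report embedded in the script is constructed, not captured from a device.

```shell
#!/bin/sh
# Added example, not Opengear's tooling: screen an ogcli diff / config diff
# report for privilege-widening changes before the proposed file is imported.
# Line layout "+ users[1].groups[0]="admin"" follows the diff output shown
# in the guide. Assumptions (not from the page): removals are printed with a
# leading "-", and snmpd fields appear as snmpd.<field>=<value>.

# Constructed sample report; not captured from a device.
SAMPLE_DIFF='# proposed change set for om2248, reviewed before import
+ users[1].enabled=true
+ users[1].groups[0]="admin"
+ users[1].no_password=false
+ users[1].ssh_password_enabled=true
+ users[1].username="new_user"
- users[0].password="<masked>"
+ users[0].password="<masked>"
- snmpd.enable_legacy_versions=false
+ snmpd.enable_legacy_versions=true
+ system/banner.banner="Authorised access only"'

# review_diff < report -> prints one FLAG line per finding; exit status 1 if
# anything was flagged, 0 if the change set needs no second pair of eyes.
review_diff() {
    awk '
        function flag(reason) { n++; print "FLAG: " reason ": " $0 }
        /^#/ || /^[[:space:]]*$/ { next }   # the diff tool ignores # comments; so do we
        /^[+] users\[[0-9]+\]\.groups\[[0-9]+\]="admin"$/   { flag("admin group membership added"); next }
        /^[+] users\[[0-9]+\]\.password=/                    { flag("password set or changed"); next }
        /^[+] users\[[0-9]+\]\.ssh_password_enabled=true$/  { flag("password-based SSH enabled"); next }
        /^[+] snmpd\.enable_legacy_versions=true$/           { flag("SNMP v1/v2c enabled"); next }
        /^[+] snmpd\.enable_secure_snmp=false$/              { flag("SNMPv3 disabled"); next }
        /^- / { removed++ }
        END {
            if (removed) print "INFO: " removed " value(s) removed or replaced"
            exit (n > 0)
        }
    '
}

# count_flags < report -> number of FLAG lines, for use in other scripts
count_flags() {
    review_diff | grep -c '^FLAG:'
}

# Stand-alone use:  ogcli diff proposed.cfg | sh review_diff.sh
# Run with --sample to screen the constructed report above instead.
if [ "${1:-}" = "--sample" ]; then
    printf '%s\n' "$SAMPLE_DIFF" | review_diff
fi
```

Run against the sample, review_diff flags four lines (the admin group, the replaced password, password-based SSH and legacy SNMP) and exits 1; the banner change and the plain user fields pass. Extend the awk rules with whatever other paths matter in your deployment, for instance firewall zone or custom_rules changes.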
If the input configuration file is missing properties or sections of configuration, the diff function instead considers the differences between the active configuration and the default values for those properties. Missing sections or properties from the input
Type ogcli diff --help for more information.
This behaviour is the same for config:
root@om2248:~# config --secrets=cleartext export config_file
root@om2248:~# config --secrets=cleartext diff config_file
root@om2248:~# config --secrets=mask diff config_file
The secrets flag provided doesn't match the flag in the proposed
Comments must start with #. These are ignored by the diff tool. See also "diff" on page 337.
ENABLE LOCAL CONSOLE BOOT MESSAGES
ogcli get managementports
CHANGE ROOT PASSWORD
ogcli update user root password=\"oursecret\"
Note: a password passed as a command-line argument is kept in the shell history and is visible in the process list while the command runs. Supplying it on stdin or in a heredoc (see HERE DOCUMENT above) avoids both.
CREATE NEW ADMINISTRATIVE USER
ogcli create user << 'END'
username="adal"
description="Ada Lovelace"
enabled=true
no_password=false
groups[0]="groups-1"
password="oursecret"
END
MANUALLY SET DATE AND TIME
ogcli update system/timezone timezone=\"America/New_York\"
(FQDN). When adding an interface to a Bond or Bridge, it uses the DNS configuration of the aggregate interface.
Note: Interfaces must have at least one network connection to be able to perform DNS resolution.
CONFIGURE SERIAL PORTS
ogcli get ports
ogcli get ports | grep label
ogcli get port ports-1
ADVANCED PORTMANAGER PMSHELL GUIDE The Portmanager program allows you to access any serial port on the console server using pmshell commands. Routes network connection to serial ports. Checks permissions. Monitors and logs all the data flowing to/from the ports. Allows you to run power commands if the serial port is associated with a PDU outlet.
Options
Name  Result
The Single Session feature can be enabled or disabled by editing the single_session field of a given port. When a user with port-level administration access is logged in via pmshell, the port configuration menu can be accessed from any port by pressing the escape character (~ by default) followed by c (~c).
CUSTOM CONTROL CODES FOR SERIAL PORTS Custom control codes can be defined for ease of use per port or can be applied to all ports. For example, users could define a different Power Menu control code for every port, while having a single control code for View History that applies to all ports.
CONFIGURE CONTROL CODES FOR A SPECIFIED PORT (CLI EXAMPLES)
Control Codes Action: set control codes for a given port. In this example, the user sets multiple control codes for port 2.
CLI Example:
ogcli update port port02 << 'END'
control_code.break="b"
control_code.chooser="c"...
CONFIGURE A CONTROL CODE VALUE FOR ALL PORTS To set a particular control code to one value across all serial ports, Admin users can use the script set-serial-control-codes from the CLI as follows: set-serial-control-codes CONTROL_CODE KEY where: CONTROL_CODE - Must be one of the following values: break, chooser, pmhelp, portlog, power or quit.
DNS CONFIGURATION DNS settings such as Name Servers and Search Domains can be configured for each network interface, which will override the DHCP provided settings. Name servers allow the system to resolve hostnames to IP addresses to communicate with remote systems. Search domains allow the system to resolve partially qualified domain names (PQDN) by appending entries from the listed search domains to form a fully qualified domain name (FQDN).
NAME SERVERS Add one or more name servers to the list by clicking the Add Name Server button. Name servers can be IPv4 or IPv6 addresses. Name servers can be removed from the list by clicking the Delete button next to each row. Click Apply to save the changes.
CONFIGURE DNS VIA THE COMMAND LINE
Description                                       Command
Display configured DNS settings for an interface  ogcli get physif "net1"
Update DNS settings for an interface              ogcli update physif "net1" << END
                                                  dns.nameservers[0]="1.1.1.1"
                                                  dns.nameservers[1]="1.0.0.1"
                                                  dns.search_domains[0]="example.net"
                                                  dns.search_domains[1]="example.com"
                                                  END
Check unbound service status                      systemctl status unbound.service
List forward-zones in use                         unbound-control list_forwards
DNS Configuration 24.11.3
DOCKER Docker is a tool designed to make it easier to create, deploy, and run applications by distributing them in containers. Developers can use containers to package up an application with all of the parts it needs, like libraries and dependencies, and then ship it out as one package.
CRON
The cron service can be used for scheduled cron job runs. The daemon can be managed via the /etc/init.d/crond interface, and cron tables are managed via crontab. Crontab supports:
Usage:
crontab [options] file
crontab [options]
crontab -n [hostname]
OPTIONS:
-u <user>  define user
-e ...
Cron does not need to be restarted when a crontab file is modified; it examines the modification time of all crontabs and reloads those that have changed.
To verify the current crond status:
/etc/init.d/crond status
To list all crontabs, showing the current cron jobs:
crontab -l
To edit or create a custom crontab file:
crontab -e
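A scheduled cron job is a natural place for a configuration drift check: export the running configuration, compare it with a known-good baseline and raise an alert on any difference. The script below is an added example, not part of the Opengear firmware. It assumes that config --secrets=mask export FILE writes the export to FILE, the form shown with --secrets=cleartext in the Opengear CLI Guide section; the baseline path, the drift_check function name and the crontab line in the comment are the example's own choices. Mask mode keeps credentials out of the baseline file, at the cost of not detecting a change that only affects a secret's value.

```shell
#!/bin/sh
# Added example (not Opengear's code): configuration drift check meant to run
# from cron. Exports the running configuration, compares it with a stored
# baseline and exits non-zero when they differ.
# Assumption: "config --secrets=mask export FILE" writes the export to FILE,
# as the "config --secrets=cleartext export config_file" example in the
# Opengear CLI Guide section does. Mask mode keeps secrets out of the baseline.
# Hypothetical crontab line (paths are this example's choice):
#   0 2 * * * /etc/config/scripts/drift_check.sh --run >> /var/log/drift_check.log 2>&1

EXPORT_CMD=${EXPORT_CMD:-"config --secrets=mask export"}   # FILE is appended
BASELINE=${BASELINE:-/etc/config/config-baseline.export}

# drift_check [baseline] -> 0: matches baseline
#                          1: differs (unified diff printed on stdout)
#                          2: no baseline existed; the current export became one
#                          3: the export itself failed
drift_check() {
    baseline=${1:-$BASELINE}
    current=$(mktemp) || return 3
    if ! $EXPORT_CMD "$current"; then
        rm -f "$current"
        printf 'drift_check: export failed\n' >&2
        return 3
    fi
    if [ ! -f "$baseline" ]; then
        mv "$current" "$baseline"
        printf 'drift_check: recorded new baseline %s\n' "$baseline" >&2
        return 2
    fi
    if diff -u "$baseline" "$current"; then
        rm -f "$current"
        return 0
    fi
    rm -f "$current"
    printf 'drift_check: running configuration differs from %s\n' "$baseline" >&2
    return 1
}

# Stand-alone: run the check when executed directly with --run
if [ "${1:-}" = "--run" ]; then
    drift_check
fi
```

Refresh the baseline deliberately (delete the file after an approved change) rather than automatically, otherwise an unauthorised change becomes the new normal on the next run.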
INITIAL PROVISIONING VIA USB KEY Also known as “ZTP over USB”, this feature allows provisioning an unconfigured (factory erased) unit from a USB storage device like a thumb drive. The USB device must contain a filesystem recognized by the CM (currently FAT32 or ext4) with a file named manifest.og in the root directory.
UI BUTTON DEFINITIONS The table below provides a definition of the button icons used in the UI. Button Icon Definition Edit buttons Add item (eg. SNMP Manager) VLAN interface or create VLAN interface. Bonded interfaces or create new bond Bridged interfaces or create new bridge Standard network interface Cellular interface UI Button Definitions...
Interface with bridge
Interface with bond
Bin widget. Delete selected object.