Opengear OM2200 User Manual

Operations manager
User Guide
Software Release 24.11.3

Summary of Contents for Opengear OM2200

  • Page 1 User Guide Software Release 24.11.3...
  • Page 2: Table Of Contents

    CONTENTS Contents Copyright © Document Revision History Safety & FCC Statement Safety Statement FCC Warning Statement About This User Guide Installation And Connection Power Connection DC Powered OM1200 Dual Power Supply LED Power Status Indicator SNMP Alerts for Power-related Events SNMP Alert Configuration Device Status LEDs Connecting to the Network...
  • Page 3 Cellular Modem Antenna Gain Specifications 40 MPE Safe Distance Statement OM1200 antenna gain and collocated radio transmitter specifications. Device Reboot Initial Settings Default Settings Serial Port Settings Browser WebUI Using the WebUI Management Console Connection via CLI Accessing the WebUI CLI Terminal Change the Root Password Disable a Root User Change Network Settings...
  • Page 4 MONITOR Menu System Log LLDP CDP Neighbors Triggered Playbooks ACCESS Menu Local Terminal Serial Ports Quick Search Access Using Web Terminal or SSH Serial Port Logging Display Port Logs CONFIGURE Menu Serial Ports Edit Serial Ports Assigning Unique IP Addresses for Each Console Port Configure Single Sessions for Ports Single Session Enabled In the WebUI In Config Shell...
  • Page 5 Autodiscovery Autodiscovery Enhancements Cancel Autodiscovery Schedule Autodiscovery Retrieve Port Discovery Logs Local Management Consoles Lighthouse Enrollment Manual Enrollment Using UI Manual Enrollment Using the CLI Automatic Enrollment By Lighthouse Service Portal (LSP) LSP Service Initialization LSP Commands Restarting The Service LSP Errors and Exit Codes LSP Logging &...
  • Page 6 System Alerts System Alerts - General Authentication Configuration Change System Alerts - Power Enable Power Supply Syslog Alerts Syslog Alert Severity System Alerts - Temperature Configure SNMP System Temperature Alerts System Alerts - Networking (Connection Status) Configure Signal Strength Alerts Network Connections Network Interfaces Dual SIM...
  • Page 7 Cellular Modem Firmware Upgrade Modem Firmware Upgrade Procedures Cellular Availability During Upgrade cell-fw-update Help Update Local File List and Download Latest Firmware Files List Supported Carriers Automatic Firmware Update for Current Carrier Firmware Update For Specific Carrier Manual Firmware Update Modem Update Troubleshooting Guide Determine if Modem is Ready &...
  • Page 8 Configure a VLAN IPsec Tunnels Create, Add or Edit IPsec Tunnels NAME and STATUS IKE Settings Authentication Tunnel Settings Addressing Dead Peer Detection Enable the IPSec Tunnel Static Routes Configure Static Routes Create a Static Route Edit a Static Route Delete a Static Route Manage Static Routes via Command Line Network Resilience Out-Of-Band Failover...
  • Page 9 User Management Groups Permission Changes in the Web UI Understanding Access Rights Defined Access Rights Admin Access Rights (admin) WebUI Access Rights (web_ui) Portmanager Shell Access Rights (pmshell) Port Configuration Access Rights Access > Serial Ports View Configure > Serial Ports View Non-Admin Users Protected Groups and Users Understanding Serial Port Access...
  • Page 10 Configure LDAP over SSL LDAP and LDAPS Port Settings Limitations for LDAPS Implementation Upgrade Limitations Local Password Policy Set Password Complexity Requirements Set Password Expiration Interval Password Policy Implementation Rules Services FIPS Compliance Configure FIPS Enable FIPS Enable FIPS via Config Shell: Enable FIPS via ogcli: Disable FIPS Disable FIPS via Config Shell:...
  • Page 11 HTTPS Certificate Network Discovery Protocols Routing Dynamic Routing Static Routing (via the ogcli) Static Routing ogcli Help Create Static Route - Example: Static Routing Arguments OSPF Configuration Managed Configuration Items New Fields in REST API & Config Shell REST API Config Shell Interfaces, Neighbors and Networks.
  • Page 12 Addresses Peers Hooks Adding a WireGuard Interface to a Firewall Zone Unauthenticated SSH to Serial Ports Enable Unauthenticated SSH Enable SSH Enable/Disable Connecting Directly to Serial Ports Feature Persist Properties and Settings Syslog Add a New Syslog Server Global Serial Port Settings Global Serial Port Settings Tab - Field Definitions Syslog Facility Definitions Syslog Severity Definitions...
  • Page 13 SNMP Service SNMP Alert Managers Multiple SNMP Alert Managers Create or Delete an SNMP Manager New SNMP Alert Manager Definitions Firewall Firewall Guide Introduction Firewall Rules Firewall Policies Example WebUI Configuration Example 1: Disallow WAN Zone Access to HTTPS Example 2: Permit Access to WAN Zone HTTPS from a Trusted Source Network Only Custom Rules (firewalld “rich-rules”) Custom Rules Examples:...
  • Page 14 Firewall Policies Creating Egress Policies in the WebUI Egress Policy Details Create a New Firewall Policy Editing Policies or Rules Configure Egress Policies in the Config Shell Create Rules Under a Policy - Config Shell Logging and Debugging Firewall Policies Firewall Services Adding WireGuard Zones to a Firewall System...
  • Page 15 Perform a System Upgrade Upgrade via Fetch From Server Upgrade via Upload Advanced Options Communicating With The Cellular or POTS Modem Internal Modem (POTS) Configuring the POTS Modem (OM2200-10G-M-L) Configuration via the WebUI POTS Configuration via the Config Shell POTS Configuration via the CLI...
  • Page 16 Logging Config CLI GUIDE Navigation in Config CLI Starting a Session in Config CLI Exiting a Config CLI Session Navigating the Config CLI Understanding Fields, Entities and Contexts Global & Entity-Context Commands Global Context Commands Entity Context Commands Config CLI Entities Supported Entities Config CLI Commands apply...
  • Page 17 Help Used in Conjunction with a Command Help Used with a Configuration Option import/export show up / exit / .. Config CLI Use Case Examples Adding a User Configuring a Port Configure a Single Session on a Port Create or Configure a Loopback Interface Create Source NAT Rules REST API Logging and Debugging...
  • Page 18 Enable tftp Enable Boot Messages Define Session Timeouts Define MOTD Enable SIMM 1 Enable and Add APN Enable SIMM 1 Complete End Points Enable Failover Add a Syslog Server Set Port Logging Remote Syslog Settings Enable System Monitor SNMP Traps Enable SNMP V2 Service for Polling Enable 2 SNMP Traps and Trap Servers Create a StaTic Route...
  • Page 19 Opengear CLI Guide Getting Started with ogcli Access ogcli Help and Usage Information Basic Syntax ogcli Operations Supplying Data To ogcli Here Document Inline Arguments Pipes and Standard Input Quoting String Values Tab Completion Displaying Secrets in ogcli Common Configuration Examples...
  • Page 20 Docker Cron Options: Initial Provisioning via USB Key EULA and GPL UI Button Definitions...
  • Page 21: Copyright

    “as is,” without warranty of any kind, expressed or implied, including, but not limited to, the implied warranties of fitness or merchantability for a particular purpose. Opengear may make improvements and/or changes in this manual or in the product(s) and/or the program(s) described in this manual at any time. This product could include technical inaccuracies or typographical errors.
  • Page 22: Document Revision History

    Added Firewall - Source Address Filtering 23.10.0 November 2023 Dual DC power supply option OM2200-10G-M-DDC-L 10G Modem (POTS) detail and config Support for OSPF and WireGuard New user password limitations (cannot use 'default') Firewall custom rules updated...
  • Page 23 24.07.0 July 2024 Support for Raw TCP Access for Serial Ports Lighthouse Service Portal (LSP) - Lighthouse Enrollment updated for LSP - LED Status updated for LSP 24.11.1 Nov 2024 Config Diff tool updated in Ogcli Guide & Config CLI Guide Config Rollback (automated) feature added Factory Reset (Erase) procedure...
  • Page 24: Safety & FCC Statement

    Do not remove the metal covers. There are no operator serviceable components inside. Opening or removing the cover may expose you to dangerous voltage which may cause fire or electric shock. Refer all service to Opengear qualified personnel. To avoid electric shock the power cord protective grounding conductor must be connected through to ground.
  • Page 25 Any changes or modifications made to this device without the explicit approval or consent of Opengear will void Opengear of any liability or responsibility of injury or loss caused by any malfunction. This equipment is for indoor use and all communication wiring is limited to the inside of the building.
  • Page 26: About This User Guide

    ABOUT THIS USER GUIDE This user guide is up to date for the 24.11.3 firmware release. When using a minor release there may or may not be a specific version of the user guide for that release. About This User Guide 24.11.3...
  • Page 27: Installation And Connection

    INSTALLATION AND CONNECTION This section describes how to install the appliance hardware and connect it to controlled devices. Operations Manager features (OM2200 device shown as an example; figure callouts): 1. Serial ports; 2. RJ45 serial console; 3. ...; 8. SIM card slots; 9. Cell (main)...
  • Page 28 Installation And Connection 24.11.3...
  • Page 29: Power Connection

    Note: Country specific IEC power cords are included with the AC Operations Manager. See also "Dual Power Supply" on page 32 and "System Alerts - Power" on page 107. Operations Manager Platform (OM2200) Environmental And Power: Power Supply: Dual AC or 12V DC. Power Draw: 48 Watts for -24E, others <30W. Operating conditions: Temperature 5~50C, Rel Humidity 5~90% ...
  • Page 30: DC Powered OM1200

    Cooling: Passive. Environmental Sensors: Smart Controller with multi-zone temperature sensors. Supervisory environmental controller with safety power down. Power Draw Sensors: Active multi-zone power draw monitoring. DC POWERED OM1200 All OM1200 devices are shipped with a 12VDC to universal AC (multi-country clips) wall adapter and a barrel-jack connector.
  • Page 31 Power Draw Sensors Active multi-zone power draw monitoring. Power Connection 24.11.3...
  • Page 32: Dual Power Supply

    Operations Manager device with a dual power supply. Note: OM1200 and CM devices have displays comprising four LEDs. The OM2200 devices have displays comprising six LEDs that include Lighthouse (Cloud) and Network status. See "Device Status LEDs" on page 34 for LED definitions.
  • Page 33: SNMP Alerts For Power-Related Events

    If a dual PSU device has power connected to one PSU (power supply unit), the LED power status indicator is colored amber indicating that the unit has no redundancy in the event of a power failure. SNMP ALERTS FOR POWER-RELATED EVENTS The System Voltage Range SNMP alert is triggered when there is a change in power status such as a system reboot or when the voltage on either power supply leaves or enters the configured range of the System Voltage alert.
  • Page 34: Device Status LEDs

    DEVICE STATUS LEDS The LED states shown below are determined through user-configurable threshold values for the Cell LED Amber / Green light, and modem enabled / disabled information. Status LEDs table (columns: LED; Condition: LED Off, Amber Solid, Amber Flashing, Green Solid, Green Flashing). Power...
  • Page 35 (Status LEDs table, continued) ...nection starting. ...nection is stopping, or normal network is up and failover is stopping. Cellular Interface: LED Off: Cellular is not in use. Amber Solid: Cell is starting and sig... Amber Flashing: Cell is connected and... Green Solid: The cell is starting and... Green Flashing: Cell is connected.
  • Page 36 Note: The amber LED signal threshold config is set to 50% of normal signal strength. Note: OM1200 series devices do not have a cloud LED, therefore, no LED indication is available for LSP or Lighthouse. For information on the setting of network and power alert thresholds, see: "System Alerts - Networking (Connection Status)"...
  • Page 37: Connecting To The Network

    NET2. In the OM2200 there are options for copper wiring (on a standard RJ-45 connector) and fiber (through a standard SFP module). The network connections on the OM2200 are located on the serial port side of the unit. Connect the provided shielded CAT5 cable to the NET1 to a computer or into your network for initial configuration.
  • Page 38: Serial Connection

    SERIAL CONNECTION Note: X1 and X2 are Opengear specific labels, where X2 = Cisco straight and X1 = Cisco reversed. OM1200 Serial Ports: The serial connections feature RS-232 (Cisco straight –X2). Connect serial devices with the appropriate STP cables. Console Ports:...
  • Page 39: Cellular Connectivity

    CELLULAR CONNECTIVITY Operations Manager products offer an optional global cellular LTE interface (models with -L suffix). The cellular interface is certified for global deployments with most carriers and provides a CAT12 LTE interface supporting most frequencies in use. To activate the cellular interface, you should contact your local cellular carrier and activate a data plan associated to the SIM installed.
  • Page 40: Cellular Modem Antenna Gain Specifications

    CELLULAR MODEM ANTENNA GAIN SPECIFICATIONS MPE SAFE DISTANCE STATEMENT Opengear cellular products are intended for use 28cm or more from the body. This meets limits for Maximum Permissive Exposure (MPE) and is the minimum safe distance. OM1200 ANTENNA GAIN AND COLLOCATED RADIO TRANSMITTER SPECIFICATIONS.
  • Page 41 Cellular Modem Antenna Gain Specifications 24.11.3...
  • Page 42: Device Reboot

    DEVICE REBOOT The Operations Manager reboots with all settings (e.g., the assigned network IP address) preserved. To reboot the unit: Select CONFIGURE > System > Reboot. To conduct a full erase and factory reset see "Factory Reset" on page 297. Note: Factory reset will reset the appliance to its factory default settings. Any modified configuration information is erased.
  • Page 43: Initial Settings

    By default, all interfaces are enabled. The unit can be managed via Web GUI or by command line interface (CLI). Tip: There is also a Quick Start Guide to assist with easy setup of the Operations Manager. The QSG is available at: https://opengear.com/support/documentation/ Note: For Configure Serial Ports (see "Serial Ports" on page 67) Initial Settings...
  • Page 44: Default Settings

    DEFAULT SETTINGS Tip: See also the Quick Start Guide available at the Opengear documentation web page: https://opengear.com/support/documentation/ The Operations Manager comes configured with a default static IP Address for NET1 of 192.168.0.1 Subnet Mask 255.255.255.0. SERIAL PORT SETTINGS The default settings for the serial ports (1 up to 48) on a new device are: The default settings for the serial ports (4 up to 8) on a new device are: “Console server”...
  • Page 45: Using The WebUI

    The WebUI has three menu options on the upper-right: Help, System, and Log out. The Help menu contains a link to generate a Technical Support Report that can be used by Opengear Support for troubleshooting. It also contains a link to the latest User Guide.
  • Page 46 Default Settings 24.11.3...
  • Page 47: Management Console Connection Via CLI

    MANAGEMENT CONSOLE CONNECTION VIA CLI The Command Line Interface (CLI) is accessible using your preferred application to establish an SSH session. Open a CLI terminal on your desktop, then: 1. Input the default IP Address of 192.168.0.1. SSH port 22 is enabled by default. 2.
  • Page 48: Change The Root Password

    CHANGE THE ROOT PASSWORD For security reasons, only the root user can initially log in to the appliance. Upon initial login the default password must be changed. Note: Users are prevented from reusing the word “default” as their password. The factory default password automatically expires after a factory reset and users must choose a new password.
  • Page 49 3. In the Edit User page, if required, enter an optional description in the Description field. Enter a new password in the Password field and re-enter the password in the Confirm Password field. Change the Root Password 24.11.3...
  • Page 50 4. Click Save User. A green banner confirms the password change has been saved. Change the Root Password 24.11.3...
  • Page 51: Disable A Root User

    DISABLE A ROOT USER To disable a root user: Note: Before proceeding, make sure that another user exists that has the Administrator role or is in a group with the Administrator role. For information on creating, editing, and deleting users, see "Local Users"...
  • Page 52: Change Network Settings

    CHANGE NETWORK SETTINGS The interface supports both IPv4 and IPv6 networks. The IP address of the unit can be set up as Static or DHCP. The following settings can be configured for network ports: IPv4 and IPv6; Static and/or DHCP; enabling or disabling network interfaces; Ethernet media types.
  • Page 53 4. Select the Interface and Connection Type for your new connection. 5. The form on the bottom part of the page will change based on the Connection Type you choose. Enter the necessary information and click Apply. To disable or delete interfaces, use the controls on the expanded section on the CONFIGURE >...
  • Page 54: Change The Ethernet Media Type

    CHANGE THE ETHERNET MEDIA TYPE 1. Click CONFIGURE > Network Connections > Network Interfaces. 2. Click the expand arrow to the right of the interface you wish to modify. 3. Click Enabled. Change Network Settings 24.11.3...
  • Page 55 4. To change the interface media setting, click the Edit button and edit the media settings as needed and click Apply. Change Network Settings 24.11.3...
  • Page 56: Monitor Menu

    MONITOR MENU The MONITOR Menu is a relatively short section comprising only three topics. MONITOR Menu 24.11.3...
  • Page 57: System Log

    SYSTEM LOG MONITOR > System Log The Operations Manager maintains a log of system activity, access, and communications events with the server and with attached serial, network and power devices. To view the System Log, click MONITOR > System Log. The System Log page lets you change the Number of Log Lines displayed on the screen.
  • Page 58: LLDP CDP Neighbors

    LLDP CDP NEIGHBORS The Operations Manager displays LLDP/CDP Neighbors when enabled for a connection. See "Network Discovery Protocols" on page 219 to enable/disable. LLDP CDP Neighbors 24.11.3...
  • Page 59: Triggered Playbooks

    TRIGGERED PLAYBOOKS For information on creating Playbooks, see the Playbooks topic in this User Guide. To monitor current Playbooks, click on Monitor > Triggered Playbooks. Choose the time period if desired, and filter by Name of Playlist to view any that have been triggered.
  • Page 60: Access Menu

    ACCESS MENU The ACCESS menu provides access to Local Terminal of the Operations Manager. It also provides SSH and Web Terminal access to specific ports. ACCESS Menu 24.11.3...
  • Page 61: Local Terminal

    LOCAL TERMINAL The Operations Manager includes a web-based terminal. To access this bash shell instance: 1. Select ACCESS > Local Terminal 2. At the login prompt, enter a username and password. 3. A bash shell prompt appears. This shell supports most standard bash commands and also supports copy-and-paste to and from the terminal.
  • Page 62: Serial Ports

    SERIAL PORTS Tip: Ensure you are on the ACCESS > Serial Ports page and not the similar CONFIGURE > Serial Ports page. The ACCESS > Serial Ports page allows you to quickly locate and access specific ports via Web Terminal or SSH link shown in the image below. Callout # Item Definition Serial port edit button.
  • Page 63: Quick Search

    Click the Expand arrow (5) to the right of the port to see the Port Logging status or access the port Edit button, which is a link to the CONFIGURE > Serial Ports page. (ogcli: ogcli get ports/ports_status). The following information is displayed under Access > Serial Ports when the individual serial ports are expanded: Rx byte counter (counter reset requires ‘Admin’...
  • Page 64: Serial Port Logging

    Choosing SSH opens an application you have previously associated with SSH connections from your browser. Note: MS Windows does not connect to PuTTY by default. You may need to install the WinSCP program to launch PuTTY from the Opengear WebUI SSH Serial Port button. SERIAL PORT LOGGING The port logging facility and severity associated with the serial port logs is controlled and set at the Configure >...
  • Page 65: Display Port Logs

    DISPLAY PORT LOGS Tip: The log is accessed by clicking the Port Log link on the ACCESS > Serial Ports page. The link is only available when port logging is enabled. Serial Ports 24.11.3...
  • Page 66: Configure Menu

    CONFIGURE MENU This section provides step-by-step instructions for the menu items under the CONFIGURE menu. CONFIGURE Menu 24.11.3...
  • Page 67: Serial Ports

    SERIAL PORTS Tip: Ensure you are on the CONFIGURE > Serial Ports page and not the similar ACCESS > Serial Ports page. Navigate to CONFIGURE > Serial Ports; a list of serial ports is displayed. On this page you can configure and edit specific ports. Click the Edit button (pencil icon) to the right of the port to display the port editing page.
  • Page 68 tifier. This can be used to locate this port using the Quick Search form on the ACCESS > Serial Ports page. Mode (Disabled / Console Server / Local Console): Console Server mode allows access to a downstream device via its serial port. Local Console mode allows access to the OM device’s console through a serial...
  • Page 69: Assigning Unique Ip Addresses For Each Console Port

    LOGGING SETTINGS Logging Level (Disabled / Events Only / Events & Received Characters / Events & All Characters): Specify the level of detail you require in the logs. Logs may also be sent to a Syslog server. Other settings to consider are: "GLOBAL SERIAL PORT SETTINGS”...
  • Page 70: Configure Single Sessions For Ports

    CONFIGURE SINGLE SESSIONS FOR PORTS Single Session Port Config, or Single Session is a feature that can be enabled on a given port to prevent multiple users from connecting to that port or limit the port to a single concurrent connection. This feature is port-specific and is disabled by default. This feature needs to be enabled on a port-by-port basis.
  • Page 71 When the Single Session feature is enabled and the port is in use, if a subsequent user attempts to connect to the port, the connection is declined, and the second user will receive the message: Unable to connect. Another session is currently active. Please disconnect from the current session before attempting to connect again.
  • Page 72: In Config Shell

    IN CONFIG SHELL The Single Session feature can be enabled or disabled by editing the single_session field of a port. When a user with port-level Administrator access is logged in via pmshell, the port configuration menu can be accessed from any port by pressing the escape character (~ by default) followed by c (~c).
  • Page 73

    logging_level disabled
    mode consoleServer
    parity none
    pinout
    portnum 1
    single_session false
    stopbits 1
    control_code (object)
      break ""
      chooser ""
      pmhelp ""
      portlog ""
      power ""
      quit ""
    ip_alias (array)
    The feature is enabled by typing single_session true, then apply the change.
    config(port port01): single_session true
    config(port port01):...
  • Page 74: Single Session Behavior

    SINGLE SESSION BEHAVIOR The following table describes single session feature behavior in various circumstances. What occurs if users are connected to the port with the feature disabled, then the feature is enabled while users are still connected? Users who are already connected will continue to be able to use the port.
  • Page 75: Configure Raw Tcp Access For Serial Ports

    This feature should only be used on a secure network. Note: Raw TCP access is disabled by default on Opengear devices. Users must enable Raw TCP access on a serial port through the WebUI, Config CLI or ogcli.
  • Page 76: Service Implementation

    SERVICE IMPLEMENTATION Raw TCP access allows you to access serial ports on a device directly by connecting to a TCP port in the range 40XX. In order to achieve Raw TCP access, you first need to allow TCP packets through port 4002 in the firewall: Navigate to the Firewall Management page in the WebUI.
  • Page 77: WebUI Configuration

    WEBUI CONFIGURATION Raw TCP access can be enabled or disabled on a selected serial port through the WebUI. When looking at the serial port access page, the enabled/disabled status of Raw TCP access is visible under the Other Settings tab for each serial port. In the WebUI, navigate to Access >...
  • Page 78: Config CLI Configuration

    At the Edit Serial Port page, scroll down the page to see the Raw TCP settings: To Enable Raw TCP, click the Enabled button then click Apply at the bottom of the page. A confirmation message is flagged when Raw TCP is successfully enabled.
  • Page 79

    parity none
    pinout X2
    portnum
    raw_tcp false
    single_session false
    stopbits 1
    control_code (object)
      break ""
      chooser ""
      pmhelp ""
      portlog ""
      power ""
      quit ""
    ip_alias (array)
    To enable Raw TCP access:
    config(port port02): raw_tcp true
    config(port port02): apply
    Updating entity port item port02.
    To disable Raw TCP access:
    config(port port02): raw_tcp false
    config(port port02): apply...
  • Page 80: Ogcli Configuration

    OGCLI CONFIGURATION To enable Raw TCP access on a port through ogcli, users can use ogcli update to set raw_tcp to true on the target port (the device information in the ogcli command below is shown as an example):
    root@om2216-l-tp1-p3:~# ogcli update port port02 raw_tcp=true
    To disable Raw TCP, set raw_tcp to false on the target port:
    root@om2216-l-tp1-p3:~# ogcli update port port02 raw_tcp=false
    You can check that the socket is active by running:...
  • Page 81: Autodiscovery Enhancements

    Syslogging enhancement assists in the diagnosis of common issues (for example, no communications, or hostname failed validation). Autodiscovery does not collect a hostname when there is a communication issue between the console server and the target device. The logs are saved for the last-run instance of autodiscovery. The UI displays error messages and logs with the reason for autodiscovery failure, for example: Authentication failed.
  • Page 82: Cancel Autodiscovery

    Options: --username, --password, --apply-config, --no-apply-config, --auth-timeout, --hostname-pattern. The --username and --password options can also be configured via the WebUI under Optional Credentials. If the values are provided (optional), they will be used to attempt login to obtain the hostname of a downstream serial device. You can only specify a single username and/or password to try on all devices.
  • Page 83: Retrieve Port Discovery Logs

    The Schedule Autodiscovery window allows you to select the ports and specify a time and period for port detection to run. Activate the schedule by clicking on the Enabled button. The Serial Port Autodiscovery Page: RETRIEVE PORT DISCOVERY LOGS At the top-right of the UI window, click on the Log File red text to retrieve the port discovery logs or by clicking on the...
  • Page 84 Port Discovery Log File Example: Serial Ports 24.11.3...
  • Page 85: Local Management Consoles

    LOCAL MANAGEMENT CONSOLES Note: Applies to OM2200 Devices only. Not applicable to OM1200. This feature allows Administrators to log in and configure the OM via the RJ-45 or USB ports on the device. You can edit settings or disable the local RJ45 serial console (Cisco straight -X2 pinout) and the USB serial console (needs user supplied micro-USB to USB-A cable).
  • Page 86 Note: Enabling Kernel Debug Messages can only be applied to a single serial management console. To disable a local management console: Click CONFIGURE > Local Management Consoles. Click on the Disable Management Console Port button under Actions next to the console you wish to disable. Local Management Consoles 24.11.3...
  • Page 87: Lighthouse Enrollment

    LIGHTHOUSE ENROLLMENT Opengear appliances can be enrolled into a Lighthouse instance, providing centralized access to console ports, automation, and central configuration of Opengear devices. Lighthouse central management uses persistent, public-key-authenticated SSH tunnels to maintain connectivity to managed console servers.
  • Page 88 Tip: The same token will be entered in the NEW LIGHTHOUSE ENROLLMENT page of the Operations Manager. Enroll your Operations Manager in this Lighthouse instance: Click CONFIGURE > Lighthouse Enrollment 3. Click on the Add Lighthouse Enrollment button on the top-right of the page. The New Lighthouse Enrollment page opens.
  • Page 89: Manual Enrollment Using The CLI

    SERVICE PORTAL (LSP) Lighthouse Service Portal (LSP) is an Opengear solution that enables Operations Manager nodes (OM1200 and OM2200) to perform a zero-touch call home and automatic enrollment into a customer's Lighthouse instance of choice. Note: LSP is not configurable and cannot be added in-field.
  • Page 90 CA running in AWS. An accompanying certificate is stored in the secure Trusted Platform Module (TPM). If there are no connectivity issues, the LSP status LED (cloud on OM2200) state changes progressively from amber flashing (LSP is running) to green flashing (Lighthouse is connecting) and then green solid (Lighthouse connected successfully).
  • Page 91: LSP Commands

    LSP COMMANDS LSP is run by a systemd service and can be controlled by systemctl commands which are self-explanatory:
    systemctl start lsp
    systemctl stop lsp
    systemctl enable lsp
    systemctl disable lsp
    The systemd service also checks for the absence of a file /var/lib/lsp/.lsp-disabled before it will actually run the service.
  • Page 92: LSP Logging & Errors

    Message: ...LSP. Opengear Support Required! Meaning: ...Opengear Support. It may require an RMA. Message: No existing Lighthouse enrollment found, proceeding with... Meaning: No existing Lighthouse is configured, LSP is able to proceed.
  • Page 93: Exit Codes

    Message: LSP Docker container has finished executing. Meaning: The docker container has finished. Message: Configuring Lighthouse enrollment. Meaning: Lighthouse enrollment configuration has started. Message: Lighthouse enrollment configuration applied successfully. Meaning: Lighthouse enrollment configuration has completed. Message: No Internet connectivity. Meaning: The device has no Internet connectivity and does not have a cellular modem, LSP will retry in 60s.
  • Page 94 ...The device is not an LSP node. EXIT_RETRY: LSP failed, but will retry. EXIT_UNRECOVERABLE_ERROR: LSP failed but will not succeed, support is required. EXIT_STOP: LSP has stopped during execution. It can be started manually. Lighthouse Enrollment 24.11.3...
  • Page 95: Playbooks

    PLAYBOOKS Playbooks are configurable systems that periodically check if a user-defined Trigger condition has been met. Playbooks can be configured to perform one or more specified Reactions when a specific trigger event occurs. The Playbook Landing Page: CREATE OR EDIT A PLAYBOOK CONFIGURE >...
  • Page 96: Trigger Section

    TRIGGER SECTION: Callout # Field Required Information Name Enter a meaningful name that will help other users understand the purpose of this playbook instance. Playbooks 24.11.3...
  • Page 97 Description Enter a detailed description of the playbook. Status Enable or Disable this playbook instance. Interval The interval, in seconds, of the frequency that this playbook is repeated. Trigger Type A drop-down selector for the trigger type for this playbook instance (see "Trigger Types:"...
  • Page 98: Trigger Types

    TRIGGER TYPES: Trigger Reaction Description CLI Log in Triggers upon Login or Logout events. Select either or both. CLI Log in Failure Monitor the terminal and trigger on failed user log in attempts. Cell Connection Triggered whenever the cellular connection state changes.
  • Page 99: Action Section

    Network Settings - Monitors network interfaces for specific attributes and triggers a user-defined response when they change. Ping - Periodically pings an address and triggers a user-defined response upon failure. Serial Login - Monitors selected serial ports and triggers a user-defined reaction upon user login and logout events. Serial Pattern - Monitors serial ports and triggers a reaction when data matching a pattern is received on specific ports.
  • Page 100 4. To monitor current Playbooks, click on the Monitor > Triggered Playbooks menu (shown below). Select the time period if desired and filter by Name of Playlist to view any that have been triggered.
  • Page 101: Pdus

    PDUS One or more Power Distribution Units (PDUs), both Local and Remote, can be monitored. To add information for a PDU, select Configure > PDUs. ADD AND CONFIGURE A PDU PDU configuration definitions are provided in the "PDU Settings Table" on the next page.
  • Page 102: Pdu Settings Table

    6. Click on the Configure Outlets link, assign a port for each of the PDUs' ports and enter a meaningful name for each outlet. 7. When you are finished, click Apply. A green banner confirms your settings. PDU SETTINGS TABLE PDU Settings Label Enter a meaningful label that will easily identify the...
  • Page 103: Pdu Operation

    Username - Enter the Username to use when connecting. Password - User password to use when connecting to the device. Remote Mode Only: Address - The remote address of the PDU. SNMP Protocol - Click the drop-down arrow and select the correct transport protocol used to communicate with the PDU.
  • Page 104 power-up cycle.
  • Page 105: System Alerts

    SYSTEM ALERTS Tip: For more detailed information about configuring SNMP Alerts see the individual topic pages that follow. System Alert Managers can be added or deleted under Configure > System Alerts for the following: "System Alerts - General" on the next page: Covers notification for the following causes.
  • Page 106: System Alerts - General

    SYSTEM ALERTS - GENERAL AUTHENTICATION Provides notification when a user attempts to log in via SSH, REST API, or the device's serial ports. An alert is sent regardless of whether the login has succeeded or failed. Navigate to Configure > System Alerts > General > Authentication. Click on the Enabled button to activate the function.
  • Page 107: System Alerts - Power

    SYSTEM ALERTS - POWER The PSU is one of the most critical parts of the Operations Manager, so it is essential to ensure that the PSU is operating within its design tolerances. When voltage SNMP alerts are enabled, network operators are immediately notified of PSU failures (subject to network connectivity and latency).
  • Page 108: Syslog Alert Severity

    Note: The Disabled button deactivates the power syslog function, and power alerts are stopped until it is activated again. SYSLOG ALERT SEVERITY For the Power Lost alert, click the drop-down list and select the severity level required (default level is 3 - ERROR) when the power level is outside the pre-set range.
  • Page 109: System Alerts - Temperature

    SYSTEM ALERTS - TEMPERATURE It is essential to ensure that the system is operating within its design temperature as premature aging of the component can occur if the appliance is excessively hot during operation. This can lead to component failure and ultimately result in RMA. When temperature SNMP alerts are enabled (Alerting), network operators are immediately notified (subject to network connectivity and latency) should the PSU begin operating outside user-defined temperature tolerances.
  • Page 110 In this image, if any temperature sensor reports the system temperature (measured at System Temperature 1 and System Temperature 2 sensors) to be less than 36 degrees C or greater than 67 degrees C, an SNMP alert will be triggered. Tip: The temperature display is automatically converted to Fahrenheit.
  • Page 111: System Alerts - Networking (Connection Status)

    SYSTEM ALERTS - NETWORKING (CONNECTION STATUS) The alert related to this functionality is the Network Connection Status, which sends an alert when cell signal strength leaves or re-enters a user-defined range, or when the network link state changes. A slider adjusts the upper and lower signal strength limits.
  • Page 112 Click Apply. The Details Saved banner confirms your settings. When an event occurs that causes the signal strength to re-enter the user-defined range, an SNMP alert will be triggered. In the above image, if any anomaly occurs that causes the signal strength to drop below 33 or rise above 66, an SNMP alert will be triggered.
  • Page 113: Network Connections

    NETWORK CONNECTIONS The Network Connections menu provides: "Network Interfaces" on the next page, "IPsec Tunnels" on page 152, "Static Routes" on page 157.
  • Page 114: Network Interfaces

    NETWORK INTERFACES The interface supports both IPv4 and IPv6 networks. The IP address of the unit can be set up for Static or DHCP. The following settings can be configured for network ports: IPv4 and IPv6, Static and/or DHCP; enabling or disabling network interfaces; Ethernet media types. For detailed information about Network Interface configuration and adding a new connection, see...
  • Page 115: Dual Sim

    DUAL SIM OM2200-L: CONFIGURE > NETWORK CONNECTIONS > Network Interfaces > WWAN0 - Cellular Interface (LTE) Operations Manager has been available for some time with support for two SIM cards/slots, whereby it is possible to designate which SIM slot is the Active SIM that is normally used by the OM for OOB communications (in Automatic failover mode this SIM is termed the Primary SIM).
  • Page 116 1. Navigate to Configure > Network Connections > Network Interfaces. 2. Click on the Cellular Interface (LTE) row. The information bar expands, and the page shows the current status of the active and inactive SIM cards. Note: If the unit does not have a cell modem (-L models), the cellular interface will not be visible.
  • Page 117: Installing A New Sim Card

    if the signal is below the lower threshold, Grey for 0 or not active. 5. Click the Refresh button to display the current signal strength of the active SIM. Note: When the Refresh button is clicked, the signal strength is only updated for the active SIM.
  • Page 118: Select The Active Sim (Manual Failover Mode)

    Connect the RJ11 cable to the RJ11 port at the rear; you will hear or feel a slight click when it is correctly inserted. The modem is configured at the WebUI. SELECT THE ACTIVE SIM (MANUAL FAILOVER MODE) Switching the active SIM must be done manually. To switch the Active SIM: 1.
  • Page 119: Select The Primary Sim (Automatic Failover Mode)

    Note: During the change-over the current IP address is hidden and then returned when the modem re-connects. 5. If required, you can monitor the interface during the changeover via the CLI with the command: watch ip address show dev wwan0 You can also set the SIM settings by expanding the menu for each SIM to set the APN.
  • Page 120 3. Ensure the cellular interface is enabled by clicking the Enabled button. 4. Under Cellular SIM Failover click the Enabled button; this will display the Primary selection buttons.
  • Page 121 1. Click the Primary button of the SIM selected to be the primary SIM. 2. Select the required Failback Policy for the failback SIM and complete the failback policy details: 3. Click the Confirm button at the bottom of the page. A green banner will appear to confirm that the new settings have been saved.
  • Page 122: Dual Sim Failover

    DUAL SIM FAILOVER OM2200-L: CONFIGURE > NETWORK CONNECTIONS > Network Interfaces > WWAN0 - Cellular Interface (LTE) > Edit Operations Managers that carry two SIM cards can be configured so that either SIM card slot may be activated. In failover mode, either of the two SIM cards may be designated as the Primary SIM.
  • Page 123: Failover Modes

    FAILOVER MODES Features of Failover include: Select Enabled SIM failover. Specify SIM failback policy (applicable when the Ethernet connection and primary SIM are both down): Never - The node never switches back to the Primary. Delayed (specified in minutes) - The node switches back to primary after a pre-defined time has elapsed.
  • Page 124: Activate Or Configure Failover

    Failover settings are per SIM slot and consist of a failover and failback ping test. ACTIVATE OR CONFIGURE FAILOVER OM2200-L: CONFIGURE > NETWORK CONNECTIONS > Network Interfaces > WWAN0 - Cellular Interface (LTE) > Edit Navigate to the Cellular Interface page at: CONFIGURE > NETWORK CONNECTIONS >...
  • Page 125: Cellular Interface Policy Settings

    Select the Enabled failover option. Ensure the correct SIM card is selected as the Primary SIM (see 'Set Primary SIM' in "Dual SIM" on page 115). Complete the Cellular Interface options in accordance with the table below. Click Confirm to activate the failover policy settings; a green banner will confirm the settings are enabled.
  • Page 126 Consecutive test failures before failover - The number of times a probe must fail before the connection is considered failed. Failback Policy (Never / Delayed / On Disconnect) - Select the policy to be used to determine Failback recovery from the Secondary SIM Card back to the Primary SIM Card.
  • Page 128: Cellular Modem Firmware Upgrade

    Opengear or use a carrier that is not supported by the standard cellular modem firmware.
  • Page 129: Cell-Fw-Update Help

    The 'defer if failed over' feature provides some protection. CELL-FW-UPDATE HELP
  • Page 130: Update Local File List And Download Latest Firmware Files

    UPDATE LOCAL FILE LIST AND DOWNLOAD LATEST FIRMWARE FILES This procedure will update the local file list and download the latest firmware files. Note: cell-fw-update can be run directly from a CLI shell as root and requires no configuration. You can combine this update action with the following download operation by providing both -u and -d simultaneously.
  • Page 131: List Supported Carriers

    copy - localfiles.txt copy - localdb.txt copy - SHA1SUMS Note: The cell-fw-update -u and cell-fw-update -d commands may be run separately. LIST SUPPORTED CARRIERS The resulting carriers shown below are for example only (local results may vary). root@om2216-l:~# /etc/scripts/cell-fw-update -l att AT&T docomo DoCoMo generic Generic kddi KDDI...
  • Page 132: Automatic Firmware Update For Current Carrier

    Specify a firmware set to download to the modem. This allows you to update the modem with a specific firmware set instead of one provided by Opengear FTP. The path to the firmware set specified must be relative to the directory /mnt/nvram/cellfw/.
  • Page 133 root@om8148-10g-tp2-p35:~# cell-fw-update --unsafe -m SWIX65C_02.13.08.00.cwe -m SWIX65C_02.13.08.00_GENERIC_030.047_001.nvu Waiting for clients to stop using the modem... The modem is now locked === INFO === The modem is locked by client cellfw No clients want to use the modem UIM failover status is disabled Active UIM slot is 1 (ICCID: 89610180003137049629) Operator is telstra corp.
  • Page 134: Modem Update Troubleshooting Guide

    FW info from modem: Model ID : EM7565 FW Version : SWIX65C_02.13.08.00 Carrier Name : GENERIC Carrier PRI Revision: 030.047_001 Firmware download process completed successfully. INFO: QDL Port: /dev/wwan0qdl0 INFO: Device Path: /dev/wwan0qmi0 INFO: FW Path: /tmp/cell-fw-update.4045 Waiting for modem to disconnect from the host ... Modem disconnected from host.
  • Page 135: Determine If Modem Is Ready & Available

    DETERMINE IF MODEM IS READY & AVAILABLE The service ModemManager is an essential dependency for all cellular modem operations. Please ensure it is running. root@om8196-10g:~# systemctl start ModemManager If the modem is running correctly, it should be detected by ModemManager within 60 seconds of the service starting.
  • Page 136 root@om2216-l:~# ps aux | grep cell root 122965 0.2 0.0 4780 3992 pts/0 S+ 23:42 0:00 /bin/bash /usr/bin/cell-fw-update -aud root 125966 0.0 0.0 3332 1756 pts/1 S+ 23:47 0:00 grep cell The following example shows that there is no upgrade running: root@om2216-l:~# ps aux | grep cell-fw root 126417 0.0 0.0 3332 1776 pts/1 S+ 23:48 0:00 grep cell-fw
  • Page 137: Bonds And Bridges

    BONDS AND BRIDGES BONDS Network bonds allow combining two or more network interfaces together into a single logical "bonded" interface for load balancing, redundancy or improved performance, depending on the bond mode used. Definitions of the bond details are given in the Bond Form Definitions table later in this topic.
  • Page 138: Edit An Existing Bond

    5. Click the Create button to finalize the creation of the new bond. Network connections from non-primary interfaces will be deleted when the new bond is created. EDIT AN EXISTING BOND To edit an existing bond: 1. Navigate to the Configure > Network Connections > Network Interfaces page on the WebUI.
  • Page 139 the bonded interface is dispersed over the real interfaces. Available modes are: Round Robin Balancing - Packets are sequentially transmitted/received through each interface, one by one. Active Backup - If the active secondary interface is changed during a failover, the bond interface’s MAC address is then changed to match the new active secondary’s MAC address.
  • Page 140: Bridges

    quency in milliseconds. This determines how often the link state of each secondary is inspected for link failures. A value of zero will disable MII link monitoring. Network Interface Selection - Click the checkbox of each network interface you want to include in the bridge.
  • Page 141: Create A New Bridge

    Operations Manager models with an integrated switch (OM1204-4E, OM1208-8E and OM2224-24E) have a bridge configured by default that includes all switch ports, which can be edited or deleted as required. Definitions of the bridge details are given in the Bridge Form Definitions table later in this topic.
  • Page 142: Edit Bridge - Form Definitions

    1. Navigate to the Configure > Network Connections > Network Interfaces page on the WebUI. 2. Click on the bridge that you would like to edit; the bridge details are expanded. Click on the bridge Edit button that is located next to the Enable / Disable toggle buttons.
  • Page 143 interfaces that are not part of another bond or bridge. Bond interfaces can be included in a bridge by using the ogcli tool. See Support for Bonds in Bridges in the Knowledge Base. Primary Interface Select the interface that is to be used for selecting the MAC address of the aggregate.
  • Page 144: Spanning Tree Protocol

    SPANNING TREE PROTOCOL Spanning Tree Protocol (STP) allows an Operations Manager to discover and eliminate loops in network bridge links, preventing broadcast radiation and allowing redundancy. When STP is implemented on switches to monitor the network topology, every link between switches, and in particular every redundant link, is cataloged. The spanning-tree algorithm blocks forwarding on redundant links by setting up one preferred link between switches in the LAN.
  • Page 145: Bridge With Stp Enabled - Ui

    BRIDGE WITH STP ENABLED - UI CONFIGURE > NETWORK CONNECTIONS > Network Interfaces > Select the target interface > New Bridge page 1. In the Network Interfaces page, click the Create New Bridge button. 2. Click to select the Enable Spanning Tree Protocol option. BRIDGE WITH STP ENABLED - OGCLI admin@om2248:~# ogcli get physif system_net_physifs-5 bridge_setting.id="system_net_physifs-5"...
  • Page 146: Bridge With Stp Disabled - Ogcli

    BRIDGE WITH STP DISABLED - OGCLI admin@om2248:~# ogcli update physif system_net_physifs-5 bridge_setting.stp_enabled=false bridge_setting.id="system_net_physifs-5" bridge_setting.stp_enabled=false description="Bridge" device="br0" enabled=true id="system_net_physifs-5" media="bridge" name="init_br0" slaves[0]="net2.3"
  • Page 147: Configure A Vlan

    CONFIGURE A VLAN The OM Series has flexible Ethernet capabilities, including support for VLANs. More specifically, it supports 802.1Q VLAN tagging to allow a trunked connection into an external switch or other device. It also supports the Linux logical "bridge group" feature which is the ability to group physical and virtual interfaces together.
  • Page 148 router. A VLAN is mainly used to form groups among the hosts regardless of where the hosts are physically located. In a bigger network, the configured VLANs with interfaces assigned as access and trunk ports on switches could look like this: Switch Ports For models with built-in switch ports, by default these are configured in a single bridge group called "Switch", which effectively puts all the switch ports into one...
  • Page 149 In order to communicate with an Ethernet interface, VLAN or bridge group, the OM must have a configured IP address on what is called a connection or "conn". This is similar in concept to a layer 3 subinterface or virtual interface on other networking equipment.
  • Page 150 Configure OM Switch Ports as VLAN access ports (untagged ports) To map the OM switch ports as "Access Ports" into a trunked VLAN, the OM uses a Bridge Group to join the switch port(s) to the same Layer 2 bridge domain as the VLAN subinterface, effectively bridging them together.
  • Page 152: Ipsec Tunnels

    (sometimes referred to as host to site, or host to host). IPsec does not make a formal distinction between initiator and responder, however the Opengear OM can both initiate tunnels (as the "initiator") and have other devices initiate tunnels to it (as a "responder").
  • Page 153: Name And Status

    NAME AND STATUS 3. In the Name section of the page, give your new tunnel a unique name and click the Enabled button. 4. Set the Console Server to be the Initiator or Responder. Note: When Initiator is selected, the node will actively initiate the tunnel by sending IKE negotiation packets to the remote end.
  • Page 154: Authentication

    6. Select the Algorithm Proposal. This is a set of algorithms used for negotiation when attempting to establish the IPsec tunnel. By default, the node will attempt to negotiate the tunnel using a list of common algorithms which are considered safe. Alternatively, a set of default proposals that guarantee Perfect Forward Secrecy (PFS) can be selected.
  • Page 155: Addressing

    ADDRESSING 13. Enter the Local Address to be used as the source address of the tunnel. If left blank, IPsec will automatically use a default. 14. Enter a Local Subnet. Specify local traffic to be tunneled. When no subnets are specified, only traffic originating from this device will be tunneled.
  • Page 156: Enable The Ipsec Tunnel

    Delay - the time interval between polling the peer (default is 60 seconds). Timeout - the waiting time before deciding that a peer connection is not live (default is 90 seconds). Action - the action to be performed when a connection times out (default is Restart).
  • Page 157: Static Routes

    STATIC ROUTES Static routes are predefined paths that traffic can be configured to take through the network for purposes such as security, cost or to override the default route. The list of configured static routes is displayed in a table with their current status indicated by the status column.
  • Page 158: Configure Static Routes

    Status / Meaning: The network interface has no active connections - The route cannot be installed as there are no active connections on this interface. CONFIGURE STATIC ROUTES On the Static Routes page, you can add, edit, or delete static routes. Note: Only basic validation is performed when static routes are saved. Check the status column to ensure your route is installed and working correctly.
  • Page 159: Edit A Static Route

    Destination Default Address Metric IPv4 IPv6 1024 Click the Apply button to save the changes. If the changes are saved successfully you are returned to the Static Routes list page. If there is an error with the configuration and the route fails to install, a red banner is displayed.
  • Page 160: Manage Static Routes Via Command Line

    Click Yes to confirm the action. If the route was removed from the routing table as expected, a green success banner is displayed. MANAGE STATIC ROUTES VIA COMMAND LINE Administrative users can also view the status and perform configuration of static routes via the command line interface.
  • Page 161 Description / Command: Get static route configuration via ogcli - ogcli get static_routes. Create static route via ogcli - ogcli create static_route << END destination_address="1.1.1.1" destination_netmask=32 gateway_address="1.1.1.1" interface="net1" metric=0. Update static route via ogcli - ogcli update static_route "1.1.1.1" << END interface="net2" metric=100. Delete static route - ogcli delete static_route "1.1.1.1"...
  • Page 162: Network Resilience

    NETWORK RESILIENCE Under the NETWORK RESILIENCE menu, you can manage Out-of-Band (OOB) and IP Passthrough settings.
  • Page 163: Out-Of-Band Failover

    OUT-OF-BAND FAILOVER Out-Of-Band (OOB) Failover detects network disruption via the probe interface, and automatically activates a cellular or Ethernet interface connection to re-establish network access. OOB failover requires an IPv4 address (in dotted decimal format), an IPv6 address, or a domain name which is always reachable and unlikely to change. When OOB failover is enabled, the node regularly pings this address, using the probe interface, to check for network connectivity.
  • Page 164 2. In the Failover Interface section, select the failover interface from the drop-down list. Configurable probe (failover from) and failover (failover to) interfaces are shown below: NET1 - the default probe interface. Cellular - the default failover interface for cellular-capable models. NET2 - the default failover interface for non-cellular models.
  • Page 165: Dns Queries On A Dormant Failover Interface

    Note: The shortcut button Enabled/Disabled is disabled or removed when an interface is in active failover. DNS QUERIES ON A DORMANT FAILOVER INTERFACE The Dormant DNS option allows DNS queries on the failover interface to be disabled in normal operation so that DNS queries can be paused. The option configures how the DNS name servers and search domains configured for the failover interface are used by the system.
  • Page 166: Oob Failover Types & Failover Behavior

    OOB FAILOVER TYPES & FAILOVER BEHAVIOR Failover Mode Setting / Interface / Description (settings: Disabled, Enabled, Always up). Disabled - When OOB Failover is disabled, the default outgoing interface cannot be specified; the default route is selected automatically. Outbound network connections (e.g. VPN client tunnels, SNMP alerts) are established according to the main static...
  • Page 167 tunnels, SNMP alerts) are established or re-established over network or cellular connection during failover. The advantage of this mode is the secondary connection is completely inactive during normal operation which may be advantageous where the goal is to keep the interface off the Internet as much as possible, e.g.
  • Page 168 cedence over the failed “probe” interface. Outbound network traffic (e.g. VPN client tunnels, SNMP alerts) are established or re-established over the network or cellular connection during failover. The advantage of this mode is the network or cellular connection is available for inbound out-of-band access during normal operation.
  • Page 169: Ip Passthrough

    IP PASSTHROUGH Nodes with dialout support and an Ethernet port can enable a special DHCP service called IP Passthrough. When IP Passthrough is enabled, other devices (e.g. the "passthrough target" or "downstream host") that are plugged into the Ethernet port will operate as if they are directly connected to the dialout network.
  • Page 170: Service Intercepts

    SERVICE INTERCEPTS Tip: When IP Passthrough is enabled, access to this node directly via the cellular interface will no longer work. You can configure specific ports below which will be redirected to this node instead of the downstream device. Enter the port number that is to be used for HTTPS Intercepts. Enter a port to be redirected to this node's SSH service.
  • Page 171 When you have completed the IP Passthrough Settings and Service Intercept form, ensure the IP Passthrough status is set to Enabled, then click Apply.
  • Page 172: User Management

    USER MANAGEMENT Under the User Management menu, you can create, edit, and delete groups and users, as well as assign users to groups. You can also set up remote user authentication.
  • Page 173: Groups

    GROUPS Groups are used to grant privileges to users. When a user is a member of a group, defined privileges may be granted to the group by an Administrator. When editing a group, the (authorized) user selects from a list of devices, all of which are under the heading SERIALLY CONNECTED DEVICES.
  • Page 174: Defined Access Rights

    A User inherits all Access Rights from all the Groups they are a member of. Some features may require the user to hold multiple access rights to access the feature through a specific interface. For example, a user needs the “right to use the web UI”...
  • Page 175: Admin Access Rights (Admin)

    only to those that are added to the same group containing the pmshell rights. Restricted CLI. Port Config - Permits access to configure serial ports. This access right gives the holder the ability to configure serial ports. This right does not give the holder the ability to access the serial port.
  • Page 176: Portmanager Shell Access Rights (Pmshell)

    log into the WebUI. see a listing of serial ports (The “Access → Serial Ports” menu item). edit a restricted set of user configuration such as changing their own password. PORTMANAGER SHELL ACCESS RIGHTS (PMSHELL) Any user who was previously a Console User role now inherits the pmshell access rights and there are no functional changes for this user.
  • Page 177: Configure > Serial Ports View

    CONFIGURE > SERIAL PORTS VIEW The Configure Serial Ports page is accessible to users with the port_config and web_ui access rights, and appears in the navigation sidebar menu. This page lists the ports for which the user has both port_config and web_ui access rights. Tip: It is possible to edit all details on these ports, however, changing the “mode”...
  • Page 178: Protected Groups And Users

    PROTECTED GROUPS AND USERS Certain types of groups and users have protected status, meaning that they cannot be changed or deleted. Protected groups comprise the following: root - The root user is a hard-coded member of the Admin group. As such, the root user cannot be deleted.
  • Page 179 Group Name: Accounts Admin / Port #03 User. Access Rights: port_config, web_ui / pmshell, web_ui. Serial Ports: port-01, port-02 / port-03. The following table shows the effective rights for a user in one or both of those groups, Accounts Admin and Port #03 User. It shows how access rights assigned to one group only apply to the serial ports assigned to that same group:...
  • Page 180 Access port-02 Access port-03 Note: Note the highlighted cell; a user with pmshell access to port-03 (from the Port #03 User group) does not also get port_config for that port, even though that access right is inherited from the Accounts Admin group. The access rights of a group only apply to the serial ports in that same group.
  • Page 181: Create A New Group

    CREATE A NEW GROUP 1. Select CONFIGURE > USER MANAGEMENT > Groups. Add a new group. admin Click on the group name to edit an existing group. In the EDIT GROUP window - Enable/Disable an existing group. Grant administrative access rights and full control of this console, and all attached devices, to all users of this group.
  • Page 182 2. Click the Add New Group button. The CREATE GROUP page opens. 3. Enter a Group Name, Description, and set Admin Access to Enabled or Disabled. Specific access rights can be selected in the ACCESS RIGHTS area. Note: Group Name is case sensitive. It can contain numbers and some alphanumeric characters.
  • Page 183: Edit An Existing Group

    Click the Submit button to save the group. After creation, group Status and Admin Access may be enabled or disabled from the CONFIGURE > USER MANAGEMENT > Groups > EDIT GROUP page. EDIT AN EXISTING GROUP 1. Select CONFIGURE > USER MANAGEMENT > Groups. 2.
  • Page 184: Local Users

    LOCAL USERS The Local Users feature allows a single point for the creation or management of local user accounts. The Local Users feature can use SSH authorized keys to control user access by using their local password; it is a point of control for: Authentication and authorization.
  • Page 185: Create A New User With Password

    Manage SSH Authorized Keys. Disable an existing user (or disable selected users). Delete a user (or delete selected users). CREATE A NEW USER WITH PASSWORD Note: Users are prevented from using the word “default” as their password. The factory default password automatically expires after a factory reset and users must choose a new password.
  • Page 186: Create A New User With No Password (Remote Authentication)

    CREATE A NEW USER WITH NO PASSWORD (REMOTE AUTHENTICATION) To create a new user with no password: Note: If a new user is created with no password, the user will fall back to remote authentication. 1. Select CONFIGURE > User Management > Remote Authentication 2.
  • Page 187: Manage Ssh Authorized Keys For A User Account

    The Edit Users dialog allows the user’s Description to be changed, Group Memberships modified, and the user’s Password to be reset. The username cannot be changed. To disable a user, uncheck the Enabled checkbox. Note: Users of disabled accounts cannot log in to the Operations Manager using either the Web-based interface or shell-based logins.
  • Page 188: Delete A User's Account

    5. To delete a key, click CONFIGURE > USER MANAGEMENT > Local Users and click the Manage SSH Authorized Key button for the user. 6. Click the Delete button next to the key you wish to remove. DELETE A USER'S ACCOUNT To delete a user's account: 1.
  • Page 189: Remote Authentication

    REMOTE AUTHENTICATION The Operations Manager supports three AAA systems. Select the remote authentication mode to be applied (the DownLocal or Local policy applies to all modes): "Configure RADIUS Authentication" on the next page, "Configure TACACS+ Authentication" on page 192, "Configure LDAP Authentication" on page 194. Navigate to CONFIGURE >...
  • Page 190: Configure Radius Authentication

    Tip: All fields in the Remote Authentication form have tooltips that provide additional information to assist with completing the form fields. CONFIGURE RADIUS AUTHENTICATION 1. Under CONFIGURE > User Management > Remote Authentication, select RADIUS from the Mode drop-down menu. Select the preferred Radius Remote Authentication policy to be applied: Radius DownLocal, or Radius Local (see the tips below).
  • Page 191 3. Enter the authentication Timeout value to apply. The timeout value specifies the number of seconds to wait for a response from the server before trying the next server. Note: The timeout value is global and applied to all authentication methods when you set the value on one authentication method.
  • Page 192: Configure Tacacs+ Authentication

    CONFIGURE TACACS+ AUTHENTICATION 1. Under CONFIGURE > USER MANAGEMENT > Remote Authentication, select TACACS+ from the Mode drop-down menu. Select the preferred TACACS+ Remote Authentication policy to be applied: TACACS+ DownLocal, or TACACS+ Local (see the tips below). Tip: TACACS+ DownLocal: Users are authenticated through their local account only if the remote AAA server is unreachable or down.
  • Page 193 Accounting server. However, one or more Accounting Servers can be specified. To disable Remote Accounting, select Disable. To enable Remote Accounting, select Enable. Click Apply. Note: For Cisco ACS, see Setting up permissions with Cisco ACS 5 and TACACS+ on the Opengear Help Desk. Remote Authentication 24.11.3...
  • Page 194: Configure Ldap Authentication

    CONFIGURE LDAP AUTHENTICATION 1. Under CONFIGURE > User Management > Remote Authentication, select LDAP from the Mode drop-down menu. 2. Select the preferred LDAP Remote Authentication policy to be applied: LDAP DownLocal, or LDAP Local (see the tips below for explanation). Tip: LDAP DownLocal: Users are authenticated through their local account only if the remote AAA server is unreachable or down.
  • Page 195: Configure Ldap Over Ssl

    4. Add the LDAP Bind DN. This is the distinguished name of a user with privileges on the LDAP system to perform the lookups required for retrieving the username of the users, and a list of the groups they are members of. 5.
  • Page 196 At the SSL section of the LDAP page select the required server protocol. Note: The default setting is LDAP only. Selecting 'LDAP over SSL' will use ldaps://server. Selecting 'LDAP over SSL preferred' will use both ldaps://server and ldap://server, so the bind can fall back to an unencrypted connection; choose 'LDAP over SSL' wherever the directory supports it so that bind credentials are never sent in the clear. Provide a CA Certificate by dragging the CA Cert file into the CA certificate drop box.
  • Page 197: Ldap And Ldaps Port Settings

    Note: The CA Certificate filename is shown correctly when the certificate is initially uploaded, but the filename is not stored; if the page is later revisited, the filename is always shown as “cacert.pem”. Click Apply to load and apply your settings. LDAP AND LDAPS PORT SETTINGS The default ports for LDAP and LDAPS are: LDAP: Port 389...
  • Page 198: Limitations For Ldaps Implementation

    LIMITATIONS FOR LDAPS IMPLEMENTATION UPGRADE LIMITATIONS Previously, the port for LDAP servers had a default value. When upgrading, this port is not cleared, so a port carried over from the old configuration stays in use. When enabling LDAP over SSL, it may be necessary to clear the port so that the LDAP over SSL default port can be used.
  • Page 199: Local Password Policy

    LOCAL PASSWORD POLICY A Password Complexity policy allows network Administrators to implement and enforce a password policy that meets the customers' security standards for local users (including root). This functionality enables Administrators to mandate the setting of complex passwords thus making it difficult for malicious agents to succeed in password attacks.
  • Page 200 Note: Users are prevented from using the word “default” as their password. The factory default password automatically expires after a factory reset and users must choose a new password. This password policy applies to the WebUI, Config Shell and CLI. Users configured on the system using software versions prior to 23.10 with password “default”...
  • Page 201: Set Password Expiration Interval

    SET PASSWORD EXPIRATION INTERVAL CONFIGURE > USER MANAGEMENT > Local Password Policy See also "Password Policy Implementation Rules" below Password Expiration schedules the expiry of passwords to enforce regular password updates. When this feature is applied and a password becomes expired, an expired password prompt is displayed at login.
  • Page 202 If there are existing user passwords when expiry is enabled, the expiry time is applied from when the password was initially set by the user. If a password falls outside the new expiry period, the user is immediately prompted to change the password.
  • Page 203 (e.g., #,$,%) (enabled/disabled separately). The password cannot contain your username. Complexity requirements apply when a user next tries to update their password. An Administrator can force the expiry of a user's password, so that the user must change it at next login, by running the following command from the CLI: passwd --expire {username}
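    The checker below is an added example, not Opengear's code: it models the rules this section lists (the word "default" is refused, the password must not contain the username, the complexity classes are toggled separately, and expiry is counted from when the password was set, so enabling expiry can expire an old password immediately). The minimum length and the 90-day expiry interval are assumed values, since the manual does not state them here.

```python
"""Local password policy checker (added example; policy values assumed)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class PasswordPolicy:
    min_length: int = 12             # assumed; the manual does not state the minimum here
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_special: bool = True     # manual: special characters enabled/disabled separately
    expiry_days: Optional[int] = 90  # assumed interval; None disables expiry


SPECIAL = re.compile(r"[^A-Za-z0-9]")


def check_password(password: str, username: str,
                   policy: PasswordPolicy = PasswordPolicy()) -> List[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if password.lower() == "default":
        problems.append('the word "default" is not permitted')
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    classes = [
        (policy.require_upper, r"[A-Z]", "no upper-case letter"),
        (policy.require_lower, r"[a-z]", "no lower-case letter"),
        (policy.require_digit, r"[0-9]", "no digit"),
    ]
    for enabled, pattern, message in classes:
        if enabled and not re.search(pattern, password):
            problems.append(message)
    if policy.require_special and not SPECIAL.search(password):
        problems.append("no special character (e.g. #, $, %)")
    return problems


def password_expired(set_at_iso: str, now_iso: str,
                     policy: PasswordPolicy = PasswordPolicy()) -> bool:
    """Expiry is measured from when the password was set, not from when
    the expiry feature was enabled, so an old password can expire at once."""
    if policy.expiry_days is None:
        return False
    set_at = datetime.fromisoformat(set_at_iso)
    now = datetime.fromisoformat(now_iso)
    return now - set_at >= timedelta(days=policy.expiry_days)
```

    Run check_password() against a candidate before a user submits it, and password_expired() against the stored set time to see which accounts will be prompted as soon as expiry is switched on.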
  • Page 204: Services

    SERVICES CONFIGURE > SERVICES The CONFIGURE > SERVICES menu lets you manage services that work with the Operations Manager.
  • Page 205: Fips Compliance

    CONFIGURE FIPS Enable FIPS mode at the CLI as follows:
    ENABLE FIPS
    ENABLE FIPS VIA CONFIG SHELL:
      root@<device name>:~# config
      Welcome to the Opengear interactive config shell. Type ? or help for help.
      config: system/fips
      config(system/fips): enabled true
      config(system/fips): apply
      Updating entity system/fips.
  • Page 206: Enable Fips Via Ogcli

    ENABLE FIPS VIA OGCLI:
      ogcli update system/fips enabled=true
    DISABLE FIPS
    DISABLE FIPS VIA CONFIG SHELL:
      root@<device name>:~# config
      Welcome to the Opengear interactive config shell. Type ? or help for help.
      config: system/fips
      config(system/fips): enabled false
      config(system/fips): apply
      Updating entity system/fips.
  • Page 207
      name: OpenSSL FIPS Provider
      version: 3.0.8
      status: active
    Check that the digest algorithms provided by OpenSSL are limited to FIPS-compliant algorithms. Entries tagged @ fips are supplied by the FIPS provider; entries tagged @ default come from OpenSSL's general-purpose default provider.
      root@<device name>:~# openssl list -digest-algorithms
      Provided:
      { 2.16.840.1.101.3.4.2.1, SHA-256, SHA2-256, SHA256 } @ default
      { 2.16.840.1.101.3.4.2.10, SHA3-512 } @ default
      { 2.16.840.1.101.3.4.2.8, SHA3-256 } @ default
      { 2.16.840.1.101.3.4.2.7, SHA3-224 } @ default
      { 2.16.840.1.101.3.4.2.2, SHA-384, SHA2-384, SHA384 } @ default...
  • Page 208: Considerations For Using The Fips Feature

      { 2.16.840.1.101.3.4.2.7, SHA3-224 } @ fips
      { 2.16.840.1.101.3.4.2.2, SHA-384, SHA2-384, SHA384 } @ fips
      { 2.16.840.1.101.3.4.2.3, SHA-512, SHA2-512, SHA512 } @ fips
      { 2.16.840.1.101.3.4.2.5, SHA-512/224, SHA2-512/224, SHA512-224 } @ fips
      { 2.16.840.1.101.3.4.2.12, SHAKE-256, SHAKE256 } @ fips
      { 1.3.14.3.2.26, SHA-1, SHA1, SSL3-SHA1 } @ fips
      { 2.16.840.1.101.3.4.2.9, SHA3-384 } @ fips
      { 2.16.840.1.101.3.4.2.11, SHAKE-128, SHAKE128 } @ fips
      { 2.16.840.1.101.3.4.2.4, SHA-224, SHA2-224, SHA224 } @ fips
      { 2.16.840.1.101.3.4.2.6, SHA-512/256, SHA2-512/256, SHA512-256 } @...
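    Reading the two listings by eye is error-prone on a long output, so the following added example (not Opengear's code) parses the `openssl list -providers` and `openssl list -digest-algorithms` formats shown above and reports any digest that no FIPS provider offers. The sample outputs are constructed text modelled on the manual's; MD5 is included deliberately so that a non-FIPS algorithm is flagged.

```python
"""Parse OpenSSL provider/digest listings to confirm FIPS-only digests (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set

# Constructed sample of `openssl list -providers` output.
PROVIDERS_SAMPLE = """\
Providers:
  base
    name: OpenSSL Base Provider
    version: 3.0.8
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.8
    status: active
"""

# Constructed sample of `openssl list -digest-algorithms` output.
DIGESTS_SAMPLE = """\
Provided:
  { 2.16.840.1.101.3.4.2.1, SHA-256, SHA2-256, SHA256 } @ default
  { 1.2.840.113549.2.5, MD5, SSL3-MD5 } @ default
  { 2.16.840.1.101.3.4.2.1, SHA-256, SHA2-256, SHA256 } @ fips
  { 1.3.14.3.2.26, SHA-1, SHA1, SSL3-SHA1 } @ fips
"""

LINE = re.compile(r"\{\s*([^}]*?)\s*\}\s*@\s*(\S+)")


class Digest(NamedTuple):
    oid: str
    names: List[str]
    provider: str


def fips_provider_active(text: str) -> bool:
    """True when an 'OpenSSL FIPS Provider' block reports status: active."""
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("name:"):
            current = line.split(":", 1)[1].strip()
        elif line.startswith("status:") and current == "OpenSSL FIPS Provider":
            return line.split(":", 1)[1].strip() == "active"
    return False


def parse_digests(text: str) -> List[Digest]:
    """Each listed line is '{ OID, name, alias, ... } @ provider'."""
    out = []
    for match in LINE.finditer(text):
        fields = [f.strip() for f in match.group(1).split(",")]
        out.append(Digest(fields[0], fields[1:], match.group(2)))
    return out


def providers_by_digest(text: str) -> Dict[str, Set[str]]:
    """Map each digest's primary name to the providers that offer it."""
    table = defaultdict(set)
    for d in parse_digests(text):
        table[d.names[0]].add(d.provider)
    return dict(table)


def non_fips_only(text: str) -> List[str]:
    """Digests offered only outside the FIPS provider; anything that
    depends on these is not running under FIPS-validated code."""
    return sorted(name for name, provs in providers_by_digest(text).items()
                  if "fips" not in provs)
```

    On a device, feed the real command output to fips_provider_active() and non_fips_only(); an empty list from the latter, together with an active FIPS provider, is the check this section asks for.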
  • Page 209 The following list gives, for each feature affected by FIPS mode, the affected process or service and the impact.
    Lighthouse enrollment (OpenVPN): OpenVPN is not compliant with FIPS standards; this is a recognized problem specifically when OpenSSL 3.x is being used. Once OpenVPN addresses this issue, it will also meet FIPS compliance standards. However, for compatibility with Lighthouse...
  • Page 210 ...ating FIPS mode to connect.
    Remote authentication (freeradius, tacacs, ldap): These are not FIPS compliant.
    chrony (NTP): Authenticated NTP servers with MD5 will not connect. Use an algorithm that is FIPS compliant.
    SNMP (ogtrapd, snmpd, snmptrapd): Authentication and Encryption should be used as the security policy, as V1 and V2 have no...
  • Page 211 See the note below: gre (Secure Provisioning).
    NetOps Modules (nom-ipaccess-lhvpn (IP access), nom-ag-lhvpn (Access Gateway)): Opengear NetOps Modules are not functional when FIPS mode is enabled.
    Note: SSH will require the cipher to be manually specified when FIPS is enabled, e.g.
  • Page 212 Routing protocols: Routing protocols (e.g. BGP) should not select an MD5 cipher.
  • Page 213: Brute Force Protection

    BRUTE FORCE PROTECTION A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until the one that works is found. Brute Force Protection offers an essential defense by automatically blocking access from offending source IP addresses once they exceed the permitted number of failed attempts.
  • Page 214: Viewing Current Bans

    The settings are (Field / Values / Description):
    HTTPS Protection: Enabled / Disabled. Enable Brute Force Protection for WebUI login attempts.
    Maximum failed attempts: Attempts: 3 (minimum); Time period in minutes: 1 (minimum). The number of failed access attempts permitted within the given time period before preventing access.
    Lockout period: 60 (minimum)...
  • Page 215: Managing Brute Force Protection Via Command Line

    MANAGING BRUTE FORCE PROTECTION VIA COMMAND LINE For more control over Brute Force Protection, administrative users can use the command line to configure the service and remove bans manually (Description / Command / Notes):
    Display Brute Force Protection configuration: ogcli get services/brute_force_protection
    Update Brute Force Protection configuration: ... (Notes: Ban time in...)
  • Page 216 ... find_time=1 https_enabled=false max_retry=4 ssh_enabled=true
    Un-ban an IP address: fail2ban-client unban <ipaddress>
    Un-ban all current bans: fail2ban-client unban --all
    List SSH bans: fail2ban-client status sshd (SSH protection must be enabled).
    List HTTPS bans: fail2ban-client status https (HTTPS protection must be enabled).
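    To see what a given max_retry / find_time / ban time setting does to real traffic before applying it, the following added example (not Opengear's code and not fail2ban itself) replays sshd failure lines against that rule: max_retry failures from one source within find_time minutes trigger a ban of ban_time seconds, during which further attempts from that source are ignored. The log lines are constructed, the year is assumed (syslog timestamps carry none), and the ban time unit is assumed to be seconds as in fail2ban; on a device the authoritative list is `fail2ban-client status sshd`.

```python
"""Replay sshd failures against a brute-force ban policy (added example)."""
import re
from collections import deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample: 203.0.113.5 fails four times in 20 seconds,
# 198.51.100.7 fails twice 51 seconds apart, 192.0.2.9 fails three times
# spread over ten minutes.
SAMPLE_LOG = """\
Jan 10 12:00:01 om2200 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51515 ssh2
Jan 10 12:00:04 om2200 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51515 ssh2
Jan 10 12:00:09 om2200 sshd[1203]: Failed password for root from 198.51.100.7 port 40022 ssh2
Jan 10 12:00:12 om2200 sshd[1204]: Failed password for root from 203.0.113.5 port 51520 ssh2
Jan 10 12:00:20 om2200 sshd[1205]: Failed password for root from 203.0.113.5 port 51521 ssh2
Jan 10 12:01:00 om2200 sshd[1206]: Failed password for root from 198.51.100.7 port 40030 ssh2
Jan 10 12:02:00 om2200 sshd[1207]: Failed password for operator from 192.0.2.9 port 3022 ssh2
Jan 10 12:06:00 om2200 sshd[1208]: Failed password for operator from 192.0.2.9 port 3023 ssh2
Jan 10 12:12:00 om2200 sshd[1209]: Failed password for operator from 192.0.2.9 port 3024 ssh2
"""

FAILURE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (?P<ip>\d+\.\d+\.\d+\.\d+) port"
)
YEAR = 2025  # assumed: syslog timestamps have no year


def parse_failures(log: str) -> List[Tuple[datetime, str]]:
    """Extract (timestamp, source IP) for every sshd 'Failed password' line."""
    events = []
    for line in log.splitlines():
        m = FAILURE.match(line)
        if m:
            when = datetime.strptime(
                f"{YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
            events.append((when, m["ip"]))
    return events


def simulate_bans(log: str, max_retry: int = 3, find_time_min: int = 1,
                  ban_time_sec: int = 60) -> Dict[str, datetime]:
    """Return {ip: time_of_first_ban} for each source that exceeds the policy.

    A sliding window keeps only failures younger than find_time; when it
    holds max_retry entries the source is banned and its later failures are
    skipped until the ban lapses (on the device the firewall drops them).
    """
    window: Dict[str, deque] = {}
    banned_until: Dict[str, datetime] = {}
    bans: Dict[str, datetime] = {}
    find_time = timedelta(minutes=find_time_min)
    for when, ip in parse_failures(log):
        if ip in banned_until and when < banned_until[ip]:
            continue
        q = window.setdefault(ip, deque())
        q.append(when)
        while q and when - q[0] > find_time:
            q.popleft()
        if len(q) >= max_retry:
            bans.setdefault(ip, when)
            banned_until[ip] = when + timedelta(seconds=ban_time_sec)
            q.clear()
    return bans
```

    With the WebUI minimums (3 attempts within 1 minute) only 203.0.113.5 is banned; lowering max_retry to 2 also catches 198.51.100.7, while the slow attacker at 192.0.2.9 is never caught because its attempts fall outside the window. That is the trade-off to keep in mind when choosing find_time.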
  • Page 217: Https Certificate

    HTTPS CERTIFICATE The Operations Manager ships with a private SSL certificate that encrypts communications between it and the browser. This default certificate is self-signed, so browsers will warn until you replace it with one issued by a CA they trust. To examine this certificate or generate a new Certificate Signing Request, select CONFIGURE > SERVICES > HTTPS Certificate. The details of the Current SSL Certificate are shown on the landing page.
  • Page 219: Network Discovery Protocols

    NETWORK DISCOVERY PROTOCOLS The Operations Manager displays LLDP/CDP Neighbors when enabled for a connection. See CONFIGURE > SERVICES > Network Discovery Protocols to enable/disable. The CONFIGURE > SERVICES > Network Discovery Protocols > LLDP/CDP NEIGHBORS page allows you to enable this service by clicking the Enabled checkbox.
  • Page 221: Routing

    WebUI and configured using standard Free Range Routing interfaces (e.g., vtysh). Note: Configuration set via vtysh (or other FRR interfaces) will need to be manually backed up in addition to a standard Opengear configuration export. DYNAMIC ROUTING To enable Dynamic Routing on the OM, navigate to the CONFIGURE > SERVICES >...
  • Page 222: Static Routing (Via The Ogcli)

    STATIC ROUTING (VIA THE OGCLI) To enable Static Routing on the OM, open an ogcli terminal by navigating to ACCESS > Local Terminal. STATIC ROUTING OGCLI HELP For Help on implementing a Static Route protocol via ogcli, enter the command: ogcli help static_routes CREATE STATIC ROUTE - EXAMPLE: ogcli create static_route <<...
  • Page 223: Static Routing Arguments

    STATIC ROUTING ARGUMENTS (Argument / Description)
    - Get a list of static routes.
    - create: Add a static route.
    - replace: Similar to the "Create Static Route" example given on the previous page. Creates a single static route by specifying its UUID, or a list of static routes. Overwrites existing routes.
    - delete: Delete all static routes.
  • Page 224: Ospf Configuration

    OSPF CONFIGURATION Open Shortest Path First (OSPF) is a link-state routing protocol used to discover routes on a network. It is used to dynamically adjust routes on the Console Server so that subnets connected to different interfaces can reach each other by routing through the Console Server.
  • Page 225: New Fields In Rest Api & Config Shell

    Routing OSPF WireGuard Tunnels If a firewall zone, policy or WireGuard tunnel is managed, this does not affect sister contexts, for example, if the WireGuard tunnel is managed, any other WireGuard tunnels configured separately by the user are not managed. However, there is only one OSPF configuration file and users will need to bypass the managed_by field in Config Shell in order to edit the configuration.
  • Page 226: Config Shell

          "redistribute_kernel": false,
          "interfaces": [],
          "neighbors": [],
          "networks": []
        }
      }
    CONFIG SHELL The services/routing OSPF context has new fields similar to the REST API:
      config(services/routing ospfd): show
      Entity services/routing field ospfd
        enabled                 false
        redistribute_connected  false
        redistribute_static     false
        router_id               ""
        interfaces (array)
        neighbors (array)
        networks (array)
    Field...
  • Page 227: Interfaces, Neighbors And Networks

    routes will be broadcast to OSPF neighbours. redistribute_static (true / false): Network routes can be statically defined (in OSPF, not the Linux kernel) by editing the ospfd.conf file or through vtysh. If this option is enabled, redistribute_static broadcasts any static routes that are managed by OSPF.
  • Page 228: Interfaces Context

    INTERFACES CONTEXT The services/routing OSPF interfaces context is an array in which each element holds the individual interface-related parameters for OSPF. Each interface has the following fields:
      Entity services/routing field ospfd interfaces 0
        auth_method  ""  (required)
        cost         ""
        priority     ...
  • Page 229: Neighbors Context

    manually in the range of 1 to 65535. priority The priority of a router on an OSPF interface mainly is used to determine the designated router/backup designated router (DR/BDR) for a network. OSPF forwards all messages to the designated router, reducing the amount of repetitive routing traffic on the network.
  • Page 230: Networks Context

    NETWORKS CONTEXT The services/routing OSPF networks context is an array where each element holds an IP network configuration on which the system OSPF service is enabled:
      config(services/routing ospfd networks): add
      config(services/routing ospfd networks 0): show
      Entity services/routing field ospfd networks 0
        address_with_mask ""  (required)
        area              ""...
  • Page 231 file for OSPF. If the first line contains only the text ! autogen, the configuration system will overwrite the file, otherwise, the configuration system will have no effect. To verify the OSPF configuration, the configuration file generated can be found in /etc/quagga/ospfd.conf: ! autogen ! This configuration file has been autogenerated.
  • Page 232: Confirm Ospf Neighbours

    line vty
    CONFIRM OSPF NEIGHBOURS Use the vtysh command line tool to see if OSPF neighbours have been discovered:
      root@<device name>-q:~# vtysh -c 'show ip ospf neighbor'
      Neighbor ID  Pri  State            Dead Time  Address   Interface          RXmtL  RqstL  DBsmL
      -            0    Attempt/DROther  33.007s    10.0.0.1  wg-smf-1:10.0.0.2  0      0      0
    (Where wg-smf-1 is a user-named interface.) A healthy adjacency shows the state Full; Attempt or Init means hellos are not yet being exchanged in both directions.
  • Page 233: Wireguard Configuration

    WireGuard. Refer to the WireGuard online tools index page: index : wireguard-tools
    Note: Opengear does not own or operate the WireGuard tools web page and is not responsible for its content or maintenance. The link is provided only for the reader's convenience.
  • Page 234 Provide a name for the interface (wg0 in the example below). Set enabled. Set the private_key of your WireGuard interface. Add an address (at least one) for your WireGuard interface (10.0.0.1/24 in this case). Add a peer with the following parameters: endpoint_address, endpoint_port, public_key.
  • Page 235: Config Shell Wireguard Configuration

      config(wireguard wg0 peers 0): endpoint_port 51820
      config(wireguard wg0 peers 0): up
      config(wireguard wg0 peers): top
    CONFIG SHELL WIREGUARD CONFIGURATION The following shows a typical WireGuard configuration in Config Shell:
      config: show wireguard wg0
      Entity wireguard item wg0
        description ""
        enabled true
        mtu 1420
        name wg0
        port 51820...
  • Page 236: Rest Api Wireguard Configuration

        post_up_hooks (array)
        pre_down_hooks (array)
        pre_up_hooks (array)
    REST API WIREGUARD CONFIGURATION The following shows the same WireGuard configuration as represented in the REST API. Note that the representation includes the interface's private_key, so treat API output and exports containing it as sensitive; the key shown here is a documentation sample and must never be reused.
      "wireguards": [
        {
          "enabled": true,
          "post_down_hooks": [],
          "id": "wireguard_tunnels-1",
          "pre_up_hooks": [],
          "post_up_hooks": [],
          "private_key": "AGiZvFHY+r/dD0rHSKU5ZCrHNdLM0W/h29VxobxWgFo=",
          "name": "wg0",
          "pre_down_hooks": [],
          "addresses": [
            "10.0.0.1/24"...
  • Page 237: Configurable Wireguard Fields

                "o+quB4sbUAG2hEGSPpMNTnO0YSaQTP7dD+Q4IVjiCW8=",
              "endpoint_address": "192.168.1.2",
              "endpoint_port": 51820
            }
          ]
        }
      ]
    CONFIGURABLE WIREGUARD FIELDS The WireGuard <interface-name> context holds the configuration for a WireGuard connection. The following fields can be configured (WireGuard Field / Description):
    description: This can be any user text to describe the WireGuard interface.
  • Page 238: Wireguard Context Sub-Objects

    only contain letters, numbers, hyphens or underscores. port The port the local instance of WireGuard will listen on. The range is 1 to 65535 and defaults to 51820. private_key The private key to use to authenticate the local WireGuard interface. This is obtained by running the wg genkey command.
  • Page 239: Peers

    PEERS The following list defines the WireGuard settings for WireGuard-capable remote peers. Each peer has the following fields:
      config(wireguard wg0 peers 0): show
      Entity wireguard item wg0 field peers 0
        endpoint_address ""
        endpoint_port    ""
        keep_alive       ""
        public_key       ""  (required)
        allowed_ips (array)  (required)
    (Peer Field / Description)
    endpoint_address...
  • Page 240: Hooks

    routes traffic. For multiple WireGuard interfaces on the same device, the addresses must not overlap. The IP addresses specified here are the addresses of the peer’s WireGuard interface(s) - this is where the peer “routes traffic”. These are specified as IPv4 addresses in a.b.c.d/<cidr_mask>...
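    The following validator is an added example, not Opengear's code. It checks a WireGuard interface definition against the constraints given in the fields, peers and allowed_ips descriptions above (interface name character set, listen port 1 to 65535, at least one address, public_key and allowed_ips required on each peer, no overlapping addresses between interfaces on one device) and additionally verifies that keys decode to the 32 bytes that wg genkey / wg pubkey produce. The field names follow the REST API representation shown earlier; the keys in the sample are deterministic dummy byte patterns, not real keys.

```python
"""Validate WireGuard interface definitions before applying them (added example)."""
import base64
import ipaddress
import re
from typing import Dict, List

NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# Constructed placeholder keys: 32 predictable bytes, base64-encoded. Never
# use these on a real device; generate keys with `wg genkey`.
DUMMY_PRIVATE = base64.b64encode(bytes(range(32))).decode()
DUMMY_PUBLIC = base64.b64encode(bytes(range(32, 64))).decode()

# Constructed interface in the shape of the REST API "wireguards" entry.
SAMPLE = {
    "name": "wg0",
    "enabled": True,
    "port": 51820,
    "private_key": DUMMY_PRIVATE,
    "addresses": ["10.0.0.1/24"],
    "peers": [{
        "public_key": DUMMY_PUBLIC,
        "endpoint_address": "192.168.1.2",
        "endpoint_port": 51820,
        "allowed_ips": ["10.0.0.2/32"],
    }],
}


def _valid_key(key: str) -> bool:
    """WireGuard keys are base64 of exactly 32 bytes."""
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except (ValueError, TypeError):
        return False


def validate_interface(iface: Dict) -> List[str]:
    """Return a list of problems; empty means the definition is acceptable."""
    errors = []
    if not NAME_RE.match(iface.get("name", "")):
        errors.append("name may only contain letters, numbers, hyphens or underscores")
    port = iface.get("port", 51820)
    if not 1 <= port <= 65535:
        errors.append(f"port {port} outside 1-65535")
    if not _valid_key(iface.get("private_key", "")):
        errors.append("private_key is not a base64-encoded 32-byte key")
    if not iface.get("addresses"):
        errors.append("at least one address is required")
    for addr in iface.get("addresses", []):
        try:
            ipaddress.ip_interface(addr)
        except ValueError:
            errors.append(f"bad address {addr!r}")
    for i, peer in enumerate(iface.get("peers", [])):
        if not _valid_key(peer.get("public_key", "")):
            errors.append(f"peer {i}: public_key missing or malformed")
        if not peer.get("allowed_ips"):
            errors.append(f"peer {i}: allowed_ips is required")
        for cidr in peer.get("allowed_ips", []):
            try:
                ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                errors.append(f"peer {i}: bad allowed_ips entry {cidr!r}")
    return errors


def overlapping_interfaces(ifaces: List[Dict]) -> List[str]:
    """Pairs of interfaces whose address networks overlap, which the manual
    forbids for multiple WireGuard interfaces on the same device."""
    nets = [(i["name"], ipaddress.ip_interface(a).network)
            for i in ifaces for a in i.get("addresses", [])]
    clashes = []
    for x in range(len(nets)):
        for y in range(x + 1, len(nets)):
            if nets[x][0] != nets[y][0] and nets[x][1].overlaps(nets[y][1]):
                clashes.append(f"{nets[x][0]}/{nets[y][0]}")
    return clashes
```

    Run validate_interface() on each definition and overlapping_interfaces() on the whole set before pushing them with the REST API or Config Shell; a malformed key or an overlapping subnet is far easier to diagnose here than from a tunnel that silently never comes up.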
  • Page 241: Adding A Wireguard Interface To A Firewall Zone

    ADDING A WIREGUARD INTERFACE TO A FIREWALL ZONE The WireGuard interface can be added to a firewall zone as in the following example:
      Entity firewall/zone item zone
        description        ""  (required)
        label              ""  (required)
        masquerade         ""  (required)
        name               zone
        permit_all_traffic ""  (required)
        address_filters (array)
        custom_rules (array)
        physifs (array)
  • Page 242: Ssh

    To modify the properties of the port used for connecting to serial consoles via SSH, navigate to CONFIGURE > SERVICES > SSH. The following table gives the definitions of the configurable SSH properties (Parameter / Definition).
    Serial Port Delimiter: The delimiting character used to separate the username from the port selection information.
  • Page 243: Unauthenticated Ssh To Serial Ports

    Usually, you would need to authenticate on the Opengear appliance, followed by any log in to a device you are connecting to via the serial port. With Unauthenticated SSH enabled, the appliance-level login is skipped, so the only authentication left is whatever the serial-attached device itself enforces; restrict the SSH service to a trusted firewall zone or source addresses before enabling it.
  • Page 244: Enable Ssh

    ENABLE SSH Note: This feature may be enabled using the default settings without the need for configuration. 1. Open the SSH form, Configure > Services > SSH > SSH (form). 2. Complete the SSH form (if this is the first time Unauthenticated SSH has been used), a description of the input data is provided at "Properties and Settings"...
  • Page 245: Connecting Directly To Serial Ports

    TCP port 3000, so SSH to TCP port 3001 directly connects you to serial port 1.
    SSH to a serial port by port number: SSH to the Opengear node, adding +portXX to your username (e.g. root+port01 or operator+port01 for port 1).
  • Page 246: Feature Persist

    SSH to a serial port by port label: SSH to the Opengear node, adding the +port-label to your username (e.g. root+Router or operator+Router for a port labelled Router): ssh -l operator+Router 70.33.235.190
    Note: For additional reading on connecting to serial ports see: Communicating with serial port connected devices. Note: Serial ports in the Local Console and Disabled port modes are not available for SSH connection.
  • Page 247 port selection information. The default value is the + character; the maximum length is 1. The prohibited characters are backslash (\), double quote ("), backtick (`), space, equals (=) and hash (#). Source: schema required ssh_delimiter: string (default = "+"; minimum = 1;...
  • Page 248 Port Number for Direct This port number will be used for direct SSH links SSH Links on the serial ports page. Set this option if you have configured SSH to be reachable on a non- standard port. Max Startups Start The number of connections pending authentication before new connections begin to be refused.
  • Page 249 connections are refused. Unauthenticated Access to Serial Ports: This is the feature Enable/Disable button.
  • Page 250: Syslog

    SYSLOG Administrative users can specify multiple external servers to which the Syslog can be exported via TCP or UDP. There is a drop-down on each serial port to enable logging and to define the “scope” of logging. The Syslog page lists any previously added external syslog servers. ADD A NEW SYSLOG SERVER Note: The combination of server address, protocol and port must be unique.
  • Page 251: Global Serial Port Settings

    6. Enter the correct Port. If no port is entered, UDP defaults to port 514 and TCP defaults to 601. 7. From the drop-down list, select the required severity level to be logged, eight levels of log severity are supported. 8.
  • Page 252: Syslog Facility Definitions

    Port: The Syslog Server IP address.
    Minimum Log Severity Level: Log entries at least as severe as the selected level are sent to the server.
    Send Serial Port Logs: Click to enable serial port logging.
    Add Button: Click to initiate the syslog, then wait for the confirmation banner.
    SYSLOG FACILITY DEFINITIONS (Facility / Definition)...
  • Page 253: Syslog Severity Definitions

    uucp: UUCP subsystem
    cron: Clock daemon
    authpriv: Security/authentication messages
    ftp: FTP daemon
    local: Locally used facilities
    SYSLOG SEVERITY DEFINITIONS (Severity / Definition)
    0 - Emergency: System is unusable.
    1 - Alert: Action must be taken immediately.
    2 - Critical: Critical conditions.
    3 - Error: Error conditions.
  • Page 254: Edit Or Delete An Existing Syslog Server

    EDIT OR DELETE AN EXISTING SYSLOG SERVER To edit an existing syslog server, click the hyperlinked Red Text server name in the server list (see the Syslog page image above). Make the required changes, then click the Submit button. Delete a server by clicking the Delete icon at the top-right of the Edit Syslog Server page.
  • Page 255: Session Settings

    SESSION SETTINGS Use Session Settings to set timeouts for console sessions where the user has been idle for a specified time. At timeout, the user’s Web, CLI or Serial Port sessions are terminated, so that a session left connected cannot be picked up by someone else with physical access to the node.
  • Page 256 Serial Port Session Timeout: Set the timeout from 1 to 1440 minutes or set it to 0 to disable the timeout. Click the Apply button to save the settings. The new session timeout will take immediate effect on all pmshell sessions, including ones in use.
  • Page 257: File Server

    FILE SERVER The Operations Manager can be configured to serve files to clients via Trivial File Transfer Protocol (TFTP). TFTP can be used by nodes on the network to perform a network boot, or to allow backup and restore of configuration files. TFTP has no authentication, so any client that can reach the service through the firewall can retrieve, and upload, files in the served directory; keep secrets out of that directory and expose the service only in a trusted zone. Note: Limitations. The user is responsible for disk space management.
  • Page 258: Modify Firewall Zones To Allow The Tftp Service To Be Used

    MODIFY FIREWALL ZONES TO ALLOW THE TFTP SERVICE TO BE USED The TFTP service must be allowed through a firewall zone so that clients may upload and retrieve files. Navigate to the Firewall Management page via CONFIGURE > FIREWALL > Management. Expand the desired firewall zone and click the Edit Zone button. Allow the "tftp"...
  • Page 259 Note: The storage location must be an existing directory before running ogcli update. Caution: Using a storage volume other than /mnt/nvram is not recommended. Data may be lost after reboot, or be inaccessible when switching boot slots. As an administrative user, run: ogcli update services/tftp path=\"<new path>\"...
  • Page 260: Snmp Service

    SNMP SERVICE Navigate to the CONFIGURE > SNMP > SNMP Service to open the SNMP Service page. SNMP Service allows you to specify which SNMP services to enable. When you click on ENABLED for SNMP V1 & V2 or SNMP V3, a detail form appears where you can add service specific settings.
  • Page 261: Snmp Alert Managers

    SNMP ALERT MANAGERS Navigate to CONFIGURE > Services > SNMP Alert Managers to open the SNMP Alert Managers page. See the "Multiple SNMP Alert Managers" on the next page feature for information about configuring more than one SNMP manager. To create or configure SNMP Alert Manager, click the Add New SNMP Alert Manager button at the top-right of the page.
  • Page 262: Multiple Snmp Alert Managers

    MULTIPLE SNMP ALERT MANAGERS The Multiple SNMP Alert Managers feature provides the option to configure more than one SNMP manager. Trap and inform events, which can be used to trigger remedial action, are then sent to every configured SNMP Alert Manager.
  • Page 263: New Snmp Alert Manager Definitions

    Note: For SNMP V3 TRAPS, an Engine ID is provided by default if none is specified. This is generated by the snmpd service and can be found in the SNMPD RUNTIME CONF /var/lib/net-snmp/snmpd.conf. Traps are sent for Alerts added in Configure > SNMP Alerts. Traps are also sent to all the configured SNMP Alert Managers for a Playbook SNMP Reaction.
  • Page 264 TCP - A commonly used protocol used to transmit data from other higher-level pro- tocols that require all transmitted data to arrive. UDP6 - Similar to UDP but uses IPv6. TCP6 - Similar to TCP but uses IPv6. Version The version of SNMP protocol to use. The default value is v2c.
  • Page 265: Firewall

    FIREWALL In the CONFIGURE > FIREWALL menu you can configure: "Firewall Guide" on the next page, "Firewall Management" on page 274, "Firewall Policies" on page 281, "Firewall Services" on page 289, "Adding WireGuard Zones to a Firewall" on page 290.
  • Page 266: Firewall Guide

    FIREWALL GUIDE INTRODUCTION Opengear firmware is equipped with a powerful firewall stack based on leading open source firewalld and nftables tools. The default firewall rule set is configured with a default-deny policy. The firewall is based on the concept of configurable Zones. Zones enable operators to create multiple “firewall segments”...
  • Page 267: Firewall Rules

    Note:To access services on the device, a user must have both access through the firewall and the appropriate authorization, e.g., via a local user account or remote AAA. There are several kinds of rules and policies that may be applied to Zones. FIREWALL RULES Permitted Services Rules allow access to Services for requests arriving on interfaces in the Zone –...
  • Page 268: Example Webui Configuration

    EXAMPLE WEBUI CONFIGURATION The following examples use Permitted Services Rules and Custom Rules features Note:Some aspects of the WebUI may change in future releases. EXAMPLE 1: DISALLOW WAN ZONE ACCESS TO HTTPS The default configuration is to allow HTTPS (i.e. the WebUI & API) on the WAN Zone.
  • Page 269: Example 2: Permit Access To Wan Zone Https From A Trusted Source Network Only

    EXAMPLE 2: PERMIT ACCESS TO WAN ZONE HTTPS FROM A TRUSTED SOURCE NETWORK ONLY When a service is permitted using a Permitted Services Rule, connections to the service in that Zone are permitted regardless of the originating network the connection is coming from. To disallow connections from all but a trusted source network, use Custom Rules (examples below) instead.
  • Page 270: Custom Rules (Firewalld "Rich-Rules")

    Note: It is not recommended to mix firewall configuration between the UI (WebUI/CLI) and firewalld commands (firewall-cmd) from the Linux shell, because commands may be overwritten. Use either the WebUI or the CLI for all supported functionality instead of firewall-cmd. CUSTOM RULES (FIREWALLD “RICH-RULES”) This feature enables users to define fine-grained control of services inside a zone.
  • Page 271: Useful Templates For Use In Webui Or Cli

    Example 4: Drop Specific Service (HTTP)
      rule family="ipv4" service name="http" drop
    Example 5: Permit specific source subnet and log connection attempts
      rule family="ipv4" source address="10.0.0.0/16" accept log
    Example 6: Permit IPv6 packets with source address, TCP port number 4000. Log the packets
      rule family="ipv6"...
  • Page 272: Sample Rich Rules Templates

    In ogcli:
      ogcli replace firewall/zones << 'END'
      firewall_zones[0].custom_rules[0].description="allow rule"
      firewall_zones[0].custom_rules[0].rule_content="rule family='ipv4' source address='192.168.67.101/32' service name='telnet' accept"
      …
    SAMPLE RICH RULES TEMPLATES
    1. rule family="ipv4" source address="<user-to-fill>" accept|drop|reject
    2. rule family="ipv4" destination address="<user-to-fill>" accept|drop|reject
    3. rule family="ipv4" destination address="<user-to-fill>" accept|drop|reject
    4. rule family="ipv4" source address="<user-to-fill>" accept|drop|reject
    5.
  • Page 273 8. rule family="ipv4" source address="<user-to-fill>" destination address="<user-to-fill>" accept|reject|drop log 9. rule family="ipv4" source address="<user-to-fill>" port port=<usr-to-fill> protocol=tcp|udp accept|reject|drop 10. rule family="ipv4" source address="<user-to-fill>" protocol value="tcp|udp" accept|reject|drop Note: Ordering of rules is important. See this public article: Firewalld Rich Rules Explained. In the Template: Choose one of the actions accept|reject|drop [Drop action does not send any response back to source, reject does].
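    Because a typo in a rich rule is only caught when firewalld rejects it, and because ordering matters, it helps to generate the rules rather than type them. The following added example (not Opengear's code) fills in the templates above with validated values (a family that matches the address, one of the three permitted actions, a port in range) and renders them in the clause order of firewalld's rich-rule language, in which log precedes the action. It also renders the ogcli replace firewall/zones heredoc in the form shown on the previous page; the zone index and descriptions are illustrative.

```python
"""Build validated firewalld rich rules and the ogcli command that installs them (added example)."""
import ipaddress
import re
from typing import List, Optional, Tuple

ACTIONS = {"accept", "drop", "reject"}
FAMILIES = {"ipv4": 4, "ipv6": 6}
SERVICE_RE = re.compile(r"^[a-z0-9_-]+$")


def rich_rule(action: str, family: str = "ipv4", source: Optional[str] = None,
              destination: Optional[str] = None, service: Optional[str] = None,
              port: Optional[int] = None, protocol: Optional[str] = None,
              log: bool = False) -> str:
    """Return one rich rule string, raising ValueError on inconsistent input."""
    if action not in ACTIONS:
        raise ValueError(f"action must be one of {sorted(ACTIONS)}")
    if family not in FAMILIES:
        raise ValueError("family must be ipv4 or ipv6")
    parts = [f'rule family="{family}"']
    for clause, value in (("source", source), ("destination", destination)):
        if value is not None:
            net = ipaddress.ip_network(value, strict=False)
            if net.version != FAMILIES[family]:
                raise ValueError(f"{value} is not an {family} address")
            parts.append(f'{clause} address="{net.with_prefixlen}"')
    if service is not None:
        if not SERVICE_RE.match(service):
            raise ValueError(f"bad service name {service!r}")
        parts.append(f'service name="{service}"')
    if port is not None:
        if protocol not in ("tcp", "udp") or not 1 <= port <= 65535:
            raise ValueError("port needs protocol tcp|udp and a value in 1-65535")
        parts.append(f'port port="{port}" protocol="{protocol}"')
    if log:
        parts.append("log")  # log is placed before the action in firewalld's grammar
    parts.append(action)
    return " ".join(parts)


def ogcli_custom_rules(zone_index: int, rules: List[Tuple[str, str]]) -> str:
    """Render an `ogcli replace firewall/zones` heredoc for (description, rule)
    pairs. Rule text is single-quoted inside the double-quoted field value,
    as in the manual's example; rules are numbered in the order given."""
    lines = ["ogcli replace firewall/zones << 'END'"]
    for i, (desc, rule) in enumerate(rules):
        prefix = f"firewall_zones[{zone_index}].custom_rules[{i}]"
        lines.append(f'{prefix}.description="{desc}"')
        lines.append(f'{prefix}.rule_content="{rule.replace(chr(34), chr(39))}"')
    lines.append("END")
    return "\n".join(lines)
```

    Remember the note under Firewall Management: once a zone carries custom rules, Permit All Traffic is enabled for that zone, so a generated rule set should end with explicit drop or reject rules for anything that must stay closed.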
  • Page 274: Firewall Management

    FIREWALL MANAGEMENT Navigate to the Firewall Management page, CONFIGURE > FIREWALL > Management, from here you can: Add a new firewall zone. Add a firewall service. Edit a firewall zone - manage the zone setup. Manage port forwarding. Manage custom rules for firewalls. Firewall Management main page.
  • Page 275: Zone Setup

    Note: The application of any custom rules will result in Permit All Traffic being enabled in the zone, so once a zone carries custom rules, the custom rules themselves (including explicit drop or reject rules) must provide whatever restriction the zone needs. ZONE SETUP You can inspect details of any zone by clicking the Expand icon to the right of the zone. Once expanded, you can click Edit Zone to change settings for a particular zone.
  • Page 276: Manage Port Forwarding

    MANAGE PORT FORWARDING The MANAGE PORT FORWARDING tab allows you to add, edit, and delete forwarding rules for the particular zone you are editing. MANAGE CUSTOM RULES Note:The application of any custom rules will result in Permit All Traffic being enabled in a zone.
  • Page 277: Firewall Source Address Filtering

    To add a new custom rule: 1. Click Add custom rule. 2. Enter an optional description for this rule. 3. Enter the rule content, custom rule content formatted with firewall-cmd syntax. 4. Click Apply. Note:All rules will be wrapped as follows: firewall-cmd --permanent --zone=lan --add-rich-rule=RULE CONTENT FIREWALL SOURCE ADDRESS FILTERING Source address filtering provides an interface by which users can permit access to...
  • Page 278 This feature removes generic or global permitted services within firewall zones, and instead allows users to permit a service on a specified source address (or address range) within the firewall zone. Source address filters configured in a zone apply to all the interfaces within that zone.
  • Page 279 You can choose to enable permit all traffic, which will permit all traffic in the zone (unless there is a custom rule configured overwriting this behavior). If the permit all traffic option is disabled, you will have the option to configure permitted services for any allowed source address.
  • Page 280: Firewall Source Address Bulk Services

    FIREWALL SOURCE ADDRESS BULK SERVICES PERMITTED SERVICES The firewall source ip field allows you to assign permitted services to specified source ip addresses in bulk rather than needing individual rich rules to add each specific service. This change allows you to easily target specific IP Addresses with permitted services.
  • Page 281: Firewall Policies

    FIREWALL POLICIES Firewall egress filtering may be used to allow or deny traffic leaving a device. This feature allows you to create firewall egress rules, which govern outgoing traffic leaving the device. Firewall egress filtering extends the firewall/policies endpoint, allowing customization over both incoming (ingress) and outgoing (egress) traffic, thus allowing greater control of the device’s security.
  • Page 282: Egress Policy Details

    EGRESS POLICY DETAILS New policies are created by first clicking on the Add Policy button at the top-right of the Firewall Policies page of the WebUI. New policies can have a user-defined default action, either ACCEPT, CONTINUE, DROP, or REJECT, which describes how traffic moving through the ingress and egress zones will be treated.
  • Page 283: Create A New Firewall Policy

    REJECT Rejects every packet (a message warns that the connection was rejected and that packets will not be allowed through): ssh: connect to host 10.236.3.7 port 22: Connection refused DROP Drops every packet (users will not get a message; the connection will hang).
  • Page 284: Editing Policies Or Rules

    EDITING POLICIES OR RULES Rules associated with a policy can be edited. When saving your changes after editing, you are prompted to double-check them using the Confirm Action window, which presents an overview of the policy changes. Note: Editing a firewall policy or rule may interrupt access to the device. Firewall Policies 24.11.3...
  • Page 285: Configure Egress Policies In The Config Shell

    CONFIGURE EGRESS POLICIES IN THE CONFIG SHELL Firewall policies may be created through the Config Shell; an example is given below: config: firewall/policy config(firewall/policy): add incoming config(firewall/policy incoming): default_action accept config(firewall/policy incoming): egress_zones config(firewall/policy incoming egress_zones): add host config(firewall/policy incoming egress_zones): up config(firewall/policy incoming): ingress_zones config(firewall/policy incoming ingress_zones): add any config(firewall/policy incoming ingress_zones): up...
  • Page 286: Create Rules Under A Policy - Config Shell

    don't match any rule. priority The priority of the policy dictates when it is applied compared to other policies and zones. Policies with negative priorities are applied before rules in zones; policies with positive priorities are applied after. A priority of 0 is reserved for Rules and is not used for policies.
  • Page 287: Logging And Debugging Firewall Policies

       priority 0    source_address           ""    services (array) Rule Configurable Fields action The action that will be applied to matching packets. destination_address The destination address to which this rule will apply. log_prefix This sets the prefix of the info level log that is sent when this rule is hit.
  • Page 288 Check the journal for firewall related messages: journalctl -xeu firewalld Note: firewalld is used to create firewall rules; firewalld is discussed in Interzone Policies and in "Firewall Guide" on page 266.
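The priority and default-action semantics described on the preceding pages, as a constructed Python model added here (not the device's or firewalld's code): policies with a negative priority are applied before the zone's own rules and positive ones after, priority 0 is refused, a policy's default_action applies to traffic none of its rules match, CONTINUE hands the packet to the next stage, and a rule's log_prefix produces a log line when the rule is hit. The Packet and zone representations and the final reject fallback are assumptions made for the illustration.

```python
"""Model of firewall policy ordering and default actions (constructed example)."""
from dataclasses import dataclass, field
import ipaddress

POLICY_ACTIONS = {"ACCEPT", "CONTINUE", "DROP", "REJECT"}
RULE_ACTIONS = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Rule:
    action: str
    services: list                 # service names, e.g. ["ssh"]
    source_address: str = ""       # "" means any; otherwise an IP or CIDR
    destination_address: str = ""
    log_prefix: str = ""           # non-empty: emit a log line when the rule is hit


@dataclass
class Policy:
    name: str
    ingress_zones: set             # "any" matches every zone
    egress_zones: set
    default_action: str = "CONTINUE"
    priority: int = -1
    rules: list = field(default_factory=list)


@dataclass
class Packet:                      # assumed minimal packet representation
    ingress_zone: str
    egress_zone: str
    service: str
    src: str
    dst: str


def validate_policy(policy):
    """Refuse what the text rules out: priority 0 and unknown actions."""
    if policy.priority == 0:
        raise ValueError(f"{policy.name}: priority 0 is reserved for rules")
    if policy.default_action not in POLICY_ACTIONS:
        raise ValueError(f"{policy.name}: bad default_action {policy.default_action}")
    for rule in policy.rules:
        if rule.action not in RULE_ACTIONS:
            raise ValueError(f"{policy.name}: bad rule action {rule.action}")


def evaluation_order(policies):
    """Stages in the order a packet meets them: negative-priority policies,
    the zone's own rules, then positive-priority policies."""
    for p in policies:
        validate_policy(p)
    pre = sorted((p for p in policies if p.priority < 0), key=lambda p: p.priority)
    post = sorted((p for p in policies if p.priority > 0), key=lambda p: p.priority)
    return [("policy", p) for p in pre] + [("zone", None)] + [("policy", p) for p in post]


def _address_matches(filter_addr, addr):
    if not filter_addr:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(filter_addr, strict=False)


def _policy_applies(policy, pkt):
    return (("any" in policy.ingress_zones or pkt.ingress_zone in policy.ingress_zones)
            and ("any" in policy.egress_zones or pkt.egress_zone in policy.egress_zones))


def evaluate_policy(policy, pkt, log):
    """First matching rule decides; otherwise the policy's default_action."""
    for rule in policy.rules:
        if (pkt.service in rule.services
                and _address_matches(rule.source_address, pkt.src)
                and _address_matches(rule.destination_address, pkt.dst)):
            if rule.log_prefix:
                log.append(f"{rule.log_prefix} {pkt.src}->{pkt.dst} {pkt.service} {rule.action}")
            return rule.action
    return policy.default_action


def evaluate(policies, zone_services, pkt):
    """Walk the stages and return (verdict, log lines).

    zone_services (assumption) maps a zone name to the set of services it
    permits, or to "*" when Permit All Traffic is enabled for that zone.
    A zone that permits nothing for the packet hands it on; traffic that
    nothing accepts is rejected at the end (assumed default).
    """
    log = []
    for stage, policy in evaluation_order(policies):
        if stage == "zone":
            allowed = zone_services.get(pkt.ingress_zone, set())
            if allowed == "*" or pkt.service in allowed:
                return "ACCEPT", log
            continue
        if _policy_applies(policy, pkt):
            verdict = evaluate_policy(policy, pkt, log)
            if verdict != "CONTINUE":
                return verdict, log
    return "REJECT", log
```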
  • Page 289: Firewall Services

    FIREWALL SERVICES The Firewall Services page of the WebUI provides a list of existing, predefined Firewall services and provides a means of creating, defining and editing services.
  • Page 290: Adding Wireguard Zones To A Firewall

    ADDING WIREGUARD ZONES TO A FIREWALL The WireGuard interface can be added to a firewall zone as in the following example: Entity firewall/zone item zone description "" (required) label "" (required) masquerade "" (required) name zone permit_all_traffic "" (required) address_filters (array) custom_rules (array) physifs (array) port_forwarding_rules (array)
  • Page 291: System

    SYSTEM The CONFIGURE > SYSTEM menu lets you change the Operations Manager hostname, perform system upgrades, and reset the system. CHECK SYSTEM DETAILS To ascertain current system details, click on the System link at the top-right of the OM window.
  • Page 292: Administration

    ADMINISTRATION To set the hostname, add a contact email, or set a location for the Operations Manager: Click CONFIGURE > SYSTEM > Administration. Edit the Hostname field. Click Apply; the new settings are saved.
  • Page 293: Date And Time Setting

    DATE AND TIME SETTING It is important to set the local Date and Time in your Opengear device as soon as it is configured. Features such as Syslog and NFS logging use the system time for time-stamping log entries, while certificate generation depends on a correct timestamp to check the validity period of the certificate.
  • Page 294 Select the NTP option. Enter the NTP server address and select whether Authentication is required. Click on Add NTP Server if another NTP server is required and complete the address for the second NTP server. Click Apply NTP Settings.
  • Page 295: Time Setting Manually

    TIME SETTING MANUALLY Navigate to the CONFIGURE > DATE & TIME > Time Settings page. Select the Operations Manager’s time zone from the Time Zone drop-down list. A filter is provided to make selection easier. Select the Manual option. Under Configure Date and Time, click on the calendar icon to open the Date and Time Picker.
  • Page 297: Factory Reset

    FACTORY RESET You can perform a factory reset at the UI by pressing the Factory Reset button (CONFIGURE > SYSTEM > Factory Reset) or at the external Erase button, or from the CLI. All three methods are covered in this topic. During a factory reset the device is reset to the factory default.
  • Page 298 If you still wish to proceed with the reset, select the Proceed with the factory reset checkbox. 5. Click Reset. Warning: This operation performs the same operation as the hard factory erase button. This resets the appliance to its factory default settings. Any modified configuration information is erased.
  • Page 299: Reset At The External Erase Button

    RESET AT THE EXTERNAL ERASE BUTTON Press the external physical Erase button on the device once. Note: On most devices the button is at the front panel, near the LEDs (on the OM1200 the button is on the rear, near the power inlet). CONFIRM all LEDs come on.
  • Page 300: Reset From The Cli Terminal

    RESET FROM THE CLI TERMINAL Log in at the CLI terminal, then enter: root@om2248-l-tp1-p14:~# factory_reset Confirm: Factory reset system? [yes/no]: Follow the procedure from step 2 in the 'Erase button' procedure above.
  • Page 301: Reboot

    REBOOT PERFORM A SIMPLE REBOOT FROM THE WEBUI To reboot the Operations Manager: Navigate to CONFIGURE > SYSTEM > Reboot. Select Proceed with the reboot, then click Reboot. See also "Factory Reset" on page 297 for detailed information about device behavior that may occur during a factory reset procedure.
  • Page 302: Export/Restore Configuration

    EXPORT/RESTORE CONFIGURATION EXPORT CONFIGURATION The current system configuration can be downloaded as a plain text file. It contains all configuration performed via the WebUI and the ogcli tool. It does not contain log files, user scripts, docker containers, service configuration or other files stored via other means.
  • Page 303: Export Configuration Via Ogcli

    To export the system configuration, click the Download button and save this file. Sensitive data such as passwords and tokens will be obfuscated in the configuration export. Note: The default filename includes the system hostname and a timestamp. For example, om2248_20210910_config.txt em8000_20210910_config.txt EXPORT CONFIGURATION VIA OGCLI The system configuration can also be exported using the ogcli tool.
  • Page 304: Restore Configuration

    Caution: Configuration exported with --secrets=mask cannot be used to import configuration. RESTORE CONFIGURATION An exported system configuration can be imported to the node using the WebUI or ogcli tool. Note: If the configuration was exported using --secrets=mask, it cannot be used for configuration import. Note: It may take up to ten minutes to import a config file with a large amount of configuration.
  • Page 305: Import Configuration Via Ogcli

    Click the Restore tab Select the configuration file to import. Review the configuration by clicking the arrow to display the file content. Click the Upload File button to start the import process. A green banner will display when the configuration import is successful. IMPORT CONFIGURATION VIA OGCLI The system configuration can also be imported using the ogcli tool.
  • Page 306: Import Configuration

    IMPORT CONFIGURATION Configuration that is imported using the ogcli import command will be merged with the current system configuration, preserving the current values, and adding missing entries from the exported configuration where required. As an administrative user, run the following command: ogcli import <file_path>...
  • Page 307: Updating The Import/Restore File

    Rollback maintains operational stability, ensuring the system does not become partially upgraded due to some error during upgrade. The ability to roll back to a previously safe configuration minimizes downtime and service disruption, making it a vital addition to the system's resilience. Rollback behavior in the event of a detected restore failure: The system automatically detects a configuration update failure.
  • Page 308: Rollback Capabilities

    config replace system/session_timeout <<'END'   cli_timeout=0   serial_port_timeout=0   webui_timeout=20 ROLLBACK CAPABILITIES When the system initiates a rollback, it will log to syslog, print a message in the CLI and display a pop-up “toast” notification in the WebUI. This system is resilient to network issues; once Rollback is started it will continue without the user being connected to the network.
  • Page 309: Lighthouse Node Backup

    Rollback cannot be initiated once import/restore is complete. LIGHTHOUSE NODE BACKUP Configuration export can be scheduled to be performed periodically using the Lighthouse Node Backup feature. For more details, consult the Lighthouse User Guide: https://opengear.com/support/documentation/
  • Page 310: System Upgrade

    PERFORM A SYSTEM UPGRADE 1. Navigate to the CONFIGURE > System > System Upgrade page. 2. Select the Upgrade Method, either Fetch image from HTTP/HTTPS Server or Upload Image. Note: See https://opengear.com/support/device-updates/ for firmware updates.
  • Page 311: Upgrade Via Fetch From Server

    4. Click Perform Upgrade. Note: The Advanced Options section should only be used if a system upgrade is being performed as part of an Opengear Support call. Once the upgrade has started, the System Upgrade page displays feedback as to the state of the process.
  • Page 312: Advanced Options

    ADVANCED OPTIONS The Operations Manager supports a number of command line interface (CLI) options and REST API. # address : Primary Lighthouse address to enroll with # api_port : Optional port to use for the primary address when requesting enrollment # password : LH global or bundle enrollment password # bundle : Name of LH enrollment bundle Advanced Options...
  • Page 313: Communicating With The Cellular Or Pots Modem

    COMMUNICATING WITH THE CELLULAR OR POTS MODEM Interfacing with the cellular modem is currently only available via CLI. Usage: mmcli [OPTION…] - Control and monitor the ModemManager Options: -h, --help Show help options --help-all Show all help options --help-manager Show manager options --help-common Show common options --help-modem...
  • Page 314 --help-location Show Location options --help-messaging Show Messaging options --help-voice Show Voice options --help-time Show Time options --help-firmware Show Firmware options --help-signal Show Signal options --help-oma Show OMA options --help-sim Show SIM options --help-bearer Show bearer options --help-sms Show SMS options --help-call Show call options Application Options:...
  • Page 315: Internal Modem (Pots)

    --timeout=[SECONDS] Timeout for the operation INTERNAL MODEM (POTS) The OM2200-10G-M-DDC-L is fitted with an internal POTS modem. The POTS modem can be used to obtain CLI access to the OM, which allows users to dial into a device and obtain a command prompt by using the modem. The modem is configured at the WebUI, Config Shell or CLI.
  • Page 316: Configuration Via The Webui

    and automatically answer, providing a serial console to the requester. Baud rate The baud rate to use between the modem and the internal serial port. Custom AT Command Sequence This is a single-line, multi-command string to use to initialize the modem with specific behavior.
  • Page 317 CONFIG SHELL COMMAND EXAMPLES The fields listed in the configurable options table can be configured via the Config Shell: Required Action Command Example show pots_modem modem01 Show the POTS modem con- figuration edit pots_modem modem01 mode Enable the POTS modem dialin edit pots_modem modem01 mode dis- Disable the POTS modem...
  • Page 318: Pots Configuration Via The Cli

    AT+GCI=09 POTS CONFIGURATION VIA THE CLI CLI access to the OM2200-10G-M-L can be obtained using a POTS (aka dialup modem) connection. Connection requires a terminal program that can interact with a dialup modem and support VT102 terminal emulation. On Linux, ‘tip’ is commonly used.
  • Page 319: Logging

    LOGGING At modem start-up, the following log is printed to syslog: Jul 26 02:37:22 (OM2200-10G-M-L) systemd[1]: Started Serial Getty on modem01. Mgetty logs are redirected to rsyslog, which includes the logging of what is received and sent from the POTS modem.
  • Page 320: Config Cli Guide

    CONFIG CLI GUIDE The Config Command Line Interface (CLI) provides users with an interactive and familiar environment similar to other networking devices that users may be familiar with. The result is a user experience that feels like an interactive CLI. Advantages of the Config CLI are: Interactive CLI makes everyday operations such as configuration changes and troubleshooting activities easier for users.
  • Page 321: Navigation In Config Cli

    NAVIGATION IN CONFIG CLI STARTING A SESSION IN CONFIG CLI Start the Config Shell by typing config at a bash prompt. The bash prompt is presented to root and Administrator users when they log in via SSH or on the management or local console.
  • Page 322 Starting at the root, enter endpoint names to descend down to lower endpoints. Similarly, type 'up' to ascend towards the root or type 'top' to reset to the root context. Note: Every endpoint name is an operation that descends into that endpoint. When using the config CLI, it is possible to navigate ‘downwards’...
  • Page 323: Understanding Fields, Entities And Contexts

    UNDERSTANDING FIELDS, ENTITIES AND CONTEXTS The Config CLI allows you to configure the device settings through a number of required fields, which provide the settings for the device. These fields are grouped in entities that describe a small set of functionality, for example, there is a ‘user’...
  • Page 324 You select a context by typing the name of the target entity and pressing Enter/Return; the new context is shown in the prompt between brackets. In the following example, the ‘user’ context is accessed and then the ‘john’ sub-entity is accessed causing the context to become ‘user john’.
  • Page 325 config: monitoring/alerts/power power_supply_voltage_alert syslog config(monitoring/alerts/power power_supply_voltage_alert syslog):
  • Page 326: Global & Entity-Context Commands

    GLOBAL & ENTITY-CONTEXT COMMANDS GLOBAL CONTEXT COMMANDS The table below lists commands available on any context: Global Command Description help (or '?') Show help which is context sensitive. It will list some special details about the current context, the list of sub entities (or fields) and a list of available commands.
  • Page 327 Entity Command Description <field> Show the value of a field. help <entity> Displays short-form help for the specific entity. <field> <value> Set the value of a field. delete Deletes the current entity. This is available when the context entity is an item in a list. Append a sub-entity or field to the current entity.
  • Page 328: Config Cli Entities

    CONFIG CLI ENTITIES The Config Shell allows the user to configure a number of fields which are the settings for the device. These fields are grouped in entities that describe a small set of functionality. For example, there is a ‘user’ entity which is used to access user settings.
  • Page 329 auto_response/reaction Read and manipulate the Auto-Response reactions on the NetOps Console Server appliance. auto_response/status Read the AutoResponse Status on the NetOps Console Server appliance. auto_response/status/ Read the AutoResponse Status of Beacon Modules beacon-module on the NetOps Console Server appliance. cellfw/info Retrieve cellular modem version and related information.
  • Page 330 status. firewall/policy A collection of policies defined for the NetOps Console Server appliance's firewall. A policy specifies which zones traffic is allowed to route between. firewall/predefined_service A collection of predefined services for the NetOps Console Server appliance's firewall. A service is a named grouping of one or more TCP or UDP ports for a particular networking protocol.
  • Page 331 information about what part of the IP Passthrough connection process the device is currently at and information about the connected downstream device. ipsec_tunnel Read and manipulate the IPsec tunnels on the NetOps Console Server appliance. lighthouse_enrollment View and control enrollment to a lighthouse. local_password_policy Configure the password policy for local users.
  • Page 332 monitoring/alerts/networking Retrieve and configure Networking Alert Group settings. monitoring/alerts/power Retrieve and configure Power Alert Group settings. monitoring/alerts/system Retrieve and configure System Alert Group settings. Configure, monitor and control PDUs connected to the device. pdus/drivers Read the PDU driver list. physif Read and manipulate the network physical interfaces on the NetOps Console Server appliance.
  • Page 333 services/lldp Provides access to the Network Discovery Protocols (LLDP/CDP) configuration. services/ntp Provides access to the NTP client configuration on the system. services/routing Retrieve and configure routing services on the NetOps Console Server appliance. services/ SNMP Alert Managers are used to receive and log snmp_alert_manager SNMP TRAP and INFORM messages sent by the NetOps Console Server.
  • Page 334 ssh/authorized_key Configure the SSH authorized keys for a specific user. static_route Configuring and viewing static routes. system/admin_info Retrieve or change the NetOps Console Server appliance system's information (hostname, contact and location). system/banner Retrieve or change the appliance system's banner text.
  • Page 335 system/ssh_port The SSH port used in Direct SSH links. system/ Configure the SSH authorized keys for all users. system_authorized_key system/time Retrieve and update the NetOps Console Server's time. system/timezone Retrieve and update the system's timezone. system/version Retrieve the appliance's most recent firmware and REST API version.
  • Page 336: Config Cli Commands

    CONFIG CLI COMMANDS Command Definition Add a new item for an entity. apply Apply changes on just the current entity. changes View a list of config areas with unapplied changes. delete Delete an item for an entity. diff Show additions, removals, changes and functional differences between the input and running configurations.
  • Page 337: Add

    import/export Copy a config file from a specific network location to the console server and run the file. The import/export commands operate in bash, i.e. outside of config CLI. You must exit config to operate the import/export features. show Display information relevant to the configuration section, highlighting changes.
  • Page 338: Apply

    Syntax add <entity> <optional-entity> <label> <optional-field> <optional-value> Example add user aconsoleuser description "I am a console user" APPLY Description The apply command allows users to stage configuration changes by allowing proposed changes to be held in memory, separate from active configuration until they are applied.
  • Page 339: Apply All Changes

    apply all – When the ‘all’ parameter is added, the command will apply all changes to all items that have been changed in this session. Syntax apply [all] Examples Apply changes to a single item These commands change a user. Then the apply command is used while still in the “user myuser”...
  • Page 340: Apply Changes To Specific Sections Of Configuration

    config(port port01): label "Port for my group" config(port port01): top config: apply all APPLY CHANGES TO SPECIFIC SECTIONS OF CONFIGURATION From within a specific section of hierarchy. For example: config users johnsmith apply This will apply any changes made specifically within the user’s configuration section. Apply changes from a different section in the hierarchy: For example, if changes have been made in config users johnsmith...
  • Page 341: Changes

    apply all CHANGES Description The changes command allows users to view a list of config areas with unapplied changes. This will be a list, ordered alphabetically. Users should be able to copy and paste items from the list and use it in conjunction with the show command to view details. Parameters none Syntax...
  • Page 342: Delete

    DELETE Description The delete command is used to delete an item or entity or remove a config section or sub-section. The command requires a unique value to identify the record. This will be used for the entity's label field. Similar to the add command, delete makes the change in a temporary state and will affect configuration only once applied.
  • Page 343: Diff

    Note: The config diff tool performs the diff functionality in the same way as ogcli diff, and can be used interchangeably using export files in either format. See config diff in the "Opengear CLI Guide" on page 398. Diff tool behavior Diff shows additions, removals and changes clearly in a streamlined format with only functional differences between the input and running configurations.
  • Page 344 If any section, list item or sub-property is out of order between the input configuration and the running configuration, it is not shown in the diff unless the values have actually changed. If the input configuration file is missing properties or sections of configuration, it shows the differences between running configuration and the default values for those properties.
  • Page 345: Discard

    3. Configuration differs from template with defaults: Differences between active configuration and default configuration because the input file was empty. 4. Configuration matches template with defaults: No differences between active configuration and default configuration with empty input file. Positional arguments <input_file>...
  • Page 346 The discard command is used to remove unapplied changes. This can be used to discard specific or configuration-wide changes including: Updates to configuration items. Additions not applied. Items designated for deletion. Parameters discard - when used on its own, discards the current item when in an item context; otherwise it will be an error.
  • Page 347: Discard Groups Of Changes

    The following commands discard changes to an existing item. The item isn’t removed in this case since it has been applied previously. The description field will revert back to whatever it was before. config: user root config(user root): description "Root user" config(user root): discard The following commands discard changes to multiple entities, the group and port entities.
  • Page 348: Discard Specific Changes

    If “username” is an existing user but with no changes, the user will be informed that there are no configuration changes to discard. DISCARD SPECIFIC CHANGES port port01 discard If the entity has unapplied changes, they will be discarded. If there are no unapplied changes, an information message is displayed. Confirmation Discarding changes at a section or configuration-wide level will give a warning that multiple changes will be discarded.
  • Page 349: Exit

    Examples Consider the following change to a port label: config port port_01 label "Office-switch" Alternatively, consider making the change from the root of configuration mode. config edit port port_01 label "Office-switch" EXIT Description The exit command can be run at any level in the configuration structure and will allow you to leave config mode.
  • Page 350: Help (Or ?)

    HELP (OR ?) Description Note: Config mode will accept either help or a question mark ? input. Can be used in the following ways: A standalone command to view available options for the configuration section. In combination with a command to access help documentation. In combination with a configuration option to access help documentation and examples.
  • Page 351: Help Command Used Standalone

    config(port port01): ? The following will print help for the baudrate field when in the “port port01” context: config(port port01): help baudrate config(port port01): baudrate ? HELP COMMAND USED STANDALONE When used by itself, help or ? returns a list of available commands or configuration options.
  • Page 352: Import/Export

    pinout ? This will display a list of available options. label ? This will display expected format and a sample. IMPORT/EXPORT Description Note: The import / export and associated commands operate in bash, i.e. outside of config CLI. You must exit config to operate the import/export features. The Import / Export feature allows you to export the current configuration to a file and import or restore the configuration from that file.
  • Page 353 This command can be run at any level in the hierarchy and used to export either: The configuration across the node Configuration specific to the user's location in the hierarchy. export all current config Will display all config on the console server before it has been applied for copying. export all saved config Will display all saved config on the console server for copying.
  • Page 354 config import /tmp/console_server.config Positional arguments {export,import,restore,merge,replace,get} Positional Argument Description export Export the current configuration. import Import config from a file. restore Restore config from a file. merge Merge a provided list with existing config. replace Replace a list or item. Display an entity's associated values.
  • Page 355: Show

    Export in json format. --entities Display entities and exit. Exporting to a file Note: The import/export and associated commands operate in bash, i.e. outside of config CLI. You must exit config to operate the import/export features. SHOW Description The show command displays information relevant to the configuration section, including the highlighting of changes.
  • Page 356 entity The entity to display, or to show details of. item The item to display or show details of. field The field to show the value of. Syntax show <optional entity> <optional item> <optional field> Context Examples using context The following examples show how the output of the show command changes in accordance with context as it may be used at the config, physif, net1 contexts: show - at the config context:
  • Page 357 show - at the physif context:
  • Page 358 show - at the net1 context: Examples using parameters The following examples show the output of the show command when used with different parameters:
  • Page 359 Config You can view the content of all configuration in JSON format. You can also view the config of a specific section of the hierarchy you are in. show-config Directed Usage You will also be able to look into config sections using the show command. For example: show auth user Will display a flat list of users.
  • Page 360: Up / Exit

    show auth user “username” Will display the configuration for the user specified. UP / EXIT / .. Description These commands allow users to traverse the configuration hierarchy. The position will move one level up in the hierarchy. If used at the root configuration level, it should trigger the exit command. Parameters No parameters.
  • Page 361 config: port port01 config(port port01): up config(port): port02 config(port port02):
  • Page 362: Config Cli Use Case Examples

    ‘//’ prefix. Where sessions continue onto the next page, this is shown with the comment "// session continues here:" # config Welcome to the Opengear interactive config shell. Type ? or help for help. // Move to the user entity config: user config(user): help add Add a new item for entity user.
  • Page 363   description // Session continues here:   enabled true   no_password          false password (required) ssh_password_enabled true username matt groups (array) // Fill out some fields config(user matt): password topsecretpassword config(user matt): description scrum master config(user matt): show Entity user item matt   description scrum master *   enabled true password...
  • Page 364: Configuring A Port

    admin myuser netgrp config(user matt groups): add admin config(user matt groups): up // Exit the groups list // Session continues here: // Show and apply config(user matt): show Entity user item matt   description scrum master *   enabled true password topsecretpassword *   ssh_password_enabled true   username            ...
  • Page 365 Names (type <name> or help <name>) ================================== USB-A USB-E USB-front-lower port03 port07 port11 port15 port19 port23 USB-B USB-F USB-front-upper port04 port08 port12 port16 port20 port24 USB-C USB-G port01          port05 port09 port13 port17 port21 USB-D USB-H port02 port06   port10 port14 port18 port22 Commands (type help <command>) ============================== exit help show up...
  • Page 366: Configure A Single Session On A Port

      parity          none   pinout          X2   stopbits        1   control_code  (object)     break a *     chooser     pmhelp     portlog     power     quit   ip_alias (array) config(port port01): apply Updating entity port item port01. config(port port01): CONFIGURE A SINGLE SESSION ON A PORT The feature is enabled by typing single_session true, then apply the change. config(port port01): single_session true config(port port01):...
  • Page 367: Create Or Configure A Loopback Interface

    CREATE OR CONFIGURE A LOOPBACK INTERFACE Loopbacks are not physical interfaces and as such cannot be attached to a firewall zone; firewall zone or policy rules must be created for whatever interface you are connecting over. Service translations can be created through the firewall/service_translation endpoint to change the source address of outbound packets to the loopback address.
  • Page 368 To add an address to a loopback interface, navigate to the conns endpoint and attach an ipv4 or ipv6 static address to the loopback (dhcp and ipv6_automatic are invalid for loopbacks): ADD AN ADDRESS IN CONFIG SHELL config: conn config(conn): add new config(conn new): mode static config(conn new): physif loop config(conn new): ipv4_static_settings...
  • Page 369: Create Source Nat Rules

    CREATE SOURCE NAT RULES Note: When referring to service translation rules, we refer to translating the source IP of traffic to a desired source IP address. To change the source address of outbound packets for a particular service, a service_translation rule must be added; see the following example: The following rule contains a list of outbound services along with the changed source address for the service packets.
  • Page 370: Rest Api

    If required, source NAT may be used for all tcp and udp traffic leaving the box by adding the service all-tcp-udp to the service list: config(firewall/service_translation 10.0.0.1): show Entity firewall/service_translation item 10.0.0.1 address 10.0.0.1 services (array) 0 all-tcp-udp Note: There must be either a static or dynamic route to the loopback address from which you are connecting to the device.
  • Page 371: Logging And Debugging

    The address can be IPv4 or IPv6 (no netmask required) and does not need to exist on the box (a warning is presented if it does not). The list of services is a list of service-name strings; each outbound service must already be defined on the box, either as a predefined firewalld service or as a custom user service.
  • Page 372: Configure Net2 Static Ipv4

    CONFIGURE NET2 STATIC IPV4
      add conn net2-static-1
        mode static
        physif net2
      conn net2-static-1 ipv4_static_settings
        address 192.168.3.58
        gateway 192.168.3.1
        netmask 255.255.255.0
    CONFIGURE NET3 STATIC IPV4 FOR OM2224-24E UNITS
      add conn net3-static-1
        mode static
        physif net3
      conn net3-static-1 ipv4_static_settings
        address 192.168.4.58
        gateway 192.168.4.1
        netmask 255.255.255.0
    CONFIGURE WIREGUARD THROUGH CONFIG SHELL
    WireGuard is configured through Config Shell (or the REST API).
  • Page 373 Set the private_key of your WireGuard interface. Add at least one address for your WireGuard interface (10.0.0.1/24 in this case). Add a peer with the following parameters: endpoint_address, endpoint_port, public_key. Add at least one allowed_ip for the peer: the WireGuard address(es) of the other interface you are connecting to (an address range is also accepted).
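    The private_key and public_key values the steps above call for are X25519 keys encoded as base64. The following Python is added here as a worked example and is not part of the Opengear guide or its software: it derives a WireGuard public key from a private key with the RFC 7748 ladder, so the pair entered on the two peers can be checked offline against the RFC's own test vectors (on a host with the WireGuard tools, `wg genkey | tee private.key | wg pubkey` does the same job). The function names are this example's own, and the curve arithmetic uses plain Python integers rather than a constant-time library, so treat it as a key checker, not a production implementation.

```python
"""X25519 (RFC 7748) in pure Python for generating and checking WireGuard keys.
Added example, not Opengear code. Use it to verify key material; it is not
constant-time and must not be used to protect live traffic."""
import base64
import os
from typing import Optional, Tuple

_P = 2**255 - 19                    # field prime for Curve25519
_A24 = 121665                       # (486662 - 2) / 4
_BASEPOINT = (9).to_bytes(32, "little")


def _clamp(k: bytes) -> int:
    """X25519 scalar clamping: clear the low 3 bits and the top bit, set bit 254."""
    b = bytearray(k)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def x25519(scalar: bytes, point: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5: scalar * point on the u-line."""
    k = _clamp(scalar)
    x1 = int.from_bytes(point, "little") & ((1 << 255) - 1)   # mask the unused top bit
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:                     # conditional swap (branching: not constant-time)
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % _P, (x2 - z2) % _P
        aa, bb = a * a % _P, b * b % _P
        e = (aa - bb) % _P
        c, d = (x3 + z3) % _P, (x3 - z3) % _P
        da, cb = d * a % _P, c * b % _P
        x3 = (da + cb) * (da + cb) % _P
        z3 = x1 * ((da - cb) * (da - cb)) % _P
        x2 = aa * bb % _P
        z2 = e * (aa + _A24 * e) % _P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, _P - 2, _P) % _P).to_bytes(32, "little")


def generate_keypair(private: Optional[bytes] = None) -> Tuple[str, str]:
    """Return (private_key, public_key) as the base64 strings WireGuard expects.
    A fresh 32-byte private key comes from os.urandom when none is supplied."""
    if private is None:
        private = os.urandom(32)
    if len(private) != 32:
        raise ValueError("WireGuard private keys are exactly 32 bytes")
    public = x25519(private, _BASEPOINT)
    return base64.b64encode(private).decode(), base64.b64encode(public).decode()


def public_key_of(private_b64: str) -> str:
    """Recompute public_key from a base64 private_key, e.g. to confirm what the
    remote peer entry should contain for this interface."""
    return generate_keypair(base64.b64decode(private_b64))[1]


def shared_secret(private_b64: str, peer_public_b64: str) -> bytes:
    """Raw X25519 agreement both sides must reach (WireGuard feeds it into its handshake)."""
    return x25519(base64.b64decode(private_b64), base64.b64decode(peer_public_b64))


if __name__ == "__main__":
    priv, pub = generate_keypair()
    print("private_key", priv)
    print("public_key ", pub)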
  • Page 374: Root User Password - Cleartext

    ROOT USER PASSWORD - CLEARTEXT
      edit user root password newpassword
    ROOT USER PASSWORD - PASSWORD VIA SHA256
      openssl passwd -5 password
    Note: This operation is not available in Config Shell. openssl passwd -5 prints a salted sha256-crypt hash (it begins with $5$), so the cleartext password itself is not what you paste into the configuration.
    DEFINE PASSWORD COMPLEXITY RULES
      edit local_password_policy
        password_complexity_enabled true
        password_expiry_interval_enabled true
      edit local_password_policy
        password_disallow_username true
        password_must_contain_number true
        password_must_contain_special true...
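    openssl passwd -5 produces a sha256-crypt hash, the $5$ scheme from glibc's crypt(3). The Python below is added as a worked example and is not Opengear code: it implements that scheme so a hash can be generated or verified offline, for instance to confirm that a hash about to be pasted into the configuration really corresponds to the intended password, and it checks itself against the reference vector published with the algorithm. The function names are this example's own.

```python
"""sha256-crypt ($5$) as printed by `openssl passwd -5`, in pure Python.
Added example, not Opengear code: generate or verify hashes offline."""
import hashlib
import hmac
import secrets

_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_DEFAULT_ROUNDS = 5000
# Byte permutation applied to the final digest before encoding: ten triples
# give 4 characters each, the two remaining bytes give 3 (43 characters total).
_ORDER = ((0, 10, 20), (21, 1, 11), (12, 22, 2), (3, 13, 23), (24, 4, 14),
          (15, 25, 5), (6, 16, 26), (27, 7, 17), (18, 28, 8), (9, 19, 29))


def _b64_from_24bit(b2: int, b1: int, b0: int, n: int) -> str:
    """crypt(3)'s little-endian 6-bit encoding: n characters from a 24-bit word."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = ""
    for _ in range(n):
        out += _B64[w & 0x3F]
        w >>= 6
    return out


def sha256_crypt(password: bytes, salt: bytes, rounds: int = _DEFAULT_ROUNDS) -> str:
    """Return the $5$ hash string for password/salt (salt is at most 16 characters)."""
    salt = salt[:16]
    rounds = max(1000, min(rounds, 999_999_999))
    n = len(password)
    # Digest B = H(pw || salt || pw) is folded into digest A together with the password,
    # once per 32 bytes of password length and then once per set bit of that length.
    digest_b = hashlib.sha256(password + salt + password).digest()
    ctx = hashlib.sha256(password + salt)
    ctx.update(digest_b * (n // 32) + digest_b[: n % 32])
    bits = n
    while bits:
        ctx.update(digest_b if bits & 1 else password)
        bits >>= 1
    digest_a = ctx.digest()
    # P and S: password and salt stretched to their own lengths through a hash.
    p_bytes = (hashlib.sha256(password * n).digest() * (n // 32 + 1))[:n]
    ds = hashlib.sha256(salt * (16 + digest_a[0])).digest()
    s_bytes = (ds * (len(salt) // 32 + 1))[: len(salt)]
    # The cost loop: what gets hashed alternates by round so it cannot be short-cut.
    c = digest_a
    for i in range(rounds):
        h = hashlib.sha256(p_bytes if i & 1 else c)
        if i % 3:
            h.update(s_bytes)
        if i % 7:
            h.update(p_bytes)
        h.update(c if i & 1 else p_bytes)
        c = h.digest()
    encoded = "".join(_b64_from_24bit(c[x], c[y], c[z], 4) for x, y, z in _ORDER)
    encoded += _b64_from_24bit(0, c[31], c[30], 3)
    prefix = "$5$" if rounds == _DEFAULT_ROUNDS else f"$5$rounds={rounds}$"
    return prefix + salt.decode() + "$" + encoded


def make_hash(password: str, rounds: int = _DEFAULT_ROUNDS) -> str:
    """Hash with a fresh random 16-character salt, as `openssl passwd -5` does."""
    salt = "".join(secrets.choice(_B64) for _ in range(16))
    return sha256_crypt(password.encode(), salt.encode(), rounds)


def verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored $5$[rounds=N$]salt$hash string."""
    parts = stored.split("$")
    if len(parts) < 4 or parts[0] != "" or parts[1] != "5":
        return False
    rounds = _DEFAULT_ROUNDS
    if parts[2].startswith("rounds="):
        if not parts[2][7:].isdigit():
            return False
        rounds = int(parts[2][7:])
        parts = [parts[0], parts[1]] + parts[3:]
    if len(parts) != 4:
        return False
    salt, expected = parts[2], parts[3]
    candidate = sha256_crypt(password.encode(), salt.encode(), rounds).rsplit("$", 1)[1]
    return hmac.compare_digest(candidate, expected)   # constant-time compare


if __name__ == "__main__":
    # Reference vector shipped with the algorithm specification.
    print(sha256_crypt(b"Hello world!", b"saltstring"))
    print(make_hash("example-only"))
```

    The reference vector for "Hello world!" with salt "saltstring" is $5$saltstring$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5; a hash that does not verify against the password you think it encodes should never reach the device.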
  • Page 375: Contact Info

    CONTACT INFO
      edit system/admin_info
        contact "fred.bloggs@opengear.com"
        hostname "om2216-l.lab"
        location "Happy Valley Lab"
    TIME ZONE AND NTP
      edit system/timezone timezone "America/New_York"
      edit services/ntp enabled true
      services/ntp servers
        add
        value "74.207.242.234"
    Config CLI Use Case Examples 24.11.3...
  • Page 376: Create Admin User

    CREATE ADMIN USER
      add user admin
        description "admin"
        enabled true
        no_password false
        password "password"
      user admin groups
        add "admin"
    CREATE BREAKGLASS USER (BELONGS TO NETGRP)
      add user breakglass
        description "breakglass"
        enabled true
        no_password false
        password "password"
      user breakglass groups
        add "netgrp"
  • Page 377: Enable Netgrp - Set To Consoleuser

    ENABLE NETGRP - SET TO CONSOLEUSER
      edit group netgrp enabled true
      group netgrp ports
        add port01
        add port02
        add port03
        add port04
      group netgrp access_rights
        add web_ui
        add pmshell
        delete admin
    CHANGE SSH DELIMITER TO : (DEFAULT IS +)
      edit services/ssh ssh_url_delimiter ":"
    CHANGE PORT LABELS
      edit port port01 label "cisco1"...
  • Page 378: Enable Tacacs - Set Mode To Remotelocal

    ENABLE TACACS - SET MODE TO REMOTELOCAL
      edit auth mode "tacacs"
      edit auth
        tacacsMethod "pap"
        tacacsPassword "tac_tests"
        policy "remotelocal"
        tacacsService "raccess"
      auth tacacsAuthenticationServers
        add
        hostname "192.168.2.220"
        port 49
    ENABLE LLDP ON NET1 & NET2
      edit services/lldp enabled true
      services/lldp physifs
        add "net1"...
  • Page 379: Enable Boot Messages

    ENABLE BOOT MESSAGES
    Displays on the local console port.
      edit managementport ttyS0 kerneldebug true
    DEFINE SESSION TIMEOUTS
      edit system/session_timeout
        cli_timeout 100
        serial_port_timeout 100
        webui_timeout 100
    Note: The inactivity timer starts only after you exit Config Shell, i.e. it begins counting once you have left config and are at the bash command prompt.
    DEFINE MOTD
    Enter the banner text within quotation marks.
  • Page 380: Enable Simm 1 Complete End Points

    ENABLE SIM 1 - COMPLETE ENDPOINTS
      edit physif wwan0 enabled true
      physif wwan0 cellular_setting
        active_sim 1
        apn hologram
        iptype IPv4v6
        sim_failback_disconnect_mode ping
        sim_failback_policy never
        sim_failover_disconnect_mode ping
        sim_failover_policy never
      physif wwan0 cellular_setting sims 0
        fail_probe_address 8.8.8.8
        fail_probe_count 3
        fail_probe_interval 600
        fail_probe_threshold 1
        failback_delay 60
        iptype "IPv4v6"...
  • Page 381: Enable Failover

        iptype IPv4v6
        slot 2
    ENABLE FAILOVER
      edit failover/settings
        enabled true
        probe_address 192.168.2.1
        probe_physif net1
    ADD A SYSLOG SERVER
      services/syslog_server
        add server1
        address 192.168.34.113
        protocol TCP
        port 610
        description "my syslog server"
    Add Five Syslog Servers
    Note: Due to page width limitations, in the following example some command lines break over two lines.
  • Page 382: Set Port Logging Remote Syslog Settings

        port 514
        port_logging_enabled true
        protocol UDP
      add services/syslog_server server3
        address 192.168.34.116
        min_severity info
        port 514
        port_logging_enabled true
        protocol UDP
      add services/syslog_server server4
        address 192.168.128.1
        description "lighthouse-remote-syslog"
        min_severity info
        port 514
        port_logging_enabled true
        protocol UDP
    Syslog over UDP is best-effort: messages can be dropped without any indication, so where the port logs serve as an audit record prefer the TCP transport shown for server1.
    SET PORT LOGGING REMOTE SYSLOG SETTINGS
      edit logs/portlog_settings
        facility daemon
        severity info
  • Page 383: Enable System Monitor Snmp Traps

    ENABLE SYSTEM MONITOR SNMP TRAPS
      monitoring/alerts/power power_supply_voltage_alert
        millivolt_lower 11000
        millivolt_upper 13000
        snmp
          enabled true
        up
      monitoring/alerts/networking cell_signal_strength_alert
        enabled true
        threshold_lower 33
        threshold_upper 66
      monitoring/alerts/system
        authentication_alert
          enabled true
        up
        config_change_alert
          enabled true
        up
        temperature_alert
          enabled true
          threshold_lower 35
          threshold_upper 67
        up
  • Page 384: Enable Snmp V2 Service For Polling

    ENABLE SNMP V2 SERVICE FOR POLLING
      edit services/snmpd
        enable_legacy_versions true
        enable_secure_snmp false
        enabled true
        port 161
        protocol UDP
      edit services/snmpd rocommunity "TkcxJAAAABBfDsigaxdDf7whb3sxKQKnjtCuuy/0COC6rE3lUu9ghg=="
    The v1/v2c protocols enabled here authenticate with nothing more than a community string that crosses the network in cleartext, so anyone who can sniff or guess it can poll the device: restrict UDP/161 to the monitoring hosts with a firewall rule, and keep the SNMPv3 service enabled wherever the poller supports it.
    ENABLE 2 SNMP TRAPS AND TRAP SERVERS
    Note: Due to page width limitations, in the following example some command lines break over two lines.
  • Page 385: Create A Static Route

    CREATE A STATIC ROUTE
    Note: Due to page width limitations, in the following example some command lines break over two lines.
      add static_route "static route test"
        destination_address 10.0.0.0
        destination_netmask 8
        interface net2
    EDIT LAN (NET2) FIREWALL ZONE (allow only source address traffic)
      firewall/zone lan custom_rules
        add
          description "source_net4-1"...
  • Page 386: Custom_Rule Example For Port And Protocol

      firewall/zone wan custom_rules
        add
          description "source_net4-1"
          rule_content "rule family=ipv4 source address=192.168.2.0/24 accept"
        up
        add
          description "source_net4-2"
          rule_content "rule family=ipv4 source address=192.168.4.0/24 accept"
        up
    A firewalld rich rule with only a source address and accept admits every port and protocol from that network into the zone; to admit only what is needed, add a service or port element (for example port port=22 protocol=tcp) before accept, or reference a custom service such as the one defined next.
    CUSTOM_RULE EXAMPLE FOR PORT AND PROTOCOL
      add firewall/service myports label "My Serial Ports"
      firewall/service myports
        add
          port 3001
          protocol tcp
        up
        apply...
  • Page 387: Enroll Into Lighthouse

        up
      up
    ENROLL INTO LIGHTHOUSE
      add lighthouse_enrollment lh1
        address 2.21.99.188
        bundle om2216-l
        token password
  • Page 388: How Changes Are Applied Or Discarded

    HOW CHANGES ARE APPLIED OR DISCARDED When fields and entities are changed, the changes are not immediately applied to the system configuration but remain in a staged state. Staged items are marked with an '*' (asterisk) when the 'show' command is used. In addition, the 'changes'...
  • Page 389 When changes have been made to one or more entities, the following commands become available. They are described in detail in the Config CLI Commands section:
      changes   Show staged changes on all entities.
      apply     Apply changes only on the current entity.
      discard   Discard changes only on the current entity.
  • Page 390
      groups (array)
      config(user john): changes
      Entity user item john (edit)
        description Scrum Master
      config(user john):
    How Changes Are Applied or Discarded 24.11.3...
  • Page 391: Multi-Field Updates

    MULTI-FIELD UPDATES DESCRIPTION Within Config Shell, it is possible to update multiple fields with one command line. This is restricted to 'flat' fields within the current context, i.e. arrays and sub-objects cannot currently be updated in one command line. For example, the following port fields can all be changed in a single command: baudrate, databits, escape_char, label, logging_level, mode, parity, pinout and stopbits.
  • Page 392: Error Messages

      config(port port01 ip_alias 1): up
      config(port port01 ip_alias): up
      config(port port01): changes
      Entity port item port01 (edit)
        control_code (object)
          break b
          chooser c
        ip_alias (array)
          1 (object)
            interface net1
            ipaddress 10.83.0.6/24
      config(port port01):
    If certain fields are hidden and only become visible after other fields have been configured, those hidden fields need to be set on a separate command line.
  • Page 393 staged changes will not be affected. In the following example, the user description was previously changed to "my user":
      config(user consoleuser): show
      Entity user item consoleuser
        description my user *
        enabled true
        no_password false
        password ""
        ssh_password_enabled true
        groups (array)
          0 consoleuser
    If a bad field name or value is supplied on the command line, the existing staged value is retained.
  • Page 394
        ssh_password_enabled true
        groups (array)
          0 consoleuser
    The bad value is reported by an error message indicating the type of value that was expected:
      config(user consoleuser): description "My console user" enabled bad
      Value bad for field enabled cannot be parsed as a boolean.
      config(user consoleuser): show
      Entity user item consoleuser
        description my user *...
  • Page 395: Error Messages

    ERROR MESSAGES When an error is made on the command line, an error message identifying the error is returned. For example, if the first token of the command is mistyped, the unknown command message is displayed:
      config: usear root
      There is no command usear root.
  • Page 396: String Values In Config Commands

    STRING VALUES IN CONFIG COMMANDS DESCRIPTION The syntax for string values has changed. It was previously possible to enter values containing spaces without quotes; because multiple fields can now be assigned in one command line, quotes are required to keep a field's value together. EXAMPLE The following example shows setting multiple fields where the value of the description contains spaces.
  • Page 397: Error Messages

    If the value itself must contain quotes, there is a triple-quote form for entering string values:
      config(user consoleuser): description """My "console" user""" enabled true
      config(user consoleuser): changes
      Entity user item consoleuser (edit)
        description My "console" user
        enabled true
    The triple-quoted string is also used for entering multi-line strings:
      config(system/banner): banner """...
  • Page 398: Opengear Cli Guide

    OPENGEAR CLI GUIDE The ogcli command line tool is used for getting and setting configuration, and for retrieving device state and information. The purpose of ogcli is to perform a single operation and exit. Operations act on a single entity, a list of entities, or all entities.
  • Page 399 A description and example usage of a specific ogcli operation.
      ogcli help <entity>   A description of a specific entity and the operations it supports.
      ogcli help <entity>   An example of how to perform a specific operation <operation> on a specific entity.
    Opengear CLI Guide 24.11.3...
  • Page 400: Basic Syntax

      Show additions, removals, changes and functional differences between the input and running configurations. See also config diff.
      Retrieve a list or single item.
      help     Display ogcli help.
      import   Import system configuration, merging with the current system configuration.
  • Page 401: Supplying Data To Ogcli

    HERE DOCUMENT A here document (heredoc) is a form of input redirection that allows multiple lines of input to be passed to a command. It takes the following form:
      ogcli [command] << 'DELIMITER'
      HEREDOC
      DELIMITER
  • Page 402: Inline Arguments

    The data can also be entered via stdin by piping it to the ogcli command:
      echo 'enabled=true description="operator"' | ogcli update user <username>
    Alternatively, you can provide a file via input redirection with <:
      echo 'enabled=true description="operator"' > partial_record
  • Page 403: Quoting String Values

    When entering the start of a command, press the <tab> key to complete the phrase to the nearest match. If there are multiple matches, all options are displayed for reference.
  • Page 404: Displaying Secrets In Ogcli

    This behavior can be overridden to display sensitive fields in cleartext, obfuscated form, or masked form using the --secrets option. The cleartext and obfuscated forms are also accepted when supplying a sensitive field.
      # ogcli --secrets=cleartext get snmpd
      auth_password="my_secret"
  • Page 405: Common Configuration Examples

    UPDATE ITEM WITH FIELD WHERE VALUE IS A STRING
      ogcli update user <username> description=\"operator\"
    UPDATE ITEM WITH FIELD WHERE VALUE IS NOT A STRING (for example, a numeric or boolean value)
      ogcli update user <username> enabled=true
  • Page 406: Compare Current Configuration With A Proposed Configuration

    <file_path> COMPARE CURRENT CONFIGURATION WITH A PROPOSED CONFIGURATION The updated ogcli diff tool lets you compare a proposed configuration with the existing one so that you can see every prospective change before importing it. The diff compares the active configuration with an input configuration file, which must be in the format of an export file produced by either config export <template-file>...
  • Page 407 (+). For example, the new_user user does not exist in the active configuration but is present in the input file supplied. If the input file were imported, this user would be added.
      ogcli --secrets=obfuscate merge users <<'END'
      + users[1].enabled=true
      + users[1].groups[0]="admin"
      + users[1].no_password=false
      + users[1].ssh_password_enabled=true
      + users[1].username="new_user"
  • Page 408 If the input configuration file is missing properties or sections of configuration, the diff function instead considers the differences between the active configuration and the default values for those properties. In practice this means a partial file produces diff lines for settings it never mentions: a hardened value that is absent from the file shows up as a change back to its default, so review every line of the output, not just the additions. Missing sections or properties from the input
  • Page 409 Type ogcli diff --help for more information. This behaviour is the same for config:
      root@om2248:~# config --secrets=cleartext export config_file
      root@om2248:~# config --secrets=cleartext diff config_file
      root@om2248:~# config --secrets=mask diff config_file
      The secrets flag provided doesn't match the flag in the proposed
  • Page 410 Comments must start with #; they are ignored by the diff tool. See also "diff" on page 343.
    ENABLE LOCAL CONSOLE BOOT MESSAGES
      ogcli get managementports
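    To make the record syntax and the defaults rule concrete, here is a Python model added as an example; it is not Opengear's implementation of ogcli and does not talk to a device. It parses the key=value records ogcli accepts in a heredoc, on stdin or inline (double-quoted strings with backslash escapes, dotted paths, [index] array elements, # comment lines) into flat paths, then diffs a proposed file against an active configuration, substituting the default for any property the file omits, exactly the case the diff section warns about. The active configuration, defaults and proposed file are constructed for the example; the ~ and - markers are this example's notation (the guide shows only +).

```python
"""Model of ogcli record parsing and configuration diff with default fallback.
Added example, not Opengear code; all data below is constructed."""
import re
from typing import Dict, List, Optional, Tuple, Union

Value = Union[str, bool, int]
Change = Tuple[str, str, Optional[Value], Optional[Value]]   # marker, key, old, new

# key=value where value is a double-quoted string (backslash escapes allowed)
# or a bare token; several pairs may share one line, as in the inline form.
_PAIR = re.compile(r'([A-Za-z0-9_./\[\]-]+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_value(token: str) -> Value:
    """Quoted tokens are strings; bare true/false and integers are typed."""
    if token.startswith('"'):
        return re.sub(r"\\(.)", r"\1", token[1:-1])
    if token in ("true", "false"):
        return token == "true"
    if re.fullmatch(r"-?\d+", token):
        return int(token)
    return token


def parse_records(text: str) -> Dict[str, Value]:
    """Flatten ogcli-style input to {path: value}; blank and '#' lines are skipped."""
    out: Dict[str, Value] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for key, token in _PAIR.findall(line):
            out[key] = parse_value(token)
    return out


def diff_config(active: Dict[str, Value], proposed: Dict[str, Value],
                defaults: Dict[str, Value]) -> List[Change]:
    """'+' only in proposed, '-' only in active with no default, '~' value differs.
    A key absent from proposed is compared against its default, not ignored."""
    changes: List[Change] = []
    for key in sorted(set(active) | set(proposed)):
        if key in proposed:
            if key not in active:
                changes.append(("+", key, None, proposed[key]))
            elif active[key] != proposed[key]:
                changes.append(("~", key, active[key], proposed[key]))
        elif key in defaults:
            if active[key] != defaults[key]:
                changes.append(("~", key, active[key], defaults[key]))
        else:
            changes.append(("-", key, active[key], None))
    return changes


def render(changes: List[Change]) -> str:
    lines = []
    for marker, key, old, new in changes:
        if marker == "+":
            lines.append(f"+ {key}={new!r}")
        elif marker == "-":
            lines.append(f"- {key}={old!r}")
        else:
            lines.append(f"~ {key}={old!r} -> {new!r}")
    return "\n".join(lines)


# Constructed sample data (not exported from a device). The active config has
# password complexity switched on; the partial file below never mentions it.
ACTIVE = parse_records("""
users[0].username="root"
users[0].enabled=true
services/ssh.enabled=true
services/ssh.port=22
local_password_policy.password_complexity_enabled=true
""")
DEFAULTS: Dict[str, Value] = {          # assumed defaults for the example only
    "services/ssh.enabled": True,
    "services/ssh.port": 22,
    "local_password_policy.password_complexity_enabled": False,
}
PROPOSED_FILE = """
# operator intent: add one user and move SSH to port 2222
users[0].username="root"
users[0].enabled=true
users[1].username="new_user"
users[1].description="Ada \\"Lovelace\\""
users[1].enabled=true
users[1].groups[0]="admin"
services/ssh.enabled=true
services/ssh.port=2222
"""


def review_import(proposed_text: str = PROPOSED_FILE) -> List[Change]:
    """Diff a proposed file against ACTIVE; the first '~' line is the password
    policy reverting to its default because the file omits it."""
    return diff_config(ACTIVE, parse_records(proposed_text), DEFAULTS)


if __name__ == "__main__":
    print(render(review_import()))
```

    Running it lists the intended SSH port change and the four new_user additions, but the first line is the password-complexity setting going from True to False even though the operator never touched it, which is the reason to read a diff of a partial file in full before importing.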
  • Page 411 CHANGE ROOT PASSWORD
      ogcli update user root password=\"oursecret\"
    CREATE NEW ADMINISTRATIVE USER
      ogcli create user << 'END'
      username="adal"
      description="Ada Lovelace"
      enabled=true
      no_password=false
      groups[0]="groups-1"
      password="oursecret"
    MANUALLY SET DATE AND TIME
      ogcli update system/timezone timezone=\"America/New_York\"
  • Page 412
      << 'END'
      enabled=true
      servers[0].value="0.au.pool.ntp.org"
    UPDATE SYSTEM HOSTNAME
      ogcli update hostname hostname=\"system-hostname\"
    ADJUST SESSION TIMEOUTS
      ogcli update system/cli_session_timeout timeout=180
      ogcli update system/webui_session_timeout timeout=180
    SETUP REMOTE AUTHENTICATION WITH TACACS+
      ogcli update auth << 'END'
      mode="tacacs"
      tacacsAuthenticationServers[0].hostname="192.168.250.21"
      tacacsMethod="pap"
      tacacsPassword="tackey"
  • Page 413 CREATE USER GROUP WITH LIMITED ACCESS TO SERIAL PORTS
      ogcli create group << 'END'
      description="Console Operators"
      groupname="operators"
      role="ConsoleUser"
      mode="scoped"
      ports[0]="ports-10"
      ports[1]="ports-11"
      ports[2]="ports-12"
    VIEW AND CONFIGURE NETWORK CONNECTIONS
      ogcli get conns
      ogcli get conn system_net_conns-1
      ogcli update conn system_net_conns-1 ipv4_static_settings.address=\"192.168.0.3\"
  • Page 414: Configure A Dns

    (FQDN). When an interface is added to a bond or bridge, it uses the DNS configuration of the aggregate interface. Note: Interfaces must have at least one network connection to be able to perform DNS resolution.
  • Page 415
      "net1" << END
      dns.nameservers[0]="1.1.1.1"
      dns.nameservers[1]="1.0.0.1"
      dns.search_domains[0]="example.net"
      dns.search_domains[1]="example.com"
    Check the unbound service status:
      systemctl status unbound.service
    List the forward-zones in use:
      unbound-control list_forwards
    CONFIGURE SERIAL PORTS
      ogcli get ports
      ogcli get ports | grep label
      ogcli get port ports-1
  • Page 416 ENABLE CELLULAR MODEM INTERFACE
      ogcli get physifs
      ogcli update physif wwan0 << 'END'
      enabled=true
      physif.cellular_setting.apn="broadband"
      physif.cellular_setting.iptype="IPv4v6"
    DISABLE CELLULAR MODEM INTERFACE
      ogcli update physif wwan0 enabled=false
  • Page 417: Advanced Portmanager Pmshell Guide

    ADVANCED PORTMANAGER PMSHELL GUIDE The Portmanager program allows you to access any serial port on the console server using pmshell commands. It:
      routes network connections to serial ports;
      checks permissions;
      monitors and logs all data flowing to and from the ports;
      allows you to run power commands if the serial port is associated with a PDU outlet.
  • Page 418 Options (Name / Result) The Single Session feature can be enabled or disabled by editing the single_session field of a given port. When a user with port-level administration access is logged in via pmshell, the port configuration menu can be reached from any port by pressing the escape character (~ by default) followed by c (~c).
  • Page 419: Custom Control Codes For Serial Ports

    CUSTOM CONTROL CODES FOR SERIAL PORTS Custom control codes can be defined for ease of use per port or can be applied to all ports. For example, users could define a different Power Menu control code for every port, while having a single control code for View History that applies to all ports.
  • Page 420: Configure Control Codes For A Specified Port (Cli Examples)

    CONFIGURE CONTROL CODES FOR A SPECIFIED PORT (CLI EXAMPLES)
    Set control codes for a given port. In this example, the user sets multiple control codes for port 2:
      ogcli update port port02 << 'END'
      control_code.break="b"
      control_code.chooser="c"...
  • Page 421: Configure A Control Code Value For All Ports

    CONFIGURE A CONTROL CODE VALUE FOR ALL PORTS To set a particular control code to one value across all serial ports, Admin users can use the script set-serial-control-codes from the CLI as follows:
      set-serial-control-codes CONTROL_CODE KEY
    where CONTROL_CODE must be one of the following values: break, chooser, pmhelp, portlog, power or quit.
  • Page 422 DOCKER Docker is a tool designed to make it easier to create, deploy, and run applications by distributing them in containers. Developers can use containers to package up an application with all of the parts it needs, like libraries and dependencies, and then ship it out as one package.
  • Page 423 CRON The cron service can be used to run scheduled jobs. The daemon is managed via the /etc/init.d/crond interface, and cron tables are managed via crontab. Crontab supports:
      Usage: crontab [options] file
             crontab [options]
             crontab -n [hostname]
      OPTIONS:
        -u <user>   define user
        -e          ...
  • Page 424 cron does not need to be restarted when a crontab file is modified; it examines the modification time of all crontabs and reloads those that have changed.
    To check the current crond status:
      /etc/init.d/crond status
    To list all entries in the current user's crontab:
      crontab -l
    To edit or create a custom crontab file:
      crontab -e...
  • Page 425 INITIAL PROVISIONING VIA USB KEY Also known as "ZTP over USB", this feature allows an unconfigured (factory-erased) unit to be provisioned from a USB storage device such as a thumb drive. The USB device must contain a filesystem recognized by the OM (currently FAT32 or ext4) with a file named manifest.og in its root directory.
  • Page 426 EULA AND GPL The current Opengear End-User License Agreement and the GPL can be found at http://opengear.com/eula. EULA and GPL 24.11.3...
  • Page 427 UI BUTTON DEFINITIONS The table below defines the button icons used in the UI.
      Edit buttons
      Add item (e.g. SNMP Manager)
      VLAN interface or create VLAN interface
      Bonded interfaces or create new bond
      Bridged interfaces or create new bridge
      Standard network interface
      Cellular interface
    UI Button Definitions
  • Page 428
      Interface with bridge
      Interface with bond
      Bin widget: delete the selected object

This manual is also suitable for:

Om1200
