Disclaimer: The information in this document is subject to change without notice. Clavister makes no representations or warranties with respect to the contents hereof and specifically disclaims any implied warranties of merchantability or fitness for a particular purpose. Clavister reserves the right to revise this publication and to make changes from time to time in the content hereof without any obligation to notify any person or parties of such revision or changes.
The target audience for this guide is the administrator who has taken delivery of a packaged Clavister E7 appliance and is setting it up for the first time. The guide takes the user from unpacking and installation of the device through to power-up, including network connections and initial cOS Core configuration.
Where a "See section" link is provided in the main text, this can be clicked on to take the reader directly to that reference. For example, see Section 3.6, “Setup Troubleshooting”. Web links: Web links included in the document are clickable. For example, http://www.clavister.com. Trademarks: Certain names in this publication are the trademarks of their respective owners.
• Power cable and power supply. • USB memory stick containing documentation. Note: Missing items. If any items are missing from your package, please contact your reseller or distributor. All documentation can be freely downloaded in PDF format from the Clavister website.
Chapter 1: Product Overview. End of Life Treatment: The E7 appliance is marked with the European Waste Electrical and Electronic Equipment (WEEE) directive symbol which is shown below. The product, and any of its parts, should not be disposed of by means of regular refuse disposal. At end-of-life, the product and parts should be given to an appropriate service that deals with the removal of such specialist materials.
1.2. Interfaces and Ports. This section is an overview of the E7 product's external design. Figure 1.2. Clavister E7 Connection Ports. The E7 features the following connection ports on the front panel: • On the left there is a set of RJ45 Gigabit Ethernet interfaces which are numbered 1 to 8. All 8 interfaces are connected together by a common switch fabric and share the single logical cOS Core interface name GESW.
without affecting cOS Core performance. This feature is referred to as Port Based VLAN and is described in more detail in Appendix C, Port Based VLAN Setup. Ethernet Interface Status LEDs: On the E7 there are indicator lights at the top left and top right of each interface which illuminate according to link status and activity.
• Connecting Power, page 21 • Resetting to Factory Defaults, page 22. 2.1. Installation Guidelines. Follow these guidelines when installing your Clavister E7 appliance: • Safety: Take notice of the safety guidelines laid out in Chapter 5, Safety Precautions. These are specified in multiple languages.
Chapter 2: Installation. ratings of all devices installed on the same circuit as the appliance and compare the total with the rating limit for the circuit. The maximum ratings for the E7 are listed in Appendix A, Specifications. • Surge Protection: A third party surge protection device should be considered and is strongly recommended as a means to prevent electrical surges reaching the appliance.
2.2. Rack Mounting. An optional Rack Mount Kit is available for the E7 that is suitable for mounting the product in a 19 inch rack. This must be ordered as a separate product and is not included as standard. Included with the kit is the following: •...
Take a hex screwdriver and secure the bracket by screwing in the 2 preinstalled screws. These screws will engage with the corners of the fan vents. Take the second bracket without the PSU space and attach it to the other side of the E7, furthest from the power inlet, in the same way.
Finally, plug the PSU power cord into the E7 power inlet. The E7 with the attached mounting bracket is now ready to be mounted in a rack. Following mounting, a power cable can be plugged into the E7 PSU.
2.3. RJ45 Console Port Connection. On the first generation of the E7 appliance, the serial console port is a physical RJ45 RS-232 port on the front panel of the hardware. The second generation of E7 provides a micro-USB port instead and connection with this is described in Section 2.4, “Micro-USB Console Port Connection”.
• An RS-232 cable with appropriate terminating connectors. The E7 package includes an RS-232 null-modem cable. Connection Steps: To connect a terminal to the console port, follow these steps: Check that the console connection settings are configured as described above. Connect one of the connectors on the RS-232 cable directly to the console port on the E7.
2.4. Micro-USB Console Port Connection. On the second generation of the E7 appliance, the console port is a physical micro-USB port on the front panel of the hardware. This port allows direct management connection to the appliance from a separate computer running console emulation software.
Connection Using SSH: An alternative to using the console port for CLI access is to connect via a physical Ethernet interface and use a Secure Shell (SSH) client on the management workstation to issue CLI commands. This is discussed further in Section 3.1, “Management Workstation Connection”. Note: Setting a console password is recommended. A console password need not be set.
2.5. Connecting Power. This section describes connecting power. As soon as power is applied, the E7 will boot up and cOS Core will start. Important: Please review the electrical safety information in Chapter 5, Safety Precautions. Connecting AC Power: To connect power, follow these steps: Plug the end of the power adapter's power cord into the power receptacle on the E7.
2.6. Resetting to Factory Defaults. In some circumstances, it may be necessary to reset the E7 hardware to the state it was in when it left the factory. This is known as a reset to factory defaults. Resetting the E7: The E7 does not provide a hardware reset button on the unit itself.
It is assumed that the E7 unit is now unpacked, positioned and that power is applied. If not, the earlier chapters in this manual should be referred to before continuing. Clavister's cOS Core network security operating system is preloaded on the E7 and will automatically boot up after power is applied. An external management computer workstation can now be used to configure cOS Core.
Chapter 3: cOS Core Configuration • Through a web browser. A standard web browser running on a standalone computer (also referred to as the management workstation) can be used to access the cOS Core Web Interface. This provides an intuitive graphical interface for cOS Core management. When this interface is accessed for the first time, a setup wizard runs automatically to guide a new user through key setup steps.
The default management Ethernet interface for the E7 is any of the GESW interfaces (the first is normally used) and this should be connected to the same network as the management workstation (or a network accessible from the workstation via one or more switches). Typically, the connection is made via a switch in the network, as shown in the illustration above, using regular Ethernet cables.
3.2. Web Interface and Wizard Setup. This chapter describes the setup when accessing cOS Core for the first time through a web browser. The user interface accessed in this way is called the Web Interface. It assumes that a physical network connection has been set up from a management computer to the default management Ethernet interface as described in Section 3.1, “Management Workstation Connection”.
It is possible to configure cOS Core to use a CA signed certificate instead of a self-signed certificate for the management login, and doing this is described in the cOS Core Administration Guide. The Login Dialog: cOS Core will next respond like a web server with the initial login dialog page as shown below.
the Clavister Security Gateway is being used in Transparent Mode between two internal networks, then the configuration setup is best done with individual Web Interface steps or through the CLI instead of through the wizard.
Wizard step 3: Select the WAN interface. Next, you will be asked for the WAN interface that will be used to connect to an ISP for Internet access. Wizard step 4: Select the WAN interface settings. This step selects how the WAN connection to the Internet will function.
These four different connection options are discussed next in the subsections 4A to 4D that follow. • 4A. Static - manual configuration: Information supplied by the ISP should be entered in the next wizard screen. All fields need to be entered except for the Secondary DNS server field.
DNS servers are set automatically after connection with PPTP. Wizard step 5: DHCP server settings. If the Clavister Security Gateway is to function as a DHCP server, it can be enabled here in the wizard on a particular interface or configured later.
Wizard step 6: Helper server settings. Optional NTP and Syslog servers can be enabled here in the wizard or configured later. Network Time Protocol servers keep the system date and time accurate. Syslog servers can be used to receive and store log messages sent by cOS Core.
Wizard step 8: License Activation. This optional step is to install a license which is fetched from the Clavister website. Internet access will have been set up in previous wizard steps for this option to function. The only input required is a customer username and password.
Core. Ethernet Interfaces: The physical connection of external networks to the Clavister Security Gateway is through the various Ethernet interfaces which are provided by the hardware platform. On first-time startup, cOS Core scans for these interfaces and determines which are available and allocates their names.
shown below. Note: The time server URL requires the "dns:" prefix. When specifying a URL in cOS Core for the time server, the URL must have the prefix "dns:". Once the values are set correctly, we can press the OK button to save the values while we move on to more steps in cOS Core configuration.
Reconfiguration is a process that the cOS Core administrator may initiate often. Normally, reconfiguration takes a brief amount of time and causes only a slight delay in traffic throughput. Active user connections through the Clavister Security Gateway should rarely be lost. Tip: How frequently to commit configuration changes. It is up to the administrator to decide how many changes to make before activating a new configuration.
IPv4 address 10.5.4.1. The ISP's gateway is the first router hop towards the public Internet from the Clavister Security Gateway. Go to Objects > Address Book in the Web Interface. The current contents of the address book will be listed and will contain a number of predefined objects created by cOS Core after it scans the interfaces for the first time.
By default on initial startup, two IPv4 address objects are created automatically for each interface detected by cOS Core. One IPv4 address object is named by combining the physical interface name with the suffix "_ip" and this is used for the IPv4 address assigned to that interface. The other address object is named by combining the interface name with the suffix "_net"...
At this point, the connection to the Internet is configured but no traffic can flow to or from the Internet since all traffic needs a minimum of the following two cOS Core configuration objects to exist before it can flow through the Clavister Security Gateway: •...
The empty main IP rule set will now appear. Press the Add button at the top left and select IP Rule from the menu. The properties for the new IP rule will appear. In this example, we will call the rule lan_to_wan. The rule Action is set to NAT (this is explained further below) and the Service is set to http-all which is suitable for most web browsing (it allows both HTTP and HTTPS connections).
For the Internet connection to work, a route also needs to be defined so that cOS Core knows on which interface the web browsing traffic should leave the Clavister Security Gateway. This route will define the interface where the network all-nets (in other words, any network) will be found. If the default main routing table is opened by going to Network >...
DHCP client. Usually, a DHCP Host Name does not need to be specified but can sometimes be used by an ISP to uniquely identify this Clavister Security Gateway as a particular DHCP client to the ISP's DHCP server.
C. PPPoE setup: For a PPPoE connection, we must create a PPPoE tunnel interface associated with the physical Ethernet interface. Assume that the physical interface is G2 and the PPPoE tunnel object created is called wan_pppoe. Go to Network > Interfaces and VPN > PPPoE and select Add > PPPoE Tunnel.
DHCP Server Setup: If the Clavister Security Gateway is to act as a DHCP server then this can be set up in the following way: First create an IP4 Address object which defines the address range to be handed out. Here, it is assumed that this has the name dhcp_range.
In addition, it is important to specify the Default gateway for the server. This will be handed out to DHCP clients on the internal networks so that they know where to find the public Internet. The default gateway is always the IPv4 address of the interface on which the DHCP server is configured, in this case, G3_ip.
As a further example of setting up IP rules, it can be very useful to allow ICMP Ping requests to flow through the Clavister Security Gateway. As discussed earlier, cOS Core will drop any traffic unless an IP rule explicitly allows it. Let us suppose that we wish to allow the pinging of external hosts with the ICMP protocol by computers on the internal G3_net network.
The IP rule again has the NAT action and this is necessary if the protected local hosts have private IPv4 addresses. The ICMP requests will be sent out from the Clavister Security Gateway with the IP address of the interface connected to the ISP as the source interface. Responding hosts will send back ICMP responses to this single IP and cOS Core will then forward the response to the correct private IPv4 address.
Logging can now be enabled on this rule with the desired severity. Click the Log Settings tab, and click the Enable logging box. All log messages generated by this rule will be given the selected severity, which will appear in the text of the log messages. The choice of severity is up to the administrator and depends on how they would like to classify the messages.
limitation. Doing this is described in Section 3.5, “Installing a License”.
3.4. CLI Setup. This chapter describes the setup steps using CLI commands instead of the setup wizard. The CLI is accessible using either of two methods: • Using an SSH (Secure Shell) client, across a network connection to the IPv4 address 192.168.1.1 on the default management Ethernet interface.
Ethernet Interfaces: The connection of external networks to the Clavister Security Gateway is via the various Ethernet interfaces which are provided by the hardware platform. On first-time startup, cOS Core scans for these interfaces and determines which are available and allocates their names. The first interface detected in the scan becomes the initial default management interface and this can only be changed after initial startup.
Note: Private IPv4 addresses are used for example only. Each installation's IP addresses will be different from the example IP addresses but they are used here only to illustrate how setup is done. Also, these addresses are private IPv4 addresses and in reality an ISP would use public IPv4 addresses instead.
EthernetDevice: 0:G2 1:<empty>
AutoSwitchRoute:
AutoInterfaceNetworkRoute:
AutoDefaultGatewayRoute:
ReceiveMulticastTraffic: Auto
MemberOfRoutingTable:
Comments: <empty>
Setting the default gateway on the interface has the additional effect that cOS Core automatically creates a route in the default main routing table that has the network all-nets routed on the interface.
Device:/> set DNS DNSServer1=dns1_address
Assuming a second IP object called dns2_address has been defined, the second DNS server is specified with:
Device:/> set DNS DNSServer2=dns2_address
B. DHCP - automatic configuration: Alternatively, all required IP addresses can be automatically retrieved from the ISP's DHCP server by enabling DHCP on the interface connected to the ISP.
source interface and source network (in this example, the network G3_net and interface G3) to flow to the destination network all-nets and the destination interface which is the PPPoE tunnel that has been defined. D. PPTP setup: For a PPTP connection, first create the PPTP tunnel interface.
DHCP Server Setup: If the Clavister Security Gateway is to act as a DHCP server then this can be set up in the following way: First define an IPv4 address object which has the address range that can be handed out. Here, we will use the IPv4 range 192.168.1.10-192.168.1.20 as an example and this will be available on the...
The IP rule again has the NAT action and this is necessary if the protected local hosts have private IPv4 addresses. The ICMP requests will be sent out from the Clavister Security Gateway with the IP address of the interface connected to the ISP as the source interface. Responding hosts will send back ICMP responses to this single IP and cOS Core will then forward the response to the correct private IP address.
Activate. The license is fetched automatically across the public Internet and installed. This option is also only available once and that is when installing a license in a Clavister hardware product for the first time. Automatically through the CLI: In the CLI, enter the command:
Device:/>...
Important: A reboot is recommended after installing a license. Some license changes, such as increasing the number of allowed VPN tunnels, change memory requirements and will not take effect until after cOS Core is rebooted. Rebooting will disrupt traffic flows but is recommended in order that all license parameters become active.
If the Input counters in the hardware section of the output are not increasing then the error is likely to be in the cabling. However, it may simply be that the packets are not getting to the Clavister Security Gateway in the first place. This can be confirmed with a packet sniffer if it is available.
A final diagnostic test is to try using the console command:
Device:/> arpsnoop all
This will display console messages that show all the ARP packets being received on the different interfaces and confirm that the correct cables are connected to the correct interfaces. To look at the ARP activity on only a particular interface, follow the command with the interface name:
Device:/>...
IP rules identify the targeted traffic using combinations of the source/destination interface/network combined with protocol type. By default, no IP rules are defined so all traffic is dropped. At least one IP rule needs to be defined before traffic can traverse the Clavister Security Gateway.
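As an added illustration (not Clavister's code, and not a description of cOS Core internals) of the first-match, default-drop semantics just described: a small Python model of an IP rule set containing the guide's lan_to_wan rule and its ping rule, where an unmatched packet is dropped and the NAT action rewrites the source to the outgoing interface's address. The address values, the SERVICES table, the ping-outbound service name and the egress_interface() routing stand-in are constructed assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed address book following the guide's <iface>_ip / <iface>_net
# naming convention; the actual addresses are illustrative assumptions.
ADDRESS_BOOK = {
    "G2_ip": ipaddress.ip_network("10.5.4.2/32"),      # assumed WAN-side address
    "G3_ip": ipaddress.ip_network("192.168.1.1/32"),   # LAN-side address from the guide
    "G3_net": ipaddress.ip_network("192.168.1.0/24"),  # assumed LAN network
    "all-nets": ipaddress.ip_network("0.0.0.0/0"),     # any network
}

# Service objects: protocol plus covered destination ports (None = any port).
SERVICES = {
    "http-all": ("tcp", {80, 443}),   # HTTP and HTTPS, as the guide states
    "ping-outbound": ("icmp", None),  # assumed name for the ICMP service
}

@dataclass
class IPRule:
    name: str
    action: str       # "Allow", "NAT" or "Drop"
    service: str
    src_if: str
    src_net: str
    dst_if: str
    dst_net: str

@dataclass
class Packet:
    in_if: str
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None

# The two rules built in the guide: web browsing and ping from G3_net out to all-nets.
RULES = [
    IPRule("lan_to_wan", "NAT", "http-all", "G3", "G3_net", "G2", "all-nets"),
    IPRule("ping_out", "NAT", "ping-outbound", "G3", "G3_net", "G2", "all-nets"),
]

def egress_interface(dst: str) -> str:
    """Hypothetical stand-in for the main routing table: G3_net is directly
    attached to G3; the all-nets route (default gateway) leaves via G2."""
    return "G3" if ipaddress.ip_address(dst) in ADDRESS_BOOK["G3_net"] else "G2"

def evaluate(rules, pkt: Packet):
    """Scan the rule set top-down and apply the first rule that matches.
    Returns (rule name, action, source address after any NAT); with no match
    the packet is dropped, which is cOS Core's default behaviour."""
    out_if = egress_interface(pkt.dst)
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in rules:
        proto, ports = SERVICES[r.service]
        if proto != pkt.proto or (ports is not None and pkt.dport not in ports):
            continue
        if pkt.in_if != r.src_if or out_if != r.dst_if:
            continue
        if src not in ADDRESS_BOOK[r.src_net] or dst not in ADDRESS_BOOK[r.dst_net]:
            continue
        if r.action == "NAT":
            # Source is rewritten to the outgoing interface's own address, so
            # replies come back to that single IP and are mapped back internally.
            return r.name, "NAT", str(ADDRESS_BOOK[f"{out_if}_ip"].network_address)
        return r.name, r.action, pkt.src
    return None, "Drop", pkt.src
```

Run evaluate(RULES, Packet(...)) with an HTTPS packet from a G3_net host and with an SSH packet from the same host to see the first NATed and the second dropped for lack of a matching rule.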
Staying Informed: Clavister maintains an RSS feed of announcements that can be subscribed to at https://forums.clavister.com/rss-feeds/announcements/. It is recommended to subscribe to this feed so that you receive notifications when new releases of cOS Core versions are available for download and installation.
Start Date (as defined below). The warranty will only apply to failure of the product if Clavister is informed of the failure not later than two (2) years from the Start Date or thirty (30) days after the failure was or ought to have been noticed by the customer.
Sjögatan 6J, 891 60 Örnsköldsvik, SWEDEN. If the product has not yet been registered with Clavister through its client web, a proof of purchase (such as a copy of the dated purchase invoice) must be provided with the shipped product.
Chapter 5: Safety Precautions Safety Precautions Clavister E7 devices are Safety Class I products and have protective ground terminals. There must be an uninterrupted safety earth ground from the main power source to the product’s input wiring terminals, power cord, or supplied power cord set. Whenever it is likely that the protection has been impaired, disconnect the power cord until the ground has been restored.
Safety information: This device is a Class I product and has an earth ground terminal. The main power source must be fitted with a safety earth connection installed at the input wiring terminals, on the power cord or on the connecting cord supplied with the product.
• If your LAN covers an area served by more than one electrical distribution system, make sure that the safety earth connections are properly bonded to each other; • LAN cables can occasionally be subject to dangerous transient voltages (for example, caused by lightning or disturbances in the power grid of the utility company...
Appendix A: Specifications. Below are the key hardware specifications for Clavister E7 installation.
E7 Dimensions, Weight and MTBF
Height x Width x Depth (mm): 40 x 280 x 200
Hardware Weight: 1.735 kg
Hardware Form Factor: Desktop, 19 inch Rack Mountable...
Appendix C: Port Based VLAN Setup VLAN support on the E7 is divided into two types: • On the Ethernet interfaces G1, G2 and G3, VLANs are created by configuring them normally in cOS Core. It is cOS Core that then takes on the task of adding and recognizing VLAN tags in packets.
A screenshot of how the resulting VLAN list might look in the Web Interface is shown below. 2. Associate the VLANs with GESW interfaces: Go to Network > Interfaces and VPN > VLAN > Switch Management, enable port based VLAN and set each GESW interface value to be associated with the relevant VLAN to get the desired configuration.
Clavister AB Sjögatan 6J SE-89160 Örnsköldsvik SWEDEN Phone: +46-660-299200 www.clavister.com...