This section presents the conventions used in the remainder of the manual, then provides introductory notions about
the concept of zones, and finally describes the GUI of the HENGE products and the possible ways to access the IFA
3610/2610/1610 appliances.
About this Reference Manual
This manual has been written for the 1.0 release, with a Software 1.0 as guide, but it is intended for all types of the
HENGE series. Since the functionalities and abilities may differ between the various appliances, the description of some
of the displayed data or configuration options may slightly vary for some appliances or not be present at all. This
guide is intended both as a contextual help and a user manual, as well as providing quick introductory descriptions to
some of the concepts that lie behind the various functionalities provided by the IFA 3610/IFA 2610/IFA 1610 appliances.
The remainder of this section contains some basic information about this guide and how to take your first steps within
the IFA 3610/IFA 2610/IFA 1610 appliances, introducing some important concepts and describing the most significant
parts of the GUI.
Conventions Used in This Document
To improve the readability and clarity of this document, several conventions are used:
Besides being used for emphasis, italics denotes non-interactive objects or labels within the web GUI, while a bolded
word or phrase indicates objects that require user interaction, i.e., clicking on a button or opening a hyperlink.
Admonitions are employed to mark items, actions, or tasks that require special attention:
Warning: Changing this value will cause the service to restart!
Note: Remember that you can modify this later.
Hint: Tips about configuration of options
This is an example box.
Boxes like this one contain example of configurations or short how-tos for the quick setup of some feature or service
described in the main document.
A relevant subject or an example
In boxes like this one (“topic”), you can find the explanation of some subject that requires a not-so-short explanation
and is relevant to the topic of the section or to the configuration of some setting. Also, quick how-tos or examples may
appear in it. At their bottom there might be present one or more hyperlinks to online resources.
A sequence like Menubar ► Firewall ► Port forwarding/DNAT ► Show system rules requires clicking on each of the
items, in the sequence shown, to reach a particular page or configuration item. This example shows how to reach the
page that shows the configuration of the system rules for the firewall's DNAT.
Alternatively, in a sequence like Menubar ► Firewall ► Port forwarding/DNAT ► [Rule list] ► Edit, the [...] means that
there is a large number of objects (in this case a list of firewall rules) from which one should be chosen to carry
out the action (Edit) on it.
One of the most important concepts on which the IFA 3610/IFA 2610/IFA 1610 appliances are grounded, the Zone, finds
its root in IPCOP's idea of protecting the networks it can reach by grouping them into different segments (the zones,
indeed) and allowing traffic to be exchanged only in certain directions among these segments. The four main zones are
identified by a colour and may group together a number of servers or workstations that have the same purpose.
Zone      Default Assignment
Red       Internet (WAN)
Green     LAN (Most Protected)
Orange    DMZ (Least Protected)
Blue      WiFi (Wireless / Hotspot)
[Figure: the RED zone with its possible uplink types (Ethernet (Static, DHCP), PPPoE, ISDN, ADSL (USB, PCI), Uplink2 (Failover)) and the GREEN, ORANGE and BLUE zones.]
▪ RED, this is the so-called Untrusted segment, i.e., the WAN: It encompasses all the networks outside the IFA 3610/IFA
2610/IFA 1610 appliances or, broadly speaking, the Internet, and is the source of incoming connections. This is the
only zone that cannot be managed: only access to and from it can be granted or limited.
▪ GREEN, the internal network, i.e., the LAN. This zone is the most protected one and is dedicated to the workstations;
it should never be directly accessed from the RED zone. It is also the only zone that by default can access the
management interface.
▪ ORANGE, the DMZ. This zone should host the servers that need to access the Internet to provide services (e.g., SMTP/
POP, SVN, HTTP and so on). It is good practice that the ORANGE zone be the only zone directly accessible from
the RED zone. Indeed, if an attacker manages to break into one of the servers, she will be trapped within the DMZ and
will not be able to reach the GREEN zone, making it impossible for her to gain sensitive information from local machines
in the GREEN zone.
▪ BLUE, the WiFi zone, i.e., the zone that should be used by wireless clients to access the Internet. Wireless networks
are often not secure, so the idea is to confine by default all the wireless clients to their own zone, without
access to any other zone except RED.
For the appliance to correctly operate, it is not necessary to configure the ORANGE and BLUE zones. Indeed, it suffices
to define the GREEN zone, since also the RED zone can be in some cases left unconfigured.
The appliance has pre-defined firewall rules that forbid network traffic from flowing between some of the zones. Besides
the four main zones, two more zones are available, but are used only in advanced setups: The OpenVPN clients zone
(sometimes called PURPLE), and the HA zone. These are two special zones that are used as networks for the OpenVPN
remote users that connect to the IFA 3610/IFA 2610/IFA 1610 appliances and for the HA service. By default, they
use the 192.168.15.0/24 and 192.168.177.0/24 networks respectively, so those network ranges should not be
used in the main zones, especially when planning to use either of these services. Indeed, those networks would overlap,
possibly causing undesirable effects. The IP ranges of these two zones can however be modified during the setup of the
OpenVPN or HA services.
To each zone corresponds a (network) interface and an IP address. The interface is the (ethernet or wireless) port
through which the network traffic flows to the zone, so the RED interface is the port through which you can reach the RED
zone and the Internet. The IP address of the interface is the <Zone>IP. For example, the factory setting for the GREEN
zone is the 192.168.0.15/24 network, hence the GREEN interface will have IP 192.168.0.15, which is referred
to as the GREENIP.
The IFA 3610/IFA 2610/IFA 1610 Management Interface
The GUI of the IFA 3610/IFA 2610/IFA 1610 appliances has been designed to be easy to use, and consists of five main
parts: The header, the main menubar, the sub-menu, the main area, and the footer. A sample screenshot of the Service module can be seen below.
The footer is placed at the very bottom of the page. It consists of two lines of text with some information on the running
IFA 3610/IFA 2610/IFA 1610 appliances. The top line shows (Status:) whether an uplink is connected or connecting and
which one (if more than one uplink is defined), the time elapsed (Uptime:) since the last time the connection
was established, and the uptime of the machine, which is reported as the output of the uptime command, i.e., the time
since last boot, the number of users and the load average. When you change page, the information is updated. The
bottom line shows the version of the appliance with the deployset, and the copyright.
The Main Navigation Bar
The main navigation bar, situated right below the header, is a menu bar with a black background and a green bottom
line that displays all the available sections of the IFA 3610/IFA 2610/IFA 1610 appliances. When clicking on one of the
modules (e.g., Services), its background becomes green, to emphasise the currently open module. Upon clicking on a
menu item, the sub-menu on the left of the page and the title at the top of the main area change, since they are
context-dependent. By default, the GUI opens on the System menu.
The Sub-Menu
The sub-menu appears on the left-hand side of the GUI and changes depending on the module selected on the menubar.
It appears as a vertical list of items that can be clicked to change the content of the main area and to access all the
functionalities included in the appliance's module.
The main area contains all the information and settings encompassed by the current selection of the menu/sub-menu
combination. Some of the pages (e.g., the Dashboard or parts of the Service and Logs modules) are simply informative,
showing the current status of the appliance either graphically or textually, in the latter case conveying the output of
Linux commands on the screen. The vast majority of the pages, however, show a table containing various information
about the currently configured settings, allowing existing items and settings to be modified or deleted and new ones to be added.
Particularly elaborate services like e.g., the HTTP proxy or the firewall, contain so many configuration options that a single
page does not suffice to present them all, so the available settings are grouped together and organised in tabs.
Within tabs, often the configuration options are packed in one or more boxes, that gather together settings that refer
to a common part of the overall configuration.
The Icons
Many icons are used throughout the pages served by the IFA 3610/IFA 2610/IFA 1610 appliances to denote either an
action that can be quickly carried out, or convey some meaning to the settings shown.
Switches
Switches are used to entirely enable or disable a service and are present on the top of the main area. The gray switch
suggests that the service is disabled and inactive, with the main area showing no settings or configuration options.
Upon clicking on it, the service and the daemons that are necessary for its proper functioning are started and initialised.
After a few seconds, the switch’s color turns azure and all the configuration options available will appear. To disable the
service, click again on the switch: This causes all the daemons to be stopped, the switch to turn grey, and the settings
to disappear.
Policies
These icons are found in those services that require some form of access policies or traffic control, like, e.g., firewall rules
or proxy specifications. Whenever a packet matches a rule, the policy specified for that rule is applied, determining if
and how the packet can pass or not.
▪ accept the access with no restriction.
▪ allow the access, but only after the packets have positively passed the IPS. This policy is only available in firewall rules.
▪ block the packets, but a notification is sent to the source.
▪ partially accept the rules. This is only found on the heading of a list of policies, to give at a glance the idea
that some of the policies in the list are accepted and some are rejected, like e.g., in Menubar►Proxy►HTTP►Contentfilter.
Other Icons
Additional icons that can be found on the appliance.
▪ expands a panel, revealing its content.
▪ closes a panel, hiding its content.
Navigation bar
In most places where a long list of items appears, a navigation bar appears to ease the listing of the items. It is
composed of several cells: First │◄ and Previous ◄ on the left, Next ► and Last ►│ on the right, which enclose the page
number. Clicking on these buttons leads to either the first or last page, or to the previous or next page.
Common Actions and Tasks
There are two types of actions that can be performed within the GUI: Actions on a single item in a list of configuration
settings (i.e., one firewall rule), and ‘global’ actions to save, store, and apply all the settings in a list, a box, or a page.
Actions and icons
These icons are placed in the Actions column on the right of the various tables that appear on the pages and usually
show a list of the items defined, like e.g., the firewall rules or the OpenVPN users. The action icons allow one task to be
executed on the element of the list to which they correspond. Some actions are only available on some types of lists:
▪ (enabled and disabled icons) indicate the status of an item, enabled and disabled respectively. You can change the status by clicking on the
icon. After that, a callout may notify you to restart the service, if this is needed, to let the daemons reload the configuration
and activate the changes.
▪ (up and down icons) are available only in lists where the order is important, e.g., firewall rules, and allow the order to be modified by
moving the corresponding item up or down.
▪ allows the current item to be modified. Clicking on this icon will open the appropriate editor for that item.
▪ causes the selected item to be removed from the list and from the configuration. A message will appear, asking
for confirmation before the item is definitely deleted.
▪ allows the item (usually an archive) to be downloaded.
▪ is used in limited locations, e.g., in Menubar►Services►Spam Training to test the connection of an item to a
remote server.
▪ appears in the IPS (Menubar►Services►IntrusionPrevention) and allows logging of the packets that are allowed to
pass or are blocked after they have matched a rule.
‘Global’ Actions
At the bottom of every page that allows the customisation of one or more options, there is the option to Save and store
the new configuration on disk or to cancel the customisation done so far. In the latter case, no further action is required,
since the configuration did not actually change. In the former case, however, it proves necessary to restart the service
just modified, and perhaps also a few other related or dependent services, for the new settings to be reloaded and used
in the running configuration. For the sake of convenience, when this action is required, a callout is displayed after the
settings have been saved, with an Apply button, to be clicked to restart the service.
Whenever a Multiselect box is used (e.g., in Menubar ► Hotspot Settings), Add all and Remove all can be clicked as
shortcut to add or remove all the available entries from the list of the available items or the selected and active items,
respectively.
In several places, several values can be entered for a single configuration item, for example the source or destination of
a firewall rule. In those cases, either a textarea or a drop-down menu is shown. In the former case it is possible to enter
one value per line, e.g., a MAC address, a network range (in CIDR notation), or an OpenVPN user. In the latter
case, the choice is limited to a number of predefined values, which can be selected by holding the Control key on the
keyboard and clicking on the values to be selected.
IPv4 and CIDR notation.
An IPv4 address is a network address whose length is 32 bits, divided into four 8-bit octets. In decimal, each octet
can assume any value between 0 and 255 (2^8 = 256).
When specifying a network range, the IP address of the first host on the network is given along with the subnet mask, or
netmask for short, which defines the number of hosts available in that network. The subnet is defined as the
length of the network prefix, i.e., that part of the address shared by all the hosts in a network.
There are two possibilities to denote the network/netmask pair:
▪ Explicitly, i.e., both are given in quad dotted notation. For example:
network 192.168.0.0
netmask 255.255.255.0
This is a network starting at the address 192.168.0.0 with 256 hosts available, i.e., the network range from 192.168.0.0
to 192.168.0.255. The first three octets in the netmask are 255, showing that there are no free hosts (or that this part of
the address is the network prefix), while the fourth is 0, meaning that all hosts (256 - 0 = 256) are available.
▪ In CIDR notation, a more compact way to show the network range, in which the free bits instead of the free hosts
are given. The same network range as above is expressed as:
192.168.0.0/24
This notation shows the length in bits of the shared part of the IP address. 24 means that the first three octets (each
consisting of 8 bits) are shared, while the fourth octet is free, giving a number of free bits equal to 32 - 24
= 8, i.e., 256 hosts.
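The netmask/CIDR conversion and host count above, together with the earlier caveat that zone networks must not overlap the default OpenVPN and HA networks (192.168.15.0/24 and 192.168.177.0/24), can be checked in a few lines with Python's standard ipaddress module. This is an added example, not part of the manual or of the appliance software; the zone plan it checks is constructed, and it also verifies that every zone lies inside an RFC 1918 private range, which the wizard section recommends.

```python
import ipaddress

# Default networks the manual reserves for the OpenVPN clients (PURPLE) and HA zones.
RESERVED_ZONES = {
    "OpenVPN clients (PURPLE)": ipaddress.ip_network("192.168.15.0/24"),
    "HA": ipaddress.ip_network("192.168.177.0/24"),
}

# Address blocks reserved for private use by the IANA (RFC 1918).
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def netmask_to_prefix(netmask: str) -> int:
    """Explicit quad-dotted netmask (255.255.255.0) -> CIDR prefix length (24)."""
    return ipaddress.ip_network(f"0.0.0.0/{netmask}").prefixlen


def prefix_to_netmask(prefix: int) -> str:
    """CIDR prefix length (24) -> explicit quad-dotted netmask (255.255.255.0)."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask)


def describe_network(cidr: str) -> dict:
    """Expand a CIDR network into the figures the manual walks through: shared prefix
    bits, free host bits (32 - prefix for IPv4, 128 - prefix for IPv6) and the
    resulting address range. strict=False accepts a host address such as
    192.168.0.15/24 and normalises it to its network, 192.168.0.0/24."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "prefix_bits": net.prefixlen,
        "free_bits": net.max_prefixlen - net.prefixlen,
        "addresses": net.num_addresses,  # equals 2 ** free_bits
        "first": str(net.network_address),
        "last": str(net.broadcast_address),
    }


def check_zone_plan(zones: dict) -> list:
    """Validate a planned zone layout before entering it in the network wizard.

    zones maps a zone name to its interface address with mask in CIDR form,
    e.g. {"GREEN": "192.168.0.15/24"}. Returns a list of readable problems;
    an empty list means the plan passed every check."""
    problems = []
    ifaces = {name: ipaddress.ip_interface(addr) for name, addr in zones.items()}
    names = list(ifaces)
    for i, name in enumerate(names):
        iface = ifaces[name]
        net = iface.network
        # The interface IP must be a usable host address, not the network/broadcast address.
        if net.num_addresses > 2 and iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: {iface.ip} is the network or broadcast address of {net}")
        # Zones are distinct segments, so their networks must not overlap each other.
        for other in names[i + 1:]:
            if net.overlaps(ifaces[other].network):
                problems.append(f"{name} {net} overlaps {other} {ifaces[other].network}")
        # Zones must not overlap the default OpenVPN and HA networks either.
        for rname, rnet in RESERVED_ZONES.items():
            if net.version == rnet.version and net.overlaps(rnet):
                problems.append(f"{name} {net} overlaps the default {rname} network {rnet}")
        # Zones should be taken from RFC 1918 private address space only.
        if net.version == 4 and not any(net.subnet_of(r) for r in RFC1918):
            problems.append(f"{name} {net} is not inside an RFC 1918 private range")
    return problems


if __name__ == "__main__":
    # Constructed plan: GREEN keeps the factory default, ORANGE collides with the OpenVPN network.
    plan = {"GREEN": "192.168.0.15/24", "ORANGE": "192.168.15.1/24", "BLUE": "192.168.2.1/24"}
    for line in check_zone_plan(plan) or ["zone plan OK"]:
        print(line)
```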
The same line of reasoning can apply to an IPv6 address, with the only difference that IPv6 addresses are 128 bits long.
Accessing the IFA 3610/IFA 2610/IFA 1610 Appliances
There are several ways to access the IFA 3610/IFA 2610/IFA 1610 appliances: The most intuitive and straightforward one
is the web-based GUI. Console-based access via SSH and serial console is also available, although it is suggested
for advanced users only.
The Appliance GUI of IFA 3610/IFA 2610/IFA 1610
Hint: The default IP address of the IFA 3610/IFA 2610/IFA 1610 appliances is 192.168.0.15.
The recommended way to access the IFA 3610/IFA 2610/IFA 1610 appliances GUI is very simple: Start the browser and enter
the GREENIP address, whether or not this is the first time the IFA 3610/IFA 2610/IFA 1610 appliances are used.
The browser will be redirected to a secure HTTPS connection on port 10443. Since IFA 3610/IFA 2610/IFA 1610 appliances
use a self-signed HTTPS certificate, the browser might ask to accept the certificate during the first connection. The
system will then ask for username and password. Specify "admin" as the username and provide the password received
from the reseller or, if the IFA 3610/IFA 2610/IFA 1610 appliances have already been customised, enter the password
that was provided during the installation.
Console-based access to the IFA 3610/IFA 2610/IFA 1610 appliances is suggested only to users that are acquainted with
the Linux command line.
Two possibilities are available to reach the CLI: Using SSH access or via serial console. SSH access is by default disabled,
but can be activated under Menubar ► System ► SSH access, while Serial Console access is enabled by default on all
appliances with the following parameters:
▪ port: ttyS0
▪ bit, parity bit, stop bit: 8, N, 1
▪ speed: 115200 baud in newer appliances.
The connection using the serial console requires:
▪ A suitable terminal program like minicom for Unix/Linux boxes or putty for MS Windows.
▪ A workstation with a serial interface
▪ A nullmodem cable to connect a workstation to the appliance
or
▪ Terminal program.
▪ Networked Serial-to-Ethernet adapter.
▪ Serial-to-Ethernet cable to connect the appliance to the adapter.
Note: In case the network is not configured properly, the serial console may represent the only way to access the IFA
3610/IFA 2610/IFA 1610 appliances.
Chapter 1: The System Menu
The System menu provides several pieces of information about the IFA 3610/IFA 2610/IFA 1610 appliances and their status, and
allows the network setup and some access modalities (e.g., via SSH or for the NEXCOM support) to be defined.
The sub-menu on the left-hand side contains the following items, which allow for some basic administration tasks and
to monitor the running activities of the IFA 3610/IFA 2610/IFA 1610 appliances.
▪ Dashboard - overview of the system and of the connections status
▪ Network configuration - network and network interface configuration
▪ Event notifications - set up of notification via e-mail
▪ Updates - management of system updates
▪ Support - support request form
▪ HENGE Network - HENGE Network registration information
▪ Passwords - set system passwords
▪ Web console - a console shell on the browser
▪ SSH access - enable/configure SSH access to the IFA 3610/IFA 2610/IFA 1610 appliances
▪ GUI settings - web interface language settings
▪ Backup - backup or restore IFA 3610/IFA 2610/IFA 1610 appliance settings as well as reset to factory defaults
▪ Shutdown - shutdown or reboot the IFA 3610/IFA 2610/IFA 1610 appliances
▪ Credits - acknowledgement to all contributors
▪ License Agreement - a copy of the User License Agreement
The remainder of this section will describe the various parts that compose the System menu items.
1.1 Dashboard
The Dashboard is the default page, the one that is displayed upon every login. It encompasses several boxes ("plugins")
organised in two columns that provide a complete overview of the running system and of its health. The top of each box
reports the name of the box. The Dashboard has lately undergone some changes in its usability and new features have
been added to improve the interaction with the user. The information visible on screen is updated at regular intervals.
The available plugins and the information they display are described here.
1.1.1 System Information Plugin
It shows several pieces of information about the installed system. It usually presents the hostname and domain name of the
appliance in the title.
Appliance: The appliance type.
Version: The version of the firmware.
Kernel: The current running kernel.
Uptime: The time since the last reboot.
Update status: A message depending on the appliance status:
▪ "up to date". No updates are available.
▪ "update required". New packages can be installed: A click on the message leads to the Updates page where it is
possible to review the list of new packages.
▪ "Register for enterprise". The system has not yet been registered to HENGE Network: A click on the message will
open the HENGE Network page, in which to fill in a form to complete the registration.
Maintenance: The remaining days of validity of the maintenance support.
Support access: Whether the support team can access the IFA 3610/IFA 2610/IFA 1610 appliances or not. In the former
case, it also shows the date until the access is granted.
This plugin also shows the remaining days of validity of the additional modules Panda Antivirus and Commtouch, if
purchased.
1.1.2 Hardware Information Plugin
It shows the main hardware information of the appliance and the resource availability. All the information is provided
with the absolute value (graphically with a small bar and as a number at the end of a line) and the percentage of use.
The only exception is the CPU load, which shows only the percentage of use, graphically and as a number.
CPU x: The load of the CPU, where x represents the CPU number, for those appliances that have more than one CPU.
Memory: The amount of the RAM memory used.
Swap: How much swap disk space is used. A high percentage here usually means there is something not working
correctly.
Main disk: The usage of the root partition.
Temp: The space used in the /tmp partition.
Data disk: the usage of the /var partition.
Configuration disk: The space occupied by the partition containing all the services and settings of the IFA 3610/IFA
2610/IFA 1610 appliances.
Log disk: The amount of space used in the partition containing the logs.
The latter values, showing disk space availability, can vary depending on the appliance, since the data, system, and log
partitions may be located in different places.
Warning: A partition on the hard disk (e.g., main disk, data disk, /var/log) shall never have a usage of 95% or more, as
this can cause malfunctioning and data loss.
1.1.3 Service Information Plugin
Information about the most important services installed on the IFA 3610/IFA 2610/IFA 1610 appliances, along with their
current status, is displayed by this plugin. For each service the status is shown, either ON or OFF, together with a summary of the
tasks accomplished during the last hour and the last days. A click on the service's name expands or collapses additional
information on the tasks carried out by the service. For running services, it is possible to open the respective Live Logs
in a new window. Hence, if some number in the summaries looks strange (e.g., a number of rejected e-mails that
is twice the normal one) or uncommon compared to the normal activities (e.g., the IDS has detected some attack), the logs
can be checked for some useful message that has been recorded. The services currently supported by this
plugin are:
Intrusion Detection: The number of attacks logged by snort.
SMTP Proxy: Statistics about the e-mails processed. The number of e-mail currently in the postfix-queue, of the
received e-mails and how many of them were clean, the number of viruses found, and how many e-mails were
blocked.
HTTP Proxy: The numbers of cache misses and hits of squid and of the viruses found.
POP3 Proxy: Statistics about the received, blocked, and virus-containing e-mails that went through the POP3 Proxy.
Hint: Inactive services are marked with a red OFF message.
It shows information about the network interfaces of the firewall and the traffic. The upper part of this plugin shows
several data about the network interfaces of the appliance: Their name, type, link (Up if a connection is established,
Down otherwise) and status (Up if the device is activated, Down if not), and the incoming and outgoing traffic. The latter two
values are updated in real time. When ticking the checkbox near the device name, that device is shown in the graphs
underneath. The devices' names are coloured according to the zone they serve.
The lower part of the plugin contains two charts: The first one shows the incoming traffic, while the second one shows the
outgoing traffic on each of the interfaces chosen. The traffic of each interface is coloured according to the zone it
belongs to; different interfaces serving the same zone have different shades. Bridges built on one device are shown in
the same colour as the device. Like the traffic data in the upper part, both charts are updated in real time.
Hint: Up to six interfaces can be selected and shown in the charts.
1.1.5 Signatures Information Plugin
This plugin shows information about the current status of those services requiring the download of signatures that are
installed and enabled on the appliance. In case no signature has been downloaded and no service has been
enabled yet, the message No recent signature updates found is displayed; otherwise the plugin presents the signatures
installed for the various daemons and the timestamp (date and time) of the last download. The list includes the signatures
for the anti-spyware, antivirus, contentfilter, and intrusion prevention services.
1.1.6 Uplink Information Plugin
This plugin shows a table detailing the uplinks' connection status. For each defined uplink the name, IP address,
status, uptime, whether it is active or not, and whether it is managed or manual are shown. The circular arrow, when clicked, allows
the corresponding uplink to be reconnected immediately. Of particular interest is the Status field of each individual uplink,
which can be:
Stopped: Not connected.
Inactive: Not connected.
Connecting: Not yet connected, but a connection is ongoing.
Connected or UP: The connection has been established and it is fully operational.
Disconnecting: The uplink is closing the connection. The appliance keeps pinging the gateway and announces when it
becomes available.
Failure: There was a failure while connecting to the uplink.
Failure, reconnecting: There was a failure while connecting to the uplink, but the appliance is now trying again.
Dead link: The uplink is connected, but the hosts that were defined in the uplink configuration (Menubar ► Network ►
Interfaces, option Check if these hosts are reachable in the Uplink editor) to check the connection could not be reached.
In other words, the uplink is not operational.
Managed and manual uplink.
Each uplink can be operated in either managed mode, which is the default, or manual mode. In managed mode,
the appliance monitors and restarts the uplink automatically when needed. If managed mode is disabled, the uplink
has to be activated or deactivated manually: This implies that there will be no automatic reconnection attempt if the
connection is lost, and clicking on Reconnect is required to restart a non-operational uplink. The management mode
of an uplink can be selected under Menubar►Network►Interfaces.
While an uplink should normally be managed to allow for a quick reconnection in case of a connection loss, the manual
mode proves useful for troubleshooting or testing connections before actually establishing them.
1.2 Network Configuration
The configuration of the networks and of the network interfaces serving the zones is fast and easy with this 8-step
wizard. It is possible to freely navigate back and forth through the steps, using the <<< and >>> buttons, and even decide at any
moment to cancel the actions done so far. Only at the last step is it required to confirm the new settings: In that case,
all the changes made will be applied. Note that while the new settings are being applied, the web interface might not respond
for a short period.
The 8 steps into which the wizard is divided are:
1.2.1 1/8 - Choose Type of RED Interface
At installation time, the appliance receives a default GREEN IP. This screen allows to choose the type of the RED interface
(i.e., the type of uplink) among those supported by the appliance.
ETHERNET STATIC
The RED interface is in a LAN and has fixed IP address and netmask, for example when connecting the RED interface to
a simple router but with the convenience that the appliance be always reachable at the same IP address.
ETHERNET DHCP
The RED interface receives its network configuration via (dynamic) DHCP from a local server, router, or modem, i.e., the
RED interface is connected to a simple router but without the need to have a fixed address.
PPPoE
The RED interface is connected to an ADSL modem. This option is only needed when the modem uses bridging mode
and requires to use PPPoE to connect to the provider. This option should not be confused with the ETHERNET STATIC or ETHERNET DHCP options, used to connect to ADSL routers that handle the PPPoE themselves.
ADSL (USB, PCI)
The RED interface connects to an ADSL modem via a USB or PCI cable, not via an Ethernet one.
ISDN
The RED interface is an ISDN connection.
ANALOG/UMTS Modem
The RED interface is an analog (dial-up) or UMTS (cell-phone) modem.
GATEWAY
The appliance has no RED interface. While this represents an unusual situation, since a firewall normally should have
at least two interfaces, this configuration may be suitable for some special scenarios, like for example when only some
specific services of the appliance are needed. Another, more sophisticated example is a scenario in which the BLUE
zone of an appliance is connected through a VPN to the GREEN interface of a second appliance. The second firewall’s
GREEN IP address can then be used as a backup uplink on the first firewall. If this is the case, a default gateway shall be
configured later on.
A small box recalling the number of network interfaces available on the system is shown to the right of the available
choices. The RED interface can be fully configured during step 4.
1.2.2 2/8 - Choose Network Zones
The appliance separates the networks connected to it into four main zones, as described in this section. At this point the
two most important zones, GREEN and RED, have already been encountered during the installation: This step allows
one or two additional zones to be enabled, depending on the services that should be provided by the appliance: ORANGE, used
as the DMZ network portion, and BLUE, used as the segment for wireless clients. Their full configuration will be possible in
the next step.
This step concerns the configuration of the GREEN zone, if needed, and of any zone chosen in the previous step. For
each of the zones enabled, the following options can be configured:
IP Address
The IP address (such as 192.168.0.1) of the interface, which should not be already in use in the network.
Hint: Good practice suggests that the last octet be 1, since the interface will gather the traffic of the whole
subnet.
Remember also that a change in the IP addresses of an appliance, especially in a production environment, might require
to adjust additional settings elsewhere, for example the HTTP proxy configuration in the workstations, otherwise the
web browsers will not work correctly.
Warning: When configuring the interfaces of the GREEN zone, make sure to not remain locked out of the web interface!
This situation may occur for example when changing the GREEN IP address into one that is not reachable from the
current GREEN segment and then saving the settings. In this case the only access to the appliance is via serial console.
Network Mask
Define the network mask from a drop-down menu containing the possible masks (e.g., /24 - 255.255.255.0).
Hint: All the devices connected to the same subnet shall have the same netmask to communicate properly.
Additional Addresses
Additional IP addresses for different subnets can be added to the interface here.
Interfaces
Map a network interface to a zone, with the following rules:
1. Each interface can be mapped to only one zone and each zone must have at least one interface.
2. When more than one interface is assigned to a zone, these interfaces will be bridged together and act as if they were
part of a switch.
For each available interface the following information is shown:
▪ A colored checkbox, showing which zone the interface serves. No color means that the interface is not assigned to any zone.
▪ Port, the number of the port.
▪ Link, shows the current status by means of icons: the link is active, no link or no cable plugged in, or ? when no
information is available from the driver.
▪ Description, the interface’s PCI identification string, as returned by lspci. The string is trimmed, but it can be shown
in full by moving the mouse over the ?.
▪ MAC, the interface’s MAC address.
▪ Device, the logical name of the device.
Note: Internally, the appliance handles all zones as bridges, regardless of the number of the assigned interfaces. Therefore, the Linux name of the interfaces is brX, not ethX.
Finally, the system’s host name and domain name can be set in the two text boxes at the bottom of the screen.
It is suggested to follow the standard described in RFC 1918 (which has recently been updated by RFC 6761)
and to use for the zones’ setup only the IP addresses contained in the network segments reserved for private use by
the IANA, which are:
10.0.0.0 to 10.255.255.255 (10.0.0.0/8, 16,777,216 addresses)
172.16.0.0 to 172.31.255.255 (172.16.0.0/12, 1,048,576 addresses)
192.168.0.0 to 192.168.255.255 (192.168.0.0/16, 65,536 addresses)
This choice avoids DNS resolution errors, as IP addresses outside these ranges are likely to have been assigned to
other organisations as their public IPs. Moreover, different IP ranges must be used in the different network segments
for each interface, for example:
IP = 192.168.0.1, network mask = /24 - 255.255.255.0 for GREEN
IP = 192.168.10.1, network mask = /24 - 255.255.255.0 for ORANGE
IP = 10.0.0.1, network mask = /24 - 255.255.255.0 for BLUE
Note also that the first and the last IP address of a network segment (which are usually .0 and .255) are reserved as the
network address and the broadcast address respectively, and must not be assigned to any device.
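The three rules given above (private RFC 1918 addresses only, distinct subnets per zone, never the network or broadcast
address) are easy to get wrong when planning several zones by hand. The following script is an added example, not part
of the manual or of the appliance software: it checks a planned set of zone addresses against exactly those rules, using
only the Python standard library. The zone plan format (zone name to interface address and prefix length) and the two
sample plans are constructed for the example; the RFC 1918 ranges are checked explicitly rather than through
ipaddress.is_private, which also covers ranges the manual does not list.

```python
import ipaddress
from typing import Dict, List, Tuple

# The three IANA private ranges from RFC 1918, exactly as listed in the manual.
RFC1918_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(ip_str: str) -> bool:
    """True when the address lies in one of the three RFC 1918 private ranges.
    (IPv4Address.is_private is wider than RFC 1918, so the ranges are checked explicitly.)"""
    ip = ipaddress.IPv4Address(ip_str)
    return any(ip in net for net in RFC1918_RANGES)


def check_zone_addresses(zones: Dict[str, Tuple[str, int]]) -> List[str]:
    """Validate the interface addresses planned for the zones.

    zones maps a zone name (GREEN, ORANGE, BLUE, ...) to (interface IP, prefix length).
    Returns a list of human-readable problems; an empty list means the plan is sound.
    Checks performed:
      * every interface address is an RFC 1918 private address;
      * no interface address is the network or broadcast address of its subnet;
      * the subnets of different zones do not overlap.
    """
    problems: List[str] = []
    subnets: Dict[str, ipaddress.IPv4Network] = {}
    for zone, (ip_str, prefix) in zones.items():
        ip = ipaddress.IPv4Address(ip_str)
        # strict=False accepts the interface address (192.168.0.1/24) and
        # returns the subnet it belongs to (192.168.0.0/24).
        subnet = ipaddress.ip_network(f"{ip_str}/{prefix}", strict=False)
        if not is_rfc1918(ip_str):
            problems.append(f"{zone}: {ip} is not an RFC 1918 private address")
        if ip == subnet.network_address:
            problems.append(f"{zone}: {ip} is the network address of {subnet}")
        elif ip == subnet.broadcast_address:
            problems.append(f"{zone}: {ip} is the broadcast address of {subnet}")
        subnets[zone] = subnet

    # Every pair of zones must use disjoint address ranges.
    names = list(subnets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if subnets[a].overlaps(subnets[b]):
                problems.append(f"{a} ({subnets[a]}) overlaps {b} ({subnets[b]})")
    return problems


# Constructed sample plans: the manual's own example, and a deliberately flawed one.
GOOD_PLAN = {"GREEN": ("192.168.0.1", 24), "ORANGE": ("192.168.10.1", 24), "BLUE": ("10.0.0.1", 24)}
BAD_PLAN = {"GREEN": ("192.168.0.0", 24), "ORANGE": ("192.168.0.1", 16), "BLUE": ("8.8.8.1", 24)}

if __name__ == "__main__":
    for name, plan in (("good plan", GOOD_PLAN), ("bad plan", BAD_PLAN)):
        print(name, "->", check_zone_addresses(plan) or "OK")
```

Run as a script it prints OK for the manual's example and three problems for the flawed plan (a network
address used as interface address, a public address on BLUE, and GREEN overlapping ORANGE).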
1.2.4 4/8 - Internet Access Preferences
This step allows the configuration of the RED interface chosen in step 1, which connects to the Internet or to any other
untrusted network outside the appliance.
Depending on the type of the selected RED interface, different configuration options will be available, as required by
each interface type. At the bottom of the page appear two options that are commonly available, namely MTU and Spoof
MAC address with, described below, and the choice of the DNS resolver, available for almost all interface types, which is
either Dynamic or Manual: In the latter case, one valid IP address of a DNS server must be provided manually in the next
step. The other configuration options are:
ETHERNET STATIC
The IP address and network mask of the RED interface, as well as the IP address of the default gateway, that is, the IP
address of the gateway that connects the appliance to the Internet or to another untrusted network. Optionally, the
Ethernet hardware address (MAC address) of the interface can be specified.
ETHERNET DHCP
Only one available option, namely the DNS choice.
PPPoE
To configure PPPoE, fill in the form with the username and password assigned by the provider, and the authentication
method. Optionally, the provider’s service and concentrator name can be configured, though this is usually not needed.
Hint: If unsure whether to select PAP or CHAP authentication, keep the default option.
ADSL (USB, PCI)
There are 3 sub-screens for this choice.
1. In the first one, select from the drop-down menu the appropriate driver for the modem, among the possibilities
offered.
2. In the second one, choose the ADSL type from the drop-down menu among the four choices: PPPoA, PPPoE, static
IP, or DHCP.
3. Finally, depending on the selection made in the previous two steps, some of the following settings are required, which
can be obtained from the ADSL provider:
▪ VPI/VCI numbers and the encapsulation type
▪ the username and password assigned by the provider and the authentication method (if unsure, keep the default PAP
or CHAP)
▪ the IP address and network mask of the RED interface
▪ the IP address of the default gateway (required for static IP only)
Note: If PPPoE was chosen at point 2. above, then the configuration is exactly like explained in the previous paragraph, PPPoE.
ISDN
To configure the ISDN connection, the modem driver, the phone numbers (the provider’s number and the number used to
dial out), the username and password assigned by the provider, and the authentication method are needed (if unsure,
keep the default PAP or CHAP). Also specify whether the IP address of the DNS should be assigned automatically or set
manually.
ANALOG/UMTS Modem
While the appliance supports most modern UMTS modems, some care is required when using them in conjunction with
the appliance. On one side, some UMTS modems are USB mass storage devices as well and usually register two devices
(e.g., /dev/ttyUSB0, /dev/ttyUSB1): In this case the first device /dev/ttyUSB0 is the modem, the second one is
the storage. These types of modem can cause problems when restarting the firewall because the appliance tries to boot
from the USB mass storage device. On the other side, some SIM cards require a personal identification number (PIN) to
work, but this is not supported. To allow those cards to work with the appliance, the PIN should be removed from the
card.
There are 2 sub-screens for this choice.
1. In the first one, specify to which serial port the modem is connected and whether it is an analog modem or a
UMTS/HSDPA modem.
Hint: The /dev/ttyS0 device is reserved for the serial console and is therefore not available as port for modems.
2. In the second one, configure the modem’s bit-rate, the dial-up phone number or access point name, the username
and password that have been assigned by the provider and the authentication method (if unsure, keep the default
PAP or CHAP). For UMTS modems it is also necessary to specify the access point name.
GATEWAY
The IP address of the default gateway - that is, the IP address of the gateway that connects the appliance to the Internet
or another untrusted network.
The common options are:
MTU
The MTU size of the packets sent over the network.
Spoof MAC address with
Specify a custom MAC address for the RED interface. This setting is required for the proper failover of slave devices in an
HA setup. See High availability for more information about the RED address in HA setups.
While the vast majority of ISPs use the standard value of 1500 bytes, in some circumstances the standard MTU
size is too high. If that happens, strange network behaviours will be noticed, such as downloads that always stop
after a while or connections that do not work at all.
If the ISP does not use the standard MTU size, it is easy to discover the correct one by sending special ICMP packets
of a specific size, which is lowered until no errors are encountered: At this point, the MTU size is correct and
this value should be entered in the configuration options.
In order to send the ICMP packets, do the following:
Log in to the EFW and choose a host that can actually be reached (e.g., the ISP’s DNS server, which should always be
reachable), then ping that host with the following command:
ping -c1 -M do -s 1460 <host> (please refer to the ping(8) manpage for more info).
If the MTU size 1460 is correct, ping replies like the following one are received:
PING 10.10.10.10 (10.10.10.10) 1460(1488) bytes of data.
1468 bytes from 10.10.10.10: icmp_seq=1 ttl=49 time=75.2 ms
If however the current MTU size is still too big for packets of the size 1460, an error message like this will appear:
PING 10.10.10.10 (62.116.64.82) 1461(1489) bytes of data.
ping: sendmsg: Message too long
Retry with different packet sizes (i.e., the value after the -s option) until the correct size has been found and no error is
displayed. The value shown within brackets in the ping command’s output is the MTU size. In this example the output
is 1460(1488), therefore 1488 is the value to select for the MTU size.
An MTU value lower than 1500 may also cause problems in the OpenVPN setup and require adjusting some settings
there.
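The manual procedure above works because -M do sets the Don’t Fragment bit and the bracketed figure in ping’s output
is the -s payload plus the 8-byte ICMP header and the 20-byte IPv4 header. The script below is an added example, not
part of the manual or of the appliance: it automates the search with a binary search over the payload size instead of
trying values by hand, and interprets ping’s output the same way the text does (the header line and the “Message too
long” error, which are the lines quoted above; the “Frag needed and DF set” text is what Linux ping prints when a router
on the path rejects the packet). ping_probe runs the real Linux ping command and needs network access; simulated_path
is a constructed stand-in so the search can be demonstrated offline against a path with a 1488-byte MTU.

```python
import re
import subprocess
from typing import Callable, Optional

# ping -s gives the ICMP payload size; the figure in brackets in ping's output
# adds the 8-byte ICMP echo header and the 20-byte IPv4 header: that is the MTU.
IP_ICMP_OVERHEAD = 20 + 8
STANDARD_MTU = 1500


def mtu_from_payload(payload: int) -> int:
    """Wire size of an unfragmented ping with this payload (1460 -> 1488)."""
    return payload + IP_ICMP_OVERHEAD


# Matches the "1460(1488) bytes of data." header line printed by ping.
_HEADER_RE = re.compile(r"(\d+)\((\d+)\) bytes of data")


def probe_passed(output: str, returncode: int) -> bool:
    """Interpret one 'ping -c1 -M do -s N host' run.

    A probe fails when the local stack refuses to send ("Message too long"),
    when a router on the path rejects the DF packet ("Frag needed and DF set"),
    or when ping exits non-zero (no reply at all).
    """
    if "Message too long" in output or "Frag needed" in output:
        return False
    return returncode == 0 and _HEADER_RE.search(output) is not None


def announced_size(output: str) -> Optional[int]:
    """The bracketed size from ping's header line, e.g. 1488 for '1460(1488)'."""
    m = _HEADER_RE.search(output)
    return int(m.group(2)) if m else None


def ping_probe(host: str, payload: int, timeout_s: int = 3) -> bool:
    """Real probe: one DF-marked echo request of `payload` bytes (Linux iputils ping)."""
    proc = subprocess.run(
        ["ping", "-c1", "-M", "do", "-s", str(payload), "-W", str(timeout_s), host],
        capture_output=True, text=True,
    )
    return probe_passed(proc.stdout + proc.stderr, proc.returncode)


def find_path_mtu(probe: Callable[[int], bool], lo: int = 0,
                  hi: int = STANDARD_MTU - IP_ICMP_OVERHEAD) -> int:
    """Binary search for the largest payload that still gets through; return the MTU.

    probe(payload) returns True when a DF ping of that payload is answered.
    `lo` is assumed to pass (a 28-byte packet always does); `hi` is the payload of a
    full 1500-byte packet, so a path with the standard MTU needs a single probe.
    """
    if probe(hi):
        return mtu_from_payload(hi)
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return mtu_from_payload(lo)


def simulated_path(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for ping_probe: passes while the packet fits the given MTU."""
    return lambda payload: mtu_from_payload(payload) <= path_mtu


if __name__ == "__main__":
    # Offline demonstration against a constructed 1488-byte path, the manual's example value.
    print("MTU:", find_path_mtu(simulated_path(1488)))
    # Against a live host (needs network access):
    # print("MTU:", find_path_mtu(lambda p: ping_probe("<host>", p)))
```

The value returned is the one to enter in the MTU field; with the simulated 1488-byte path the search stops at a
1460-byte payload, matching the 1460(1488) output quoted above.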
1.2.5 5/8 - Configure DNS resolver
This step allows defining up to two IP addresses for the DNS servers, unless they are assigned automatically: In this case,
no configuration option can be set and it is safe to move to the next step. If only one DNS server should be used, the
same IP address must be entered twice. The IP address(es) of the DNS servers must be reachable from the IFA 3610/IFA 2610/IFA
1610 appliances, otherwise URL and domain resolution will not work.
See also: The RED interface, i.e., the uplink, and the DNS server can be modified later, separately from the other
network configuration.
The configuration of a global administrator e-mail address, which will be used by all services to send e-mails, is done
here. The administrator e-mail address is then used for notifications in case of problems or emergencies. These e-mail
addresses will be used by the Event notifications.
There are three fields to configure.
Admin email address
A valid e-mail address to which the system e-mails should be sent.
Sender email address
A valid e-mail address that appears as the sender address. A custom sender address proves useful if the recipient wants
to filter messages sent by the appliance.
Address of smarthost
The SMTP server through which the email should be sent.
Hint: Although all the fields may be left blank, it is suggested to supply at least one valid Admin e-mail address.
1.2.7 7/8 - Apply configuration
This step informs that the network setup is now finished and all the new settings have been gathered. Clicking on the OK,
apply configuration button will save the settings and apply the configuration by restarting all the necessary services and
daemons.
1.2.8 8/8 - End
In the last step, all the configuration files are written to the disk, all the devices are reconfigured and the network-dependent
services and daemons (e.g., the firewall and ntpd) are restarted as necessary. The whole process may take
up to 20 seconds, during which the connection to the administration interface and through the appliance may not be
possible.
The administration interface will then reload automatically. If the GREEN IP address has changed, the GUI will be reloaded
at the new IP address. In this case, or in case the hostname changed, a new SSL certificate is generated to identify the
new host.
Note: To change later only some of the settings in the network configuration (e.g., the hostname or the network range
of a zone), simply start the network configuration, skip all the steps until the one in which to make the desired changes,
edit the appropriate values, then proceed to the last step and finally save.
1.3 Event Notifications
Whenever some critical event takes place on the appliance (e.g., a partition is filling up, or updates are available),
there is the option to be immediately informed by e-mail about it and to promptly take action to solve the problem,
if required.
The default tab serves for the configuration of the email notification:
Email notifications
Select from a drop-down menu how to use the notification system. Available options are:
▪ notify using default email address: the default administrator e-mail address (as specified in the Installation wizard or
in step 6 of Menubar►System►Network configuration)
▪ notify using custom email address: an alternate e-mail address to which the notification e-mail shall be sent. In this
case, three more options must be configured, namely:
Mail sender address
The e-mail address that appears as the sender of the e-mail.
Mail recipient address
The e-mail address to which the e-mail will be delivered.
Mail smarthost
The SMTP server that will be used to send the notification e-mail.
▪ do not notify: no notifications will be sent
1.3.2 Events
This tab shows a list of all the events that can produce a notification message and allows configuring the actions to be
taken when each of the events occurs. Right above the list there is a small navigation bar and a search field: The
latter can be used to filter only the relevant items.
The list contains three columns:
ID
The 8-digit ID ABBCCCCD code of the event, which is built as follows:
▪ A represents the layer number, i.e., in which system component the event has taken place: 1 means kernel, 2 the
system itself, 3 services, 4 configlayer, and 5 the GUI.
▪ BB is the module number
▪ CCCC is a sequential number assigned to the event
▪ D is the severity of the event, i.e., the degree of badness of the event. The lower the number, the worse the severity:
0 is a critical event, 4-5 neutral, 9 is a positive event.
The actions that can be performed for each event. All e-mail notifications are enabled by default (this is shown by the
icon), but to disable notifications for one event, click on the mail icon in that event’s row (this also causes the icon
to change). To later re-activate the notification, it suffices to click again on the icon. After changing an action,
remember to click on the Apply button that appears within the green callout above the events’ list.
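The ABBCCCCD layout described above is a fixed-width code, so it can be split without any lookup table beyond the layer
names. The following parser is an added example, not part of the manual or of the appliance software; it decodes an ID
into its four fields, rebuilds it, and shows how the severity digit can drive a local filter (for instance, which event
mails deserve an alert in a monitoring system). The sample IDs are constructed for the example and do not correspond to
real appliance events.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Layer numbers (first digit of the ID) as described in the Events tab.
LAYER_NAMES = {1: "kernel", 2: "system", 3: "services", 4: "configlayer", 5: "GUI"}


@dataclass(frozen=True)
class EventId:
    layer: int      # A
    module: int     # BB
    sequence: int   # CCCC
    severity: int   # D: 0 critical ... 4-5 neutral ... 9 positive

    @property
    def layer_name(self) -> str:
        return LAYER_NAMES[self.layer]

    @property
    def is_critical(self) -> bool:
        return self.severity == 0

    @property
    def is_positive(self) -> bool:
        return self.severity == 9


def parse_event_id(code: str) -> EventId:
    """Split an 8-digit ABBCCCCD event ID into its fields; raises ValueError on bad input."""
    if len(code) != 8 or not code.isdigit():
        raise ValueError(f"event ID must be exactly 8 digits, got {code!r}")
    layer = int(code[0])
    if layer not in LAYER_NAMES:
        raise ValueError(f"unknown layer {layer} in event ID {code}")
    return EventId(layer=layer, module=int(code[1:3]),
                   sequence=int(code[3:7]), severity=int(code[7]))


def is_valid_event_id(code: str) -> bool:
    try:
        parse_event_id(code)
        return True
    except ValueError:
        return False


def format_event_id(ev: EventId) -> str:
    """Inverse of parse_event_id: rebuild the zero-padded ABBCCCCD string."""
    return f"{ev.layer}{ev.module:02d}{ev.sequence:04d}{ev.severity}"


def select_for_notification(codes: Iterable[str], max_severity: int) -> List[str]:
    """Keep only events at least as bad as max_severity (lower digit = worse),
    ordered worst first and then by ID for a stable report."""
    kept = [c for c in codes if parse_event_id(c).severity <= max_severity]
    return sorted(kept, key=lambda c: (parse_event_id(c).severity, c))


# Constructed sample IDs (not real appliance events): layer / module / sequence / severity.
SAMPLE_IDS = ["10100420", "20200071", "30400139", "50100015"]

if __name__ == "__main__":
    for code in SAMPLE_IDS:
        ev = parse_event_id(code)
        print(code, ev.layer_name, f"module={ev.module:02d}",
              f"seq={ev.sequence:04d}", f"severity={ev.severity}")
    print("alert on (severity <= 3):", select_for_notification(SAMPLE_IDS, 3))
```

Decoding 10100420 gives layer 1 (kernel), module 01, sequence 0042 and severity 0, i.e. a critical kernel event;
30400139 is a positive services event and would be dropped by a severity filter of 3.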
1.4 Updates
The management of the software updates is done from here. It is possible at any time to manually check for available
updated packages, or to schedule a periodic check.
In this page there are two boxes: One with the current status of the system and one to schedule a routine check for
updates.
1.4.1 Status
The Status box informs whether the system needs updates or not. In the former case, a list of available packages is
presented, while in the latter the message “Your appliance is up to date!” is displayed. Moreover, additional messages
inform of the last date and time when a check for updates and the last upgrade have been carried out. These options
are available:
Check for new updates
A manual check for updated packages is started, and any upgradable package found is listed here. Individual packages
can be chosen from the list and installed.
Start update process NOW
The update process is launched: The system downloads the updated packages which are then installed, replacing the
old ones.
Note: In order to check for updates, a valid maintenance package is required, otherwise no update will show up, even if available.
1.4.2 Schedule for Retrieving the Update List
The Schedule box allows setting up a periodic job, governed by the cron daemon, that retrieves the list of updated
packages. The available, mutually exclusive, options are Hourly, Daily, Weekly, and Monthly. Moving the mouse over the
small ? next to each option shows a tool-tip with the exact time at which the job will run.
1.5 Support
In this page it is possible to manage requests for assistance to the HENGETM support.
Note: To be able to submit a support request, the system must be registered to the HENGETM Network. If not, the
“Currently no running maintenance available.” message will be displayed.
If the system is not registered, support requests can be made to one of the several forums or mailing lists enumerated in
the NEXCOM web sites section.
The page is divided in two boxes with different purposes: The first one contains a link to open the support’s home page,
while in the second one it is possible to grant SSH access to the support team.
Visit Support Web Site
This box contains only a hyperlink to the home page of the support.
Please visit our Support Web Site
By clicking on this link, a new tab in the browser will open, where it is possible to find directions on how to fill in an
assistance request to the support team.
Optionally, access to the firewall can be granted via SSH, a secure, encrypted connection that allows a member of the
support staff to log in to the IFA 3610/IFA 2610/IFA 1610 appliances, verify their configuration and inspect them to find out
where the problem lies. The box contains an informative message and the status of the access, which is either DENIED or
ALLOWED. When the status is DENIED, a button appears at the bottom of the box:
Allow access
Click on this button to grant 4 days of access to the appliance to the support team.
When the support team access is allowed, a new message appears under the status message: Access allowed until:
followed by the date and time when access to the appliance will be revoked. Moreover, there are two buttons at the
bottom of the box.
Deny access
Immediately revoke the grant to access the appliance.
Extend access for 4 more days
If the support team needs more time to inspect the appliance, a click on this button extends the access grant by four
more days.
Note: When enabled, the support team’s public SSH key is copied to the system and access is granted via that key. The
support team will not authenticate with username/password to the appliance. The root password of the appliance is
never disclosed in any way to the support team.
1.6 HENGETM Network
If the appliance has been purchased with a maintenance package, it can be registered and connected to the HENGETM
Network, the HENGETM solution for an easy and centralised monitoring, managing, and upgrading of all the registered
appliance systems, with just a few clicks. Note that many functionalities of the appliance (e.g., support, SMS notification,
and so on) require that the appliance be registered to the HENGETM Network.
This page is organised into two tabs, namely Subscription and Remote Access.
1.6.1 Subscription
If the firewall has not yet been registered to the HENGETM Network, the registration form is shown, which can be filled in
before submitting the request for registration. After the registration has been completed, the Subscription tab shows
three boxes:
System information
Basic data about the appliance: Serial number, activation code, model of the appliance, and the maintenance package
chosen.
Registration Status
A summary of the HENGETM Network support status: System name, organisation for which the appliance is registered,
system ID, and the date of the last update.
Your Activation Keys
To receive updates from and to participate in the HENGETM Network, at least one valid (i.e., not expired) activation key
is required. There is a key for each support channel, but typically just one, shown with the validity time and the days
of maintenance left. An expired key is shown by its channel name struck through and by the expired string in the
corresponding Days left column.
1.6.2 Remote Access
The Remote Access tab allows choosing whether the appliance can be reached through the HENGETM Network and by
which protocol. To allow access, click on the grey switch at the top of the page: Its color will turn azure, and
two access options can be chosen by ticking the checkbox:
Enable HTTPS access ...
The IFA 3610/IFA 2610/IFA 1610 appliances can be reached via the web interface.
Enable SSH Access ...
Login via a secure shell to the IFA 3610/IFA 2610/IFA 1610 appliances is allowed. Activating this option automatically
activates the SSH access.
In this page passwords can be changed for each of the three default users, by writing each new password twice and then
pressing the corresponding Change Password button:
Admin
The user that can connect to the web interface for administration.
Dial
A special user that can only manage uplinks, with a limited interface access. It is not present in recent versions of the IFA
3610/IFA 2610/IFA 1610 appliances.
Root
The user that can log in to the shell for administration. Logins can be made either via the serial console, or remotely with
an SSH client.
Hint: Passwords need to be at least 8 characters long.
1.8 Web Console
The web console provides an applet which emulates a terminal within the browser window, that serves as a CLI to carry
out administrative tasks.
The functionalities of the web console are the same found upon logging in via serial console or SSH. On the bottom left
of the applet, a message shows the status of the console: Connected or Disconnected. It is possible to exit at any time
by typing exit in the console and then pressing Enter on the keyboard, like in any normal console.
When disconnected, click again on the Web console sub-menu item to reconnect. On the bottom right of the applet,
two hyperlinks show up:
Enable virtual keyboard.
When clicking on this link, a keyboard applet appears below the console, that can be used to type and execute commands
by clicking the mouse on the various keys.
Note: When the web console is disconnected, this applet does not communicate with the console.
Disable input
This link toggles the possibility to send input from the keyboard to the web console.
Hint: This option has no effect on the virtual keyboard.
1.9 SSH access
This screen allows enabling remote SSH access to the appliance. It is disabled by default, which is the recommended
setting. There are two boxes in the page: Secure Shell Access Settings and SSH host keys.
1.9.1 Secure Shell Access Settings
The SSH access is activated by clicking on the grey switch. The SSH service is started and, after a few seconds,
some configuration options are displayed:
SSH protocol version 1
This is only needed for old SSH clients that do not support newer versions of the SSH protocol.
Warning: The activation of SSH version 1 is strongly discouraged, since this version is no longer maintained, is
deprecated, and contains well-known vulnerabilities that could be exploited by malicious users. SSH clients nowadays
should always use version 2 of SSH, which is more secure and reliable.
Allow TCP forwarding
Ticking this option lets other protocols be tunneled through SSH. See SYS-1 example for a sample use case.
Logins with public keys are allowed. The public keys of the clients that can log in using key authentication must be added
to the file /root/.ssh/authorized_keys.
Save
Click on this button at the bottom of the box to save the setting of the above four options.
Note: The SSH access is automatically activated when at least one of the following options is true:
▪ HENGETM support team access is allowed in Menubar►System►Support.
▪ High availability is enabled in Menubar►Services►High Availability.
▪ SSH access is enabled in Menubar►System►HENGETM Network►Remote Access.
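The three settings of this box (protocol version 1, TCP forwarding, public-key logins) correspond to well-known
OpenSSH server keywords. The script below is an added example, not part of the manual or of the appliance software, and
it does not read the appliance’s own configuration store (which the manual does not describe): it audits a generic
OpenSSH sshd_config text for those three keywords, the way one would verify a host after enabling SSH access. Two points
matter for a correct audit and are built in: sshd uses the first occurrence of a keyword, not the last, and settings
inside a Match block apply only to the matched users, so the global section ends there. Both sample configurations are
constructed for the example.

```python
from typing import Dict, List, Tuple

# Expected values for the keywords behind the three options of the SSH access box.
# sshd applies the FIRST occurrence of each keyword, so the audit does the same.
EXPECTED: Dict[str, Tuple[str, str]] = {
    "protocol": ("2", "SSH protocol 1 is deprecated and has well-known vulnerabilities; allow 2 only"),
    "allowtcpforwarding": ("no", "enable TCP forwarding only while a tunnel such as example SYS-1 is needed"),
    "pubkeyauthentication": ("yes", "key-based logins are how support and remote access work"),
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return keyword -> first value seen, lower-casing keywords like sshd does.

    Lines are 'Keyword value' or 'Keyword=value'; '#' starts a comment; a
    'Match' line ends the global section, so parsing stops there.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)   # first occurrence wins
    return settings


def audit_sshd_config(text: str) -> List[str]:
    """List the settings that deviate from EXPECTED (an empty list means compliant)."""
    settings = parse_sshd_config(text)
    findings: List[str] = []
    for key, (want, why) in EXPECTED.items():
        got = settings.get(key)
        if key == "protocol":
            # "Protocol 2,1" enables both versions; an absent keyword is fine on
            # servers that only speak version 2 anyway.
            if got is not None and "1" in [v.strip() for v in got.split(",")]:
                findings.append(f"protocol: is {got}, want {want}: {why}")
            continue
        if got is None:
            findings.append(f"{key}: relies on the compiled-in default (want an explicit {want}): {why}")
        elif got.lower() != want:
            findings.append(f"{key}: is {got}, want {want}: {why}")
    return findings


# Constructed sample: a legacy configuration with the weak settings.
WEAK_CONFIG = """\
Port 22
Protocol 2,1
AllowTcpForwarding yes
PubkeyAuthentication yes
AllowTcpForwarding no   # ignored by sshd: the first occurrence above wins
"""

# Constructed sample: the same host hardened; the Match block (a hypothetical
# 'backup' user) shows a per-user exception that must not count as global.
HARDENED_CONFIG = """\
Port 22
Protocol 2
AllowTcpForwarding no
PubkeyAuthentication yes
Match User backup
    AllowTcpForwarding yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit_sshd_config(cfg) or "compliant")
```

The weak sample yields two findings (protocol 1 still allowed, TCP forwarding on) and the trailing
"AllowTcpForwarding no" line does not rescue it, because sshd keeps the first value; the hardened sample is reported
as compliant even though its Match block re-enables forwarding for one user.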
1.9.2 SSH host keys
At the bottom of the page, a box details the public SSH host keys of the appliance, which were generated during the
first start of the OpenSSH server, along with their fingerprints and their size in bits.
Example SYS-1 - Traffic Tunnelling over SSH.
Assume that a service such as telnet (or any other service that can be tunneled through SSH) is running on a computer
inside the GREEN zone, say port 23 on host myhost with IP address 10.0.0.20. The following steps set up an SSH tunnel
through the IFA 3610/IFA 2610/IFA 1610 appliances to access the service securely from outside the LAN, i.e., from the RED
zone. While GREEN access from the RED interface is in general not recommended, it might prove useful in some cases,
for example during the testing phase of a service.
1. Enable SSH and make sure the host can be accessed, i.e., configure the firewall in Menubar►Firewall►System
access for myhost to be reachable from the outside.
2. From an external system connect to the appliance using the command ssh -N -f -L 12345:10.0.0.20:23 root@appliance,
where -N tells SSH not to execute commands but just to forward traffic, -f makes SSH run in the background and
-L 12345:10.0.0.20:23 maps the external system’s port 12345 to port 23 on myhost, as it can be seen from the appliance.
3. The SSH tunnel from port 12345 of the external system to port 23 on myhost is now established. On the external
system it now suffices to telnet to port 12345 on localhost to reach myhost.
1.10 GUI Settings
Two configuration options for the GUI are present here. The first option is the language that will be used for the section
names, the labels, and all the strings used in the web interface and can be selected from a drop-down menu. The
languages currently supported are: English, German, Italian, Simplified Chinese, Japanese, Portuguese, Russian, Spanish,
and Turkish.
The second option is to display the hostname of the appliance in the browser’s window title, activated by ticking the
checkbox Display hostname in window title.
In the Community release it is also possible to click on the Help translating this project link, which will open the
appliance translation page. Any help is appreciated!
1.11 Backup
In this section the management of the backups can be carried out: Creation of backups of the current appliance
configuration and system rollback to one of these backups when needed. Backups can be saved locally on the appliance
host, on a USB stick, or downloaded to a workstation.
It is also possible to reset the configuration to factory defaults, to create fully automated backups, and to carry out
various other administrative tasks concerning backups.
This section is organised into two tabs, Backup and Scheduled backups: The former is used to manage manual backups,
while the latter to set up automatic, scheduled backups.
In the Backup tab there are four boxes, that allow to manage the manual backups.
Backup sets
The first box contains a list of the backups stored on the appliance (both manual and scheduled ones), an option to
create a new backup, and the legend of the symbols that accompany each backup. If a USB stick is plugged into the
appliance and detected, the backups stored on it are also displayed.
When clicking on the Create new Backup button, a dialogue box opens up in which to select the data to be included
in the backup.
Current configuration
The backup contains all the configuration settings, including all the changes and customisation done so far, or, in other
words, all the content of the /var/efw directory.
Include database dumps
The content of the database will also be backed up.
Warning: The database dumps may contain sensitive data, so whenever a backup contains a database dump, make sure
that it is stored in a safe place.
Include log files
Include the current log files (e.g., /var/log/messages), but not the log files of the previous days.
Include log archives
Include also older log files that have been rotated, e.g., /var/log/messages.YYYYMMDD.gz. Backups
created with this option may become very big after some time.
Remark
A comment about the backup, that will appear in the Remark column of the table. Hence, it should be meaningful
enough to allow a quick recall of the content.
At least one of the checkboxes must be ticked to create a new backup.
The format and name of the backup files.
Backup files are created as tar.gz archives, using the standard Linux tools tar and gzip. The files stored in the archive can
be extracted with tar zxf archivename.tar.gz, or with tar vzxf archivename.tar.gz to see all the files processed and
extracted along with some informative messages on the screen, the v option meaning verbose. The name of the backup file
is created to be unique and conveys the maximum information possible about its content, therefore it can become
quite a long string, like e.g., backup-20130208093337-myappliance.mydomain-settings-db-logs-logarchive.tar.gz, in which
20130208093337 is the timestamp of the backup’s creation, in the form YYYYMMDDHHMMSS (in this
example, 8th of February 2013 at 9:33:37 AM). This choice allows the backups to be lexicographically ordered from the
oldest one to the most recent one; myappliance.mydomain is the appliance’s hostname and domain name as set in
Step 3 of the Network configuration (Menubar ► System ► Network configuration), and settings-db-logs-logarchive
represents the content of the backup. In this case it is a full backup, since all four parts appear in the name. For example,
a backup containing only settings and logs will be identified by the string settings-logs.
In order to create a backup on an external USB drive, a USB drive (even a stick) must be plugged into the appliance. It is
suggested to use a FAT32/VFAT filesystem, as this maximises portability to other systems. When the stick is detected, the
message USB stick detected will appear on the right-hand side of the box, along with a new option, Create backup on
USB stick. The checkbox next to this option must be ticked for the backup to be stored on the stick.
Click on the Create Backup button to create the backup. After a short time, during which the files required by the
backup are gathered and assembled into the archive, the new backup appears in the list. The end of the backup process
is marked by a yellow callout that appears above the box, showing the message Backup completed successfully.
The list of available backups, which is initially empty, presents for every backup the creation date, the content shown by
a set of letters, the remark, and the list of actions available on each backup file. Automatic backups are marked with the
string Auto - backup before upgrade.
The content of each backup is marked by at least one of the following letters or symbols, corresponding to the option
specified during its creation:
A, Archive. The backup contains archived log files.
C, Cron. The backup has been created automatically by a scheduled backup job.
D, Database dumps. The backup contains a database dump.
E, Encrypted. The backup file is encrypted.
L, Log files. The backup contains today’s log files.
S, Settings. The backup contains the configurations and settings.
U, USB. The backup has been saved to a USB stick.
!, Error. Something did not succeed while sending the backup file by email.
The available actions are to export an archive to the local workstation, to delete it, or to restore it on the
appliance.
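The backup file name described earlier in this section (timestamp, host name, content parts) and the content letters
of the backup list are two views of the same information, and the fixed-width YYYYMMDDHHMMSS timestamp is what makes
plain string sorting chronological. The following parser is an added example, not part of the manual or of the
appliance software; it decodes a file name exported from the appliance into its fields, derives the S/D/L/A content
letters (the C, E, U and ! markers depend on how the backup was made and stored, not on the name, so they are not
derived here) and flags archives that hold a database dump, since the warning above asks for those to be kept in a safe
place. The sample names are constructed; the first one is the manual’s own example.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple

# The four content parts that can appear in a backup name, and the letter
# the backup list uses for each of them.
PART_LETTERS = {"settings": "S", "db": "D", "logs": "L", "logarchive": "A"}
_PART = r"(?:settings|db|logs|logarchive)"
# backup-<YYYYMMDDHHMMSS>-<host.domain>-<part>[-<part>...].tar.gz
# The host group is non-greedy so that the parts group always starts at the
# first "-settings"/"-db"/... that is followed only by parts and the suffix.
_NAME_RE = re.compile(rf"^backup-(\d{{14}})-(.+?)-({_PART}(?:-{_PART})*)\.tar\.gz$")


@dataclass(frozen=True)
class BackupName:
    created: datetime
    host: str
    parts: Tuple[str, ...]   # e.g. ("settings", "db")

    @property
    def letters(self) -> str:
        """Content letters as shown in the backup list, in name order; 'SDLA' for a full backup."""
        return "".join(PART_LETTERS[p] for p in self.parts)

    @property
    def is_full(self) -> bool:
        return set(self.parts) == set(PART_LETTERS)

    @property
    def holds_sensitive_data(self) -> bool:
        """Database dumps may contain credentials and billing data: keep (or encrypt) them carefully."""
        return "db" in self.parts


def parse_backup_name(filename: str) -> BackupName:
    m = _NAME_RE.match(filename)
    if not m:
        raise ValueError(f"not an appliance backup file name: {filename}")
    stamp, host, parts = m.groups()
    created = datetime.strptime(stamp, "%Y%m%d%H%M%S")
    return BackupName(created, host, tuple(parts.split("-")))


def is_backup_name(filename: str) -> bool:
    return _NAME_RE.match(filename) is not None


def newest_first(filenames: List[str]) -> List[str]:
    """The fixed-width timestamp makes plain string order chronological; reverse it for newest first."""
    return sorted(filenames, reverse=True)


SAMPLE_NAMES = [  # constructed; the first one is the manual's example
    "backup-20130208093337-myappliance.mydomain-settings-db-logs-logarchive.tar.gz",
    "backup-20130101000000-myappliance.mydomain-settings-logs.tar.gz",
    "backup-20130301120000-myappliance.mydomain-settings.tar.gz",
]

if __name__ == "__main__":
    for name in newest_first(SAMPLE_NAMES):
        b = parse_backup_name(name)
        flag = " (contains database dump)" if b.holds_sensitive_data else ""
        print(b.created.isoformat(sep=" "), b.host, b.letters, "full" if b.is_full else "partial", flag)
```

Run as a script it lists the three samples newest first; the manual’s example decodes to 2013-02-08 09:33:37,
host myappliance.mydomain, letters SDLA, a full backup that contains a database dump.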
Encrypt backup archives
The second box makes available the option to encrypt all the backups by providing a GPG public key. Select the GPG
public key by clicking on the Choose file button to upload the key file from the local file system. Make sure the checkbox
Encrypt backup archives is ticked, then upload the key file by clicking on Save.
Hint: Encrypt backup archives whenever saving sensitive data in the backup file, such as the passwords of users
stored in the database or the hotspot’s user data and billing information.
Import backup archive
The third box lets a previously saved backup archive be uploaded to the appliance. The backup file can be selected by
clicking on the Choose file button and then choosing the backup file from the local file system. Optionally, a note
about the backup can be added in the Remark field. Finally, the backup is uploaded by clicking on the Import button. The
backup appears after a short period in the backup list at the top of the page, and can be restored by clicking on the
restore icon.
Note: It is not possible to import encrypted backups on the appliance: Any encrypted backup must be decrypted before
being uploaded.
Reset configuration to factory defaults and reboot
The fourth box allows wiping out all configurations and settings done so far and rebooting the system with the default
configuration. This is achieved by clicking on the Factory defaults button: The configuration of the appliance is
reset to the factory defaults and the appliance is rebooted immediately, right after a backup copy of the current settings
has automatically been saved.
1.11.2 Scheduled backups
Automated backups of the system can be enabled and configured in the Scheduled backups tab, which contains two
boxes.
Scheduled automatic backups
In the first box, automatic backups are enabled and configured. When enabled, the elements of the IFA 3610/IFA 2610/
IFA 1610 appliances to be included in the backup can be chosen as seen in the Backup Sets box in the other tab. The only
difference is that for scheduled backups there is no possibility to specify a remark. Additional options are:
Enabled
Enable scheduled backups.
Keep # of archives
Choose from the drop-down how many backups to keep on the IFA 3610/IFA 2610/IFA 1610 appliances (from 2 up to
10, but they can be exported to save space).