Cloud Services Getting Started Guide (2024-03-26)


Table of Contents

1. Introduction & Provisioning
2. Administrator Enrolment
3. Setting Up Log Analytics
4. Setting Up Passwordless RADIUS Authentication

Chapter 1: Introduction & Provisioning

Note: Single page version

It is also available in a framed HTML version.

Introduction

This document provides a comprehensive overview of Clavister Cloud Services, specifically designed to extend the capabilities of the on-premises solutions through analytics and strong authentication as a service. By integrating with Clavister NetWall, these services offer enhanced security and insightful data analytics, ensuring a seamless transition and operation within the Clavister ecosystem.

Provisioning

Provisioning of Clavister Cloud Services begins with acquiring a license, for example through Clavister sales or a partner. You need at least one valid license that allows the use of Cloud Services. This can be, for example, either a Clavister NetWall appliance with Basics or higher or a Cloud Services add-on license with Essentials or higher. The license(s) must be registered on MyClavister. Details about the needed license are shown in the table below.

| Subscription | Cloud Logging | Cloud User Directory | Log Analytics | CyberSecurity Score | Network Security Dashboards | Cloud Services Specific Dashboards | Passwordless RADIUS Authentication |
|---|---|---|---|---|---|---|---|
| NetWall with CSS | Included | Included | Included | Included | Included | Included | - |
| NetWall with Basic or higher | Included | Included | Included | Included | Included | Included | - |
| NetShield with Essentials or higher | Included | Included | Included | Included | Included | Included | - |
| Cloud Authentication addon with Essentials or higher | - | Included | Included | Included | - | Included | Included |

Figure 1.1. Subscriptions

Following purchase, users provision a new cloud instance via MyClavister by entering administrator contact information. This triggers the automatic deployment of the cloud instance, with the primary administrator receiving an email containing further instructions for enrolment and activation of the service.

  1. Cloud Instance Provisioning

    1. Log into MyClavister.

    2. Navigate to "Cloud Services".

    3. Click "Request Provisioning".

    4. Enter the required information (email and mobile phone number) for the primary administrator.

      1. These details will be used for activation and future communications.

        Important: The phone must be able to receive SMS

        If the phone is unable to receive SMS messages, the activation will fail.

  2. Activation

    1. The cloud instance will be automatically deployed.

    2. The primary administrator will receive an email notification with instructions for the next steps, including enrolment and instance activation.

Chapter 2: Administrator Enrolment

This chapter outlines the step-by-step process for administrator enrolment in Clavister Cloud Services.

  1. Initial Email Notification

    Upon cloud instance provisioning, the primary administrator receives an email. This email contains links for both downloading the Clavister OneTouch mobile authentication app and starting the enrolment wizard.

  2. Enrolment Wizard

    Clicking the enrolment link directs the administrator to an online wizard. The first step requires entering their username, which is the email address used during the instance provisioning.

  3. One-Time Password Verification

    After submitting the email address, a one-time password (OTP) is sent to that email. The administrator must enter this OTP in the wizard to proceed. Following email verification, a second OTP is sent to the mobile phone number provided during provisioning. This OTP must also be entered to continue.

  4. Creating a Profile With the Clavister OneTouch Mobile Authentication App

    The final step in the wizard prompts the administrator to scan a QR code with the Clavister OneTouch mobile authentication app. If the app has not been downloaded, an option to download it is provided within the wizard.

    Scanning the QR code with the app creates a profile linked to the cloud instance, completing the enrolment process.

  5. Completion of Enrolment

    Upon successful profile creation in the Clavister OneTouch mobile authentication app, the enrolment process is concluded. The administrator is now ready to access the cloud services and can proceed with further configuration and user invitations.

Chapter 3: Setting Up Log Analytics

          This chapter outlines the steps to configure Log Analytics in Clavister Cloud Services for detailed network monitoring and analysis.

          Requirements

          • Clavister NetWall or NetShield with active subscription

          Procedure

          1. Log Into Your Cloud Services Instance

            Access your account by logging into the Clavister Cloud Services platform.

          2. Navigate to Add-ons

            Once logged in, find and click on the "Add-ons" section from the menu options.

          3. Select Log Ingestion

            Within the Add-ons section, look for and click on "Log Ingestion" to begin setting up your analytics.

          4. Activate Through Configuration Wizard

            Follow the instructions provided by the configuration wizard to activate log ingestion.

          5. Copy the Generated Secret

            During the setup process, a secret key (also known as Pre-Shared-Key) will be generated. Ensure you copy and securely store this secret as it will be necessary for configuring your NetWall.

          6. Wait for Activation or Return Later

            After completing the activation steps, you have two options:

            1. Wait for the Activation to Conclude

              If you opt to wait, stay on the deployment screen until the activation process is fully completed. This approach not only confirms that you can move forward with configuring your NetWall but also ensures you receive the configuration script. This script significantly simplifies the setup by automating the integration process, eliminating the need for manual configuration.

              It's important to note that this script is only available at the end of the deployment process and will not be offered if you navigate away and return to the page after deployment has finished.

            2. Come Back Later

              If you don't want to wait for activation, you can exit and go back to the Log Ingestion page any time you want. When you return, you can get the extra connection details needed to set up your NetWall.

              Note: Drawback of leaving

              If you leave the page, you won't get the automatic setup script that makes things easier. This script is only given out right after activation finishes, so you'll have to set up your NetWall by hand.

          7. Configure Your NetWall

            With the generated secret and connection information in hand, proceed to configure your NetWall. This can be done in two ways:

            1. Manually

              Enter the connection details into your NetWall configuration manually.

            2. Using the Provided Script

              If you stayed on the deployment screen until the deployment finished, a script is offered. This script automates the configuration process, simplifying the integration of your NetWall with the log ingestion service.

          Optional: Details About the Provided Script

          The provided script performs the following operations in cOS Core once loaded and activated.

          1. Creates a folder in the address book

          2. Creates three objects in the address folder:

            1. An FQDN object for the Remote Endpoint address of the IPsec tunnel. This object will be used by the IPsec tunnel to find the server to connect to.

            2. A single host IP address for the Local Network of the IPsec tunnel. This IP address will also be used by the Log Receiver as the source IP when generating logs.

            3. A single host IP address for the Remote Network of the IPsec tunnel. This IP address will also be used by the Log Receiver as the target IP to send generated logs to, see further down.

          3. Creates a key-ring entry for the generated secret (Pre-Shared-Key).

          4. Creates a new routing table.

          5. Creates an IPsec tunnel that uses the objects created above and makes the IPsec tunnel a member of the newly created routing table (for traffic inside the tunnel).

          6. Creates a Log Receiver configured to send logs to Clavister Cloud Services using the IPsec tunnel. The logs will be sent to the IP address defined previously as the Remote Network. The newly created routing table will be used.

          Note: Using a different routing table

          To make sure that NetWall uses the newly created IPsec tunnel and to avoid potential conflicts with any existing configuration objects and routes, a new routing table is created and used in the script.

Chapter 4: Setting Up Passwordless RADIUS Authentication

          This chapter details the process for implementing Passwordless RADIUS Authentication.

          Requirements

          • Clavister Cloud Authentication with active subscription

          Procedure

          1. Log Into Your Cloud Services Instance

            Access your account by logging into the Clavister Cloud Services platform.

          2. Navigate to Add-ons

            Once logged in, find and click on the "Add-ons" section from the menu options.

          3. Select Passwordless RADIUS Authentication

            Within the Add-ons section, look for and click on "Passwordless RADIUS Authentication" to begin setting up your Passwordless RADIUS Authentication.

          4. Activate Through Configuration Wizard

            Follow the instructions provided by the configuration wizard to activate Passwordless RADIUS Authentication.

          5. Copy the Generated Secret

            During the setup process a secret key will be generated. Make sure you copy and securely store this secret as it will be necessary for configuring your NetWall.

          6. Wait for Activation or Return Later

            After completing the activation steps, you have two options:

            1. Wait for the Activation to Conclude

              If you opt to wait, stay on the deployment screen until the activation process is fully completed. This approach not only confirms that you can move forward with configuring your NetWall but also ensures you receive the configuration script. This script significantly simplifies the setup by automating the integration process, eliminating the need for manual configuration.

              It's important to note that this script is only available at the end of the deployment process and will not be offered if you navigate away and return to the page after deployment has finished.

            2. Come Back Later

              If you don't want to wait for activation, you can exit and go back to the Passwordless RADIUS Authentication page any time you want. When you return, you can get the extra connection details needed to set up your NetWall.

              Note: Drawback of leaving

              If you leave the page, you won't get the automatic setup script that makes things easier. This script is only given out right after activation finishes, so you'll have to set up your NetWall by hand.

          7. Configure Your NetWall

            With the generated secret and connection information in hand, proceed to configure your NetWall. This can be done in two ways:

            1. Manually

              Enter the connection details into your NetWall configuration manually.

            2. Using the Provided Script

              If you stayed on the deployment screen until the deployment finished, a script is offered. This script automates the configuration process, simplifying the integration of your NetWall with the Passwordless RADIUS Authentication service.