cOS Core 14.00.17
Administration Guide
Table of Contents
1. cOS Core Overview
1.1. Features
1.2. cOS Core Architecture
1.2.1. State-based Architecture
1.2.2. cOS Core Building Blocks
1.3. Basic Packet Flow
1.4. cOS Core State Engine Packet Flow
2. Management and Maintenance
2.1. Managing cOS Core
2.1.1. Overview
2.1.2. Configuring Network Management Access
2.1.3. Administrator Accounts
2.1.4. The Web Interface
2.1.5. CLI Access
2.1.6. Using the CLI
2.1.7. CLI Scripts
2.1.8. Using SCP
2.1.9. The Local Console Boot Menu
2.1.10. Boot Menu for the NetWall 100/300/500/6000 Series
2.1.11. RADIUS Management Authentication
2.1.12. Strong Passwords
2.1.13. Management Advanced Settings
2.1.14. Working with Configurations
2.2. System Date and Time
2.2.1. Overview
2.2.2. Setting Date and Time Manually
2.2.3. Using External Time Servers
2.2.4. Settings Summary for Date and Time
2.3. Events and Logging
2.3.1. Overview
2.3.2. cOS Core Log Messages
2.3.3. Types of Log Receiver
2.3.4. The Memory Log Receiver (memlog)
2.3.5. The Syslog Log Receiver
2.3.6. Logsnoop
2.3.7. Mail Alerting
2.3.8. The InControl Log Receiver (FWLog)
2.3.9. Severity Filter and Message Exceptions
2.3.10. SNMP Traps
2.3.11. Advanced Log Settings
2.4. Monitoring
2.4.1. Real-time Monitoring Using InControl
2.4.2. Real-time Monitor Alerts
2.4.3. The Link Monitor
2.4.4. Hardware Monitoring
2.4.5. Memory Monitoring Settings
2.5. SNMP
2.5.1. Management with SNMP
2.5.2. Persistent SNMP Interface Indexes
2.5.3. SNMP Advanced Settings
2.6. Diagnostic Tools
2.6.1. Overview
2.6.2. The ping Command
2.6.3. The stats Command
2.6.4. The connections Command
2.6.5. The dconsole Command
2.6.6. The pcapdump Command
2.6.7. The traceroute Command
2.6.8. The frags Command
2.6.9. The selftest Command
2.6.10. The techsupport Command
2.6.11. Creating an Anonymous Configuration Copy
2.6.12. The Linktest Command
2.7. Maintenance
2.7.1. Software Upgrades
2.7.2. Version Update Alerts
2.7.3. Auto-Update Mechanism
2.7.4. Backing Up Configurations
2.7.5. Restore to Factory Defaults
2.7.6. Listing and Adding Ethernet Interfaces
2.8. Licenses
2.8.1. Introduction
2.8.2. License Installation on Clavister Hardware
2.8.3. License Installation on Virtual Firewalls
2.8.4. License Updating on Clavister Hardware
2.8.5. Lockdown Mode
2.8.6. Licensing Issues
2.9. Languages
2.10. Diagnostics and Improvements
3. Fundamentals
3.1. The Address Book
3.1.1. Overview
3.1.2. IP Address Objects
3.1.3. Ethernet Address Objects
3.1.4. Address Groups
3.1.5. Auto-Generated Address Objects
3.1.6. Address Folders
3.1.7. FQDN Address Objects
3.1.8. FQDN Groups
3.2. IPv6 Support
3.3. Services
3.3.1. Overview
3.3.2. Creating Custom Services
3.3.3. ICMP Services
3.3.4. Custom IP Protocol Services
3.3.5. Service Groups
3.3.6. Custom Service Lifetime Timeouts
3.3.7. Path MTU Discovery
3.4. Interfaces
3.4.1. Overview
3.4.2. Ethernet Interfaces
3.4.3. Link Aggregation
3.4.4. VLAN
3.4.5. Service VLAN
3.4.6. PPPoE
3.4.7. GRE Tunnels
3.4.8. 6in4 Tunnels
3.4.9. Loopback Interfaces
3.4.10. Interface Groups
3.4.11. Zones
3.4.12. Layer 2 Pass Through
3.5. ARP
3.5.1. Overview
3.5.2. The ARP Cache
3.5.3. ARP Publish
3.5.4. ARP Issues and Settings
3.5.5. The Neighbor Cache
3.5.6. Device Intelligence
3.6. IP Rule Sets
3.6.1. IP Rule Sets Overview
3.6.2. Creating IP Policies
3.6.3. Using Geolocation
3.6.4. IP Rule Set Processing
3.6.5. Multiple IP Rule Sets
3.6.6. IP Rule Set Folders
3.6.7. Configuration Object Groups
3.6.8. Stateless Policy
3.6.9. Fallback Policy
3.6.10. Creating IP Rules
3.6.11. Convert IP Rule to IP Policy
3.6.12. Reverse Proxy
3.7. Application Control
3.8. Schedules
3.9. Certificates
3.9.1. Overview
3.9.2. Uploading and Using Certificates
3.9.3. CRL Distribution Point Lists
3.9.4. CA Server Access
3.9.5. Generating Certificates
3.9.6. ACME
3.10. DNS
3.11. Internet Access Setup
3.11.1. Static Address Setup
3.11.2. DHCP Setup
3.11.3. The Minimum Requirements to Allow Traffic Flow
3.11.4. Creating a Route
3.11.5. Creating IP Rule Set Entries
3.11.6. Defining DNS Servers
4. Routing
4.1. Overview
4.2. Static Routing
4.2.1. Static Routing in cOS Core
4.2.2. Configuring Static Routes
4.2.3. Route Failover
4.2.4. Host Monitoring for Route Failover
4.2.5. Advanced Routing Settings for Route Failover
4.2.6. Proxy ARP
4.2.7. Broadcast Packet Forwarding
4.3. Policy-based Routing
4.4. Route Load Balancing
4.5. Active-Active Setup
4.6. Virtual Routing
4.6.1. Overview
4.6.2. A Simple Virtual Routing Scenario
4.6.3. The Disadvantage of Routing Rules
4.6.4. IP Rule Sets with Virtual Routing
4.6.5. Multiple IP rule sets
4.6.6. Troubleshooting
4.7. OSPF
4.7.1. Dynamic Routing
4.7.2. OSPF Concepts
4.7.3. OSPF Components
4.7.4. Dynamic Routing Rules
4.7.5. Setting Up OSPF
4.7.6. An OSPF Example
4.7.7. OSPF Troubleshooting
4.8. Multicast Routing
4.8.1. Overview
4.8.2. Multicast Forwarding with Multicast Policies
4.8.3. IGMP Configuration
4.8.4. Advanced IGMP Settings
4.8.5. Tunneling Multicast using GRE
4.9. Transparent Mode
4.9.1. Overview
4.9.2. Enabling Internet Access
4.9.3. A Transparent Mode Use Case
4.9.4. Host Detection By Packet Flooding
4.9.5. Spanning Tree BPDU Support
4.9.6. MPLS Pass Through
4.9.7. Advanced Settings for Transparent Mode
4.10. Application-based Routing
5. DHCP Services
5.1. Overview
5.2. IPv4 DHCP Client
5.3. IPv4 DHCP Server
5.3.1. Static IPv4 DHCP Hosts
5.3.2. Custom IPv4 Server Options
5.4. IPv4 DHCP Relay
5.5. IP Pools
5.6. DHCPv6
5.6.1. DHCPv6 Client
5.6.2. DHCPv6 Server
6. Application Layer Security
6.1. ALGs
6.1.1. Overview
6.1.2. HTTP ALG
6.1.3. FTP ALG
6.1.4. TFTP ALG
6.1.5. SMTP ALG
6.1.6. POP3 ALG
6.1.7. IMAP ALG
6.1.8. PPTP ALG
6.1.9. SIP ALG
6.1.10. H.323 ALG
6.1.11. TLS ALG
6.1.12. DNS ALG
6.1.13. Syslog ALG
6.2. Web Content Filtering
6.2.1. Overview
6.2.2. WCF Setup Using IP Policies
6.2.3. WCF Setup Using IP Rules
6.2.4. WCF Categories
6.2.5. Customizing WCF HTML Pages
6.2.6. HTTPS Setup with WCF
6.2.7. Examining WCF Performance
6.3. Email Control
6.3.1. Email Control Profiles with IP Policies
6.3.2. DNSBL Processing
6.3.3. SMTP Anti-Spam with IP Rules
6.4. Anti-Virus Scanning
6.4.1. Overview
6.4.2. Anti-Virus Processing in cOS Core
6.4.3. Activating Anti-Virus Scanning
6.4.4. Anti-Virus with ZoneDefense
6.5. File Control
7. Threat Prevention
7.1. Access Rules
7.1.1. Overview
7.1.2. IP Spoofing
7.1.3. Access Rule Settings
7.2. IP Reputation
7.3. Botnet Protection
7.4. DoS Protection
7.4.1. Overview
7.4.2. Setting up DoS Protection
7.4.3. DoS Attack Examples
7.5. Scanner Protection
7.6. Phishing Protection
7.7. Spam Protection
7.8. Intrusion Detection and Prevention
7.8.1. Overview
7.8.2. IDP Configuration Components
7.8.3. IDP Signatures and Signature Groups
7.8.4. Insertion/Evasion Attack Prevention
7.8.5. Setting Up IDP
7.8.6. Updating IDP Signatures
7.8.7. Best Practice Deployment
7.9. Threshold Rules
7.10. Blacklisting/Whitelisting IP Addresses
7.11. ZoneDefense
8. Address Translation
8.1. Overview
8.2. NAT
8.3. NAT Pools
8.4. SAT
8.4.1. Introduction
8.4.2. One-to-One IP Translation
8.4.3. Many-to-Many IP Translation
8.4.4. Many-to-One IP Translation
8.4.5. SAT with Stateless IP Rule Set Entries
8.4.6. Combining SAT with NAT
8.4.7. Port Translation
8.4.8. Protocols Handled by SAT
8.4.9. SAT Setup Using IP Rules
8.5. Automatic Translation
8.5.1. NAT Only Translation
8.5.2. NAT/SAT Translation
9. User Authentication
9.1. Overview
9.2. Authentication Setup
9.2.1. Authentication Setup Summary
9.2.2. Local User Databases
9.2.3. External RADIUS Servers
9.2.4. External OpenID Connect Provider
9.2.5. External LDAP Servers
9.2.6. Authentication Rules
9.2.7. HTTP Authentication
9.2.8. MAC Authentication
9.3. Customizing Authentication HTML
9.4. IP Policies Requiring Authentication
9.5. Brute Force Protection
9.6. User Identity Awareness
9.6.1. Overview
9.6.2. Setting Up Identity Awareness
9.6.3. Monitoring Identity Awareness Activity
9.7. Multi-Factor Authentication
9.8. RADIUS Accounting
9.8.1. Overview
9.8.2. RADIUS Accounting Messages
9.8.3. Interim Accounting Messages
9.8.4. Configuring RADIUS Accounting
9.8.5. RADIUS Accounting Security
9.8.6. RADIUS Accounting and High Availability
9.8.7. Handling Unresponsive RADIUS Servers
9.8.8. Accounting and System Shutdowns
9.8.9. Limitations with NAT
9.8.10. Advanced RADIUS Settings
9.9. Radius Relay
9.10. Internal Radius Servers
10. VPN
10.1. Overview
10.1.1. VPN Usage
10.1.2. VPN Encryption
10.1.3. VPN Planning
10.2. VPN Quick Start
10.2.1. IPsec LAN-to-LAN with Pre-shared Keys
10.2.2. IPsec LAN-to-LAN with Certificates
10.2.3. IPsec Roaming Clients with Pre-shared Keys
10.2.4. IPsec Roaming Clients with Certificates
10.2.5. L2TP/IPsec Roaming Clients with Pre-Shared Keys
10.2.6. L2TP/IPsec Roaming Clients with Certificates
10.2.7. PPTP Roaming Clients
10.3. IPsec
10.3.1. IPsec Principles
10.3.2. IPsec Tunnels in cOS Core
10.3.3. IPsec Tunnel Properties
10.3.4. Proposal Lists
10.3.5. Pre-shared Keys
10.3.6. LAN-to-LAN Tunnels with Pre-shared Keys
10.3.7. IPsec Roaming Clients
10.3.8. IPsec with Certificates
10.3.9. IPsec Tunnel Selection
10.3.10. IPsec IPv6 Support
10.3.11. Config Mode
10.3.12. IKEv2 Support
10.3.13. Setup for IKEv2 Roaming Clients
10.3.14. Setup for iOS Roaming Clients
10.3.15. Using IPsec Profiles
10.3.16. MOBIKE Support
10.3.17. IPsec Tunnel Monitoring
10.3.18. Using ID Lists with Certificates
10.3.19. DiffServ with IPsec
10.3.20. NAT Traversal
10.3.21. Using Alternate LDAP Servers
10.3.22. Creating a Layer-3 Bridge
10.3.23. IPsec Hardware Acceleration
10.3.24. IPsec Advanced Settings
10.3.25. IPsec Troubleshooting
10.4. PPTP/L2TP
10.4.1. PPTP Servers
10.4.2. L2TP Servers
10.4.3. L2TP/PPTP Server Advanced Settings
10.4.4. PPTP/L2TP Clients
10.4.5. The l2tp and pptp Commands
10.5. L2TP Version 3
10.5.1. L2TPv3 Server
10.5.2. L2TPv3 Client
10.6. SSL VPN
10.6.1. Overview
10.6.2. Configuring SSL VPN in cOS Core
10.6.3. SSL VPN Setup Examples
10.6.4. The Windows SSL VPN Client
10.6.5. The Apple MacOS SSL VPN Client
10.7. OneConnect VPN
10.7.1. Overview
10.7.2. Configuring OneConnect VPN in cOS Core
10.7.3. OneConnect Interface Setup Examples
10.7.4. OpenConnect Client Setup
11. Traffic Management
11.1. Traffic Shaping
11.1.1. Overview
11.1.2. Traffic Shaping in cOS Core
11.1.3. Simple Bandwidth Limiting
11.1.4. Limiting Bandwidth in Both Directions
11.1.5. Creating Differentiated Limits Using Chains
11.1.6. Precedences
11.1.7. Pipe Groups
11.1.8. Traffic Shaping with VPN and Tunnels
11.1.9. Traffic Shaping Recommendations
11.1.10. A Summary of Traffic Shaping
11.1.11. More Pipe Examples
11.2. IDP Traffic Shaping
11.2.1. Overview
11.2.2. Setting Up IDP Traffic Shaping
11.2.3. Processing Flow
11.2.4. The Importance of Specifying a Network
11.2.5. A P2P Scenario
11.2.6. Viewing Traffic Shaping Objects
11.2.7. Guaranteeing Instead of Limiting Bandwidth
11.2.8. Logging
11.3. Server Load Balancing
11.3.1. Overview
11.3.2. SLB Distribution Algorithms
11.3.3. Selecting Stickiness
11.3.4. SLB Algorithms and Stickiness
11.3.5. SLB Server Monitoring
11.3.6. Behavior After Server Failure
11.3.7. Setting Up SLB
12. High Availability
12.1. Overview
12.2. HA Mechanisms
12.3. Setting Up HA
12.3.1. Hardware Setup
12.3.2. Wizard HA Setup
12.3.3. Manual HA Setup
12.3.4. Verifying that the Cluster Functions Correctly
12.3.5. Unique Shared Mac Addresses
12.4. HA Issues and Troubleshooting
12.5. Upgrading an HA Cluster
12.6. Link Monitoring and HA
12.7. HA Advanced Settings
13. Advanced Settings
13.1. IP Level Settings
13.2. TCP Settings
13.3. ICMP Settings
13.4. State Settings
13.5. Connection Timeout Settings
13.6. Length Limit Settings
13.7. Fragmentation Settings
13.8. Local Fragment Reassembly Settings
13.9. SSL/TLS Settings
13.10. Miscellaneous Settings
A. Subscription Based Features
B. IDP Signature Groups
C. Verified MIME filetypes
D. The OSI Framework
E. Ports Used in cOS Core
F. Third Party Software Licenses