Overview
A number of cOS Core features are subscription based, meaning that they require the relevant valid subscription in order to be used. Subscriptions are in addition to the basic cOS Core license and can be added separately, but usually they are part of a license package. The expiry date for each subscription feature is shown inside the cOS Core license file.
The Clavister Service Provisioning Network
Features that require access to external information or database updates make use of the Clavister Service Provisioning Network (SPN), which consists of a set of servers distributed geographically around the globe. The functioning of this network is discussed both here and in a Clavister Knowledge Base article at the following link:
https://kb.clavister.com/354847906
Connection to the network when cOS Core is running in transparent mode is discussed in another article at the following link:
https://kb.clavister.com/324736326
Access to the Service Provisioning Network
cOS Core will try to access the SPN through the Internet so the firewall should have Internet access configured, including a DNS server for FQDN resolution.
Important: DNS servers must be configured in cOS Core
Make sure at least one external DNS server is correctly configured in cOS Core (see Section 3.10, DNS) so that the Clavister network servers that provide updates can be located by cOS Core. However, this is not needed if the HTTP proxy feature is used, which is described next.
Using an HTTP Proxy Instead of Direct Internet Access
In some circumstances, Internet access may not be available directly from the firewall. cOS Core provides a solution to this by allowing an HTTP proxy to be configured for SPN access. This is done using the cOS Core CLI. For example, if the proxy IPv4 address is 10.6.101.179, the CLI command to direct SPN traffic to the proxy would be the following:
Device:/> set UpdateCenter EnableProxy=Yes HTTPProxyIP=10.6.101.179 HTTPProxyPort=8080
The proxy can also be set in the Web Interface by going to Status > Update Center and selecting the Proxy tab.
The proxy server could be an NGINX or Squid server. Alternatively, the on-premises Clavister InCenter server can, if correctly configured, act as the HTTP proxy. See the separate InCenter Administration Guide for further details on using InCenter as the proxy. Also note that this HTTP proxy feature is only for traffic flowing between the firewall and the SPN. It cannot be used for non-SPN related HTTP traffic.
cOS Core Features Requiring a Subscription
The following cOS Core features require a subscription:
Intrusion Detection and Prevention (IDP)
A database of known threat signatures is stored locally in the Clavister firewall. This local database needs to be updated regularly with the latest threat signatures by automatically downloading updates from the SPN.
This feature is described fully in Section 7.8, Intrusion Detection and Prevention.
Like IDP, a database of known virus signatures is stored locally. This local database also needs to be updated regularly with the latest virus signatures by automatically downloading updates from the SPN.
This feature is described fully in Section 6.4, Anti-Virus Scanning.
For each website accessed with WCF configured, cOS Core queries a URL database server over the Internet via the SPN. This server categorizes URLs allowing cOS Core to implement the configured filtering policies. cOS Core locally caches recently categorized URLs to maximize lookup performance.
A subscription for WCF also includes the Malicious Link Protection feature of email filtering. This feature is described in Section 6.3.1, Email Control Profiles with IP Policies.
The DCC (Distributed Checksum Clearinghouses) feature in cOS Core email filtering (see Section 6.3.1, Email Control Profiles with IP Policies) is subscription based.
The DCC feature has its own parameter and expiry date in a Clavister license file. For this reason, if cOS Core is upgraded from a version that does not have DCC (prior to version 11.00) to a version that does (11.00 or later), a new cOS Core license must be created and installed.
This is also part of a Clavister support agreement but does not currently make use of the SPN.
IP reputation queries are matched against the IP reputation database which is accessible through the SPN. A copy of the high threat portion of the reputation database is kept locally for improved performance. Every 24 hours this local portion is updated in its entirety via the SPN. Between 24 hour updates, partial updates can occur and these are also delivered via the SPN.
This feature is described fully in Section 7.2, IP Reputation.
Device intelligence relies on client information being matched against the fing™ database which is accessible through the SPN. A cache of the most recent matches is kept locally for improved performance.
This feature is described fully in Section 3.5.6, Device Intelligence.
Subscription Agreement Renewal
When a subscription is approaching its expiry date, the administrator is notified in the following ways:
cOS Core will issue an alert in the Web Interface that warns that subscription expiry is approaching. The alert will start appearing between 30 days and 23 days prior to expiry. The expiry check is done by cOS Core every 7 days.
A reminder email will be sent by Clavister to the email address associated with the license.
Providing a log server has been configured, a log message will be sent which indicates that subscription renewal is required.
Tip: Renew subscriptions early
Renew a subscription well before the expiry date! Do not leave it to the last minute.
IDP and Anti-Virus Database Updating
The IDP and Anti-Virus subsystems function by regularly downloading "signature" updates which are then used by cOS Core to scan for the most recently recognized threats. New threats are being identified every day and the signature databases in these subsystems need to be updated regularly. Having a valid subscription means that cOS Core will periodically access a central server and update the local copy of the database on the firewall with the latest signatures. Database updates can involve as many as 20 signature changes or more in a single day.
Frequency of Database Updating
By default, cOS Core will check for updates every 12 hours. The frequency of checking for updates can be explicitly set. However, there is always a small random delay of up to 10 minutes which is added to the set period so all cOS Core installations do not try to update at the same time and overload Clavister's servers. Note that the update period can be set to zero if updates are to be done manually.
Updating with Transparent Mode
If transparent mode is being used then special considerations have to be made so that cOS Core has a way to access the Internet. This involves setting up "normal" non-switch routes in the routing tables to allow this. This is described further in Section 4.9.2, Enabling Internet Access.
Note: Updating the database causes a pause in processing
Some database updates such as for anti-virus can require a brief processing delay once an update is downloaded. This can cause the firewall traffic flow to momentarily pause. It can therefore be best to set the timing of updates to be at times with minimal traffic, such as in the early hours of the morning. Deleting a database can cause a similar pause in processing.
Pre-empting Database Updates
An IDP database update can be forced at any time by using the command:
Device:/> updatecenter -update=idp
An Anti-Virus update can similarly be initiated with the command:
Device:/> updatecenter -update=antivirus
Querying Update Status
To get the status of IDP updates use the command:
Device:/> updatecenter -status=idp
To get the status of AV updates:
Device:/> updatecenter -status=antivirus
Querying Server Status
To get the status of the Clavister network servers use the command:
Device:/> updatecenter -servers
This command shows the following information for all available servers:
Server IP - The IPv4 address of the server.
Response time - The current response time in milliseconds from a test communication with each server.
Packet loss - The packet loss seen in the test for that server.
Precedence - One server will be designated as Primary and the others Backup. The Primary will always be the one used for downloads to cOS Core. If it becomes unavailable, one of the backup servers will become the primary.
Deleting Local Databases
Some technical problems in the operation of either IDP or the anti-virus subsystems may be resolved by deleting the database and reloading. For IDP this is done with the command:
Device:/> updatecenter -removedb=idp
To remove the anti-virus database, use the command:
Device:/> updatecenter -removedb=antivirus
Once removed, cOS Core should be restarted and a database update initiated. Removing the database is also recommended if either IDP or anti-virus is not used for long periods of time.
Note: An equals sign or space can be used with updatecenter
In the updatecenter command options, the separator between the option and its value can be either an equals sign or a space. For example:
updatecenter -update=antivirus
Can be written as:
updatecenter -update antivirus
Subscription expiry results in anti-virus scanning following the action of the Fail Mode property of the ALG. By default, this is Deny and the affected traffic will therefore be dropped. This default is always used with IP Policy objects.
An alert message appears in the Web Interface to indicate that the subscription has expired. In addition, cOS Core will generate the following log message to indicate that scanning cannot be performed:
no_valid_license_av_scanning_aborted
Subscription expiry can be checked with the following CLI command:
Device:/> updatecenter -update=antivirus
No valid subscription exists for this service
Subscription expiry results in IDP scanning being disabled and no database updates are performed. No traffic will be dropped because of this. Subscription expiry can be checked with the following CLI command:
Device:/> updatecenter -update=idp
No valid subscription exists for this service
Subscription expiry results in the feature being disabled and all websites being allowed. The following log message is generated by cOS Core if the subscription expires:
content_filtering_disabled no_valid_license
DCC in Email Filtering
The Web Interface will display the following message when displaying the Email Control Profile definition:
Warning: No valid DCC License exists
DCC checking will be bypassed.
A log message will be generated for every email not checked with DCC.
Subscription expiry results in all applications being tagged as unknown. Traffic will be allowed or dropped depending on how the administrator has configured application control to behave with the unknown tag.
In addition, a warning expiry message is shown on the CLI console and log messages are generated indicating that traffic is being tagged unknown because of subscription expiry.
Subscription expiry results in no IP reputation lookups being done and normal traffic flow will continue. IP reputation logging will not be done even if it is enabled. If any threat prevention objects such as DoS Protection or Botnet Protection are enabled, no IP lookups will be done for those objects, no blacklisting will take place and no connections will be dropped.
Subscription expiry results in the device intelligence information not appearing when the neighbor discovery cache contents are examined.
For all these features, the current status of the relevant subscription along with the expiry date can be viewed in the Web Interface by going to Status > Maintenance > License.
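The expiry behavior above differs by feature: web content filtering lapses with traffic still flowing, while anti-virus under the default Fail Mode drops traffic. The following Python sketch is an added example, not Clavister code; it scans collected log lines for the two log messages named on this page and groups the hits by device and effect. The sample lines, device names and the "timestamp device message" layout are constructed for the example and are not the cOS Core log format.

```python
import re

# Log message names and expiry effects come from this page. Key: tokens that
# must all appear in a line. fail_closed = dropped; fail_open = flows unchecked.
EXPIRY_EVENTS = {
    # Anti-virus follows the ALG Fail Mode; the default (Deny) is assumed here.
    ("no_valid_license_av_scanning_aborted",): ("anti-virus", "fail_closed"),
    # Web content filtering is disabled and all websites are allowed.
    ("content_filtering_disabled", "no_valid_license"):
        ("web-content-filtering", "fail_open"),
}

# Constructed sample input. The "<timestamp> <device> <message>" layout and the
# device names are assumptions for this example, not the cOS Core log format.
SAMPLE_LOG = """\
2024-05-01T02:10:00Z fw-edge-1 no_valid_license_av_scanning_aborted
2024-05-01T02:10:05Z fw-edge-1 content_filtering_disabled no_valid_license
2024-05-01T02:11:00Z fw-edge-2 conn_open
2024-05-01T02:12:00Z fw-edge-2 content_filtering_disabled no_valid_license
2024-05-01T02:12:30Z fw-edge-1 no_valid_license_av_scanning_aborted
"""

def triage(log_text):
    """Return {(device, feature): {"effect", "count", "first_seen"}}."""
    findings = {}
    for line in log_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue  # blank or malformed line
        timestamp, device, message = parts
        tokens = set(re.findall(r"\w+", message))  # whole-word tokens only
        for required, (feature, effect) in EXPIRY_EVENTS.items():
            if tokens.issuperset(required):
                entry = findings.setdefault(
                    (device, feature),
                    {"effect": effect, "count": 0, "first_seen": timestamp})
                entry["count"] += 1
    return findings

def silently_unprotected(findings):
    """Devices where an expired subscription lets traffic through unchecked."""
    return sorted({device for (device, _), hit in findings.items()
                   if hit["effect"] == "fail_open"})

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for (device, feature), hit in sorted(results.items()):
        print(device, feature, hit["effect"], hit["count"], hit["first_seen"])
```

If an ALG's Fail Mode has been changed from the default Deny, reclassify the anti-virus entry accordingly.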
Note that the behavior of the firewall when subscriptions expire is also discussed in an article in the Clavister Knowledge Base at the following link: