cOS Core 15.00.01
Administration Guide

Table of Contents

1. cOS Core Overview
1.1. Features
1.2. cOS Core Architecture
1.2.1. State-based Architecture
1.2.2. cOS Core Building Blocks
1.3. Basic Packet Flow
1.4. cOS Core State Engine Packet Flow
2. Management and Maintenance
2.1. Managing cOS Core
2.1.1. Overview
2.1.2. Configuring Network Management Access
2.1.3. Administrator Accounts
2.1.4. The Web Interface
2.1.5. CLI Access
2.1.6. Using the CLI
2.1.7. CLI Scripts
2.1.8. Using SCP
2.1.9. The Local Console Boot Menu
2.1.10. Boot Menu for the NetWall 100/300/500/6000 Series
2.1.11. RADIUS Management Authentication
2.1.12. Strong Passwords
2.1.13. Management Advanced Settings
2.1.14. Working with Configurations
2.2. System Date and Time
2.2.1. Overview
2.2.2. Setting Date and Time Manually
2.2.3. Using External Time Servers
2.2.4. Settings Summary for Date and Time
2.3. Events and Logging
2.3.1. Overview
2.3.2. cOS Core Log Messages
2.3.3. Types of Log Receiver
2.3.4. The Memory Log Receiver (memlog)
2.3.5. The Syslog Log Receiver
2.3.6. Logsnoop
2.3.7. Mail Alerting
2.3.8. The InControl Log Receiver (FWLog)
2.3.9. Severity Filter and Message Exceptions
2.3.10. SNMP Traps
2.3.11. Advanced Log Settings
2.4. Monitoring
2.4.1. Real-time Monitoring Using InControl
2.4.2. Real-time Monitor Alerts
2.4.3. The Link Monitor
2.4.4. Hardware Monitoring
2.4.5. Memory Monitoring Settings
2.5. SNMP
2.5.1. Management with SNMP
2.5.2. Persistent SNMP Interface Indexes
2.5.3. SNMP Advanced Settings
2.6. Diagnostic Tools
2.6.1. Overview
2.6.2. The ping Command
2.6.3. The stats Command
2.6.4. The connections Command
2.6.5. The dconsole Command
2.6.6. The pcapdump Command
2.6.7. The traceroute Command
2.6.8. The frags Command
2.6.9. The selftest Command
2.6.10. The techsupport Command
2.6.11. Creating an Anonymous Configuration Copy
2.6.12. The Linktest Command
2.7. Maintenance
2.7.1. Software Upgrades
2.7.2. Version Update Alerts
2.7.3. Auto-Update Mechanism
2.7.4. Backing Up Configurations
2.7.5. Restore to Factory Defaults
2.7.6. Listing and Adding Ethernet Interfaces
2.8. Licenses
2.8.1. Introduction
2.8.2. License Installation on Clavister Hardware
2.8.3. License Installation on Virtual Firewalls
2.8.4. License Updating on Clavister Hardware
2.8.5. Lockdown Mode
2.8.6. Licensing Issues
2.9. Languages
2.10. Diagnostics and Improvements
3. Fundamentals
3.1. The Address Book
3.1.1. Overview
3.1.2. IP Address Objects
3.1.3. Ethernet Address Objects
3.1.4. Address Groups
3.1.5. Auto-Generated Address Objects
3.1.6. Address Folders
3.1.7. FQDN Address Objects
3.1.8. FQDN Groups
3.2. IPv6 Support
3.3. Services
3.3.1. Overview
3.3.2. Creating Custom Services
3.3.3. ICMP Services
3.3.4. Custom IP Protocol Services
3.3.5. Service Groups
3.3.6. Custom Service Lifetime Timeouts
3.3.7. Path MTU Discovery
3.4. Interfaces
3.4.1. Overview
3.4.2. Ethernet Interfaces
3.4.3. Link Aggregation
3.4.4. VLAN
3.4.5. Service VLAN
3.4.6. PPPoE
3.4.7. GRE Tunnels
3.4.8. 6in4 Tunnels
3.4.9. Loopback Interfaces
3.4.10. Interface Groups
3.4.11. Zones
3.4.12. Layer 2 Pass Through
3.5. ARP
3.5.1. Overview
3.5.2. The ARP Cache
3.5.3. ARP Publish
3.5.4. ARP Issues and Settings
3.5.5. The Neighbor Cache
3.5.6. Device Intelligence
3.6. IP Rule Sets
3.6.1. IP Rule Sets Overview
3.6.2. Creating IP Policies
3.6.3. Using Geolocation
3.6.4. IP Rule Set Processing
3.6.5. Multiple IP Rule Sets
3.6.6. IP Rule Set Folders
3.6.7. Configuration Object Groups
3.6.8. Stateless Policy
3.6.9. Fallback Policy
3.6.10. Creating IP Rules
3.6.11. Convert IP Rule to IP Policy
3.6.12. Reverse Proxy
3.7. Application Control
3.8. Schedules
3.9. Certificates
3.9.1. Overview
3.9.2. Uploading and Using Certificates
3.9.3. CRL Distribution Point Lists
3.9.4. CA Server Access
3.9.5. Generating Certificates
3.9.6. ACME
3.10. DNS
3.11. Internet Access Setup
3.11.1. Static Address Setup
3.11.2. DHCP Setup
3.11.3. The Minimum Requirements to Allow Traffic Flow
3.11.4. Creating a Route
3.11.5. Creating IP Rule Set Entries
3.11.6. Defining DNS Servers
4. Routing
4.1. Overview
4.2. Static Routing
4.2.1. Static Routing in cOS Core
4.2.2. Configuring Static Routes
4.2.3. Route Failover
4.2.4. Host Monitoring for Route Failover
4.2.5. Advanced Routing Settings for Route Failover
4.2.6. Proxy ARP
4.2.7. Broadcast Packet Forwarding
4.3. Policy-based Routing
4.4. Route Load Balancing
4.5. Active-Active Setup
4.6. Virtual Routing
4.6.1. Overview
4.6.2. A Simple Virtual Routing Scenario
4.6.3. The Disadvantage of Routing Rules
4.6.4. IP Rule Sets with Virtual Routing
4.6.5. Multiple IP Rule Sets
4.6.6. Troubleshooting
4.7. OSPF
4.7.1. Dynamic Routing
4.7.2. OSPF Concepts
4.7.3. OSPF Components
4.7.4. Dynamic Routing Rules
4.7.5. Setting Up OSPF
4.7.6. An OSPF Example
4.7.7. OSPF Troubleshooting
4.8. Multicast Routing
4.8.1. Overview
4.8.2. Multicast Forwarding with Multicast Policies
4.8.3. IGMP Configuration
4.8.4. Advanced IGMP Settings
4.8.5. Tunneling Multicast using GRE
4.9. Transparent Mode
4.9.1. Overview
4.9.2. Enabling Internet Access
4.9.3. A Transparent Mode Use Case
4.9.4. Host Detection By Packet Flooding
4.9.5. Spanning Tree BPDU Support
4.9.6. MPLS Pass Through
4.9.7. Advanced Settings for Transparent Mode
4.10. Application-based Routing
5. DHCP Services
5.1. Overview
5.2. IPv4 DHCP Client
5.3. IPv4 DHCP Server
5.3.1. Static IPv4 DHCP Hosts
5.3.2. Custom IPv4 Server Options
5.4. IPv4 DHCP Relay
5.5. IP Pools
5.6. DHCPv6
5.6.1. DHCPv6 Client
5.6.2. Prefix Delegation
5.6.3. DHCPv6 Server
6. Application Layer Security
6.1. ALGs
6.1.1. Overview
6.1.2. HTTP ALG
6.1.3. FTP ALG
6.1.4. TFTP ALG
6.1.5. SMTP ALG
6.1.6. POP3 ALG
6.1.7. IMAP ALG
6.1.8. PPTP ALG
6.1.9. SIP ALG
6.1.10. H.323 ALG
6.1.11. TLS ALG
6.1.12. DNS ALG
6.1.13. Syslog ALG
6.2. Web Content Filtering
6.2.1. Overview
6.2.2. WCF Setup Using IP Policies
6.2.3. WCF Categories
6.2.4. Customizing WCF HTML Pages
6.2.5. HTTPS Setup with WCF
6.2.6. Examining WCF Performance
6.3. Email Control
6.3.1. Email Control Profiles with IP Policies
6.3.2. DNSBL Processing
6.3.3. SMTP Anti-Spam with IP Rules
6.4. Anti-Virus Scanning
6.4.1. Overview
6.4.2. Anti-Virus Processing in cOS Core
6.4.3. Activating Anti-Virus Scanning
6.4.4. Anti-Virus with ZoneDefense
6.5. File Control
7. Threat Prevention
7.1. Access Rules
7.1.1. Overview
7.1.2. IP Spoofing
7.1.3. Access Rule Settings
7.2. IP Reputation
7.3. Botnet Protection
7.4. DoS Protection
7.4.1. Overview
7.4.2. Setting up DoS Protection
7.4.3. DoS Attack Examples
7.5. Scanner Protection
7.6. Phishing Protection
7.7. Spam Protection
7.8. Intrusion Detection and Prevention
7.8.1. Overview
7.8.2. IDP Configuration Components
7.8.3. IDP Signatures and Signature Groups
7.8.4. Insertion/Evasion Attack Prevention
7.8.5. Setting Up IDP
7.8.6. Updating IDP Signatures
7.8.7. Best Practice Deployment
7.9. Threshold Rules
7.10. Blacklisting/Whitelisting IP Addresses
7.11. ZoneDefense
8. Artificial Intelligence
8.1. Anomaly Detection
8.1.1. Overview
8.1.2. Usage Considerations
8.1.3. Configuring an AI Policy
9. Address Translation
9.1. Overview
9.2. NAT
9.3. NAT Pools
9.4. SAT
9.4.1. Introduction
9.4.2. One-to-One IP Translation
9.4.3. Many-to-Many IP Translation
9.4.4. Many-to-One IP Translation
9.4.5. SAT with Stateless IP Rule Set Entries
9.4.6. Combining SAT with NAT
9.4.7. Port Translation
9.4.8. Protocols Handled by SAT
9.4.9. SAT Setup Using IP Rules
9.5. Automatic Translation
9.5.1. NAT Only Translation
9.5.2. NAT/SAT Translation
10. User Authentication
10.1. Overview
10.2. Authentication Setup
10.2.1. Authentication Setup Summary
10.2.2. Local User Databases
10.2.3. External RADIUS Servers
10.2.4. External OpenID Connect Provider
10.2.5. External LDAP Servers
10.2.6. Authentication Rules
10.2.7. HTTP Authentication
10.2.8. MAC Authentication
10.3. Customizing Authentication HTML
10.4. IP Policies Requiring Authentication
10.5. Brute Force Protection
10.6. User Identity Awareness
10.6.1. Overview
10.6.2. Setting Up Identity Awareness
10.6.3. Monitoring Identity Awareness Activity
10.7. Multi-Factor Authentication
10.8. RADIUS Accounting
10.8.1. Overview
10.8.2. RADIUS Accounting Messages
10.8.3. Interim Accounting Messages
10.8.4. Configuring RADIUS Accounting
10.8.5. RADIUS Accounting Security
10.8.6. RADIUS Accounting and High Availability
10.8.7. Handling Unresponsive RADIUS Servers
10.8.8. Accounting and System Shutdowns
10.8.9. Limitations with NAT
10.8.10. Advanced RADIUS Settings
10.9. RADIUS Relay
10.10. Internal RADIUS Servers
11. VPN
11.1. Overview
11.1.1. VPN Usage
11.1.2. VPN Encryption
11.1.3. VPN Planning
11.2. VPN Quick Start
11.2.1. IPsec LAN-to-LAN with Pre-shared Keys
11.2.2. IPsec LAN-to-LAN with Certificates
11.2.3. IPsec Roaming Clients with Pre-shared Keys
11.2.4. IPsec Roaming Clients with Certificates
11.2.5. L2TP/IPsec Roaming Clients with Pre-Shared Keys
11.2.6. L2TP/IPsec Roaming Clients with Certificates
11.2.7. PPTP Roaming Clients
11.3. IPsec
11.3.1. IPsec Principles
11.3.2. IPsec Tunnels in cOS Core
11.3.3. IPsec Tunnel Properties
11.3.4. Proposal Lists
11.3.5. Pre-shared Keys
11.3.6. LAN-to-LAN Tunnels with Pre-shared Keys
11.3.7. IPsec Roaming Clients
11.3.8. IPsec with Certificates
11.3.9. IPsec Tunnel Selection
11.3.10. IPsec IPv6 Support
11.3.11. Config Mode
11.3.12. IKEv2 Support
11.3.13. Setup for IKEv2 Roaming Clients
11.3.14. Setup for iOS Roaming Clients
11.3.15. Using IPsec Profiles
11.3.16. MOBIKE Support
11.3.17. IPsec Tunnel Monitoring
11.3.18. Using ID Lists with Certificates
11.3.19. DiffServ with IPsec
11.3.20. NAT Traversal
11.3.21. Using Alternate LDAP Servers
11.3.22. Creating a Layer-3 Bridge
11.3.23. IPsec Hardware Acceleration
11.3.24. IPsec Advanced Settings
11.3.25. IPsec Troubleshooting
11.4. PPTP/L2TP
11.4.1. PPTP Servers
11.4.2. L2TP Servers
11.4.3. L2TP/PPTP Server Advanced Settings
11.4.4. PPTP/L2TP Clients
11.4.5. The l2tp and pptp Commands
11.5. L2TP Version 3
11.5.1. L2TPv3 Server
11.5.2. L2TPv3 Client
11.6. SSL VPN
11.6.1. Overview
11.6.2. Configuring SSL VPN in cOS Core
11.6.3. SSL VPN Setup Examples
11.6.4. The Windows SSL VPN Client
11.6.5. The Apple macOS SSL VPN Client
11.7. OneConnect VPN
11.7.1. Overview
11.7.2. Configuring OneConnect VPN in cOS Core
11.7.3. OneConnect Interface Setup Examples
11.7.4. OpenConnect Client Setup
12. Traffic Management
12.1. Traffic Shaping
12.1.1. Overview
12.1.2. Traffic Shaping in cOS Core
12.1.3. Simple Bandwidth Limiting
12.1.4. Limiting Bandwidth in Both Directions
12.1.5. Creating Differentiated Limits Using Chains
12.1.6. Precedences
12.1.7. Pipe Groups
12.1.8. Traffic Shaping with VPN and Tunnels
12.1.9. Traffic Shaping Recommendations
12.1.10. A Summary of Traffic Shaping
12.1.11. More Pipe Examples
12.2. IDP Traffic Shaping
12.2.1. Overview
12.2.2. Setting Up IDP Traffic Shaping
12.2.3. Processing Flow
12.2.4. The Importance of Specifying a Network
12.2.5. A P2P Scenario
12.2.6. Viewing Traffic Shaping Objects
12.2.7. Guaranteeing Instead of Limiting Bandwidth
12.2.8. Logging
12.3. Server Load Balancing
12.3.1. Overview
12.3.2. SLB Distribution Algorithms
12.3.3. Selecting Stickiness
12.3.4. SLB Algorithms and Stickiness
12.3.5. SLB Server Monitoring
12.3.6. Behavior After Server Failure
12.3.7. Setting Up SLB
13. High Availability
13.1. Overview
13.2. HA Mechanisms
13.3. Setting Up HA
13.3.1. Hardware Setup
13.3.2. Wizard HA Setup
13.3.3. Manual HA Setup
13.3.4. Verifying that the Cluster Functions Correctly
13.3.5. Unique Shared MAC Addresses
13.4. HA Issues and Troubleshooting
13.5. Upgrading an HA Cluster
13.6. Link Monitoring and HA
13.7. HA Advanced Settings
14. Advanced Settings
14.1. IP Level Settings
14.2. TCP Settings
14.3. ICMP Settings
14.4. State Settings
14.5. Connection Timeout Settings
14.6. Length Limit Settings
14.7. Fragmentation Settings
14.8. Local Fragment Reassembly Settings
14.9. SSL/TLS Settings
14.10. Miscellaneous Settings
A. Subscription Based Features
B. IDP Signature Groups
C. Verified MIME filetypes
D. The OSI Framework
E. Ports Used in cOS Core
F. Third Party Software Licenses