3.3. The Management Interface

The KVM Console

When cOS Core starts, KVM will display a console which represents the console that is normally directly connected to the local console port of a physical firewall. This console is accessed by using VNC to connect to the IP address and port previously specified when running the script prepare.sh.

This console displays output from cOS Core exactly as it would be displayed with a non-virtual firewall. It will show the initial startup sequence output and this can be interrupted, if required, by key presses in order to enter the boot menu. After startup, the KVM console can be used to issue CLI commands to configure cOS Core further and this is described in Section 6.4, Manual CLI Setup.

[Tip] Tip: Changing focus back from the KVM console
KVM will keep focus in the console window after clicking it. Use the key combination Ctrl-Alt to release this focus.

The Default Virtual Ethernet Interfaces

By default, the standard cOS Core installation provides three virtual Ethernet interfaces. To function, these virtual NICs must be mapped to the correct bridge or physical Ethernet interface by changing the Source device property for the interface using Virtual Machine Manager (virt-manager). Doing this is described in Chapter 4, Configuring Virtual Machines. The Device model property will remain as the default value of virtio

cOS Core assigns the following default logical names to the virtual interfaces:

Connecting to the Virtual Firewall

By default, cOS Core enables a DHCP client on all the Ethernet interfaces so they can receive an IP address from a suitably configured external DHCP server. If DHCP is not used, an IP address must be assigned to the management interface manually and doing this is described in Section 6.4, Manual CLI Setup. Once assigned, this IP address can be used for a network connection using the cOS Core CLI over SSH or using the cOS Core WebUI over HTTPS.

The management computer running the web browser or SSH client can be one of the following:

In both the above cases, the real or virtual management computer needs its connecting Ethernet interface configured with an IP address on the same network as the cOS Core interface. Once this is done, the management computer and the firewall can communicate and initial cOS Core setup can then be performed in exactly the same way as a non-virtual firewall. This is described next in Chapter 6, Configuring cOS Core.

Setup with Multiple Virtual Firewalls

When there are multiple virtual machines running cOS Core under one KVM host, the IP address of the management virtual Ethernet interface must be different for the different virtual machines if administration is to be done through the Web Interface or an SSL client.

The recommended way to change the management interface IP address is to enter CLI commands into the cOS Core console which is displayed by KVM after cOS Core starts. The commands to do this for the If1 interface are the following:

  1. By default, a DHCP client is enabled on all interfaces so this must be first disabled:

    Device:/> set Interface Ethernet If1 DHCPEnabled=No
  2. Set the IP address of the default management interface If1_ip. In this example, it will be set to

    Device:/> set Address IP4Address InterfaceAddresses/If1_ip
  3. Now set the network of the interface. This object has the name If1_net.

    Device:/> set Address IP4Address InterfaceAddresses/If1_net
  4. Check that the management access rules allow traffic on If1 from the desired source address using the following command:

    Device:/> show RemoteManagement
  5. If the admin password has not been changed earlier to a strong password and strong passwords are enabled (by default, they are) then activating configuration changes will not be allowed by cOS Core. One solution is to change the admin password to a strong one, for example:

    Device:/> cc LocalUserDatabase AdminUsers
    Device:/AdminUsers> set User admin Password=Mynew*pass99

    Alternatively, turn off strong passwords with the following command:

    Device:/> set Settings MiscSettings EnforceStrongPasswords=No
  6. The cOS Core configuration changes can now be activated:

    Device:/> activate

    Following activation, the changes must be committed permanently within 30 seconds using the commit command otherwise the system will revert back to the original configuration and all changes will be lost. This acts as a check by cOS Core that the administrator has not been locked out by any change:

    Device:/> commit