cOS Stream 4.00.00 Administration Guide

Chapter 1: Overview

	Note: This document is also available in other formats
A PDF version of this document along with all current and older documentation in PDF format can be found at https://my.clavister.com. It is also available in a framed HTML version.

Note: This document is also available in other formats

A PDF version of this document along with all current and older documentation in PDF format can be found at https://my.clavister.com.

It is also available in a framed HTML version.

1.1. Features

A Clavister NetShield Firewall running cOS Stream provides vital network security functions while providing high throughput performance by fully utilizing the parallel processing advantages of multi-core hardware platforms.

The firewall also provides seamless integration of all its subsystems, in-depth administrative control of functionality, as well as exposing a minimal attack surface which helps negate the risk from security attacks.

Configuration Objects

From the administrator's perspective the conceptual approach is to visualize operations through a set of logical building blocks or configuration objects. Combining different objects allows configuration in an almost limitless number of different ways. This granular control allows the administrator to meet the requirements of the most demanding network security scenarios.

Key Features

The list below presents the key features of cOS Stream's extensive feature set:

IP Routing

cOS Stream provides a variety of options for IP routing including static routing.

Firewalling Policies

cOS Stream provides stateful inspection-based firewalling for a wide range of protocols such as TCP, UDP and ICMP. The administrator can define detailed firewalling policies based on source/destination network/interface, protocol and ports.

VPN

cOS Stream supports IPsec based VPNs and can provide individual security policies for each VPN tunnel.

High Availability

High Availability (HA) is supported through automatic fault-tolerant failover to a secondary Clavister NetShield Firewall should a failure be detected. Two firewalls operate together in an HA cluster, with one being active while the other is passive and constantly mirroring the state of the active unit.

This feature is described in more detail in Chapter 22, High Availability.

System Documentation

Reading through the available documentation carefully will ensure that you get the most out the product. In addition to this document, the reader should also be aware of the companion reference guides:

The CLI Reference Guide details all CLI commands.
The Log Reference Guide details all log event messages.
The Statistics Reference Guide details all system statistics parameters.
The SNMP Traps Reference Guide details all system statistics parameters.
The Getting Started Guide documents describe how to set up a new installation for different platforms. This includes guides for Clavister hardware products, as well as for virtual environments.
The Use Case Guide describes how to set up the product for some specific scenarios.

Together, these documents form the essential reference material for product operation.

Product Education and Certification

For details about classroom and online education as well as certification, visit the Clavister company website at http://www.clavister.com or contact your local sales representative.

1.2. System Architecture

The Clavister NetShield Firewall architecture is centered on the concept of flows. Traditional IP routers or switches commonly inspect all packets and then perform forwarding decisions based on information found in the packet headers. With this approach, packets are forwarded without any sense of context which eliminates any possibility to detect and analyze complex protocols and enforce corresponding security policies.

Stateful Inspection

The Clavister NetShield Firewall employs a technique called stateful inspection which means that it inspects and forwards traffic on a per-flow basis. cOS Stream detects when a new flow between a source and destination is being established, and keeps information about the flow over its lifetime. By doing this, cOS Stream is able to understand the context of network traffic and this enables it to perform a variety of important functions.

The stateful inspection approach additionally provides high throughput performance with the added advantage of a design that is highly scalable. The subsystem that implements stateful inspection will sometimes be referred to in documentation as the state-engine.

All flows have a specified idle lifetime, after which they are removed from the flow table.

Basic Building Blocks

From the administrator's viewpoint, the basic firewall building blocks are:

Interfaces such as physical Ethernet interfaces or logical VPN tunnels.
Logical Objects which are individual logical definitions within cOS Stream. For example, Address objects can be defined in the Address Book to give logical names to IP and other types of addresses.
Rule Sets which make up the security policies which the administrator wants to implement. These include IP rules.

These three types of building blocks are discussed next.

Interfaces

Interfaces are the doorways through which network traffic enters or leaves the Clavister NetShield Firewall. Without interfaces, a Clavister NetShield Firewall has no means for receiving or sending traffic.

The following types of interface are supported:

Physical interfaces

These correspond to the actual physical Ethernet interface ports through which traffic arrives and leaves the Clavister NetShield Firewall.
Tunnel interfaces

Used for receiving and sending traffic through VPN tunnels. These are treated as logically equivalent to physical interfaces when configuring cOS Stream. For example, a route in a routing table could specify either a physical or tunnel interface as the destination for a particular network.

Interface Symmetry

cOS Stream interface design is symmetric, meaning that the interfaces of the device are not fixed as being on the "insecure outside" or "secure inside" of a network topology. The notion of what is inside and outside is totally for the administrator to define.

Logical Objects

Logical objects can be seen as predefined building blocks for use by the rule sets. The address book, for instance, contains named objects representing host and network addresses.

Another example of logical objects are services which represent specific protocol and port combinations.

Rule Sets

Finally, rules which are defined by the administrator in the various rule sets are used for actually implementing cOS Stream security policies. The most fundamental set of rules are the IP Rules, which are used to define layer 3 IP filtering policies.

Basic Packet Flow

This section outlines the basic flow for packets received and forwarded by cOS Stream. The following description is simplified and might not be fully applicable in all scenarios, however, the basic principles will be valid for all deployments.

An Ethernet frame is received on one of the Ethernet interfaces in the system. Basic Ethernet frame validation is performed and the packet is dropped if the frame is invalid.
The IP datagram within the packet is passed on to the consistency checker. The checker performs a number of sanity checks on the packet, including validation of checksums, protocol flags, packet length and so on. If the consistency checks fail, the packet gets dropped and the event is logged.
cOS Stream now tries to lookup an existing flow by matching parameters from the incoming packet. A number of parameters are used in the match attempt, including the source interface, source and destination IP addresses and IP protocol.

If a match cannot be found, a flow establishment process starts.
The Access Rules are evaluated to find out if the source IP address of the new flow is allowed on the received interface. If no Access Rule matches then a reverse route lookup will be done in the routing tables.

In other words, by default, an interface will only accept source IP addresses that belong to networks routed over that interface. A reverse lookup means that cOS Stream looks in the routing tables to confirm that there is a route with this network as the destination on the same interface.

If the Access Rule lookup determines that the source IP is invalid, then the packet is dropped and the event is logged.
A route lookup is made using the routing table. The destination interface for the flow has now been determined.
The IP rules are now searched for a rule that matches the packet. The following parameters are part of the matching process:
- Source and destination interfaces
- Source and destination network
- IP protocol (for example TCP, UDP, ICMP)
- TCP/UDP ports
- ICMP types
- Point in time in reference to a predefined schedule
If a match cannot be found, the packet is dropped.

If a rule is found that matches the new flow, the Action property of the rule decides what cOS Stream should do with the flow. If the action is Drop, the packet is dropped and the event is logged according to the log settings for the rule.

If the action is Allow, the packet is allowed through the system. A corresponding flow will be noted by cOS Stream for matching subsequent packets belonging to the same flow. The allowed traffic is also bidirectional so that the same IP rule also permits packets to return from the destination network.

Finally, the opening of the new flow will be logged according to the log settings of the rule. The default is for logging to be enabled.
Eventually, the packet will be forwarded out on the destination interface according to the flow. If the destination interface is a tunnel interface, additional processing such as encryption or encapsulation might occur.

Chapter 2: System Management

2.1. Management Access

2.1.1. Overview

This chapter provides details of how to work with cOS Stream's management interfaces.

Management Access Methods

The following methods are available for management access:

Command Line Interface (CLI)

The Command Line Interface (CLI) is accessible either locally via a computer's local console port or remotely to an IPv4 or IPv6 address across a network using the Secure Shell (SSH) protocol. It provides fine-grained control over all parameters in cOS Stream.

This feature is described further in Section 2.1.3, The CLI.
SCP

Secure Copy (SCP) is a widely used communication protocol for file transfer. SCP is a complement to the CLI and provides a secure means of file transfer between an external management computer and the firewall across an IP network. Various files used by cOS Stream, such as configuration backups, can be both uploaded and downloaded using SCP.

This feature is described further in Section 2.1.5, Secure Copy.

Note that there exists a wide selection of third part SCP clients for nearly all platforms.
SNMP

A Simple Network Management Protocol (SNMP) client can connect to cOS Stream to get read-only access to system statistics.

This feature is described further in Section 2.1.7, SNMP Monitoring.
InCenter

Clavister InCenter is a separate software application that runs as a server on an external computer. Through its interfaces, simultaneous management of multiple Clavister NetShield Firewalls is possible using a single unified configuration database. This software is described further in the separate InCenter Administration Guide.

2.1.2. The Local User Database

By default, cOS Stream provides a default LocalUserDatabase object which can be used to authenticate management access if this method is selected (by default, it is selected). This database contains, at a minimum, one predefined user with the following default credentials:

Username: admin
Password: admin

This account has full administrative read/write privileges to all configuration data and is always the account used for initial SSH login (console access does not require any credentials in the default configuration).

	Important: Change the default administrator password
	For security, it is strongly recommended to change the password for the predefined admin account as soon as possible following the initial configuration of cOS Stream.

Displaying the Local User Database

When using the CLI, the name of the predefined local user database can be displayed with the command:

System:/> show LocalUserDatabase

  Name
  ----------
  AdminUsers

The contents of this can be displayed by first changing the CLI context to be the database:

System:/> cc LocalUserDatabase AdminUsers

The CLI prompt will change to indicate the new context and the database contents can be displayed:

System:/LocalUserDatabase/AdminUsers> show
			
User
			
   Name   Groups          Comments
   -----  --------------  --------
   admin  Administrators  <empty>

Here, the Group membership is significant since this determines the privileges that a user has. Finally, return to the default CLI context:

System:/LocalUserDatabase/AdminUsers> cc
System:/>

Creating an Auditor Account

Extra user accounts in the local user database can be created as required with arbitrary usernames and passwords. If the group is specified as Administrators then it has full access privileges.

If, however, the group is specified as the text string Auditors, the user will only have read-only privileges and will not be able to make configuration alterations. The following commands create an auditor account with a username of audit and a password of audit:

System:/> cc LocalUserDatabase AdminUsers
System:/LocalUserDatabase/AdminUsers> add User audit
			Password=audit
			Groups=Auditors

Linking Logins to the Database

The local user database is referred to during a login because the relevant access object points to an AuthenticationProfile which then points to the database which stores the credentials.

For example, SSH logins are controlled by a RemoteMgmtSSH object. This object refers to an AuthenticationProfile object that then refers to the database to be used for authentication.

AuthenticationProfile objects are discussed further in Section 17.1, Authentication Profiles. The diagram below illustrates the relationship between the various components.

Figure 2.1. Local User Database Usage with SSH

2.1.3. The CLI

The CLI provides a comprehensive set of commands that allow the display and modification of a configuration.

This section only provides a summary for using the CLI. For a complete reference for all CLI commands, see the separate Clavister cOS Stream CLI Reference Guide.

String Delimiters, the Escape Character and Special Characters

When entering CLI commands, literal strings can be enclosed in double quotation mark characters ("..."). For example:

add User my-user Password="pass word"

However, to include the double quotation mark itself in a string, it must be preceded by a backslash (\) which is the CLI escape character:

set User my-user Password="pass\"word"

Other special characters that might be needed are the following:

\r - The carriage return character.
\n - The new line character.
\t - The tab character.
\\ - The escape character \ itself.

For example:

set RemoteManagement RemoteMgmtSSH ssh Banner="Welcome!\r\n - Type \"help\"

Note that the only other case that requires a backslash escape character is when using the dollar sign ($) in a CLI script when it is not part of a variable such as $1. When used in another context within a CLI script, it must be written as \$. This is discussed further in Section 2.1.4, CLI Scripting.

Case Sensitivity

The CLI is case-sensitive. However, the tab completion feature of the CLI does not require the correct case to perform completion and will alter the typed case if it is required (the tab completion feature is explained later in this section).

CLI Access Methods

The CLI is accessible in one of two ways:

Remotely through a network connection to an Ethernet interface, using the Secure Shell (SSH) protocol from an SSH client (optionally with public key authentication).

SSH access is controlled by a predefined RemoteMgmtSSH configuration object.
Locally through the firewall's local console. On a Clavister hardware product, direct connection is via the local console port on the unit. In a virtual environment, this is the same as the hypervisor's console.

Local console access is controlled by a predefined ComPortAccess configuration object called COM1.

Enabling SSH Access

The Secure Shell (SSH) protocol can be used to access the CLI over a network from a remote host via one of the Ethernet interfaces. SSH is enabled by default on the default management Ethernet interface.

SSH is a protocol primarily used for secure communication over insecure networks, providing strong authentication and data integrity. SSH clients are freely available for almost all platforms. cOS Stream supports version 2 of the SSH protocol.

A RemoteMgmtSSH rule controls SSH access on the default management interface. A predefined RemoteMgmtSSH rule exists in the default configuration but it is disabled. It can be displayed with the CLI command:

System:/> show RemoteManagement RemoteMgmtSSH
	
  # Name
  - -------------
o 1 RemoteMgmtSSH

To enable this rule, use the command:

System:/> set RemoteManagement RemoteMgmtSSH RemoteMgmtSSH -enable

All such rules also require their SourceInterface and SourceNetwork properties to be set for any traffic to be accepted:

System:/> set RemoteManagement RemoteMgmtSSH RemoteMgmtSSH
			SourceInterface=if1
			SourceNetwork=if1_net

The following output from a show command now confirms that the rule has all the required properties set and is enabled:

System:/> show RemoteManagement RemoteMgmtSSH
	
# Name          SourceInterface Source Network
- ------------- --------------- --------------
1 RemoteMgmtSSH if1             if1_net

Authentication for SSH access is controlled by the AuthProfile property of the RemoteMgmtSSH rule. By default this is set to a predefined AuthenticationProfile object called MgmtAuthProfile. This profile points to the predefined local user database which contains a predefined administrator account with the credentials:

Username: admin
Password: admin

The AgentType property of the authentication profile for SSH access should always be set to Basic. All authentication profile properties are explained in Section 17.1, Authentication Profiles.

Processing Multiple RemoteMgmtSSH rules

If there are multiple RemoteMgmtSSH rules, to ensure that the correct rule will match, they should not use overlapping filters. Instead, each rule should only specify the particular interface and network combination that it should trigger on.

Authentication Methods for SSH Management Access

The following methods can be used to authenticate the administrator when they try to connect to the cOS Stream using SSH:

Authenticating username and password credentials against a local user database in cOS Stream. These databases are described further in Section 2.1.2, The Local User Database.
Authenticating username and password credentials against an external RADIUS database. This feature is described further in Section 2.1.6, RADIUS Management Authentication.
Authenticating using a public/private key pair. Setting this up is described next.

SSH and SCP with Public Key Authentication

As an alternative to using a password when logging in via SSH or when using SCP, it is possible to automatically authenticate the user using public key authentication. This is done by cOS Stream having the public key of a public/private key pair and the SSH or SCP client having the corresponding private key. When the client connects, cOS Stream is then able to authenticate if the connecting user really has the private key in the key pair.

Public key authentication is set up with the following steps:

Generate a new public and private key pair as two identity files. Generating identity files can be done with a number of utilities such as the ssh-keygen utility which is part of the OpenSSH suite.

Note that the RSA, ECDSA or DSA algorithms could be used for encryption. However, by default, only RSA or ECDSA are allowed and DSA is not allowed. The algorithms allowed are controlled by a property for each algorithm in the relevant RemoteMgmtSSH object. For example, allowing the DSA algorithm is controlled by the property AllowHostKeyDSA.
Use Secure Copy (SCP) to upload the .pub public key file to the root directory.
Add an SSHClientKey object to the configuration and associate this with the uploaded file. If the uploaded public key file is called my_key.pub, the CLI would be:
```
System:/> add SSHClientKey my_pub_key
			PublicKey=file://my_key.pub
```
Associate the new SSHClientKey object with a user in a local database. Note that the local database used will be the one pointed to by the AuthenticationProfile object specified by the AuthProfile property of the triggering RemoteMgmtSSH rule.

In this example, the default administration user admin will be chosen. First, change the CLI context to be the LocalUserDatabase object called AdminUsers:
```
System:/> cc LocalUserDatabase AdminUsers 
```
Now, set the SSHKeys property of the user called Admin:
```
System:/LocalUserDatabase/AdminUsers> set User admin SSHKeys=my_pub_key
```
Last, restore the CLI context to the default:
```
System:/LocalUserDatabase/AdminUsers> cc
System:/> 
```
In fact, any username could be assigned a public key in this way and not just an administrator.
The SSH or SCP client must be correctly configured to use public key authentication. Typically, this involves placing the public and private key files in a specific folder but this can vary according to the client.
Next, log on using the SSH client but without a password. If public key authentication fails, the SSH client should request the user's password instead. If it succeeds, the password will not be asked for and access will be granted.

The following should be noted about the behavior of SSH authentication using public keys:

If the SSH client attempts public key authentication but it fails because the user does not have an associated key in the database then authentication will revert to using the normal username/password method. These credentials will be looked up according to the method described by the associated AuthenticationProfile.
If public key authentication is successful then no actions specified in the AuthenticationProfile, such as RADIUS lookup, will be taken.

Troubleshooting SSH Access Problems

If the SSH console is timing out when attempting SSH access, there are a number of possible reasons:

Use the local console CLI to check that the SSH server is running:
```
System:/> sshserver
			
SSH Server   Port  Connected clients  Status
-----------  ----  -----------------  -------
ssh_allnets  22    1                  Running
```
In the output shown, the server is clearly running. If the status was not Running or if the command returned a new CLI prompt with no output then there was most likely a problem with the initial configuration of the SSH server.
Check the configuration of the RemoteMgmtSSH object. If this object is incorrectly specified on initial startup, the SSH server may not run. Check that the RemoteMgmtSSH is enabled and that a valid authentication profile has been specified and that the profile points to a valid database containing a user with the login credentials expected.

For example, the properties of a RemoteMgmtSSH object with the name ssh_allnets can be displayed using the command:
```
System:/> show RemoteManagement RemoteMgmtSSH ssh_allnets
```

Controlling Direct Console Access to the CLI

The CLI can also be accessed using a console terminal connected directly to a local console port on the firewall. Access through a console port is controlled by a predefined COMPortAccess configuration object which has the name COM1. This can be displayed with the command:

show COMPortAccess 

Port Bps    Data bits Parity Stop bits Flow control Rows Cols
---- ------ --------- ------ --------- ------------ ---- ----
COM1 115200 8         None   1         None         40   80

An AuthenticationProfile is associated with the ComPortAccess object to specify authentication. In the default configuration, no profile is specified so there is no username/password pair required for console login. The same profile used by default for SSH could be associated with console access by using the command:

System:/> set COMPortAccess COM1 AuthProfile=MgmtAuthProfile

Basic Object Management Commands

When managing a firewall configuration, the following commands will be used to perform most of the operations for creating, changing and deleting objects:

add - Adds an object, such as an IP address or a rule, to a configuration along with a set of mandatory properties for the object.
set - Sets one or more configuration object properties to given values. For example, setting the source interface for a given IP rule.
show - Displays the current values of a particular object or set of configuration objects.
delete - Deletes a specific configuration object.

CLI Command Structure

CLI commands usually have the structure:

	<command> <object_category> <object_type> <object_name>

For example, to display an IP address object called my_address, the command would be:

System:/> show Address IPAddress my_address

The object category in this case is Address and the type within this category is IPAddress.

When typing commands, the object category can be left out where the command's meaning is unambiguous. For example, the show command above could have been entered as:

System:/> show IPAddress my_address

However, tab completion will always assume that the category is included. For example, tab completion would not be able to help complete the above command if the tab is pressed during or after the IPAddress object type.

The same object name could be used within two different categories or types although this is best avoided in order to avoid ambiguity when reading configurations.

	Note: The terms Category and Context
	When describing the CLI, the term object category is also sometimes referred to as the object context.

A command such as add can also include object properties. To add a new IPAddress object with an IPv4 address of 10.49.02.01, the command would be:

System:/> add Address IPAddress my_address Address=10.49.02.01

Setting the System Name and CLI Prompt

Each firewall can have a unique system name and this name appears in the CLI prompt. The default name is System so the default CLI prompt is the following:

System:/>

If the system name is to be changed to, for example, "my-system1" then the CLI command to do this is the following:

set System Name=my-system1

After activating the change, the CLI prompt becomes the following:

my-system1:/>

CLI Help

The CLI help command will show all available command options. Typing help followed by a command name will show help information for that command, providing details about the command's function and its options. For example:

System:/> help time
COMMAND
        time (t). Display and set current system time.
		"
		"

Typing the CLI command:

System:/> help help

will give information about the help command itself.

Configuration Object Help

A second help command that provides information about a particular object type or category of objects is helpconfig. This will provide a list of all the properties of an object. For example:

System:/> helpconfig EthernetInterface

Applying a Single Command to Multiple Objects

It is possible to apply a single set or delete command to multiple objects using the -Range option. However, this option can only be applied where the object is part of a list and therefore has an index number.

An example of an object that has an index number is the IPRule object which must be a member of the rule list in an IPRuleSet. Suppose that there are 100 IPRule objects in the main IP rule set. To change the rules with an index number between 65 and 80 (inclusive) so that their LogEnabled property is disabled, the command would be the following:

System:/> cc RuleSet IPRuleSet main
System:/IPRuleSet/main> set IPRule -Range=65-80 LogEnabled=No

Instead a more complex range could be specified:

System:/IPRuleSet/main> set IPRule -Range=10,11-15,60-65 LogEnabled=No

Deletion can be specified in the same way:

System:/IPRuleSet/main> delete IPRule -Range=90-100

The CLI Command History

Just like a command console in many versions of Microsoft Windows™, the up and down arrow keys allow the user to move through the list of commands in the CLI command history. For example, pressing the up arrow key once will make the last command executed appear at the current CLI prompt. After a command appears it can be re-executed in its original form or changed first before execution.

Tab Completion

Remembering, as well as typing commands and their options, can be demanding. The CLI provides a feature called tab completion which means that pressing the tab key during command typing will cause automatic completion of the current part of the command. If completion is not possible then pressing the tab key will provide information about the available options.

For example, consider the following, incomplete command to add a LogReceiver object called my_server to the configuration:

System:/> add LogReceiver LogReceiverSyslog my_receiver
			IPAddress=my_log_server_ip
			LogSeverity=

If the tab character is now entered, a list of available options is displayed for the LogSeverity property:

System:/> add LogReceiver LogReceiverSyslog my_receiver
			IPAddress=my_log_server_ip
			LogSeverity=(tab)
       Type:  String
Description:  Specifies with what severity log events
will be sent to the specified log receivers
    Default:  Emergency,Alert,Critical,Error,Warning,Notice,Information

List of all valid choices:

Name
-----------
<empty>
Debug
Information
Notice
Warning
Error
Critical
Alert
Emergency

Tab Completion Only Displays Allowed Properties

There are some important principles that should be understood when using tab completion for object properties:

The properties of an object are either mandatory or optional. When using tab completion, optional properties are not displayed until all mandatory properties have been assigned a value.
An optional property's use can be dependent on the value specified for another property. For example, in an IPsecTunnel object, the optional ProxyARP property can only be used when the AddRouteToRemoteNetwork property has been set to Yes.

The tab completion feature is aware of these dependencies and will not display a property if it is dependent on another property which has not yet been assigned a value. Looking at the IPsecTunnel example again, tab completion will only display the ProxyARP property if the AddRouteToRemoteNetwork property has already been assigned a value of Yes.

Special Characters Used with Tab Completion

When entering the value of an object property, the tab character can be preceded by any of the following special characters:

Entering the period "." (period) character before entering tab will insert the current value of the object property.

For example, assume that there is already an object in the address book called my_address and it has the IPv4 address value 203.0.113.10. Now enter the following command:
```
System:/> set Address IPAddress my_address Address=.(tab)
```
This will cause the current IP address to be displayed:
```
System:/> set Address IPAddress my_address Address=203.0.113.10
```
Entering the " * " (asterisk/star) character before entering tab will cause the default property value to be automatically filled in.

Entering the "?" (question mark) character before tab will provide information about the value that can be entered. For example:

System:/> set RemoteManagement RemoteMgmtSSH RemoteMgmtSSH
			LogEnabled=?(tab)
         Type:  Boolean
  Description:  Enable logging.
      Default:  Yes
Current Value:  Yes

Object Categories and Tab Completion

As mentioned above, objects are grouped by type, for example IPAddress. Types themselves are grouped by category. The type IPAddress belongs to the category Address. Categories are used by tab completion when searching for the right object type to use.

If a command such as add is entered and then the tab key is pressed, cOS Stream displays all the available categories. By choosing a category and then pressing tab again all the available object types for that category are displayed. Using categories means that there is a simple way to specify what kind of object is being sought and a manageable number of options are displayed after pressing the tab key.

Tab completion and its options are discussed further in the introduction to the separate Clavister NetShield Firewall CLI Reference Guide.

Selecting Object Categories

With some categories, it is necessary to first choose a member of that category with the cc (change category/context) command before individual objects can be manipulated. This is the case, for example, with routes. There can be more than one routing table, so when adding or manipulating a route we first have to use the cc command to identify which routing table we are interested in.

Suppose a route is to be added to the routing table main. The first command would be:

System:/> cc RoutingTable main
		
System:/RoutingTable/main>

Notice that the command prompt changes to indicate the current category/context. We can now add the route:

System:/RoutingTable/main> add Route
			Interface=if1
			Network=if1_net
			Name=new_route1

To return to the default CLI context, the command is cc on its own:

System:/RoutingTable/main> cc
		
System:/>

The categories that require an initial cc command before object manipulation have a "/" character following their names when displayed by a show command. For example: RoutingTable/.

Specifying Multiple Property Values

Sometimes a command property may need multiple values. For example, some commands use the property AccountingServers and more than one value can be specified for this property. When specifying multiple values, they should be separated by a comma (,) character. For example, if three servers server1, server2, server3 need to be specified then the property assignment in the command would be:

		AccountingServers=server1,server2,server3

Resetting to the Default Value

Where an optional object property has been changed and the administrator wants to set it back the default value, the special value <empty> can be entered. Consider the following example, where the property RouterID is set back to its default value:

System:/> add OSPFProcess Name=my_process1 RouterID=ip_ospf1
Added OSPFProcess OSPF
System:/> set OSPFProcess OSPF1 RouterID=<empty>
Updated OSPFProcess OSPF

Inserting into Rule Lists

Rule lists such as the IP rule set have an ordering which is important. When adding using the CLI add command, the default is to add a new rule to the end of a list. When placement at a particular position is crucial, the add command can include the Index= property as an option. Inserting at the first position in a list is specified with Index=1 in an add command, the second position with Index=2 and so on.

Referencing by Name

The naming of some objects is optional and is done with the Name= property in an add command. An object, such as an IP rule, will always have an Index value which indicates its position in the rule list but can optionally be allocated a name as well. Subsequent manipulation of such a rule can be done either by referring to it by its index, that is to say its list position, or by alternatively using the name assigned to it.

The cOS Stream CLI Reference Guide lists the options available for each object, including Name= and Index=.

To make reading configurations easier, it is strongly advised to always add unique a unique name to important objects in a configuration. For example, IP rules should always have an appropriate name specified so that their purpose can be immediately understood.

Where the Name property is optional, it can also have duplicates but this is never recommended and can be confusing.

Logging On to the CLI

When access to the CLI has been established to cOS Stream through the serial console with a console client or through an Ethernet interface with an SSH client, the administrator will need to log on to the system before being able to execute any CLI commands. This authentication step is needed to ensure that only trusted users can access the system, as well as providing user information for auditing purposes.

After SSH communication is established, cOS Stream will respond with a login prompt to pressing the Enter key. Type in the username the login prompt followed by the Enter key. Type the password followed by the Enter key again. After the first startup, cOS Stream will allow administrator login with the username admin and the password admin. This default password should be changed as soon as possible.

If accessing the CLI through a local console connection to the firewall, authentication will only be required if an AuthenticationProfile is explicitly associated with the console's COMPortAccess object.

After a successful logon, the CLI command prompt will appear:

System:/>

The default welcome message will also be displayed directly after the logon. This SSH welcome message can be removed with the CLI command:

System:/> set RemoteManagement RemoteMgmtSSH ssh Banner=

Where ssh is the name of the RemoteMgmtSSH object. To reset the message:

System:/> set RemoteManagement RemoteMgmtSSH ssh Banner="Welcome!"

SSH Connection Timeout

When connecting to cOS Stream with SSH, there is a default inactivity timeout of 30 minutes. This may be inconvenient. To increase this timeout to a higher value, the following CLI command can be used:

System:/> set RemoteManagement RemoteMgmtSSH ssh
			SessionIdleTime=1000000

Changing the admin User Password

It is recommended to change the default password of the admin account from admin to something else as soon as possible after initial startup. User passwords can be any combination of characters and cannot be greater than 256 characters in length. It is recommended to use only printable characters.

To change the password, for example to my-password, the following CLI commands are used. First, change the current CLI context to be the relevant LocalUserDatabase object:

System:/> cc LocalUserDatabase AdminUsers

The password of the admin user can now be changed:

System:/LocalUserDatabase/AdminUsers> set User admin Password="my-password"

Finally, return to the default CLI context:

System:/LocalUserDatabase/AdminUsers> cc

Activating and Committing Changes

If any changes are made to the current configuration through the CLI, those changes will not become active until the following command is issued:

System:/> activate

To make the changes permanent, this should be immediately followed by:

System:/> commit

Uncommitted changes in CLI listings of configuration objects are indicated by a plus "+" or "*" symbol appearing to the left of the object.

If the commit command is not issued within 30 seconds (the default time period) then the activated changes are automatically undone and the old configuration restored.

Symbols Indicating Object Status

When configuration objects are displayed with a show command, a symbol to the left of the object's output indicates a change of status that has not yet been committed. Two symbols are mentioned above. The complete list is:

- means the object has been deleted.
o means the object has been disabled.
! means the object has errors.
+ means the object has been newly created.
* means the object has been modified.

Checking Configuration Integrity

After changing a configuration and before issuing the activate and commit commands, it is possible to explicitly check for any problems in a configuration using the command:

System:/> show -errors

This will cause cOS Stream to scan the configuration about to be activated and list any problems. A possible problem that might be found in this way is a reference to an IP object in the address book that does not exist in a restored configuration backup.

All the changes made to a configuration can be shown before activation with the command:

System:/> show -changes

Examining the Configuration Log

Major system events such as deploying a new configuration as well as system starts are recorded in the Configuration Log. This is examined using the cfglog command as shown in the following example:

System:/> cfglog -all
		
Notice  vsinit/Configure:1805  2011-06-17 13:53:40
  - Beginning system reconfigure. System starting.
		
Notice  vsinit/Configure:1805  2011-06-17 15:59:30
  - Beginning system reconfigure. Activating new configuration.

Notice  vsinit/Configure:2033  2011-06-17 15:59:31
  - Reconfigure completed successfully.

If the command is used on its own, without the -all option, only those major system events that occurred from and including the last system start or reconfigure are shown.

The output from this command also shows if cOS Stream is running in demonstration mode, without a valid license.

System Performance Commands

When viewing system performance, the administrator is typically concerned about the CPU utilization on the data plane since overly high CPU usage can affect packet forwarding performance. This is viewed by accessing the statistical values found under /system/cpu/ and this is done using either the CLI or an SNMP client.

Using the CLI, the statistics command provides a means to examine individual or groups of values. To see all values for system cpu usage, a wild card can be used as in this example with some typical output:

System:/> statistics -add /system/cpu/*
		
Name | 2013-03-05 13:36:11              Value  Unit
--------------------------------------  -----  ----
/system/cpu/control_plane_usage         1      %
/system/cpu/cpus/ControlPlane_01/usage  1      %
/system/cpu/cpus/FastPath_01/usage      3      %
/system/cpu/cpus/FastPath_02/usage      11     %
/system/cpu/cpus/FastPath_03/usage      5      %
/system/cpu/cpus/FastPath_04/usage      31     %
/system/cpu/cpus/SlowPath_01/usage      7      %
/system/cpu/cpus/SlowPath_02/usage      3      %
/system/cpu/cpus/SlowPath_03/usage      23     %
/system/cpu/cpus/SlowPath_04/usage      14     %
/system/cpu/fast_path_usage             50     %
/system/cpu/slow_path_usage             47     %

The above output comes from a hypothetical processor with four cores. For each core, the fast path and slow path usage is shown with the total for each path at the bottom. The Control Plane handles configuration management and logging functions. The Slow Path deals with the setup of new flows. The Fast Path deals with packet forwarding functions.

The memory command provides a snapshot of memory utilization.

System:/> memory
			
	"
	"
  Free:                                   121306 KB
  Total (In listing + free):              135892 KB

The bulk of the above memory usage output has been omitted except for the final two lines. These give a summary of overall memory utilization.

The top command provides details of CPU utilization by control processes only. An example with truncated output is shown below.

System:/> top

Load avg: 0.94, 0.51, 0.35
CPU usage: 24.8%  CPUs: 1
Name          Time   CPU(%)
------------  -----  ------
statd         14:04  6.3
mdpd          12:52  5.1
vsinit        07:17  2.7
		"
		"

The format of this CPU usage summary follows the convention of the same command in UNIX. The Load avg figures are for the last 1, 5 and 15 minutes respectively. This list is ordered by CPU usage, with the most active processes placed at the top.

Multiple Administration Logins

The Clavister NetShield Firewall allows more than one user from the Administrators group to be logged in at the same time and change the configuration simultaneously. A change made by one such user is visible immediately to all others.

For example, if one user deletes a configuration object then another user who tries to change it will receive a message to say that the operation is invalid.

Logging Out from the CLI

After finishing working with the CLI, it is recommended to log out in order to avoid letting anyone getting unauthorized access to the system. This is done with the command:

System:/> exit

Changing the Command View

There are a number of different command "views". Each view provides access to a different subset of all available CLI commands. The names of these views are listed below:

default
advanced
debug
all
service

The currently enabled views can be listed by using the cmdview command with no parameters. For example:

System:/> cmdview
Command view(s) enabled: default

In normal operation the Default view is sufficient. However, some situations may require the use of commands that should be used cautiously and for that reason they are hidden in alternate command "views".

For example, to turn on the Advanced view, enter the command:

System:/> cmdview advanced

Entering the Help command will now show that an additional set of commands are available to the administrator in addition to the default set. These additional commands include, for example, ruledb which provides a technically detailed listing of the current IP rules.

Similarly, an extra set of diagnostic commands becomes available with the command:

System:/> cmdview debug

The Debug, Default and Advanced command views all become available if the parameter all is used:

System:/> cmdview all

The original, default command view is returned by using the following command:

System:/> cmdview default

The service Command View

The service command view is a special command view that provides access to commands that should be used with extreme caution because they can cause harm to the configuration if used incorrectly. Normally, only qualified support personnel should have access to this view.

For this reason, the service view is protected by an additional one time password (OTP) which must be requested from Clavister support.

2.1.4. CLI Scripting

To allow the administrator to easily store and execute sets of CLI commands, the Clavister NetShield Firewall provides a feature called CLI scripting. A CLI script is a predefined sequence of CLI commands which can be executed after they are saved to a file and the file is then uploaded to the Clavister NetShield Firewall.

The steps for creating a CLI script are as follows:

Create a text file with a text editor containing a sequential list of CLI commands, one per line.

The recommended convention is for these files to use the file extension .sgs (Security Gateway Script).
Upload the file to the Clavister NetShield Firewall using Secure Copy (SCP). Script files must be stored in a directory under the root called /scripts. SCP uploading is discussed in detail in Section 2.1.5, Secure Copy.
Use the CLI command script -run to run the script file.

The CLI script command is the tool used for script management and execution. The complete syntax of the command is described in the cOS Stream CLI Reference Guide and specific examples of usage are detailed in the following sections. See also Section 2.1.3, The CLI in this manual.

	Note
	Uploaded CLI script files are not held in permanent memory and will disappear after system restarts.

All CLI Commands are Allowed in Scripts

There are no restrictions on which CLI commands can appear in a script. Any valid command can be used.

Executing Scripts

As mentioned above, the script -run command launches a named script file that has been previously uploaded to the Clavister NetShield Firewall. For example, to execute the script file my_script.sgs which has already been uploaded, the CLI command would be:

System:/> script -run my_script.sgs

Script Variables

A script file can contain any number of script variables which are called:

$1, $2, $3, $4......$n

The values substituted for these variable names are specified as a list at the end of the script -run command line. The number n in the variable name indicates the variable value's position in this list. $1 comes first, $2 comes second and so on.

	Note: The symbol $0 is reserved
	Notice that the name of the first variable is $1. The variable $0 is reserved and is always replaced before execution by the name of the script file itself.

For example, a script called my_script.sgs is to be executed. The IPv4 address 126.12.11.01 is to replace all occurrences of $1 in the script file and the string if1 address is to replace all occurrences of $2.

The file my_script.sgs contains the single CLI command line:

add Address IPAddress if1_ip Address=$1 Comments=$2

To run this script file after uploading to cOS Stream with the given substitutions, the CLI command would be:

> script -run my_script.sgs 126.12.11.01 "if1 address"

Notice how the "if1 address" parameter is enclosed in quotes so any spaces can be included.

When the script file runs, the replacement of the variables means that the command becomes:

add Address IPAddress if1_ip Address=126.12.11.01 Comments="if1 address"

Escaping Characters

Sometimes, there is a requirement to escape certain characters in a command so they are treated as ordinary characters when the command is executed. This is particularly true for the dollar-sign "$" character. Consider the string: "te$t". In order to have the dollar-sign treated as a normal character, it can be escaped in the normal way by using a back-slash "\" character. The string would become "te\$t" and the dollar-sign is no longer treated as special.

Script Validation and Command Ordering

CLI scripts are not, by default, validated and the ordering of the commands does not matter. There can be a reference to a configuration object at the beginning of a script which is only created at the end of the script. Although this might seem illogical, it is done to improve the readability of scripts. If something always has to be created before it is referred to then this can result in a confused and disjointed script file and in long scripts it is often preferable to group together similar CLI commands.

Error Handling

If an executing CLI script file encounters an error condition, the default behavior is for the script to terminate. This behavior can be overridden by using the -force option. To run a script file called my_script2.sgs in this way, the CLI command is:

System:/> script -run my_script2.sgs -force

If -force is used, the script will continue to execute even if errors are returned by a command in the script file.

Script Output

Any output from script execution will appear at the CLI console. Normally this output only consists of any error messages that occur during execution. To see the confirmation of each command completing, the -verbose option should be used:

System:/> script -run my_script2.sgs -verbose

Scripts Are Lost After Restart

When a script file is uploaded to the Clavister NetShield Firewall, it is kept in temporary memory. If the system restarts then any uploaded scripts will be lost from memory and must be uploaded again before they can run.

Listing Scripts

The script on its own, command without any parameters, lists all the scripts currently available and indicates the size of each script.

System:/> script
		
Name            Size
--------------  ----
my_script.sgs   8
my_script2.sgs  10

To list the content of a specific uploaded script file, for example my_script.sgs the command would be:

System:/> script -show my_script.sgs

Creating Scripts Automatically

When the same configuration objects needs to be copied between multiple Clavister NetShield Firewalls, then one way to do this with the CLI is to create a script file that creates the required objects and then upload to and run the same script on each device.

If an installation already has the objects configured that need to be copied, then running the script -create command on that installation provides a way to automatically create the required script file. This script file can then be downloaded to the local management workstation and then uploaded to and executed on other Clavister NetShield Firewalls to duplicate the objects.

For example, suppose the requirement is to create the same set of IPAddress objects on several Clavister NetShield Firewalls that already exist on a single firewall. The administrator would connect to the single firewall with the CLI and issue the command:

System:/> script -create Address IPAddress -filename=new_script.sgs

This creates a script file called new_script_sgs which contains all the CLI commands necessary to create all IPAddress objects in that firewall's configuration. The created file's contents might, for example, be:

add Address IPAddress if1_ip Address=10.6.60.10
add IPAddress if1_net Address=10.6.60.0/24
add IPAddress if1_br Address=10.6.60.255
add IPAddress if1_dns1 Address=141.1.1.1
		"
		"
		"

Note that with the -create option, the output file must be specified with the -filename= parameter. This is the only time that -filename= is used.

The file new_script_sgs can then be downloaded with SCP to the local management workstation computer and then uploaded and executed on other Clavister NetShield Firewalls. The end result is that all units will have the same IPAddress objects in their address book.

In order to preserve any script files created in this way between system restarts, they must downloaded to the local storage of the management workstation using SCP and then uploaded again later.

	Note: Automatically created scripts omit the object category
In the created script example above, adding an IP address is done with the command: add IPAddress... This is instead of the usual way of qualifying the object with its group name: add Address IPAddress... Both are valid forms of the command. If an object type can be uniquely identified with its name, its object category need not be specified. With automatically generated scripts, this is always the case. This shortened form can also be used when typing the entire command in a CLI console although tab completion will always include the object category.

Note: Automatically created scripts omit the object category

In the created script example above, adding an IP address is done with the command:

			add IPAddress...

This is instead of the usual way of qualifying the object with its group name:

			add Address IPAddress...

Both are valid forms of the command. If an object type can be uniquely identified with its name, its object category need not be specified. With automatically generated scripts, this is always the case. This shortened form can also be used when typing the entire command in a CLI console although tab completion will always include the object category.

Objects Excluded from Script Files

Certain aspects of a configuration which are platform dependent cannot have a script file entry created when using the -create option. This is true when the CLI node/object type in the script -create command is one of:

COMPortDevice
EthernetDevice

These node types are skipped when the script file is created and cOS Stream gives the message No objects of selected category or type.

	Tip: Listing commands at the console
	To list the created CLI commands on the console instead of saving them to a file, leave out the -filename= parameter in the script -create command.

Commenting Script Files

Any line in a script file that begins with the # character is treated as a comment. For example:

# The following line defines the if1 IPv4 address
add Address IPAddress if1_ip Address=10.6.60.10

Scripts Running Other Scripts

It is possible for one script to run another script. For example, the script my_script.sgs could contain the line:

		script -run my_script2.sgs

cOS Stream allows the script file my_script2.sgs to execute another script file and so on. The maximum depth of this script nesting is 5 levels.

2.1.5. Secure Copy

To upload and download files to or from the Clavister NetShield Firewall, the Secure Copy (SCP) protocol can be used. SCP is based on the SSH protocol and many freely available SCP clients exist for almost all platforms. The command line examples given below are based on the most common command format found with SCP client software. Some SCP clients might use different syntax.

	Note: SFTP is not supported
	Currently, cOS Stream does not support SFTP which means that transfers with later versions of the OpenSSH client may fail. This is solved by including the OpenSSH -O legacy option.

SCP Command Format

SCP command syntax is straightforward for most console based clients. The basic command used here is scp followed by the source and destination for the file transfer.

Upload is performed with the command:

> scp <local_filename> <destination_firewall>

Download is done with the command:

> scp <source_firewall> <local_filename>

The source or destination Clavister NetShield Firewall is specified using the format:

		<user_name>@<firewall_ip_address>:<filepath>

For example:

		admin@10.62.11.10:config.bkp

The <user_name> must be a defined user belonging to the administrator user group.

	Note: SCP examples do not show the password prompt
	SCP will normally prompt for the user password after the command line but that prompt is not shown in the examples given in this document.

Examples of SCP Uploading and Downloading

In some cases, a file is located in the system root. In other cases, it is located within a particular folder. All backup files are located in the root folder.

Uploading/Downloading Backup Files

If an administrator username is admin1 and the IPv4 address of the Clavister NetShield Firewall is 10.5.62.11 then to upload a configuration backup file called config.bkp from the local disk, the SCP command would be:
```
> scp config.bkp admin1@10.5.62.11:.
```
To download a configuration backup to the current local directory, the command would be:
```
> scp admin1@10.5.62.11:config.bkp .
```

Uploading Certificate Files

The following command lines show how a typical SCP utility might upload a host certificate consisting of the two files called cert-1.cer and cert-1.key to a firewall which has the management IP address 192.168.3.1:
```
 > scp C:\cert-1.cer admin@192.168.3.1:
```
```
 > scp C:\cert-1.key admin@192.168.3.1:
```
In each case, the uploaded file will retain its original file name.

Uploaded certificate files are stored in volatile memory and must be associated with a Certificate object to become a non-volatile part of the configuration. Doing this is described in Section 16.1, Configuring Certificates.

Using Wildcards with SCP

The use of the wildcard asterisk "*" character with SCP is supported. For example, to download all the files with a filetype of .MIB, the following command can be used:

 > scp admin@192.168.3.1:*.mib .

To download all the downloadable files:

 > scp admin@192.168.3.1:* .

Wildcards can also be used when uploading. For example, to upload all the backup files in the current directory:

 > scp *.bkp admin@192.168.3.1:.

2.1.6. RADIUS Management Authentication

For system management tasks in the default configuration, the administrator logs in to the CLI via SSH using a username and password that are checked against the credentials stored in a local database.

An alternative to using a local database is to have cOS Stream perform authentication of the entered credentials against an external RADIUS server. This is done by changing the properties of the AuthenticationProfile object assigned to the RemoteManagementSSH object used for CLI access via SSH. The option exists to use either a local database or a RADIUS server as the authentication source, or a combination of both. If a combination is selected, the administrator can then select which source to try first.

	Caution: RADIUS is ignored with public key authentication
	If cOS Stream is able to use public key authentication when an SSH client connects then RADIUS authentication will not also be attempted even though it might be configured in an associated AuthenticationProfile object.

Configuration Steps

Configuring the AuthenticationProfile for RADIUS authentication consists of the following steps:

If only RADIUS is to be used then set the LocalUserDB property to have no value:
```
	LocalUserDB=""
```
Otherwise, leave this property set to be the database that will be used with RADIUS authentication.
Set the RemoteServer property of the AuthenticationProfile object to be a RadiusServer object that already exists in the configuration:
```
	RemoteServer=my_radius_server1
```
More than one server can be specified:
```
	RemoteServer=my_radius_server1,my_radius_server2
```
See Section 17.2, RADIUS Authentication for how to define a RadiusServer object.
Set the RemoteLoadBalance property of the AuthenticationProfile object to specify how to behave if more than one RADIUS server is specified for the RemoteServer property. The available options are the following:
1. None - This is the default value and means that the first server in a list will always be tried first. If it does not respond then the second will be tried, and so on. This choice ensures that the first server is always the preferred one and any other in the list are backups.
2. RoundRobin - The first query goes to the first server in the list, the next query goes to next server, and so on until the list is exhausted and the next query goes to the first server in the list again. This option provides the best balancing of the load across all servers.
3. TryAll - The authentication request is sent to all RADIUS servers. If any one of the servers replies and authenticates the user then other replies are ignored. This option can provide the fastest authentication since the fastest server in the list of servers will respond first.
Select the AuthOrder property to be one of the following:
1. LocalLast - The local database is only queried if none of the configured RADIUS servers responds to an authentication request. If no RADIUS servers are configured then only the local database is used. This is the default value of the property.
2. LocalFirst - The login credentials are first looked up in the local user database. If not found in the local database, the configured RADIUS servers are queried.

RADIUS Servers Must Be Correctly Configured

For RADIUS authentication to work, any RADIUS servers being used must be correctly configured to return the group membership of a user as a vendor specific attribute. The Clavister specific settings for this attribute are as follows:

Vendor-ID - 5089.
Vendor-assigned attribute number - 1.
Attribute format - String.
Attribute value - Clavister-User-Group.

The Login Message Changes for a Group Mismatch

Once set up, the login actions taken by the administrator are the same as with non-RADIUS authentication and there is usually no indication in the CLI that RADIUS is being used for authentication.

However, there is one exception. When the user credentials are correct but the group name returned by the RADIUS server does not match a valid group (it is not Administrators or Auditors) the CLI will display the following message:

	Access denied.

Generated Log Event Messages

Log messages indicate a successful or unsuccessful login by the administrator. With RADIUS management authentication, all the related messages belong to the AUTHSYS log category and can include the following parameter values:

The event parameter indicates the type of event.
The usergroups parameter is the group membership allowed by the authenticating RADIUS server.
The user parameter is the username used for login.
The userdb parameter will show the name of the LocalUserDatabase object or the RadiusServer object being used for authentication.
The ip parameter is the IP of the client computer that the user is trying to login from.

The types of log event messages that cOS Stream might generate are as follows:

Successful RADIUS Authentication

A successful login using a RADIUS server with the user being part of the Administrators group.

 AUTHSYS: prio=notice id=00000 event=user_logged_in
 userid=33 user=jdoe ip=192.168.1.1 profile=MgmtAuthProfile agent=Basic
 userdb=RadiusServer1 usergroups="Administrators" action=none

Successful Local Database Authentication

A successful login using the local database called AdminUsers with the user being part of the Administrators group. In this case, the usedb parameter will change.

AUTHSYS: prio=notice id=00000 event=user_logged_in
 userid=32 user=admin ip=192.168.1.1 profile=MgmtAuthProfile agent=Basic
 userdb=AdminUsers usergroups="Administrators" action=none

Insufficient Access Rights

The user entered a correct username and password but the group name returned by the RADIUS server was neither Administrators or Auditors.

 AUTHSYS: prio=warning id=00000 event=received_radius_access-reject_message
 userid=33 user=jdoe ip=192.168.1.1 profile=MgmtAuthProfile
 agent=Basic userdb=RadiusServer1 action=none

Servers Unreachable

All configured RADIUS servers were unreachable and a timeout condition occurred.

 AUTHSYS: prio=warning id=00000 event=authentication_source_did_not_respond
 userid=33 user=jdoe ip=192.168.1.1 profile=MgmtAuthProfile
 agent=Basic userdb=RadiusServer1 action=none

Use the Local Console as a Fallback Option

It is possible that the administrator could be locked out from logging on via the CLI over SSH because a RADIUS server will not authenticate the entered credentials and authentication using a local database is not enabled either. In such cases, the local console port on the Clavister NetShield Firewall can still be used for management access. However, if the password has been set for the local console then that password must still be given to get CLI management access (note that the local console password is totally separate from other management passwords).

Example 2.1. Enabling RADIUS Management Authentication

This example will change the current default rule for CLI SSH management access so that authentication is only performed using two RADIUS servers. It is assumed that the RADIUS server objects are already defined in the configuration and have the names my_radius_auth1 and my_radius_auth2. The authentication load will be shared between the two servers.

The authentication order will be set to LocalLast. The local database will never be used so it will be set to be null. Multiple logins will not be allowed.

Command-Line Interface

First, create an AuthenticationProfile object:

System:/> add AuthenticationProfile my_mgmt_auth_profile
			LocalUserDB=""
			RemoteServer=my_radius_auth1,my_radius_auth2
			RemoteLoadBalance=RoundRobin
			AuthOrder=LocalLast
			MultipleLogins=AllowOne

Now, use this profile with the default RemoteMgmtSSH object:

System:/> set RemoteManagement RemoteMgmtSSH RemoteMgmtSSH
			AuthProfile=my_mgmt_auth_profile

2.1.7. SNMP Monitoring

Overview

Simple Network Management Protocol (SNMP) is a standardized protocol for management of network devices. Any SNMP compliant client can connect to a network device which supports the SNMP protocol to query it for system status. cOS Stream allows such access by an SNMP client and a large range of statistical values to be queried. By default, SNMP access is not permitted and a suitable remote management rule must be configured to allow it.

Supported SNMP Versions

cOS Stream supports the following SNMP versions:

Version 1.
Version 2c.
Version 3 (SNMPv3).

This section discussed overall MIB file support and setting up version 1 or 2c access. SNMPv3 access is described in Section 2.1.8, SNMPv3 Polling.

Supported Request Operations

These are the supported SNMP request operations:

GET REQUEST
GET NEXT REQUEST
GET BULK REQUEST (SNMP version 2c and 3 only)

MIB Files

A Management Information Base (MIB) file is a database, in the form of a text file, which defines the parameters on a network device that an SNMP client can make queries for.

An SNMP client connecting to cOS Stream can use two different types of MIB files:

The Clavister provided MIB files.

These are CLAVISTER-STREAM.mib and CLAVISTER-SMI.mib. These are needed for accessing the proprietary Clavister firewall statistical values.
Supported Standard MIBs.

cOS Stream supports a subset of the statistical values defined in standard MIBs to provide a common set of values applicable across different network equipment manufacturers. These MIB files are freely available on the Internet. For details on what is supported, see the separate Statistics Reference Guide.

Downloading MIB Files

The Clavister MIB files are included in cOS Stream itself in its top-level directory and can be extracted to a management computer's local disk using Secure Copy (SCP). For example, a typical management console command to download both .mib files via the admin user might be the following:

> scp admin@192.168.1.17:/*.mib .

The selected MIB file should be transferred to the hard disk of the workstation that will run the SNMP client so it can be imported by the client software. When the SNMP client runs, the MIB files are read and they tell the client which values can be queried.

MIB Entries

Each entry in the MIB includes a textual explanation of what the value is and a complete list is not reproduced in this guide. A typical MIB file entry for the total number of packets transmitted by an interface appears as follows:

IfPktsTotCnt OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION 
        "Total number of packets transmitted by the interface"
    ::= { clvIfStatsEntry 10 }

All statistical values that can be accessed by SNMP are listed in the separate Statistics Reference Guide which provides all available information for each. This includes the description of the values together with the MIB OID, MIB name and MIB type.

Setting Up Version 1 or 2c SNMP Access

Version 1 or 2c SNMP access is enabled by creating RemoteMgmtSNMP rules with filters matching traffic for the SNMP requests that should be allowed. This is done using these filtering properties:

SourceInterface - The interface on which SNMP requests will arrive.
SourceNetwork - The IP address or network from which SNMP requests will come.

To ensure that the correct RemoteMgmtSNMP object triggers, different objects should not use overlapping filters. Instead, each object should specify a unique source interface and network combination. In addition, the source interface and network filters of RemoteMgmtSNMP and RemoteMgmtSNMP3 objects should also not overlap.

In addition to the filter parameters above, each RemoteMgmtSNMP rule also needs to have these two properties configured:

Name - A symbolic name for the rule.
GetCommunity - The SNMP community string to use for traffic matching this particular RemoteMgmtSNMP rule.

Other optional properties for the RemoteMgmtSNMP rule can be found in the separate CLI Reference Guide.

The Community String

Both SNMP Versions 1 and 2c use the SNMP community string as a way for the client and server to "authenticate" each other. It should however be noted that this provides no security as the string is transmitted in plain text. Instead, it limits the chances of clients accidentally connecting to the wrong server. For this purpose, it is advised to choose a community string that identifies the particular firewall. That way, the risk that a client accidentally connects to the IP of the wrong firewall is minimized.

Example 2.2. Enabling SNMP Version 1 or 2c Monitoring

This example enables SNMP access through the internal lan interface from the network mgmt-net using the community string "my-community-string".

Command-Line Interface

System:/> add RemoteManagement RemoteMgmtSNMP my_snmp
			SourceInterface=lan
			SourceNetwork=mgmt-net
			GetCommunity=my-community-string

IP Rules are not Required with SNMP

Any type of SNMP access does not require any IP rules to be defined to allow SNMP related traffic to flow. Such traffic is automatically allowed by cOS Stream.

Security Concerns with Version 1 and 2c

It should be noted that SNMP Version 1 or 2c communication has no built-in security. All request and response data, including the community string, will be sent as plain text over a network. This is clearly insecure if a remote client is communicating over the public Internet. If this is the case, it is advisable to have remote access take place over an encrypted VPN tunnel or similarly secure means of communication.

However, SNMPv3 polling can provide both encryption and authentication and this is described in the next section.

2.1.8. SNMPv3 Polling

cOS Stream supports SNMPv3 polling by an external SNMPv3 client with an IPv4 or IPv6 address. SNMPv3 differs from the earlier SNMP versions in that it can provide both encryption and/or authentication.

Setting Up SNMPv3 Polling

The SNMPv3 polling feature is enabled by creating one or more RemoteMgmtSNMP3 objects in the firewall configuration. The mandatory properties for this object type will filter the incoming client requests and they are the following:

SourceInterface - The interface on which SNMPv3 client requests will arrive.
SourceNetwork - The IP address or network from which client SNMPv3 requests will come.
LocalUserDB - The local database to use for authentication. This must be specified, regardless of the security options used. This is because the SNMPv3 client must specify a user which is present in a local user database. The user does not need administrator or auditor privileges.

Note that the passwords used for SNMPv3 authentication must be at least 8 characters long.
PrivacyPassword - This must be specified if the SecurityLevel is not set and left at the default value of AuthPriv. This value must be at least 8 characters long.

All the available properties are listed under the RemoteMgmtSNMP3 object entry in the separate CLI Reference Guide.

To ensure that the correct RemoteMgmtSNMP3 object triggers, different objects should not use overlapping filters. Instead, each object should specify a unique source interface and network combination. In addition, the source interface and network filters of RemoteMgmtSNMP and RemoteMgmtSNMP3 objects should also not overlap.

SecurityLevel Property Options

The SecurityLevel property of a RemoteMgmtSNMP3 object determines the type of security used. One of the following values can be chosen:

AuthPriv - This is the default setting. It enables both authentication and encryption.
AuthNoPriv - This enables authentication using the local user database but disables encryption.
NoAuthNoPriv - This disables both authentication and encryption.

SNMPv3 Encryption

When enabled, the AES-CFB algorithm is used by cOS Stream for encryption of SNMPv3 traffic and the value of the PrivacyPassword property is used as the key.

SNMPv3 Authentication

When enabled, authentication is always performed against the local user database specified by the LocalUserDatabase property. The password is not sent in clear text but instead a cryptographic hash of the password is sent.

By default, the algorithm used for creating the hash of the password is HMAC-SHA1-96. This can be changed by setting the property AuthenticationMethod to the alternative value of HMAC-MD5-96. However, HMAC-SHA1-96 is the recommended setting for strong security.

Note that SNMPv3 polling with authentication enabled will cease to function if the reboot counter has reached its maximum value. The reboot counter and how it is reset is explained further in Section 20.5, SNMP Traps.

Multiple Clients Are Allowed

A single RemoteMgmtSNMP3 object will allow multiple SNMPv3 clients to connect at the same time. Similarly, multiple RemoteMgmtSNMP3 objects with different interface and source network property values will allow multiple SNMPv3 clients to connect at the same time.

However, it is important that the SourceNetwork property for multiple RemoteMgmtSNMP3 objects do not have IP addresses assigned to them which overlap. If overlapping occurs, the behavior will be unpredictable.

Example 2.3. Setting Up SNMPv3 Polling

This example creates a RemoteMgmtSNMP3 object to allow SNMPv3 polling of the cOS Stream from an external SNMPv3 client on the network if1_net assigned to the if1 interface. A request limit will be imposed of 20 SNMPv3 client requests per second.

The user will be authenticated against the local database AdminUsers. The password mysecretpassword needs to be specified because the default value of the SecurityLevel property is AuthPriv.

Command-Line Interface

System:/> add RemoteManagement RemoteMgmtSNMP3 my-snmp3-rule
			SourceInterface=if1
			SourceNetwork=if1_net
			LocalUserDB=AdminUsers
			PrivacyPassword=mysecretpassword
			RequestLimit=20

2.2. Date and Time

2.2.1. Overview

Correctly setting the date and time is important for cOS Stream to operate properly. For example, certificates used in certificate based VPN tunnels depend on the system clock being accurately set.

In addition, log messages are tagged with time-stamps in order to indicate when a specific event occurred. Not only does this assume a working clock, but also that the clock is correctly synchronized with other equipment in the network.

The administrator can set the date and time manually and this is recommended when a new system installation is started for the first time.

The Local System Time

For access to the current date and time, cOS Stream makes use of the local hardware real-time hardware clock. Depending on the platform, this clock can be equipped with a battery backup so that a loss of power will not affect the clock.

The system time is set with the following CLI command:

System:/> time -set YYYY-mm-DD HH:MM:SS

Where YYYY-mm-DD HH:MM:SS is the new date and time. Note that the date order is year, then month and then day.

Example 2.4. Setting the Current Date and Time

To adjust the current date and time to 9:25 in the morning on April 27th, 2015 :

Command-Line Interface

System:/> time -set 2015-04-27 09:25:00

	Note: A reconfigure is not required
	A new date and time will be applied by cOS Stream as soon as it is set. There is no requirement to reconfigure or restart the system.

Time Zones

The world is divided up into a number of time zones with Coordinated Universal Time (abbreviated as UTC and interchangeable with GMT) as the base time zone. All other time zones going east and west are taken as being UTC plus or minus a number of hours (either whole or fractional). All locations counted as being inside a given time zone will then have the same local time and this will be one of the integer offsets from UTC.

The DateTime object property TimeZone must be set to a value which reflects the time zone where the Clavister NetShield Firewall is physically located.

Example 2.5. Setting the Time Zone

To modify the time zone to be UTC plus 1 hour (Central European Time), the CLI would be the following:

Command-Line Interface

System:/> set DateTime Timezone=UTC+01:00

Note that CLI tab completion can present a list of all time zone value options.

Daylight Saving Time

Many regions follow Daylight Saving Time (DST) (or "Summer-time" as it is called in some countries) and this means clocks are advanced for the summer period. Unfortunately, the principles regulating DST vary from country to country, and in some cases there can be variations within the same country.

There is no specific setting for enabling DST in cOS Stream. Instead, DST is implicitly enabled by selecting the appropriate value for the Timezone property. For example, UTC+01:00 is the value for UTC plus one hour. However, UTC+01:00-EU is the value for UTC plus one hour which includes daylight saving. Tab completion can be used to identify all available values in the CLI.

Example 2.6. Enabling the Time Zone with DST

To modify the system time zone to be UTC plus 1 hour and to include the daylight saving applicable for the European union, the CLI would be the following:

Command-Line Interface

System:/> set DateTime Timezone=UTC+01:00-EU

	Note: Switching off DST
	Even though DST is implicitly enabled through the time zone value specified, it is still possible to turn it off by disabling the DSTAutoAdjust property of the Timezone object. The same property can be used to then re-enable it. This might be done, for example, for testing purposes.

2.2.2. Time Servers

The system clock which cOS Stream uses can sometimes become fast or slow after a period of operation. This is normal behavior in most network and computer equipment and is solved by utilizing Time Servers.

cOS Stream is able to adjust the clock automatically based on information received from one or more time servers which provide a highly accurate time, usually using atomic clocks. Using time servers is highly recommended as it ensures the system will have its date and time aligned with other network devices.

For hardware platforms without battery backup of the system clock, using time servers is a useful way to automatically set the correct time after initial startup.

The SNTP Protocol

Time Synchronization Protocols are standardized methods for retrieving time information from external time servers. The Clavister NetShield Firewall supports the Simple Network Time Protocol (SNTP) as defined by RFC 5905 (SNTPv4).

Configuring Time Servers

More than one time servers can be configured to query for time information. By using more than a single server, situations where an unreachable server causes the time synchronization process to fail can be prevented. cOS Stream always queries all configured servers and then computes an average time based on all responses. The configure servers, the steps are:

Set the TimeSyncEnable option on the DateTime object to be Yes.
Add each configured server as a new TimeServer object to the DateTime object.

Example 2.7. Enabling Time Synchronization using SNTP

In this example, time synchronization will be enabled and two time servers will be configured with IPv4 addresses 10.5.4.36 and 10.5.4.76. The created TimeServer objects will be given the names my_tsrv1 and my_tsrv2.

Command-Line Interface

First, change the context to be DateTime:

System:/> cc DateTime

Next, add a TimeServer object with the name my_tsrv1:

System:/DateTime> add TimeServer IP=10.5.4.36 Name=my_tsrv1

Now add the second server:

System:/DateTime> add TimeServer IP=10.5.4.76 Name=my_tsrv2

Then return to the default, root context:

System:/DateTime> cc

Finally, activate and commit the configuration changes.

Manually Triggering Time Synchronization

If there is a need to manually force the system clock to be updated then this can be done with the time -sync CLI command.

Example 2.8. Manually Triggering Time Synchronization

Time synchronization can be triggered from the CLI.

Command-Line Interface

System:/> time -sync

Time synchronization requested

System:/>

Maximum Time Adjustment

To avoid situations where a faulty Time Server causes the clock to be updated with a extremely inaccurate time, a Maximum Adjustment value (in seconds) can be set. If the difference between the current system time and the time received from a Time Server is greater than this Maximum Adjustment value, then the Time Server response will be discarded.

For example, assume that the maximum adjustment value is set to 60 seconds and the current system time is 16:42:35. If a Time Server responds with a time of 16:43:38 then the difference is 63 seconds. This is greater than the maximum adjustment value so no update occurs for this response. The default value for the maximum adjustment is 600 seconds (ten minutes).

Example 2.9. Modifying the Maximum Adjustment Value

Command-Line Interface

System:/> set DateTime TimeSyncMaxAdjust=4000

Forcing Synchronization

Sometimes it might be necessary to override the maximum adjustment. For example, if time synchronization has just been enabled and the initial time difference is greater than the maximum adjust value. It is then possible to manually force a synchronization and disregard the maximum adjustment parameter.

Example 2.10. Forcing Time Synchronization

This example demonstrates how to force time synchronization, overriding the maximum adjustment setting.

Command-Line Interface

System:/> time -sync -force

The Time Synchronization Interval

The interval between each synchronization attempt can be adjusted if needed. By default, this value is 86,400 seconds (1 day), meaning that the time synchronization process is executed once in a 24 hour period.

Example 2.11. Changing the Time Synchronization Interval

Command-Line Interface

System:/> set DateTime TimeSyncInterval=3600

2.3. Licensing

Overview

To use the Clavister NetShield Firewall in a live environment, a license file must be deployed to the Clavister NetShield Firewall and associated with the configuration. The purpose of the license file is to define the capabilities and limitations that an installation has.

Demo Mode

Without a valid license, cOS Stream operates in Demo Mode. In this mode, cOS Stream has full functionality but will only operate for a limited amount of time before going into lockdown mode. The amount of time that demo mode lasts can vary, depending on the type of software distribution. The total time period allowed can be seen in the output from the CLI license command (with no options) as the value for the Demo parameter (this parameter has a value of <empty> with a valid license).

While cOS Stream operates in demo mode, the following will be true:

On initial startup, the console will indicate that demo mode is active and how much time is remaining before lockdown occurs.
A message will then appear in the CLI console after approximately 50%, 75% and 87.5% of the demo period has passed and this will indicate how much time remains.
A log event message called Remaining demo period will be periodically generated indicating that demo mode is active. The time remaining is shown in the explanation field of the log message.
The amount of time remaining before lockdown can be displayed at any time using the CLI command about.
When the demo period expires, the following message will be printed on the console:
```
	Demo license timed out. System entering lockdown.
```
If the about command is now entered, it will show the following message:
```
	No license installed – DEMO mode expired
```

After the demo mode time period has expired, cOS Stream goes into lockdown mode so normal operation ends and only the following becomes possible:

The only access permitted to cOS Stream is management access by an administrator.
In addition to management access using the CLI, access is also possible using SCP and SNMP.
cOS Stream can be configured, including uploading and activating a license.

Log event and console messages indicate when lockdown mode goes into effect and when it ends.

License Files

A license file is a plain text file that defines all the capabilities allowed by the license plus a digital signature to ensure the file cannot be altered. The file can be opened and read in a normal text editor. It is generated and supplied by Clavister.

Associating Licenses

Associating a license file with cOS Stream is a two step process:

Step 1: Upload a License File

First, upload a license file to cOS Stream using SCP. More than one license can be uploaded but they must have different names. Files with the same name will overwrite each other. All license files will be lost after a system reboot except the currently activated license.

For example, the SCP command under Linux to upload a file called my_license.lic to a firewall called fw_name might be:

> scp license.lic user@fw_name:my_license.lic

Under windows the SCP upload would be done using an appropriate utility with SCP support.

Step 2: Activate the License File

Assuming that a license file called my_license.lic has already been uploaded using SCP, the CLI command to activate this license is:

System:/> license activate my_license.lic

This command causes a reconfigure to take place. If the reconfigure is successful then the capabilities of the new license will come into effect. If the reconfigure is not successful, cOS Stream will revert to its previous state which will either be to using the previously activated license or to lockdown mode.

Managing License Files

As stated above, a number of license files can be present in local temporary storage, however, only one can be active at any time. The CLI provides the license command to manage the active license. The options for this command are:

Activate

As discussed above, the activate option causes a previously uploaded license to become the current license associated with cOS Stream. A copy of the license selected is made by cOS Stream and saved in non-volatile storage. It is this copy that is used during system operation and it is not lost after a system reboot.

Remove

This option deactivates the currently activated license file:
```
System:/> license remove
```
After deactivation, cOS Stream enters lockdown mode. Previously uploaded license files are unaffected by this command and remain available for activation (although they will be lost after a system reboot).

No options

If the license command is used without any options, it provides a summary of the currently activated license's properties. Some typical output from this command is shown below:

System:/> license
				
           Property  Value
-------------------  -------------------
           IsValid:  Yes
                OS:  1
      RegisteredTo:  Clavister
   RegistrationKey:  0324-5761-7527-1384
             OEMId:  0
      DisplayModel:  Generic
  RegistrationDate:  2018-04-27 00:00:00
      LastModified:  2019-05-24 10:24:46
        IssuedDate:  2019-05-24 00:00:00
UpgradesValidUntil:  2021-04-27 00:00:00
        MACAddress:  01-91-FB-1A-A0-30
        IKETunnels:  2000
               GTP:  Yes
               BGP:  Yes
              OSPF:  Yes
           CGNAT64:  Yes
            DetNAT:  No
          IPSUntil:  2021-04-27 00:00:00
              Demo:  <empty>
       SiteLicense:  <empty>

The MAC address in a valid license must match one of cOS Stream's Ethernet interfaces.

License Validity Expiration Behavior

There is no true expiration date for licenses where the firewall stops working. Instead, there is a Upgrades Valid Until date. When this date has passed, cOS Stream will continue to function but software upgrades will not be available.

However, note that after the upgrade validity date has passed, the IPS and Application control subsystems will no longer function. If enabled, they will no longer scan traffic and they will also not block any traffic.

Binding to a MAC Address

When a license file is created it is bound to the MAC address specified in the license. This means that the license is only valid if cOS Stream can detect that the MAC address of one of the hardware's Ethernet addresses is the same as the MAC address of the license.

For this reason, a license is not portable between different hardware units. If hardware is replaced so that the license Ethernet MAC address is no longer present then a new license will need to be generated.

The Current License is a Configuration Object

The current license for a configuration is also a configuration object called License and this can be accesses through the CLI. The following command will give the same output as the license command:

System:/> show License

2.4. Backup and Restore

The administrator has the ability to take a snapshot of a Clavister NetShield Firewall system at a given point in time and restore it if necessary. Backups can be one of the following two types:

Configuration Backup

This is a backup of the entire current configuration but does not include a copy of the system software itself. This backup is the default type. Restoring this backup will only restore the original configuration.
System Backup

This is a backup of the current configuration and includes a copy of the system software itself. This requires using the -system option when creating the backup. When the backup is restored, the current software version will be replaced by the version in the backup.

Creating a Backup

Backups are created in two steps:

Step 1:

A backup is first created as a single file in local volatile memory. A configuration only backup is created with the following CLI command:
```
System:/> backup -create
```
Alternatively, a full system backup consisting of the current configuration as well as the current software version is created with the command:
```
System:/> backup -create -system
```
The file created will be placed in the root folder and it will have the default name config-YYYYMMDD.bkp where YYYYMMDD indicates the current date.

If a specific filename is desired for the backup file then the command form is:
```
System:/> backup -create <filename>
```
Step 2:

Once created, backup files are transferred to an external computer by downloading the files from the Clavister NetShield Firewall using SCP (Secure Copy). As stated above, all backup files are saved in the root folder.

It is important to note which Clavister NetShield Firewall hardware the backup file came from so that it can be restored to a processor that has the same logical interface names.

SCP usage is described further in Section 2.1.5, Secure Copy.

	Note: Backup files are temporary
	Any backup files created are not held in permanent memory and will disappear after system restarts.

Restoring a Backup

Restoring a backup is also a two step process:

Step 1:

Use SCP to upload the backup file to the root folder of the target Clavister NetShield Firewall. For example:
```
> scp config.bkp admin1@10.5.62.11:.
```
SCP usage is described further in Section 2.1.5, Secure Copy.
Step 2:

To make the uploaded configuration the current configuration, the following CLI command is used:
```
System:/> backup -restore <filename>
```
Where <filename> is the name of the file in cOS Stream's root folder.

To list all the backup files, use the CLI command:
```
System:/> backup -list
```
When a restore begins, the selected file is validated before it replaces the current configuration. For the new configuration to become active, the CLI commands Activate followed by Commit are required after the restore is complete.

	Caution: Do not perform a restore with live traffic
	A restore operation should not be attempted with live traffic flowing through the firewall. Any traffic flows will be disrupted.

Reverting to a Backup

After performing a restore operation, cOS Stream retains a copy of the original configuration (that is to say, the configuration that the restore replaced). This copy can be reactivated at any time with the CLI command:

System:/> backup -revert

A revert operation always uses the configuration in effect previous to the last restore if there was one. If no restore has been performed, a revert operation will have no effect.

Restoring to a Dissimilar Processor

It is important to restore a backup to a configuration which has the same interface names as the original hardware from which the backup was taken. The reason for this is that the backup may refer to logical interface names that do not exist on the new hardware.

Interface ID Collisions

Every interface in a backup file has a unique ID assigned to it which is based on the ordering of the interface in the system. In some unusual circumstances, the IDs of the interfaces in a backup might not agree with the IDs of the physical system. This might occur if an interface was deleted from a configuration and then later added back in.

When such a mismatched backup is restored, the restore will fail with a message that includes the line:

In VLAN vl: Interface ID change of 'vl'(nnnn->mmmm) is not supported.

Where nnnn and mmmm are the conflicting IDs. To force the restore so these ID mismatches are ignored, use the command:

System:/> backup -restore <filename>.pkg -reboot

This forces the system to reboot and then use the backup file.

Resetting to Factory Defaults

A special case of backup command usage exists for restoring the current configuration to the original factory default configuration:

System:/> backup -factoryreset

The following points should be noted about this operation:

Since the default configuration will be restored, this should only be done via an SSH client which is connected to the default management interface using the default management IP address or from a console which is connected to the firewall's local console interface. Otherwise, connection to the CLI will be lost after the command is issued.
The current configuration will be lost after a reset and cannot be recovered. For this reason, this operation should be used with caution.

To remind the administrator that the command is irreversible, a prompt appears to ask if cOS Stream should proceed:
```
System:/> backup -factoryreset
This will reset the current configuration to factory default
and reboot the system.
This change is not reversible.
Are you sure you want to continue? [yes/no]: yes
Resetting configuration to factory default...
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Reset configuration to factory default successfully.
The system is going down NOW!
```
In CLI scripts, the -force option must be used to ignore any prompts since a script cannot respond to a prompt.

If both the configuration and the current version of the software are to be restored to the factory defaults, the CLI command becomes:

System:/> backup -factoryreset -system

This will similarly reboot the system once the reset process has completed. All upgrades of cOS Stream performed since hardware delivery will be lost as well as the current configuration.

Factory Resets on Clavister Hardware Products

Where cOS Stream is running on a Clavister hardware product, it is possible to reset to factory defaults by keeping a switch on the hardware appliance depressed for a given length of time. This procedure is fully explaining in the factory reset section in the Getting Started Guide for the relevant hardware guide.

An additional way to perform a factory reset on Clavister hardware products is to use the hardware's boot menu. This menu is entering by repeatedly pressing the Esc key at the local console as the hardware powers up. This menu is explained further in a dedicated section of the Getting Started Guide for the relevant hardware product.

2.5. Upgrading Software

From time to time Clavister will release new cOS Stream software versions. All version releases are provided in the form of a single file with the filetype .upg and a filename indicating the target platform and version number. All releases are installed in the same way.

The following should be noted about new releases:

Notifications about new releases is sent by email to registered MyClavister users. Email preferences should be set accordingly in the relevant MyClavister account.
It is recommended to always upgrade to the latest cOS Stream release.
The .upg file for a specific upgrade should be downloaded from the relevant MyClavister account before beginning the upgrade process.
Upgrades should be performed during a maintenance window when there is no live traffic. The upgrade process will disrupt any traffic flowing through the NetShield firewall.
As a precaution, it is recommended to take a full system backup before beginning the upgrade process.
The progress of the upgrade process will be displayed on the cOS Stream console, as described later in this section.
If the upgrade process fails then cOS Stream will automatically roll back any changes so the system will be unchanged.
Success of an upgrade will be displayed in the console at the end of the process but it can be reconfirmed manually using the about command.

Applying a .upg Upgrade File

Applying an upgrade file requires the following steps:

Upload the relevant .upg file to firewall disk storage using SCP.
Use the CLI upgrade command to apply the upgrade.
cOS Stream verifies the checksum and signature of the upgrade file and then installs it.

For a high availability (HA) cluster, the above procedure is repeated on each cluster node but with some extra considerations. This is described further in Section 22.4, Upgrading an HA Cluster.

The Upgrade Command

The CLI upgrade command is used to install an already uploaded .upg file. For example, if the file uploaded with SCP is called cos_stream_3_30_01.upg, the upgrade command with example output would be:

System:/> upgrade cos_stream_3_30_01.upg

This will upgrade the system using cos_stream_3_30_01.upg
Are you sure you want to continue? [yes/no]: yes
|0%Validating                     |50%Extracting                   |100%
|||||||||||||||||||||||||

The CLI displays a progress bar consisting of lines which will gradually increase to 100% completion.

The following should be noted:

After successful installation, the system will automatically restart itself.
If the system fails to configure with the new software version, the old version is automatically restored and the system is restarted.
When running a CLI script, the -force option should be used to suppress the continuation question. The full CLI command would be:
```
System:/> upgrade <filename> -force
```

Managing Package Files

To check which .upg files have been uploaded and are available to be used with an upgrade, the following command is used:

System:/> upgrade -list

Wildcards cannot be used with the -list option.

To delete a package file, the following command can be used:

System:/> upgrade -delete <filename>

With the -delete option, the asterisk wildcard character ("*") can be used to represent filenames. For example, the delete all files:

System:/> upgrade -delete *.upg

2.6. Crashdumps

In the event of a serious system malfunction, cOS Stream generates a Crashdump and stores it in non-volatile system memory as a set of files. The files generated by a crashdump consist of critical data that can assist in troubleshooting the cause of the malfunction.

Crashdumps are for Technical Support

The files generated by crashdumps are not intended to be read and interpreted by the administrator. Instead, they are intended to be sent to product support personnel and all relevant files should be sent.

Downloading Crashdump Files

Any of the files generated by a crashdump can be downloaded using SCP. All files are kept in the storage folder called crashdumps. A typical SCP command to download a single file would take the form:

	scp  <user>@<fw-address>:/crashdumps/<crashdump-file>

To download all files in one operation, a typical SCP command would be:

	scp -r <user>@<fw-address>:crashdumps

Listing Crashdump Files

The CLI provides the command crashdump to manage the crashdump files stored in non-volatile memory. The -list option provides a list of all files currently stored along with their sizes in bytes plus the total memory used and available. For example, a typical listing might be:

System:/> crashdump -list
		
Size   Name
-----  -------------------------------
46142  2011-01-01_00.00.36_rtbld.dump
886    2011-01-01_00.00.52_dpcore.dump

Used space:     47028 Bytes
Free space:  24211456 Bytes

	Tip: The default option is -list
	If no option is specified after the crashdump command, the option -list is assumed.

Crashdump File Naming

Every crashdump file has a filetype of .dump and the complete filename has the form:

			<date><time><module>.dump

Where the <module> identifies the module which is the source of the crashdump, preceded by the date and time of the crash occurring. For example:

			2011-01-01_00.00.36_rtbld.dump

	Note: GMT is used in crashdump timestamps
	The date and times used in crashdump timestamps are based on GMT. They are not based on local time.

Deleting a Single File

The -delete option can be used to delete files from permanent storage. For example, to remove the file 2011-01-01_00.00.52_dpcore.dump, the command would be:

System:/> crashdump -delete=2011-01-01_00.00.52_dpcore.dump

Deleting All Files

All crashdump files stored in memory can be deleted with the following command:

System:/> crashdump -delete=All

Instead of All, the wildcard asterisk character "*" can be used instead:

System:/> crashdump -delete=*

	Important: Delete crashdump files after downloading
	The size of non-volatile memory available for crashdump file storage is limited. It is therefore important to delete crashdump files as soon as they have been downloaded.

2.7. Statistics

cOS Stream maintains a large number of counters in memory that keep track of system activity. This information is kept only in memory and is mostly made up of single numerical values. The purpose of this is to be able to give the administrator an overview of the tasks being performed by the system and the counters are collectively known as Statistics.

Note that all values are reset between system restarts so that statistics are not carried over.

A separate document called the Clavister NetShield Firewall Statistics Reference Guide provides a detailed listing of all available statistical values. This section is designed to give a short introduction to their structure and use.

Accessing Statistics

There are two methods for the administrator to view statistics:

By using the statistics command in a CLI console.
Using an SNMP client that references a MIB file.

This section deals with examining statistics through the CLI. SNMP access to cOS Stream is described in Section 2.1.7, SNMP Monitoring.

The Hierarchical Statistics Structure

All statistics are part of a hierarchical tree structure which divides them into related values. This structure can be clearly seen in the contents of the Statistics Reference Guide.

An individual statistic is identified by means of a "path" which includes everything above it in the hierarchy. The form of this path is described in the Statistics Reference Guide. For example, the path definition for an interface's bytes_recv statistic is:

		/interfaces/common/[..n]/bytes_recv

Where [..n] represents the name of the interface.

For example, the bytes_recv statistic associated with the if1 interface is identified with the path:

		/interfaces/common/if1/bytes_recv

These variable references in paths are indicated in the Statistics Reference Guide using the [..n] notation.

Using the statistics Command

The CLI command statistics is used to display the value of one or many statistics at a moment in time or at a regular interval. Entering this command without options will initially give the following response:

System:/> statistics
		
The list of polled values is empty

The command maintains a list of statistics that can be polled and it is necessary to first add to the list using the -add option. Suppose that there is a requirement to see the number of active system users every 10 seconds. The command to add this to the list is:

System:/> statistics -add /authentication/system/active_users

The new contents of the list can now be displayed and at the same time all statistics on the list are polled:

System:/> statistics
		
Name | 2018-12-22 18:05:01                  Value  Unit
------------------------------------------  -----  -----
/authentication/system/active_users         1      users

A list of all statistics that can be polled is output from the command:

System:/> statistics -listall

Starting and Stopping Interval Polling

To begin polling the values in the list at a regular interval, the -poll and -interval options are used:

System:/> statistics -poll -interval=<number>

This turns on interval polling with new console output appearing every <number> seconds. In the example output below, more users appear after 10 seconds:

System:/> statistics -poll -interval=10
		
Name 2017-12-22 18:12:15                    Value  Unit
------------------------------------------  -----  -----
/authentication/system/active_users         2      users

Name 2017-12-22 18:12:25                    Value  Unit
------------------------------------------  -----  -----
/authentication/system/active_users         5      users

To stop interval polling use the following command:

System:/> statistics -stop

Using Wildcards

When adding statistics to the polling list, the asterisk "*" character can be used to specify all statistics within a particular category. For example, the statistic bytes_recv for the Ethernet interface if1 can be polled with the command:

System:/> statistics -add /interfaces/common/if1/bytes_recv

To poll all interfaces, the command would be:

System:/> statistics -add /interfaces/common/*/bytes_recv

Note, however, that the actual interface name specified as part of the path can vary from platform to platform.

Removing Polled Statistics

The -remove option can remove individual statistics from the polled list:

System:/> statistics -remove /authentication/system/active_users

If everything on the polled list is to be removed, this can be done using the wildcard character:

System:/> statistics -remove *

To remove specific groups of statistics, the wildcard character can be used with the -remove option in the same way as it is used with the -add option. For example:

System:/> statistics -remove /interfaces/common/*/bytes_recv

Logging Statistics Output to a File

The potential demands on memory make it impractical to log statistics polling output to a file on the firewall. However, it is possible to save the console output to a file in many SSH clients and this is the recommended way to do it.

Statistics and High Availability

Statistics are HA node specific and are therefore not synchronized between HA cluster nodes. This topic is discussed further in Section 22.5, HA Issues.

2.8. Diagnostic Tools

cOS Stream provides a set of CLI commands to help with troubleshooting problems. These commands are described in this section.

2.8.1. The Ping Command

When troubleshooting networking problems, one of the most useful tools is the CLI ping command. This command can send one of more ICMP ECHO, TCP or UDP packets to a specified IPv4 or IPv6 address and reports the reply that is received.

A Simple ICMP Example

The simplest example of ping usage is sending an ICMP ping message to the IPv4 address 10.4.0.2. The CLI command would be:

System:/> ping 10.4.0.2

In the above command, the source interface is not explicitly specified so cOS Stream derives this by looking up the destination IP in the relevant routing table. The routing table used defaults to main but could be specified in the command using the -routingtable=<table> option. For example:

System:/> ping 10.4.0.2 -routingtable=my-rtable

Note that when the source interface is not explicitly specified in this way, the configuration's rule sets are not checked to see if the traffic is allowed. Therefore the message is always sent and cannot be blocked or have address translation applied by the configured IP rules.

Specifying the Protocol and the Message Load

The ICMP ECHO, TCP or UDP protocols can be used when sending a message, with ICMP being the default. The protocol option is specified immediately following the ping command. For example, to send a UDP message to 10.4.0.2, the command would be:

System:/> ping -udp 10.4.0.2

When relevant, the message load can be specified using the -request option, so the response from an HTTP server could be tested with the following command:

System:/> ping -tcp 203.0.113.10 -port=80 -request="GET /HTTP/1.0\n\n"

Sending to IPv6 Addresses

A message can be sent to an IPv6 address in the same way that it is sent to an IPv4 address. Any of the other options discussed previously can be used with IPv6 addresses. Below is an example of pinging the c1a1::1:2 IPv6 address:

System:/> ping c1a1::1:2

Sending 4-byte ICMP ping to c1a1::1:2:61083 from c1a1::1:1:128
4-byte ICMP reply from c1a1::1:2:61083 to c1a1::1:1:129

The -verbose Option

Extra information about traffic sent and received can be displayed when the -verbose option is used (this can be shortened to -v). For example:

System:/> ping 10.4.0.2 -v

In some cases, extra information is available if the -vv (more verbose) option is used.

The verbose options are required when performing ping traffic simulation (described next) in order to see the configuration elements that are triggered during the simulation.

Incoming Packet Simulation Using the -srciface and -srcip Option

In addition to testing the responsiveness of a remote host, the ping command can be used to simulate incoming traffic on a given interface and thereby test how the current configuration responds to different types of traffic. This is done by using the -srciface option to specify the interface that will appear to be receiving the message generated, along with the -srcip option to specify the source IP address of the message.

For example, the following command would simulate an incoming ICMP ping message arriving on the if2 interface that was coming from the source IP address 192.168.0.10:

System:/> ping 10.6.58.10 -srciface=if2 -srcip=192.168.0.10 -verbose

This command will construct an ICMP packet with a destination IP of 10.6.58.10 and cOS Stream will behave as though that packet had arrived at the interface if2 and had come from the external IP address 192.168.0.10.

Note that the simulated traffic received in this way will be treated by the configuration as normal traffic. This means that such configuration elements as IP rule sets will be applied so any relevant NAT or SAT actions will also be applied. The traffic might even be dropped. Also note that the -routingtable option cannot be used with the -srciface option as it has no relevance in this context.

If there is no route that matches the combination of source IP address and receiving interface, the packet will be dropped. Some example output when this happens is listed below:

System:/> ping 192.168.14.1 -srciface=if14 -srcip=192.168.14.12 -verbose
Simulating 4-byte ICMP ping to 192.168.14.1:44434
  from (if14) 192.168.14.12:8
(Response is not displayed when '-srciface' is used)
SNOOP:  POLICY-1  : Forward lookup matched PBR rule "RoutingRule_1"
  (id 0x3039) against <ICMP if14;192.168.14.12:2048 -> 192.168.14.1:44434>
SNOOP:  POLICY-1  : Drop <ICMP
  if14;192.168.14.12:2048 -> 192.168.14.1:44434>:
	No route to source in table "Main" (ID: 0x20).

For the ping message not to be dropped, there must not only be a route that matches the source IP address and source interface combination but also an IP rule set entry that allows the traffic on that interface. If the administrator simulates the packet arriving on the if2 interface and going to some host on the network if1_net, the allowing IP rule set entry might be the following:

Action	Source Interface	Source Network	Destination Interface	Destination Network	Service
Allow/NAT	if1	if1_net	if2	all-nets	ping-inbound-ip4

If there is no IP rule set entry that allows the traffic it will also be dropped. The following example shows some example console output when this happens:

System:/> ping 192.168.14.1 -srciface=if14 -srcip=192.168.14.12 -verbose
Simulating 4-byte ICMP ping to 192.168.14.1:2524
  from (if14) 192.168.14.12:8
(Response is not displayed when '-srciface' is used)
SNOOP:  POLICY-1  : Forward lookup matched PBR rule "RoutingRule_1"
(id 0x3039) against <ICMP if14;192.168.14.12:2048 -> 192.168.14.1:2524>
SNOOP:  POLICY-1  : <ICMP if14;192.168.14.12:2048 -> 192.168.14.1:2524>:
  Found reverse route "Route_3" (ID: 0x3ead62f) 192.168.14.0/24 ->
  if14 (Gateway: none) in table "Main" (ID: 0x20).
SNOOP:  POLICY-1  : <ICMP if14;192.168.14.12:2048 -> 192.168.14.1:2524>:
  Found forward route "Route_3" (ID: 0x3ead62f) 192.168.14.0/24 ->
  if14 (Gateway: none) in table "Main" (ID: 0x20).
SNOOP:  POLICY-1  : Matched default rule "System::DefaultDrop"
SNOOP:  POLICY-1  : Dropped by default rule "System::DefaultDrop"
SNOOP:  POLICY-1  : <ICMP if14;192.168.14.12:2048 ->
  192.168.14.1:2524>: Dropped by IP rules

Once both the routing problem and the IP rule problems that were indicated in the above two output examples are fixed, the following is an example of some problem-free output:

System:/> ping 192.168.14.1 -srciface=if14 -srcip=192.168.14.12 -verbose
Simulating 4-byte ICMP ping to 192.168.14.1:24093
  from (if14) 192.168.14.12:8
(Response is not displayed when '-srciface' is used)
SNOOP:  POLICY-1  : Forward lookup matched PBR rule "RoutingRule_1"
  (id 0x3039) against <ICMP if14;192.168.14.12:2048 -> 192.168.14.1:24093>
SNOOP:  POLICY-1  : <ICMP if14;192.168.14.12:2048 -> 192.168.14.1:24093>:
  Found reverse route "Route_3" (ID: 0x3ead62f) 192.168.14.0/24 -> if14
  (Gateway: none) in table "Main" (ID: 0x20).
SNOOP:  POLICY-1  : <ICMP if14;192.168.14.12:2048 -> 192.168.14.1:24093>:
  Found forward route "Route_3" (ID: 0x3ead62f) 192.168.14.0/24 -> if14
  (Gateway: none) in table "Main" (ID: 0x20).
SNOOP:  POLICY-1  : Matched rule "iprule_all_services" with id 0xdaa96f5
SNOOP:  POLICY-1  : Allow <ICMP if14;192.168.14.12:2048 ->
  192.168.14.1:24093>: route via if14

Specifying Only the -srcip Option

The -srcip option can be used without -srciface when traffic is not being simulated. This usage allows an outgoing ping message to originate from a specific source IP address. For example, to send an ICMP ping from the IPv4 address 192.168.0.5 to 10.4.0.2, the command would be the following:

System:/> ping 10.4.0.2 -srcip=192.168.0.5

Normal route lookup determines the sending interface. However, to use -srcip in this way, one of the following conditions needs to be true:

The source IP specified is one of the addresses that is configured on the sending interface.
If a route lookup is done on the source address, it is routed on the core interface.

All ping command options are listed in the separate CLI Reference Guide.

2.8.2. Dconsole

During system operation, important troubleshooting information is saved in system memory by the Dconsole subsystem. This information takes the form of time stamped messages which record both normal events such as system restarts but also any abnormal system events. These messages can be retrieved at any time using the CLI command:

System:/> dcon

The output generated by the dcon command provides an important diagnostic tool that can help to determine the cause of a system problem. However, it should be remembered that interpreting the output is often best done by sending the information to qualified support personnel.

Message Content

Each dcon message that is written during system operation includes the following information:

A timestamp to show when the message was generated.
Uptime since the last system start.
The severity level of the event.
The category name of the application code that generated the event.
The software module that caused the event.
A textual message stating what the event was.

Some typical output from the dcon command is shown below:

System:/> dcon
Showing diagnose entries since 2012-11-09:
2015-11-07 12:02:15     01:51:29        INFO    SYSTEM,CONFIG   vsinit  
Beginning reconfigure [type=Activating new config][reason=] [09ce5f4f]
2015-11-07 12:02:16     01:51:30        INFO    SYSTEM,CONFIG   vsinit
Reconfigure completed successfully [0b1a5f4f]

Here, the dcon command is used without any parameters and by default only messages stored for today are displayed. The first message retrieved indicates the time of a reconfigure. The second indicates the reconfigure has been successfully completed.

All the recent dconsole messages could have been displayed by using the command with some previous date specified:

System:/> dcon -show -date=2016-01-01

The Message Buffering Mechanism

A finite amount of volatile memory is allocated for the buffering of dcon messages. Typically, this buffer holds around a thousand messages although this number can vary because of the variable message length. The contents of this buffer are lost between system restarts.

When the volatile memory buffer is full, the newest message overwrites the oldest message. At certain times, the entire buffer is copied to a non-volatile memory file called dcon.bin and then the buffer is cleared. These copy operations occur when:

A system event with a Critical or High priority occurs.
Or the volatile memory buffer is explicitly flushed with the command:
```
System:/> dcon -flush
```

When the copy operation occurs, the messages in the volatile memory buffer are appended to the existing messages in the non-volatile file dcon.bin. After the copying is complete, the volatile memory buffer is automatically cleared and begins to fill up again with new messages.

Messages can be appended to the non-volatile file until the configured maximum size of the file is reached. When this happens, cOS Stream erases the oldest 50% of the messages to clear space for new appended messages. The newest 50% of messages in the file are preserved.

During system startup the non-volatile file is allowed to temporarily grow beyond its configured maximum to accommodate any messages generated. This deals with the case that the file may be close to its size limit at startup but vital troubleshooting information still needs to be retained if a problem occurs.

The Volatile Memory Buffer is Circular

The volatile buffer is circular which means that new messages overwrite the oldest messages when it becomes full. When overwriting occurs, a dcon message is generated that takes a form similar to the following:

2015-11-06 13:11:26 368:23:42 INFO LOG dcon 801 Messages got Overwritten

Manually Clearing All Messages

All messages currently held in dconsole storage can be removed with the command:

System:/> dcon -clean

This clears all messages in both the volatile memory buffer and the non-volatile memory file.

Filtering Messages

When output reports are generated, dcon scans all the available messages in both volatile and non-volatile memory. The command provides a variety of options for filtering this output since the total number of available messages may be high.

For example, to show all events that have a severity of Critical or higher, use the command:

System:/> dcon -show -severity=Critical

To show all events that were generated after and including 1st June 2011, use the command:

System:/> dcon -show -date=2016-06-01

To show all events related to the system vsinit component, use the command:

System:/> dcon -show -app=vsinit

To show all events related to the system dataplane component, use the command:

System:/> dcon -show -app=dataplane

For a full list of dcon command options, refer to the separate Clavister NetShield Firewall CLI Reference Guide.

2.8.3. Pcapdump

A valuable diagnostic tool is the ability to examine the packets that enter and leave the interfaces of a Clavister NetShield Firewall. For this purpose, cOS Stream provides the CLI command pcapdump which allows the recording of packets entering and leaving all or certain interfaces. The captured packets can be stored in a file and/or displayed on the console in an easily readable text form. Filters can also be applied so that only packets meeting specific criteria are recorded.

This section focuses on some of the important options for using the command. The complete syntax of the pcapdump CLI command is described in the cOS Stream CLI Reference Guide.

	Important: Pcapdump requires sufficient control plane memory
The pcapdump command requires that the control plane free memory space to be at least 100 MBytes. If this is not available then the pcapdump command will come back with a message saying that it has insufficient memory. This problem should only occur in a virtual environment and to resolve it, the virtual machine should be stopped and the memory allocated to cOS Stream should be increased. One Gigabyte of RAM for the whole virtual machine should be a minimum. The CLI memory command can show the amount of available memory in the control plane.

Important: Pcapdump requires sufficient control plane memory

The pcapdump command requires that the control plane free memory space to be at least 100 MBytes. If this is not available then the pcapdump command will come back with a message saying that it has insufficient memory. This problem should only occur in a virtual environment and to resolve it, the virtual machine should be stopped and the memory allocated to cOS Stream should be increased. One Gigabyte of RAM for the whole virtual machine should be a minimum. The CLI memory command can show the amount of available memory in the control plane.

The Command View Needs to be Changed

The pcapdump command is not available in the default CLI view. The CLI view must be changed to at least debug with the following command:

System:/> cmdview debug

A Simple Example

An example of pcapdump usage is the following sequence which will record the packet flow on the if3 interface:

Recording is started for the if3 interface with the following command:
```
System:/> pcapdump -start if3
Starting packet capture on: if3
```
By default, output is automatically saved to a file and no output appears on the console. Only one interface name can be specified in a command. To capture a group of interfaces, a pcapdump -start command must be issued for each interface. The following command with no interface specified will record packets on all interfaces:
```
System:/> pcapdump -start
```

The total number of packets captured can be limited with the -count option. cOS Stream will total the packets arriving and the packets leaving to determine if the count specified has been reached. To capture just the first 100 packets on the if3 interface, the command would be:
```
System:/> pcapdump -start if3 -count=100
```
When the specified packet count is reached, the capture will be stopped automatically and a message will be output to the console. An example of this message for the command above could be:
```
if3: Packet capture stopped (packet count reached).
Packets have been saved to file "if3_2014-12-17_15.32.12.cap".
```

The currently enabled packet capture can be viewed along with the number of packets recorded so far by using the -status option:

System:/> pcapdump -status
             PCAP Status

Interface Mode   Packets(In)   Packets(Out) Filter
--------- ------ -----------   ------------ ------
if3       ACTIVE 9             5

Recording can then be stopped for if3 with the -stop option:
```
System:/> pcapdump -stop if3
Stopping packet capture on: if3.
Interface Pkts(In) Pkts(Out) Saved to file
--------- -------- --------- ---------------------------
if2       3        4         if3_2014-12-17_16.32.12.cap
```
The name of the file used for the saved output consists of the interface name and the date and time when the recording is stopped. The -stop option without an interface specified will stop all captures for all interfaces:
```
System:/> pcapdump -stop
```
There is always a separate file created for every interface involved in a capture. Files are saved in volatile memory in the root directory and they are deleted following a restart.

All the available saved output files can now be listed using the -list option:

System:/> pcapdump -list
       PCAP Files

Size  Name
----  ---------------------------
354  if3_2014-12-17_16.32.12.cap

To list the contents of a saved file, use the -show option with the filename:
```
System:/> pcapdump -show -filename=if3_2014-12-17_16.32.12.cap
Showing packets in file "if3_2014-12-17_16.32.12.cap":
IP 192.168.12.200->192.168.12.1  IHL:20  DataLen:12 TTL:59 Proto:ICMP
ICMP Echo request  ID:4042  Seq:0
-----------------------------------------------------------------------
IP 192.168.12.1->192.168.12.200  IHL:20  DataLen:12 TTL:128 Proto:ICMP
ICMP Echo reply  ID:4042  Seq:0
----------------------------------------------------------------------- 
```
Note that the -show option on its own will just show the packets that are in the buffer memory and have not been written yet. Buffering is discussed further later. If there is a need to stop the output from the show command, the Ctrl-S key sequence can be used to pause output and Ctrl-C can be used to break output.

The -num option can only be used with -show and it limits the number of packets displayed. For example, if only the first 20 packets were to be displayed, the above command would become:
```
System:/> pcapdump -show -filename=if3_2014-12-17_16.32.12.cap -num=20
```
By default, the -show option displays all packets.

Saved files can be deleted with the -remove option:
```
System:/> pcapdump -remove -filename=if3_2014-12-17_16.32.12.cap
```
Wildcards could also have be used when specifying the filename so that a group of matching files can be deleted with one command. For example, to delete all files beginning with "if3":
```
System:/> pcapdump -remove -filename=if3*
```
This option could be used to remove all stored files with the following command:
```
System:/> pcapdump -remove -filename=*
```

All saved files can be deleted and the memory buffer cleared with the following command:
```
System:/> pcapdump -remove
```
This buffer is automatically cleared when recording stops if the -nowrite option was not used. If the -nowrite option was used then the -remove option is needed to clear the buffer. A new recording session on the same interface will also clear that interface's buffer.

Using -snaplen to Reduce File Size

The -snaplen option can be used to truncate all packet information before it saved in the buffer and/or a file. However, it will not truncate the information displayed on the console. For example, to only store the first 100 characters of information for each packet, the following command could be used:

System:/> pcapdump -start if3 -snaplen=100

The truncation is done only when the information is stored and does not affect any filtering performed.

The -snaplen option is also useful in reducing the space needed in the pcapdump buffer by shortening the packet information stored. The allocated buffer size is discussed later in this section.

The Memory Buffer Records All Packets Stored

Except for the case of using only console output, all packet information captured is always saved in a memory buffer of a fixed size. There is one buffer allocated at the start of a capture for each interface involved. The space in the buffer occupied by packets can vary depending on the type of packets captured. The current buffer contents can be displayed with just the -show option:

System:/> pcapdump -show

The buffer contents can be explicitly written to a file with the command:

System:/> pcapdump -write

This will write all the buffer contents into as many files as there are interfaces being recorded. If only a particular interface is to be written to a file with a given name, say if3.cap, then the following command would be used:

System:/> pcapdump -write if3 -filename=if3.cap

Writing to the memory buffer can be turned off with the -nocap option. This might be used with the -out option so there is just live output to the console:

System:/> pcapdump -start -out -nocap

When the -nocap option is used, the -status option output will show the Mode as SNOOP instead of ACTIVE.

System:/> pcapdump -status
             PCAP Status

Interface Mode   Packets(In)  Packets(Out) Filter
--------- ------ -----------  ------------ ------
if3       SNOOP  124          174

The memory buffer can be cleared (along with any saved files) by using the command:

System:/> pcapdump -remove

As mentioned earlier, the buffer is usually cleared after packet recording stops and files are automatically written. However, if file writing is disabled by using the -nowrite option, the buffer is not cleared and subsequent pcapdump -start commands will append packet information to the current buffer contents.

The administrator has the option to examine the buffer contents or write the buffer contents to file. To clear the buffer when using the -nowrite option, the administrator must use the pcapdump -remove command.

Changing the Allocated Memory Buffer Size

A pcapdump -start command will allocate a buffer for each interface involved in the packet capture. By default, this buffer is 128 Kbytes. If the captured packets exceed this memory allocation, capture will stop and the following message will appear on the console:

	     Packet capture stopped (buffer size limit reached).

If this is a problem, the buffer size can be specified as larger in the command to start capture. For example, if the desired buffer size is 256 Kbytes then the command would be the following:

System:/> pcapdump -start if3 -bufsize=256

The minimum buffer size is 128 Kbytes, but it is unlikely that the buffer size needs to be reduced to this. Another approach to solving an insufficient buffer size problem is to use the -snaplen option discussed previously. This will truncate the stored packet information and so reduce the information stored in the buffer and the size of the file created.

Writing Directly to the Console

As well as writing output to a file, output can be also directed to the console with the following version of the start command:

System:/> pcapdump -start if3 -out

This will send output to the console and at the same time save output to a file. If no file should be created then the -nowrite option is used:

System:/> pcapdump -start if3 -out -nowrite

The above command will still cause a buffer to be allocated to the interface and filled with captured packets so a file could be written by saving the buffer to a file, as described previously.

As discussed earlier, if the desire was to write to the console but only to the console and not allocate and fill a buffer, the command would be:

System:/> pcapdump -start if3 -out -nocap

Filtering Output

In conjunction with the above versions of the pcapdump command where the -start option was used with an interface, further filters can be applied to further restrict the type of packet captured.

The range of filters available is large and is fully documented on the online help (type help pcapdump) as well as in the separate CLI Reference Guide. This section will show examples of some of the filters to illustrate their use.

Port Number

The general use of filters can be illustrated by looking at the filter for a specific port number:

System:/> pcapdump -start if3 -port=53

Or on a port range:

System:/> pcapdump -start if3 -port=53-95

Alternatively a list of ports could have been specified, so any of the list must match:

System:/> pcapdump -start if3 -port=53,85,92

Using -port means either the source or destination port must match the given values. However it is possible to specify these separately:

System:/> pcapdump -start if3 -portdest=45 -portsrc=85

cOS Stream provides predefined values which can be used for convenience instead of have to type integers. For example, to filter all traffic using the known FTP port numbers, the command could be:

System:/> pcapdump -start if3 -port=FTP

	Note: An AND operation is performed on multiple filters
	When more than one filter parameter is specified then all parameters must match for the packet to be recorded by pcapdump. In other words, a logical AND operation is performed between the filters.

Protocol

The -proto parameter looks for a specific traffic protocol at the IP level. For example, to only filter out ICMP traffic:
```
System:/> pcapdump -start if3 -proto=ICMP
```
Each string value like ICMP that can be used in the CLI is a convenience provided by cOS Stream. The actual assigned protocol number could be used instead. For ICMP, this is the number 1. Lists and ranges of protocols could be specified with either these predefined string values or the actual protocol numbers or both. For example, the following is valid:
```
System:/> pcapdump -start if3 -proto=ICMP,2,7-9
```
IP Address

The source or destination IP can be filtered. The IP specified can be IPv4 or IPv6 or a combination of both in a list. Below, is an example which specifies a single IPv4 address:
```
System:/> pcapdump -start if3 -ip=203.0.113.3
```
A range can be specified instead:
```
System:/> pcapdump -start if3 -ip=203.0.113.3-203.0.113.7
```
Or an entire network:
```
System:/> pcapdump -start if3 -ip=203.0.113.0/24
```
Here, IPv4 is mixed with IPv6:
```
System:/> pcapdump -start if3 -ip=203.0.113.3,2001:db8::1
```
Using -ip on its own means either the source or destination IPs must match the filter. However, these can be separated:
```
System:/> pcapdump -start if3 -ipsrc=203.0.113.3 -ipdest=2001:db8::1
```

	Caution: Pcapdump can degrade performance
Running pcapdump will have some impact on overall system performance. The degree of impact depends on the options chosen. The impact can be reduced by capturing on the smallest number of interfaces possible and through using filters to reduce the amount of packets captured. Raising the values of the -bufsize and/or -count options too high can have a particularly adverse effect on performance.

Caution: Pcapdump can degrade performance

Running pcapdump will have some impact on overall system performance. The degree of impact depends on the options chosen. The impact can be reduced by capturing on the smallest number of interfaces possible and through using filters to reduce the amount of packets captured.

Raising the values of the -bufsize and/or -count options too high can have a particularly adverse effect on performance.

Compatibility with Wireshark

The open source tool Wireshark (formerly called Ethereal) is a useful analysis tool for examining the logs of captured packets. The industry standard .pcap file format is used by pcapdump when it writes data to a file which means that it is compatible with Wireshark.

The administrator must use SCP in order to download the .cap files created by pcapdump from cOS Stream disk storage to a local management workstation for reading by Wireshark.

Writing in Hex and K12 Format

All files written by the pcapdump command are in the .cap format. However, it is possible to write console output in either hexadecimal or K12 format. For example, to write output to the console in hexadecimal format, the command would be:

System:/> pcapdump -start if3 -out -hex

To write output to the console in K12 format, the command would be:

System:/> pcapdump -start if3 -out -k12

cOS Stream can also perform a conversion from the current buffer contents in .cap format to hexadecimal or K12 format on the console. To display the current buffer contents in hexadecimal, the command would be:

System:/> pcapdump -show if3 -hex

Writing hexadecimal to the console provides an alternative way to get packet data into Wireshark or another tool. The hexadecimal output displayed in an SSH client console can be copy and pasted into a local text file on the management workstation and then that file can be read by Wireshark.

2.8.4. The techsupport Command

The techsupport CLI command is a general command for problem troubleshooting that combines the output from several other troubleshooting commands into a single console output. This information can then used by the administrator but is usually sent to qualified support personnel to troubleshoot problems.

The simplest form of the command is the following:

System:/> techsupport

This will create a file in the top level (root) directory of the system file system called techsupport.txt. Each usage of the command will overwrite any previous techsupport.txt file.

Once created, there are two ways of examining the file's contents:

Download the file over a network connection by using SCP from an external management computer.
Use the following CLI command to display the current file contents on the console:
```
System:/> techsupport -show
```
The output on the console will automatically be paginated with an interactive prompt to show the next page. To display the entire file at once without pagination, use the following command:
```
System:/> techsupport -show -nopages
```

The first few lines of the techsupport.text file include the system time when the contents were created. A typical example of this header is the following:

Technical Support Information
Please verify the contents before sending to Technical Support.
System Time: 2016-09-08 12:13:48 (UTC+00:00)

2.9. Hardware Monitoring

Overview

When cOS Stream is running on dedicated Clavister hardware (and not in a virtual environment), various sensors in the hardware will provide cOS Stream with information about the status of the hardware components. This information ranges from temperatures and fan speeds to indicating if components, such as power supply units, are operational.

The Sensor Polling Interval

By default, cOS Stream polls all hardware sensors every 5 seconds and stores the last retrieved sensor information until the next poll overwrites it. This 5 second interval can be changed globally by the administrator to another value between 1 and 30 seconds. For example, if the polling interval is to be changed to 20 seconds, the following CLI command would be used:

System:/> set Settings HWMONSettings SensorRefreshInterval=20

Type Of Hardware Monitoring

The Clavister NetShield Firewall provides two types of hardware monitoring that makes use of the information collected by sensor polling:

System hardware monitoring.
User hardware monitoring.

These types are explained in the sections that follow.

2.9.1. User Hardware Monitoring

In contrast to System Hardware Monitoring, the feature called User Hardware Monitoring is used to generate log event messages for specific sensors and conditions that are defined by the administrator.

Enabling User Hardware Monitoring

To enable user hardware monitoring for a sensor, a HWMONMonitor object must be created in the configuration and associated with the sensor. Only one sensor can be associated with one HWMONMonitor object.

Assume that monitoring of the CPU temperature is required. If the sensor name is CPU_Temp and the new object is to be called mon1, user monitoring for this sensor can be enabled with the following CLI command:

System:/> add HWMONMonitor mon1 SensorID=CPU_Temp

The HWMONMonitor object created will generate an event message when its sensor has a value that moves outside the thresholds defined for the object (in the case of temperatures and fan speeds) or when the status changes (in the case of a failed power supply).

Another log message is generated as the sensor value moves back to a normal value and becomes equal to the threshold value. In the above command, no minimum or maximum threshold values are specified so cOS Stream will use the default thresholds for this sensor. All sensors have default thresholds already defined. Note that the SensorID property must always be specified when creating an HWMONMonitor object.

By default, a severity of Warning is used for all log messages generated. The severity can be explicitly set by changing the Severity property of an HWMONMonitor object. For example, to set the severity to Emergency for the mon1 object, the CLI command would be:

System:/> set HWMONMonitor mon1 Severity=Emergency

Sensor Types

Sensors are of two types:

Numeric sensors - These provide numeric values. For example, temperature or fan speed.
Binary sensors - These provide a value that is either zero or one. For example, a PSU being operational or not operational.

Understanding the thresholds of a numeric sensor is straightforward but binary sensors require some additional explanation. Binary sensors have a value which is either 1 or 0. However, it depends on the sensor which value indicates a "normal" condition. For example, one sensor could indicate that a PSU is installed and its normal value is 1 (the PSU is present). Another sensor might indicate that a PSU has failed and its normal value is 0 (the PSU is operational and has not failed).

The following should be noted about HWMONMonitor object thresholds for binary sensors:

A binary sensor that has a normal value of 1 will have low and high thresholds that are both 1. When the sensor's value becomes 0, this will indicate an abnormal condition.
A binary sensor that has a normal value of 0 will have low and high thresholds that are both 0. When the sensor's value becomes 1, this will indicate an abnormal condition.

Changing Threshold Values

The lower and upper thresholds for an HWMONMonitor object associated with a numeric sensor can be changed from the default, as shown in the following example:

System:/> set HWMONMonitor mon1 LowThresh=-5 HighThresh=100

Note that negative values can be used for temperatures.

	Important: Do not change thresholds of binary sensors
	The thresholds associated with a binary sensor, such as PSU failure, should not be changed by the administrator. The default threshold values should always be used.

Changing the Monitoring Interval for the HWMONMonitor Object

The Interval property of an HWMONMonitor object decides how often, in seconds, the data from the object's associated sensor is examined. A higher value for this property will cause less log messages to be sent. For example, to examine the CPU temperature every 30 seconds, the CLI command would be as follows:

System:/> set HWMONMonitor mon1 Interval=30

Note that this interval does not affect the rate at which the sensors are polled, which is controlled by the global setting SensorRefreshInterval (described at the beginning of this topic). The Interval property only affects the frequency with which the currently stored sensor values are examined by the HWMONMonitor object to determine if a log message should be generated.

Log Messages

A message is generated when the sensor value passes outside the thresholds specified. A second log message is generated when the sensor value passes back inside the thresholds specified. Similarly, for a binary sensor, a log message is generated when the state of the sensor changes in either direction.

The log messages generated by HWMONMonitor objects all belong to the HWMON log message category. As described previously, the severity of the message is Warning by default but this can be changed by setting the Severity property of the HWMONMonitor object generating the message. Below are some examples of the log messages created by user hardware monitoring.

A sensor value above a maximum threshold:

SYSTEM,HWMON: prio=warning id=1081
event=sensor_value_above_monitor_threshold sensorid=”CPU_Temp”
description="CPU Temperature" name="n2" value=81
threshold=80 action=none

A sensor value below a minimum threshold:

SYSTEM,HWMON: prio=warning id=1079
event=sensor_value_below_monitor_threshold sensorid=”CPU_Temp”
description="CPU Temperature" name="n2" value=29
threshold=30 action=none

A sensor value crossing a threshold back to a normal value:

SYSTEM,HWMON: prio=warning id=1082
event=sensor_returned_to_normal sensorid=”CPU_Temp”
description="CPU Temperature" name="n2" value=80
action=none

The Log Repeat Interval

While the sensor value remains outside of its thresholds, a HWMONMonitor object will regenerate the log message, by default, every 6 hours so that the administrator continues to be reminded that the abnormal condition exists.

The default log repeat interval value of 6 hours can be changed by assigning a new value to the LogRepeatInterval property of the HWMONMonitor object. The value is specified as an integer number of seconds. For example, the following command would change the log repeat interval for the monitor called mon1 to become 12 hours:

System:/> Set HWMONMOnitor mon1 LogRepeatInterval=43200

Note that the minimum allowed value for the LogRepeatInterval property is 30 seconds and the maximum is 86,400 seconds (24 hours).

Displaying the Available Sensors

To see all the current available sensors, the hwmon -sensorlist command can be used. The following shows some typical output (the last two right hand columns showing lowest and highest have been truncated to fit the page width):

System:/> hwmon -sensorlist
		
Sensor ID       Description               Unit  Value  Monitor Min    Max
--------------  ------------------------  ----  -----  ------- -----  -----
CPU_Temp        CPU Temperature           C     58     yes     0      98    
System_Temp     System Temperature        C     24     no      0      55    
System_Power    System Power Consumption  W     224    no      0      500   
System_12V      System Internal Power     mV    12126  no      11500  13000 
FAN1_RPM        System FAN1 Speed         RPM   4200   no      1500   6800   
FAN2_RPM        System FAN2 Speed         RPM   4000   no      1500   6800  
FAN3_RPM        System FAN3 Speed         RPM   4100   no      1500   6800  
PSU1_Avail      PSU1 Available            -     1      no      1      1     
PSU1_Fail       PSU1 Failure Detected     -     0      no      0      0    
PSU1_Input_Lost PSU1 Power Input Lost     -     0      no      0      0     
PSU2_Avail      PSU2 Available            -     1      no      1      1   
PSU2_Fail       PSU2 Failure Detected     -     0      no      0      0   
PSU2_Input_Lost PSU2 Power Input Lost     -     0      no      0      0

The following should be noted about the above output:

The Value column indicates the value that the sensor returned when it was last polled. Here, the CPU temperature was 58 degrees when that sensor was last polled.
The Min and Max columns show the default thresholds that will be used if none are explicitly specified when an HWMONMonitor object is created. These default thresholds are fixed and cannot be changed by the administrator.
The value of no under the Monitor column means that no HWMONMonitor object is currently associated with that sensor. If there is at least one HWMONMonitor object associated with the sensor, the value in the column becomes Yes. Disabling an HWMONMonitor object will not affect its associated Yes value in this column.

Displaying the Current HWMONMonitor List

To see all the current HWMONMonitor objects, the hwmon is used with no parameters. The following shows some typical output for two configured HWMONMonitor objects called mon1 and mon2 that are monitoring CPU temperature:

System:/> hwmon
		
Name  Sensor    Description       Value  Low  High  Status  #Low  #High
----  --------  ----------------  -----  ---  ----  ------  ----  -----
mon1  CPU_Temp  CPU Temperature   59     0    98    NORMAL  0     0
mon2  CPU_Temp  CPU Temperature   59     20   70    NORMAL  0     0

Here, the Low and High columns are the currently defined thresholds for these HWMONMonitor objects. The #Low and #High columns are the total number of alarms triggered when the low and high thresholds are passed. Alarms are explained later in this section.

Note that in the above list, there are two HWMONMonitor objects defined for the same sensor. This is permissible and means that separate log messages can be generated for different sensor ranges.

The Status column in the above output indicates the status of the sensor value when it was last examined by the HWMONMonitor object and can show the following values:

NORMAL - The value is within the thresholds.
ALARM:LOW - The value has exceeded the minimum threshold and has not yet returned to normal.
ALARM:HIGH - The value has exceeded the maximum threshold and has not yet returned to normal.
WARNING: RETURN LOW - The value has just returned from being outside the minimum threshold to the normal range. The column will show NORMAL after the next reading of sensor values.
WARNING: RETURN HIGH - The value has just returned from being outside the maximum threshold to the normal range. The column will show NORMAL after the next reading of sensor values.
UNKNOWN STATUS - The possible reasons for this column entry are the following:
1. cOS Stream is in the process of restarting and no values are yet available.
2. The SensorID property of the HWMONMonitor object does not correspond to any sensor in the hardware.
3. The sensor has a fault and is not returning values.

Displaying HWMONMonitor Properties

To see all the properties for an HWMONMonitor object, the hwmon <monitor-name> command can be used. For example, to see all the values for the HWMONMonitor called mon1, the command would be:

System:/> hwmon mon1
Name                       : mon1
Sensor id                  : CPU_Temp
Log severity setting       : warning
Description                : CPU Temperature
Value                      : 58
Low Threshold              : 0
Recommended low threshold  : 0
High Threshold             : 98
Recommended high threshold : 98
Action interval (seconds)  : 5
ALARM:LOW counter          : 1
ALARM:HIGH counter         : 3
Last status                : NORMAL

Note that the Recommended low threshold and the Recommended high threshold in the above output are the default threshold values for the associated sensor.

Sensor Alarms

As shown in the output above, each HWMONMonitor object has two alarm counters associated with it, the ALARM:LOW counter and the ALARM:HIGH counter. These properties of the object can only be read and cannot be manipulated by the administrator.

The following should be noted about the alarm counters:

Alarm counters start at zero after starting cOS Stream and are incremented each time the sensor value passes one of the thresholds.
For binary sensors, such as a PSU fail/not fail sensor, the alarm is incremented when the sensor value changes from 1 to 0, or 0 to 1. It is a change of state from the normal that increments the counter. However, only ALARM:HIGH is incremented if a normal value of 0 changes to 1 and only ALARM:LOW is incremented if a normal value of 1 changes to 0.
Alarm counters are not decremented. This allows the administrator to be able to see the total number of times the alarm has been triggered. The counters are only zeroed when cOS Stream is restarted or when the hardware monitoring is disabled globally and then re-enabled.

2.9.2. System Hardware Monitoring

The sensor information that is gathered by cOS Stream is available to an SNMP client using the SNMP protocol. This type of monitoring is known as System Monitoring.

System monitoring only has one option available that can be set by the administrator, and that is if it is enabled or disabled. All hardware monitoring is enabled by default, but this can be disabled by the following CLI command:

System:/> set Settings HWMONSettings MonitorEnable=No

This will disable both system and user monitoring. Both can be re-enabled with the following command:

System:/> set Settings HWMONSettings MonitorEnable=Yes

This setting affects both system monitoring and user monitoring

2.9.3. Sensors for Clavister Products

The following are the available sensors for the current range of Clavister hardware products running cOS Stream. All fan speeds are given in RPM and temperatures are in degrees centigrade.

NetShield S10

Sensor Name	Sensor Type	Sensor Number	Minimum Limit	Maximum Limit
CPUTemp	TEMP	0	0	80

NetShield P40

Sensor Name	Sensor Type	Sensor Number	Minimum Limit	Maximum Limit
Left_PSU	GPIO	0	1
Right_PSU	GPIO	0	1
SysTemp1	TEMP	256	0	70
SysTemp2	TEMP	257	0	70
SysFan1	FANRPM	256	1500	12800
SysFan2	FANRPM	258	1500	12800
SysFan3	FANRPM	260	1500	12800
SysFan4	FANRPM	260	1500	12800
CPUTemp1	TEMP	512	0	80

NetShield 300 Series

Sensor Name	Sensor Type	Sensor Number	Minimum Limit	Maximum Limit
System Vcore Internal	VOLT	0	0.494	1.744
System 12V Internal	VOLT	1	11.4	13.9
System 5V Internal	VOLT	2	4.8	5.8
System 3.3V Internal	VOLT	3	2.976	3.632
System CMOS Battery	VOLT	4	2.704	3.632
System FAN Speed	FANRPM	5	1400	14000
System Temperature 1	TEMP	6	0	71
System Temperature 2	TEMP	7	0	75
System Temperature 3	TEMP	8	0	85
CPU Core Temperature	TEMP	9	0	85

NetShield 500 Series

Sensor Name	Sensor Type	Sensor Number	Minimum Limit	Maximum Limit
System Vcore Internal	VOLT	0	0.494	1.302
System 3.3V Internal	VOLT	1	3.135	3.465
System 12V Internal	VOLT	2	11.4	12.6
System CMOS Battery	VOLT	3	1.9	3.465
System 5V Internal	VOLT	4	4.75	5.25
System FAN Speed	FANRPM	5	1800	14000
System Temperature 1	TEMP	6	0	80
System Temperature 2	TEMP	7	0	80
CPU Socket Temperature	TEMP	8	0	95

NetShield 6000 Series

Note that where a 6000 Series sensor has maximum and minimum range values which are both zero, this means that no limits are applied and the sensor cannot trigger an alarm. An example of this is the the PSU1 Input Power sensor.

Sensor Name	Sensor Type	Sensor Number	Minimum Limit	Maximum Limit
PSU1 Installed	GPIO	0	0	1
PSU1 Power OK	GPIO	256	0	1
PSU1 Temperature	TEMP	512	0	0
PSU1 Fan Speed	FANRPM	768	5000	14000
PSU1 Output Voltage	VOLT	1024	0	0
PSU1 Output Current	CURR	1280	0	0
PSU1 Input Power	POWER	1536	0	0
PSU1 Output Power	POWER	1792	0	0
PSU2 Installed	GPIO	2048	0	1
PSU2 Power OK	GPIO	2304	0	1
PSU2 Temperature	TEMP	2560	0	0
PSU2 Fan Speed	FANRPM	2816	5000	14000
PSU2 Output Voltage	VOLT	3072	0	0
PSU2 Output Current	CURR	3328	0	0
PSU2 Input Power	POWER	3584	0	0
PSU2 Output Power	POWER	3840	0	0
System Vcore Internal	VOLT	4096	0	1.744
System 3.3V Internal	VOLT	4097	0	0
System 12V Internal	VOLT	4098	11.5	13.0
System CMOS Battery	VOLT	4099	2.9	3.2
System 5V Internal	VOLT	4100	0	0
System FAN1 Speed	FANRPM	4101	6000	14000
System FAN2 Speed	FANRPM	4102	6000	14000
System FAN3 Speed	FANRPM	4103	6000	14000
System Temperature 1	TEMP	4104	0	80
System Temperature 2	TEMP	4105	0	80
Air Intake Temp	TEMP	4105	0	50
CPU Temperature	TEMP	4352	0	95

Chapter 3: Interfaces

An Interface is an important logical building block in cOS Stream. All network traffic that transits through, originates from or is terminated in a Clavister NetShield Firewall, does so through one or more interfaces.

Source and Destination Interfaces

An interface can be viewed as a doorway through which network traffic passes to or from cOS Stream. An interface has one of two functions:

The Source Interface

When traffic arrives through an interface, that interface is referred to in cOS Stream as the source interface (also sometimes known as the receiving or incoming interface).
The Destination Interface

When traffic leaves after being checked against cOS Stream's security policies, the interface used to send the traffic is referred to in cOS Stream as the destination interface (also sometimes known as the sending interface).

All traffic passing through cOS Stream has both a source and destination interface. As explained in more depth later, the special logical interface core is used when cOS Stream itself is the source or destination for traffic.

Interface Types

The Clavister NetShield Firewall supports a number of interface types, which can be divided into the following groups:

Ethernet Interfaces

Each Ethernet interface represents a physical or virtual Ethernet port. All network traffic that originates from or enters a Clavister NetShield Firewall will pass through one of the physical interfaces.

The Clavister NetShield Firewall currently supports Ethernet as the only physical interface type.

Tunnel Interfaces

Tunnel interfaces are used when network traffic is being tunneled between the system and another tunnel end-point in the network, before it gets routed to its final destination. An IPsec tunnel object is such an interface and IPsec is described further in Section 13.2, IPsec Components.

To accomplish tunneling, additional headers are added to the traffic that is to be tunneled. Furthermore, various transformations can be applied to the network traffic depending on the type of tunnel interface. For example, when routing traffic over an IPsec interface, the payload is usually encrypted to achieve confidentiality.

All Interfaces are Logically Equivalent

Even though the different types of interfaces may be very different in the way they function, cOS Stream treats all interfaces as logically equivalent. This is an important and powerful concept and means that all types of interfaces can be used almost interchangeably in the various rule sets and other configuration objects. This results in a high degree of flexibility in how traffic can be examined, controlled and routed.

An extension of this equivalency concept is that no interface is assumed to be connected to trusted "inside" networks or to untrusted "outside" networks. The administrator makes these decisions and implements security policies accordingly.

Interfaces have Unique Names

Each interface in cOS Stream is given a unique name to be able to identify and select it for use with other objects in a configuration. Some interface types, such as Ethernet interfaces, are already provided by cOS Stream with relevant default names that are possible to modify if required.

The any and core Interfaces

In addition, cOS Stream provides two special logical interfaces which are named any and core. The meaning of these are:

any represents all possible interfaces including the core interface.
core indicates that it is cOS Stream itself that will deal with traffic to and from this interface. An example of the use of core is when cOS Stream responds to ICMP "Ping" requests. By specifying the Destination Interface of an IP rule or route as core, cOS Stream will then know that it is itself that is the ultimate destination of the traffic.

3.1. Ethernet Interfaces

The Clavister NetShield Firewall supports Ethernet, Fast Ethernet, Gigabit Ethernet and 10 Gigabit Ethernet interfaces as defined by the IEEE 802.3 standards.

Ethernet Frames

With Ethernet, devices sends data as Ethernet frames and other devices "listen" to determine if they are the intended destination for any of these frames. A frame is a sequence of bits which specify the originating device plus the destination device plus the data payload along with error checking bits. A pause between the sending of individual frames allows devices time to process each frame before the next arrives and this pause is progressively smaller with the faster data transmission speeds.

The EthernetInterface and EthernetDevice Object Types

There are two types of configuration objects that are used to manage Ethernet interface operation: EthernetInterface and EthernetDevice. The EthernetInterface object is used to configure the logical properties of Ethernet operation such as IP address.

The EthernetDevice object is used to specify low level, driver related properties such as link-speed and duplex. It is the EthernetInterface object type that is covered by this section.

Ethernet Interface Properties

The following are the principal properties for an EthernetInterface object:

Interface Name

The names of the Ethernet interfaces are predefined by the system, and are mapped to the names of the physical ports; a system with a wan port will have an Ethernet interface named wan and so on.

The names of the Ethernet interfaces can be changed to better reflect their usage. For example, if an interface named dmz is connected to a wireless LAN, it might be convenient to change the interface name to wireless. For maintenance and troubleshooting, it is recommended to tag the corresponding physical port with the new name.

IP Addresses

Each Ethernet interface is required to have an Interface IP Address. The interface IP address is used as the primary address for communicating with the system through the specific Ethernet interface.

More than one IP address can be allocated to an Ethernet interface.

IPAddress objects are usually used to define the IP addresses of Ethernet interfaces. Those objects are normally auto-generated by the system. This is discussed further in Section 5.3, Auto-generated Address Objects. When cOS Stream is first started, all unconfigured Ethernet interfaces will be assigned default addresses from the localhost sub-network (127.0.0.0/8).
MTU

This determines the maximum size of packets in bytes that can be sent on this interface. By default, the interface uses the maximum size supported.
HACritical/Sync

For HA cluster nodes it is important to identify those interfaces which are critical and those which are designated as sync interfaces. This is explained further in Chapter 22, High Availability.

Listing Ethernet Interfaces

To list all Ethernet interfaces, the CLI command is:

System:/> show Interface EthernetInterface

   Interface Name  IP Addresses  Routing Table
   --------------  ------------  -------------
   if1             10.1.50.102   main
   if2             10.6.58.100   main

The listing shows there are two interfaces. The IP address allocated to each is shown along with the routing table that is associated with them.

Changing the IP Address of an Ethernet Interface

To change the IP address on an interface, there are two methods:

Change the IP address directly on the interface. For example, if we want to change the IPv4 address of the lan interface to 10.1.1.2, we could use the CLI command:
```
System:/> set Interface EthernetInterface if1 IPAddress=10.1.1.2
```
As explained next, this way of changing the IP address is not recommended.
Instead, the if1_ip object in the Address Book should be assigned the new address since it is this object that is used by many other objects such as IP rules. The CLI command to do this would be:
```
System:/> set Address IPAddress if1_ip Address=10.1.1.2
```

Assigning Multiple IP Addresses to an Interface

To assign multiple IPv4 addresses to an interface, assign multiple addresses to the interface's IP object in the address book. Assuming that two IPv4 addresses are defined in the address book as the objects ip1 and ip2 then the CLI for assignment would be:

System:/> set Address IPAddress if1_ip Address=ip1,ip2

If these multiple addresses belong to different networks then it will also be necessary to add an additional route in the relevant routing table since a route will only be added automatically for the first address.

When ip1 and ip2 are both IPv4 addresses belonging to different networks then those networks can also be assigned to the default network object for the interface. Using the example above, the CLI would be:

System:/> set Address IPAddress if1_net Address=ip1_net,ip2_net

Suppose that ip3 is an IPv6 address that is to be assigned to the if1 interface along with the IPv4 address object ip1. Assume also that there is already a corresponding network object defined called ip3_net. In this case a new address object for the interface network must also be defined. First, set the IP addresses for the interface as before:

System:/> set Address IPAddress if1_ip Address=ip1,ip3

Now, set the pre-existing IPv4 address object for the if1 interface network:

System:/> set Address IPAddress if1_net Address=ip1_net

No IPv6 network object exists for the interface so it must be added:

System:/> add Address IPAddress if1_ip6_net Address=ip3_net

Routes for IPv6 interface addresses are not added automatically so a route will also need to be added.

There is no limit to the number of addresses that can be assigned to an interface and this is true for any interface, not just Ethernet interfaces.

Enabling the DHCP Client Function

By default, all Ethernet interfaces have their IPv4 addresses allocated manually. However, any interface can have DHCP client functionality enabled for automatic assignment of IPv4 addresses and this is discussed further in Section 21.3, DHCP Client.

Enabling and Disabling an Ethernet Interface

To disable the interface if1 so that no traffic can flow through it, the CLI command is:

System:/> set Interface EthernetInterface if1 -disable

To enable the disabled interface, the command is:

System:/> set Interface EthernetInterface if1 -enable

Null Interfaces

If the Type property of an EthernetInterface is set to the value Null then the object can be said to be a null interface.

A null interface normally occurs because of either of the following:

The physical interface hardware is no longer present. This might occur when an expansion module is removed from hardware. In a virtual environment the equivalent to this is if a virtual interface is removed from the virtual machine.
The Ethernet interface becomes part of the list of interfaces assigned to the LAGMembers when the link aggregation feature is configured. This is discussed further in Section 3.7, Link Aggregation.

Regardless how a null interface comes about, it may still be referenced by other parts of the configuration. These references will still be valid but any object, such as an IPRule, that references a null interface will usually not perform any function. For example, if traffic is routed to a null interface then the traffic would simply go nowhere.

If the Type property reverts back to Ethernet then the interface will revert back to its original function.

The ifstat command can be used to show all null interfaces but only with the parameter -type set to a value of all or null. For example:

System:/> ifstat -type=null
	
Interface  Zone  IP Address     Type      Routing
                                          Table
---------  ----  -------------  ------    --------
if2              192.168.0.1    Null

3.2. VLAN

Overview

Virtual LAN (VLAN) support in cOS Stream allows the definition of one or more Virtual LAN interfaces which are associated with a particular physical interface. These are then considered to be logical interfaces by cOS Stream and can be treated like any other interface in rule sets and routing tables.

VLANs are useful in several different scenarios. A typical use is to allow one physical Ethernet interface to appear as multiple VLAN interfaces. This means that the number of available physical interface ports need not limit the number of connected external networks.

Another usage is to group together clients and/or hosts in an organisation so that the traffic belonging to different groups is kept completely separate in separate VLANs. Traffic can then only flow between the different VLANs under the control of cOS Stream and is filtered using the security policies described by the rule sets.

As explained in more detail below, VLAN configuration with cOS Stream involves a combination of VLAN trunks from the Clavister NetShield Firewall to switches and these switches are configured with port based VLANs on their interfaces. one or multiple VLANs.

	Note: VLAN traffic can be combined with other traffic
	Any physical interface can carry both non-VLAN traffic as well VLAN trunk traffic at the same time. A physical interface does not need to be devoted to VLAN traffic.

VLAN Processing

The Clavister NetShield Firewall follows the IEEE 802.1Q specification. The specifies how VLAN functions by adding a Virtual LAN Identifier (VLAN ID) to Ethernet frame headers which are part of a VLAN's traffic.

The VLAN ID is a number between 1 and 4094 which is used to identify the specific Virtual LAN to which each frame belongs. With this mechanism, Ethernet frames can belong to different Virtual LANs but can still share the same physical Ethernet link.

The following principles underlie the processing of VLAN tagged Ethernet frames at a physical interface:

Ethernet frames received on a physical interface by cOS Stream, are examined for a VLAN ID. If a VLAN ID is found and a matching VLAN interface has been defined for that interface, cOS Stream will use the VLAN interface as the logical source interface for further rule set processing.
If there is no VLAN ID attached to an Ethernet frame received on an interface then the frame is treated in the normal way and not as coming from a VLAN.
If VLAN tagged traffic is received on a physical interface and there is no VLAN defined for that interface in the configuration with a corresponding VLAN ID then that traffic is dropped by cOS Stream and an unknown_vlanid log message is generated.
The VLAN ID must be unique for a single physical interface but the same VLAN ID can be used on more than one physical interface. In other words, the same VLAN can span many physical interfaces.
A physical interface does not need to be dedicated to VLANs and can carry a mixture of VLAN and non-VLAN traffic.

VLAN Connections

The illustration below shows the connections for a typical VLAN scenario.

Figure 3.1. VLAN Connections

With VLANs, the physical connections are as follows:

One or more VLANs are configured on a physical Clavister NetShield Firewall interface and this is connected directly to a switch. This link acts as a VLAN trunk. The switch used must support port based VLANs. This means that each port on the switch can be configured with the ID of the VLAN or VLANs that a port is connected to. The port on the switch that connects to the firewall should be configured to accept the VLAN IDs that will flow through the trunk.

In the illustration above the connections between the interfaces if1 and if2 to the switches Switch1 and Switch2 are VLAN trunks.
Other ports on the switch that connect to VLAN clients are configured with individual VLAN IDs. Any device connected to one of these ports will then automatically become part of the VLAN configured for that port. In Cisco switches this is called configuring a Static-access VLAN.

On Switch1 in the illustration above, two interfaces are configured to be dedicated to VLAN1 and the third to VLAN2.

The switch could also forward trunk traffic from the firewall into another trunk if required.
More than one interface on the firewall can carry VLAN trunk traffic and these will connect to separate switches. More than one trunk can be configured to carry traffic with the same VLAN ID.

Summary of VLAN Setup

Below are the key steps for setting up a VLAN interface.

Assign a name to the VLAN interface.
Select the interface for the VLAN. Either a physical interface or another VLAN object which has been configured as a service VLAN.
Assign a VLAN ID that is unique on the physical interface.
Optionally specify an IP address for the VLAN. If not specified, it defaults to the address of the associated interface.
Optionally specify an IP broadcast address for the VLAN.
Create the required route(s) for the VLAN in the appropriate routing table.
Create rules in the IP rule set to allow traffic through on the VLAN interface.

For a standard, non-service VLAN, the Type property does not need to be specified. This is only required for a service (QinQ or stacked) VLAN. See Section 3.3, Service VLANs for more about this topic.

It is important to understand that the administrator should treat a VLAN interface just like a physical interface in that they require both appropriate IP rules and routes to exist in the configuration for traffic to flow through them. For example, if no IP rule with a particular VLAN interface as the source interface is defined allowing traffic to flow then packets arriving on that interface will be dropped.

Enabling the DHCP Client Function

By default, all VLAN interfaces have their IPv4 addresses allocated manually. However, any interface can have DHCP client functionality enabled for automatic assignment of IPv4 addresses and this is discussed further in Section 21.3, DHCP Client.

VLAN advanced settings

There is a single advanced setting for VLAN:

Unknown VLAN Tags

What to do with VLAN packets tagged with an unknown ID.

Default: DropLog

Example 3.1. Defining a VLAN

This example defines a VLAN called vlan_1 with a VLAN ID of 1. The IP address of the VLAN is assumed to be already defined in the address book as the object vlan1_ip.

Command-Line Interface

System:/> add Interface VLAN vlan_1
			BaseInterface=if3
			IPAddress=vlan1_ip
			VLANID=1

3.3. Service VLANs

To provide a VLAN solution in certain scenarios, it is possible to wrap traffic from multiple VLANs inside a single parent VLAN. This technique is referred to Q-in-Q VLANs or Stacked VLANs.

The same VLAN object is used to implement a Q-in-Q VLAN, with the Type property set to 88a8. The Type property corresponds to the TPID setting in the VLAN tag and this is explained further at the end of this section.

After the service VLAN object is defined, a non-service VLAN object can be placed inside it by setting its BaseInterface property to be the service VLAN object. This is demonstrated in the example below.

A Service VLAN Use Case

A Clavister NetShield Firewall can act as a terminator for a service VLAN. A typical use case for service VLAN termination is illustrated in the diagram below.

Figure 3.2. A Service VLAN Use Case

Here, corporate departments A and B each use two VLANs where the VLAN IDs 10 and 20 can be duplicated. A switch in each department connects it to another central corporate switch using the unique VLAN IDs 101 and 102. This central switch can now connect to the Clavister NetShield Firewall using a single service LAN which tunnels the 101 and 102 VLANs.

Defining a Service VLAN

A standard VLAN object is used to define a service VLAN but the Type property for the object is set to 0x88a8. This Type property corresponds to the TPID setting in the VLAN tag and this is explained further below.

After the service VLAN object is defined, a non-service VLAN object can be placed inside it by setting its Base Interface property to be the service VLAN object. This is demonstrated in the example below.

Example 3.2. Defining a Service VLAN

This example defines a service VLAN called svlan_A with an ID of 100 on the physical interface if3. The IP address will default to the IP of the physical interface.

Command-Line Interface

System:/> add Interface VLAN svlan_A
			Type=88a8
			BaseInterface=if3
			VLANID=100

A VLAN object can now be added to this:

System:/> add Interface VLAN vlan1
			BaseInterface=svlan_A
			VLANID=1

The Complete List of Type Values

The complete list of values that can be used for the Type property in a VLAN object is shown below.

TPID (Hexadecimal)	Decimal Equivalent	Description
8100	33024	IEEE 802.1Q VLAN (the default)
88a8	34984	IEEE 802.1ad Service VLAN
9100	37120	0x9100 VLAN
9200	37376	0x9200 VLAN
9300	37632	0x9300 VLAN

The Type property specifies the Modified Tag Protocol Identifier (TPID) in the VLAN tag. The value is hexadecimal, so specifying 8100 for the Type corresponds to the hexadecimal number 0x8100.

Since the VLAN object defaults to a Type of 8100 (a standard VLAN), the only Type usually needed is 88a8 to specify a service VLAN. The last three entries in the list may be needed to provide interoperability with external equipment from some manufacturers.

Service VLANs within Service VLANs

The BaseInterface property of a service VLAN object can be another service VLAN object. In other words, one service VLAN can contain another service VLAN.

Although unusual beyond a couple of levels, cOS Stream permits up to 16 levels of nesting, with a VLAN object at the first level wrapped by a maximum of 15 levels of nested service VLAN objects.

3.4. Interface Groups

Any set of interfaces can be grouped together into an InterfaceGroup object. This can then be used in creating security policies in the place of a single group. When an InterfaceGroup is used, for example, as the source interface in an IP rule , any of the interfaces in the group could provide a match for the rule.

An InterfaceGroup can consist of ordinary Ethernet interfaces or it could consist of other types such as VLAN interfaces or VPN Tunnels. Also, the members of a group do not need to be the same type. For example, a group might consist of a combination of two Ethernet interfaces and a VLAN interface.

Configuration Usage of Interface Groups

An InterfaceGroup object can be referenced by the same object types and object properties that can reference the Zone object. A list of these can be found in Section 3.5, Zones.

Differences with Zones

The Zone object is similar to an InterfaceGroup object except that an interface points to a single Zone object whereas an InterfaceGroup points to one or more interfaces. Both can be used in a standalone firewall to provide a way to reference multiple interfaces with a single object. However, the Zone object is specifically designed to allow the deployment of a common configuration rule across multiple firewalls when they are under management by InCenter.

Example 3.3. Creating an Interface Group

This example creates an InterfaceGroup object with the two interface members if1 and if2.

Command-Line Interface

System:/> add Interface InterfaceGroup my_if_group Members=if1,if2

3.5. Zones

A Zone object is a means for grouping together interfaces. More specifically, it provides a means for grouping together both interfaces on a single firewall as well as interfaces across multiple firewalls when they are under management control by InCenter.

To define such a grouping of interfaces, a named Zone object is first created and then this is assigned to the Zone property of the interfaces within the zone. One interface can only reference a single zone but many interfaces may reference the same zone.

This is similar to the way InterfaceGroup objects are used. However, unlike an InterfaceGroup, which can refer to one or more interfaces, the referencing with zones is in the reverse direction and it is one-to-one; a single Zone object can be referred to by an interface.

The Intended Purpose of Zones with InCenter

The intended usage of zones, and why they are needed in addition to InterfaceGroup objects, is to be able to specify a global configuration rule in InCenter, such as an IPRule, which can then be deployed to multiple firewalls. The firewalls involved may have different interface types and naming but the zone membership of these interfaces will allow the deployed rule to be applied successfully.

When using zones in this way, the assignment of a zone to an interface should be done in InCenter after the firewall has been brought under centralized management device as a global device (which will reset the firewall's configuration to the factory default on import).

However, it is also possible for the feature to be used on a firewall not under InCenter control, as an alternative to using InterfaceGroup objects.

Object Types That Can Use Zones

Like an InterfaceGroup, a Zone can be referred to by Ethernet interfaces or it could be referred to by other interface types such as VLAN interfaces or IPsec Tunnels. In addition, different interface types can refer to the same Zone. For example, an Ethernet interface and a VLAN interface might have their Zone property set to the same Zone object.

A Zone object can be used in any of the following object types and properties:

SSLVPNServer - SourceInterface.
GRETunnel - SourceInterface.
IPsecTunnel - SourceInterface.
IPsecManualKeyedTunnel - SourceInterface.
IPRule - SourceInterface and DestinationInterface.
TrafficShapingRule - SourceInterface and DestinationInterface.
AccessRule - Interface.
RemoteMgmtSSH - SourceInterface and DestinationInterface.
RemoteMgmtSNMP - SourceInterface and DestinationInterface.
RemoteMgmtSNMP3 - SourceInterface and DestinationInterface.
BGPNeighbor - SourceInterface.
ThresholdRule - SourceInterface and DestinationInterface.
RoutingRule - SourceInterface.
WhitelistRule - SourceInterface.
IPSRule - SourceInterface and DestinationInterface.

Zones Appear in Log Messages

Where zones can be used with a configuration object, the zone settings will appear in log messages related to the object being triggered. Below is an example log message that shows this:

prio=warning id=00000 event=no_route_to_source srcip=fe80::1
pkt_flowdir=n/a pkt_srchw=00:50:56:c0:00:0b pkt_ipver=6 pkt_proto=UDP
pkt_recvif=if2 pkt_recvzone=FriendZone pkt_srcip=fe80::1
pkt_destip=ff02::1:2 pkt_srcport=546 pkt_destport=547 iface=if2
zone=FriendZone action=drop

If an interface object property has not been assigned a zone object then it will appear as "n/a" in the log message (short for Not Assigned). The example log message below illustrates this:

prio=warning id=00000 event=no_source_route_for_packet
srchw=00:50:55:c0:00:0c srcip=fc03::64 destip=ff02::1:ff00:1
targetip=fc03::1 pkt_flowdir=n/a pkt_srchw=00:50:55:c0:00:0c
pkt_ipver=6 pkt_proto=ICMPv6 pkt_recvif=if3 pkt_recvzone=n/a
pkt_srcip=fc03::64 pkt_destip=ff02::1:ff00:1 pkt_type=135
pkt_code=0 pkt_id=0 iface=if3 zone=n/a action=drop

Example 3.4. Creating a Zone and Setting a Reference to the Zone

This example creates a Zone called my_zone1 and then sets the interfaces if1 and if2 to belong to it. Finally, an IPRule object is created to allow traffic from my_zone1 to a second zone called my_zone2. It is assumed that my_zone2 has already been created and contains other interfaces.

Command-Line Interface

1. Create the new Zone object:

System:/> add Interface Zone my_zone1

2. Set interface if2 to belong to the zone:

System:/> set Interface EthernetInterface if1 Zone=my_zone1

3. Set interface if3 to belong to the zone:

System:/> set Interface EthernetInterface if2 Zone=my_zone1

4. Create an IP rule to allow traffic from my_zone1 to a second zone called my_zone2:

System:/> cc RuleSet IPRuleSet main
System:/IPRuleSet/main> add IPRule Action=Allow
			Service=all_services
			SourceInterface=my_zone1
			SourceNetwork=all-nets
			DestinationInterface=my_zone2
			DestinationNetwork=all-nets
			Name=allow_zone1_to_zone2

3.6. Security/Transport Equivalence

Any interface, either physical or logical (for example, an IPsec tunnel or VLAN), has the property SecurityEquivalentInterfaces. By default, this has the value <empty> which means that both the incoming data and outgoing traffic for any data flow associated with the interface must be through that same interface, otherwise the traffic will be dropped by cOS Stream.

In some situations, however, it may be desirable that a flow's traffic leaves on one interface and arrives on a different interface. This might happen, for example, when using route failover or OSPF or with traffic to the Clavister NetShield Firewall coming from an external load-balancer. In these cases, the interfaces involved must have their SecurityEquivalentInterfaces property set to the other interfaces in the group which can be involved in a flow. All the interfaces in this group of interfaces are now said to be security/transport equivalent. Such a group must consist of at least 2 interfaces and could consist of several interfaces.

The following should be noted when using this feature:

Setting the SecurityEquivalentInterfaces interface property needs to be done only for a single interface in a group of interfaces since cOS Stream will automatically set the SecurityEquivalentInterfaces property for the other interfaces specified to the correct value.
To remove an interface from a group of security/transport equivalent interfaces, the SecurityEquivalentInterfaces interface property on just that one interface needs to be set to nothing. cOS Stream will then automatically update the other interfaces in the group so their SecurityEquivalentInterfaces property has that interface removed. If there were only two interfaces in the group to start with, both will no longer have their SecurityEquivalentInterfaces property set to a value.

Example 3.5. Setting the Security/Transport Equivalent Interface Property

Assume that the configuration has 3 Ethernet interfaces called if1, if2 and if3. All three are to be part of the same security/transport equivalent group.

Command-Line Interface

System:/> set Interface EthernetInterface if1
			SecurityEquivalentInterfaces=if2,if3

Suppose now that the interface if1 is to be removed from this group. This is done by setting the same property to no value (<empty>):

System:/> set Interface EthernetInterface if1
			SecurityEquivalentInterfaces=<empty>

The interface if2 and if3 will still be part of the same security/transport equivalent group but now with only 2 members.

3.7. Link Aggregation

Introduction

Where individual physical Ethernet interfaces of a firewall cannot provide the bandwidth required for a specific stream of traffic, it is possible to use the Link Aggregation feature to combine two or more physical interfaces together so they act as a single interface when connected to an external switch. This feature is sometimes referred to using the names Link Bundling or NIC Teaming.

Setting Up Link Aggregation

Link aggregation is configured in cOS Stream by setting the value of the LAGEnabled property of a single primary EthernetInterface object to a value of Yes. Other secondary EthernetInterface objects that will be part of this link aggregation are then assigned as a list to the primary interface's LAGMembers property. This list must also include the primary interface itself.

The following should be noted about the resulting aggregated interfaces:

The primary EthernetInterface object (with its LAGEnabled property enabled) will represent the aggregated interfaces in the configuration and can be referenced like a normal Ethernet interface. For example, the interface could be referenced by a Route or an IPRule object. cOS Stream will automatically spread traffic flows between all the physical interfaces that are part of the aggregation.
The logical name of the primary EthernetInterface object is automatically changed by cOS Stream so that it has the suffix "_lag". For example, the interface called if1 would become if1_lag.

In addition, all references in the configuration to the original primary interface name will become references to the name with the _lag suffix and the name without the suffix can no longer be used in new references.

Note that the address object names associated with the _lag interface are not changed.
The source IP address for all packets sent out on all the aggregated interfaces will be the IP address assigned to the primary _lag interface.
If the LAGEnabled property is later set to No, the primary interface name will not revert back to its original name.
The secondary aggregated interfaces that are specified in the LAGMembers property will be treated as null interfaces. This means that any other object that references them can still exist but will not have any function in the configuration.

If a secondary interface is removed from the LAGMembers list, its Type property will be reset to its original value of Ethernet and the interface can again be used as a normal Ethernet interface.

Null interfaces are discussed further at the end of Section 3.1, Ethernet Interfaces.
If desirable, it is possible to create a new logical primary EthernetInterface object that does not correspond to a physical interface, enable link aggregation on it and then add one or more actual physical interfaces as the secondary link aggregation members.

	Important: Some changes require a system restart
	The system will require a restart if changes are made to the interfaces that make up an aggregation. In other words, if a change is made to the properties LAGEnabled, LAGMembers or LAGMode.

An Example Use Case

An example use case for link aggregation is where the firewall might only have multiple one Gigabit Ethernet interfaces available but the traffic flow requirement is for a bandwidth of three Gigabits. Link aggregation can combine the capacities of separate physical interfaces into a single logical aggregated interface to meet this requirement.

The diagram below illustrates such a scenario, where three 1Gb networks need to communicate with a 10Gb network backbone through a firewall which has only 1Gb interfaces. Three of the firewall's 1Gb interfaces are connected to a single external switch and grouped into a single aggregated logical interface. The switch then provides the 10Gb link to the backbone.

Figure 3.3. A Link Aggregation Use Case

Configuring the Mode

The LAGMode property of the primary link aggregation interface can be set to one of the following communication mode types, and this should match the way the connected external switch is configured:

The LACP (IEEE 802.3ad) type which uses negotiation between the switch and cOS Stream to manage traffic loading.
One of the static mode types which does not use negotiation with cOS Stream. Instead, different load balancing strategies can be selected and then implemented by cOS Stream.

These two mode types are explained next.

Using the LACP (IEEE 802.3ad) Mode

The LACP (Link Aggregation Control Protocol) mode means that the aggregation process is negotiated directly with the connnected switch. The switch must therefore also be configured to use LACP. With LACP, if a physical link become inoperative, cOS Stream will only try to send traffic over the remaining operational links.

The advantage of using LACP over one of the static modes is that cOS Stream will try to send a limited number of packets over the failed link before it switches to an alternate, working link. This means that the flow will not be dropped and the remote endpoint will experience only minor packet loss.

There are a number of interface properties that are specific to LACP and these are listed under the EthernetInterface object section of the separate CLI Reference Guide.

Using a Static Mode

When using one of the static modes, cOS Stream cannot know if one of the interfaces in the aggregation is not working and will try to send the traffic anyway. There is no negotiation taking place between cOS Stream and the connected switch. This means that on link failure, a flow can be dropped entirely.

However, selecting one of the static modes can provide specific properties to the traffic aggregation which can be desirable in particular circumstances. Any one of the following values can be assigned to the LAGMode property to determine the mode:

RoundRobin

This provides load balancing and fault tolerance by transmission of packets in sequential order from the first available interface through to the last. Packets are bulk dequeued from devices then serviced in a round-robin manner. However, this does not guarantee the correct order and down-stream devices should be able to handle out of order packets.
ActiveBackup

With this mode, only one interface in the aggregation is active at any one time. The initial interface to use is the primary interface but another initial interface can be designated using the LAGActiveBackupPrimary property. If this property is not set, the first interface in the LAGMembers list will be chosen as the active interface.

A different interface becomes active only if the currently active interface fails. The next active interface selected is the next non-active interface in the list specified by the LAGMembers property.

Note that the single logical interface’s MAC address is externally visible on only one physical port at a time to avoid confusing the connected switch.
BalanceXOR

This provides transmit load balancing by selecting the sending interface based on a XOR calculation using the parameters specified by the LAGTxPolicy property. This means that packets with the same policy parameters are sent on the same interface. The LAGTxPolicy value choices along with the parameters that are combined to select the sending interface are the following:
1. L2 - The source and destination MAC addresses (the default).
2. L2L3 - The source and destination IP addresses.
3. L3L4 - The source and destination IP addresses plus the TCP/UDP source and destination ports.
Broadcast

This mode provides fault tolerance by transmitting packets on all aggregated interfaces.
BalanceTx

This mode provides adaptive load balancing for data transmission. It dynamically assigns the transmitting interface based on loading. Statistics are collected in 100 milliseconds intervals and interface rebalancing is performed every 10 milliseconds.
BalanceRxTx

This mode includes both adaptive transmit load balancing (described above) as well as receive load balancing. For receive load balancing, only the interface with the least load responds to the ARP message sent by the switch before the switch transmits the data.

All link aggregation related properties are listed under the EthernetInterface object section of the separate CLI Reference Guide.

Physical Interface Requirements

The following are the requirements for the physical Ethernet interfaces on the firewall that are aggregated together:

A maximum of 16 physical interfaces can be aggregated together into a single logical interface. In other words, the initial interface plus 15 other interfaces assigned as a list to the LAGMembers property.
All the physical interfaces that are aggregated together must operate at the same link speed.
All the physical interface connections for the aggregated interfaces must be connected to the same external switch.

Connecting to the External Switch

The physical cable links between the firewall and the external switch can be made either before or after defining link aggregation in a configuration and activating the changed configuration. cOS Stream will try to send data on the aggregated interfaces as soon as the configuration changes become active.

However, it is recommended that the physical cabling is in place before link aggregation is activated. This will provide the behavior which is expected from the feature and is particularly relevant if negotiated aggregation (LACP) is used.

Setting the Link Aggregation MTU Value

It is possible to set a specific MTU property value on the primary link aggregation interface and this value will then be used across all of its LAGMembers interfaces.

Setup with High Availability

When using link aggregation with HA, the flows from the Ethernet ports on each firewall in the HA cluster can connect to the same or different switches. However, if using the same switch, the switch must be configured so that the flows from each firewall are kept separate by creating two link aggregation groups in the switch.

Checking Link Aggregation Setup with the ifstat Command

When link aggregation has been set up, it is possible to check the status of the interfaces involved by using the ifstat CLI command with the interface name as a parameter. The output will be different depending on if the interface being viewed is the primary interface or if it is one of the member interfaces. The output for the primary interface will be different depending on if LACP is being used or if one of the static modes is used.

For example, suppose that the interface called lag1 is the primary interface and the other secondary members are the interfaces called if8 and if9. The following might be the first part of the output from the ifstat command for the primary interface when LACP is being used:

System:/> ifstat lag1
Interface lag1:
  IP Address     : 172.27.0.90
  Private IP     : 172.27.0.240
  Peer IP        : 172.27.0.249
  MAC            : 00:50:56:32:b6:89
  MAC HA Private : 10:00:00:0e:00:9d
  MAC HA Shared  : 10:00:00:0e:00:5d
  Driver         : bond
  Mode           : LACP (IEEE 802.1AX)
  Members        : if8 (link up) (up) [active, aggregation,
			synchronization, collecting, distributing]
                 : if9 (link up) (up) [active, aggregation,
			synchronization, collecting, distributing]
  Chksum offload : Unsupported
  Receive mode   : Promiscuous
  MTU            : 1500
  Routing Table  : main
  Zone           : <empty>
  Status         : 2 Gbps full duplex

The Mode line above indicates that LACP is being used. The Members line indicates the status of each of the members in the aggregation. The initial 3 fields in the line for each member are the following, in order with possible values:

Member interface name.
Physical link status - link up / link down.
LACP negotiation state - down / negotiating / mismatch / up.

When LACP is used, LACP flags are output inside square brackets (as shown above) and these can include any of the following in order:

active (initiating) / passive (listening).
aggregation - LCAP is enabled.
synchronization - Partner parameter synchronization.
defaulted - Partner parameters are defaulted.
collecting - Receiving.
distributing - Sending.
expired - Timed out.

For the interface if8, the ifstat command output indicates link aggregation membership with the LAG line. This is shown at the end of the partial ifstat output below:

System:/> ifstat if8
Interface if8:
  IP Address     : 0.0.0.0
  MAC            : 00:50:56:32:b6:89
  MAC HA Private : 10:00:00:0c:00:9d
  MAC HA Shared  : 10:00:00:0c:00:5d
  Device         : if8
  Driver         : em
  LAG            : lag1
  Chksum offload : Supported
  Receive mode   : Promiscuous
  MTU            : 1500
  Routing Table  : main
  Zone           : <empty>
  Status         : Link aggregation member (sink)

The LAG line does not indicate if LACP or a non-LACP mode is being used, only which primary interface it is an aggregated member of.

The following partial output from ifstat for the primary interface called lag2 shows how only the link status for each member is shown when a non-LACP (static) mode is used (in this case Balance XOR):

System:/> ifstat lag2
Interface lag2:
  IP Address     : 172.27.0.90
  Private IP     : 172.27.0.240
  Peer IP        : 172.27.0.249
  MAC            : 00:50:56:32:b6:89
  MAC HA Private : 10:00:00:0e:00:9d
  MAC HA Shared  : 10:00:00:0e:00:5d
  Driver         : bond
  Mode           : Balance XOR
  Members        : if8 (link up)
                 : if9 (link up)
  Chksum offload : Unsupported
  Receive mode   : Promiscuous
  MTU            : 1500
  Routing Table  : main
  Zone           : <empty>
  Status         : 2 Gbps full duplex

Example 3.6. Link Aggregation Setup

In this example, the Ethernet interface if1 will be the primary link aggregation interface. The secondary interfaces if2 and if3 will be aggregated as members with if1.

The distribution method over the three interfaces will be BalanceXOR based on the L2 policy (use source and destination MAC addresses).

Command-Line Interface

System:/> set Interface EthernetInterface if1
			LAGEnabled=Yes
			LAGMembers=if1,if2,if3
			LAGMode=BalanceXOR
			LAGTxPolicy=L2

Any existing references to if1 will now become references to if1_lag and any new references should be to if1_lag. After activating the above change, the system must also be restarted.

To undo the aggregation, the command would be:

System:/> set Interface EthernetInterface if1_lag LAGEnabled=No

Note that after the above command, the if1_lag interface name will be unchanged and will not revert to if1. Note also that after activating this change, the system must also be restarted.

3.8. GRE Tunnels

Overview

The Generic Router Encapsulation (GRE) protocol is a simple, encapsulating protocol that can be used whenever there is a need to tunnel traffic across networks and/or through network devices.

Using GRE

GRE is typically used to provide a method of connecting two networks together across a third network such as the Internet. The two networks being connected together communicate with a common protocol which is tunneled using GRE through the intervening network. Some examples of reasons to use GRE might be the following:

Traversing network equipment that blocks a particular protocol.
Tunneling IPv6 traffic across an IPv4 network or tunneling IPv4 traffic across an IPv6 network.
Where a UDP data stream is to be multicast and it is necessary to transit through a network device which does not support multicasting, GRE can allow tunneling through the device.

GRE Security and Performance

A GRE tunnel does not use any encryption and is therefore not, in itself, secure. Any security must come from the protocol being tunneled. The advantage of GRE's lack of encryption is the high performance which is achievable because of the low traffic processing overhead.

The lack of encryption might be acceptable in some circumstances if the tunneling is done across an internal network that is not public.

Creating a GRE Tunnel

In cOS Stream, a GRE tunnel can be treated as a logical interface and has the same filtering, traffic shaping and other configuration capabilities as, for example, an Ethernet interface. Setting up a GRE tunnel requires the following steps:

Create a new GRETunnel object. This requires at minimum, an IP address for both the local endpoint and the remote endpoint of the tunnel.
Add a Route to the main routing table that routes traffic destined for the remote network into the tunnel.
If required, add a Route that routes the tunnel endpoint IP address on the correct interface. This route is added to the routing table specified by the tunnel property RoutingTableMembership if it has been set. If it is not set, the main routing table is used by default.

	Caution: Check for possible looping in added routes
	When configuring GRE routing, it is important to check that routes do not lead to looping of traffic. For example, outer GRE tunnel traffic routed back into the same tunnel.

Mandatory GRETunnel Properties

The following properties are required as a minimum when configuring a GRETunnel object:

LocalEndpoint

This is the IP address of the tunnel's local endpoint. The address type can be IPv4 or IPv6 but the type must match the type of the RemoteEndpoint property. However, the traffic inside the tunnel could be either IPv4 or IPv6, regardless of the endpoint IP type.
RemoteEndpoint

This is the IP address of the remote device which the tunnel will connect with.

Optional GRETunnel Properties

Some of the important optional properties that might be used with a GRE tunnel are the following:

IPAddress

This is the IP address (either IPv4 or IPv6) of the local endpoint inside the tunnel on the local side. If not set, the default value is a zero address.

The specified IP address could be used for any of the following example purposes:
1. An ICMP Ping can be sent through the tunnel to this endpoint.
2. The source IP address of log messages sent through the tunnel from the local tunnel interface.
3. If NAT is being used then it will not be necessary to set the source IP on the IP rule that performs NAT on traffic going into the tunnel. This IP address will automatically be used as the source address for the outgoing traffic.
SourceInterface

The interface or interfaces on which to listen for incoming GRE flows. More than one interface can be specified by using an InterfaceGroup object.

If not specified, a value of any will be used for this property.
SessionKey

A unique integer number can optionally be specified for a tunnel. This allows more than one GRE tunnel to run between the same two endpoints with this value used to distinguish between them. The session key used by each tunnel peer must match.
RoutingTableMembership

This defines the routing table to be used for the traffic inside the tunnel. The Route object that is added to send the relevant traffic through the tunnel must be added to this routing table. If not specified, the main routing table will be used.
OuterRoutingTable

This defines the routing table to be used for the outer tunnel traffic. In other words, for the tunnel setup itself. If not specified, the main routing table will be used.

A list of all properties can be found under the GRETunnel entry in the separate CLI Reference Guide.

GRE Tunnels and IP Rule Sets

Network traffic coming from the GRE tunnel will be transferred to the cOS Stream IP rule set for evaluation. The source interface of the network traffic will be the name of the associated GRE Tunnel.

The same is true for traffic in the opposite direction, that is, going into a GRE tunnel. Furthermore a Route has to be defined so that cOS Stream knows which traffic should be sent through the tunnel.

A Typical GRE Scenario

The diagram below shows a typical GRE scenario, where two firewalls labeled A and B must communicate with each other through the intervening internal network 172.16.0.0/16.

Figure 3.4. A Typical GRE Scenario

Any traffic passing between A and B is tunneled through the intervening network using a GRE tunnel. Since the network is internal and not passing through the public Internet, there is no need for encryption.

The setup for the two firewalls are described next.

Part 1. Setup for firewall A

Assuming that the network 192.168.10.0/24 is lannet on the lan interface, the steps for setting up cOS Stream on A are:

In the address book set up the following IP objects:
- remote_net_B: 192.168.11.0/24
- local_gw: 172.16.0.1
- remote_gw: 172.16.1.1
- ip_GRE: 192.168.10.1
Create a GRE Tunnel object called GRE_to_B with the following parameters:
- IPAddress: ip_GRE
- LocalEndpoint: local_gw
- RemoteEndpoint: remote_gw
- SessionKey: 1
Define a route in the main routing table which routes all traffic to remote_net_B on the GRE_to_B GRE interface.
Create the following entries in the IP rule set that allow traffic to pass through the tunnel:

Name	Action	Src Int	Src Net	Dest Int	Dest Net	Service
To_B	Allow	lan	lannet	GRE_to_B	remote_net_B	all_services
From_B	Allow	GRE_to_B	remote_net_B	lan	lannet	all_services

The CLI commands for firewall A setup are given in Example 3.7, “GRE Tunnel Setup”.

Part 2. Setup for firewall B

Assuming that the network 192.168.11.0/24 is lannet on the lan interface, the steps for setting up cOS Stream on B are as follows:

In the address book set up the following IP objects:
- remote_net_A: 192.168.10.0/24
- local_gw: 172.16.1.1
- remote_gw: 172.16.0.1
- ip_GRE: 192.168.11.1
Create a GRE Tunnel object called GRE_to_A with the following parameters:
- IPAddress: ip_GRE
- LocalEndpoint: local_gw
- RemoteEndpoint: remote_gw
- SessionKey: 1
Define a route in the main routing table which routes all traffic to remote_net_A on the GRE_to_A GRE interface.
Create the following entries in the IP rule set that allow traffic to pass through the tunnel:

Name	Action	Src Int	Src Net	Dest Int	Dest Net	Service
To_A	Allow	lan	lannet	GRE_to_A	remote_net_A	all_services
From_A	Allow	GRE_to_A	remote_net_A	lan	lannet	all_services

Checking GRE Tunnel Status

IPsec tunnels have a status of being either up or not up. With GRE tunnels this does not apply. The GRE tunnel is considered established if it exists in the configuration.

However, it is possible to get more information about a GRE tunnel by using the ifstat CLI command. For example, if a tunnel is called gre_interface then the following command can be used:

System:/> ifstat my_gre_interface

Example 3.7. GRE Tunnel Setup

This example shows how to configure the GRE tunnel for firewall A from the setup scenario described previously in this section. The raw IP addresses will be used instead of references to address book objects.

Command-Line Interface

Add the GRE tunnel:

System:/> add Interface GRETunnel GRE_to_B
			LocalEndpoint=172.16.0.1
			RemoteEndpoint=172.16.1.1
			RoutingTableMembership=my_gre_rt
			IPAddress=192.168.11.1
			SessionKey=1

Add a route to send traffic to the remote network:

System:/> cc RoutingTable my_gre_rt
System:/RoutingTable/my_gre_rt> add Route Interface=GRE_to_B
			Network=192.168.11.0/24

The tunnel GRE_to_A would be configured in a similar way on firewall B.

3.9. Using Jumbo Frames

By default, Ethernet interfaces in cOS Stream operate with a default maximum packet payload size of 1500 bytes. By changing the global packet buffer size for cOS Stream, this maximum payload size can be increased for all interfaces. The size can be increased up to a maximum value of 9 kilobytes (9216 bytes), which corresponds to a maximum payload of 9000 bytes.

This ability to handle extra large packet sizes is a feature which is sometimes referred to as jumbo frames.

	Note: Only virtual environments support jumbo frames
	The jumbo frames feature is applicable only to virtual environments. Clavister hardware products do not support the feature.

Jumbo Frames Can Increase Throughput

Changing the packet buffer size to a value that matches the larger packet size of surrounding network equipment can increase overall firewall throughput since large packets may no longer need to be fragmented. However, increasing the buffer size will also increase the memory resources used.

It should also be noted that if packets much less than the increased packet buffer size need to be frequently processed, this could reduce throughput, so understanding the expected packet sizes is important.

Setting Up an Increased Packet Buffer Size

The following steps should be used to increase the packet buffer size:

Change the global setting PacketBufferSize to a new value. For example, the following command will increase the buffer size for the system to the maximum value of 9 kilobytes:
```
System:/> set Settings InterfaceSettings PacketBufferSize=9kB
```
The value 9kB is a predefined value for this setting which can be used instead of specifying the number 9216. The other predefined values are 4kB (4096 bytes), and the value Default which is the standard size of 1522 bytes.
Change the MTU on interfaces that will transmit the larger packet size. For example:
```
System:/> set Interface EthernetInterface if1 MTU=9000
```
Note that an MTU of 9000 would be used with the maximum packet buffer size of 9 kilobytes.

Increase the maximum packet length for the relevant protocols. For example, to change the maximum TCP payload:

System:/> set TCPSettings TCPMSSMax=8960

To change IP payloads:

System:/> set LengthLimSettings MaxTCPLen=8980

System:/> set LengthLimSettings MaxOSPFLen=8980

System:/> set LengthLimSettings MaxOtherSubIPLen=8980

Following activation of these configuration changes, the system must be restarted so that memory is correctly reallocated.

Verified Features

The following cOS Stream features have been verified to function correctly with a larger packet buffer size:

Packet forwarding.
IPS scanning.
Threshold rules.
BGP.
OSPF.
VLANs.

Verified Ethernet Interface Hardware

The following Ethernet interfaces have been verified to function with the packet buffer sizes of 4 kilobytes and 9 kilobytes.

Intel™ 82599ES 10 GbE Controller (Dual-Port SFP+).
NVIDIA ConnectX™-4 Lx EN MCX4121A-ACAT 25GbE Adapter (Dual-Port SFP28).
VirtIO.

Chapter 4: ARP

4.1. Overview

The ARP Protocol

Address Resolution Protocol (ARP) allows the mapping of a network layer protocol (OSI layer 3) address to a data link layer hardware address (OSI layer 2). In data networks it is used to resolve an IPv4 address into its corresponding Ethernet MAC address. ARP operates at the OSI layer 2, data link layer, and is encapsulated by Ethernet headers for transmission.

IP Addressing Over Ethernet

A host in an Ethernet network can communicate with another host only if it knows the MAC address of that host. Higher level protocols such as IP make use of IPv4 addresses which are fundamentally different from a lower level hardware addressing scheme like the MAC address. ARP is used to retrieve the Ethernet MAC address of a host by using its IP address.

ARP Resolution

When a host needs to resolve an IPv4 address to the corresponding Ethernet address, it broadcasts an ARP request packet. The ARP request packet contains the source MAC address, the source IPv4 address and the destination IPv4 address. Each host in the local network receives this packet. The host with the specified destination address, sends an ARP reply packet to the originating host with its MAC address.

4.2. The ARP Cache

The ARP Cache in network equipment, such as switches and firewalls, is an important component in the implementation of ARP. It consists of a dynamic table that stores the mappings between IPv4 addresses and Ethernet MAC addresses.

cOS Stream uses an ARP cache in exactly the same way as other network equipment. Initially, the cache is empty at startup and becomes populated with entries as traffic flows.

The typical contents of a minimal ARP Cache table might look similar to the following:

Type	IPv4 Address	MAC Address	Expires
Dynamic	192.168.0.10	08:00:10:0f:bc:a5	45
Dynamic	193.13.66.77	0a:46:42:4f:ac:65	136
Static	10.5.16.3	4a:32:12:6c:89:a4	-

The explanation for the table contents are as follows:

The first entry in this ARP Cache is a dynamic ARP entry which tells us that IPv4 address 192.168.0.10 is mapped to the MAC address 08:00:10:0f:bc:a5.
The second entry in the table dynamically maps the IPv4 address 193.13.66.77 to the MAC address 0a:46:42:4f:ac:65.
The third entry is a static ARP entry binding the IPv4 address 10.5.16.3 to the MAC address 4a:32:12:6c:89:a4.

The arp Command

The CLI provides the arp command to view entries in the ARP cache. The simplest form is used to view all entries:

System:/> arp -show

Using the arp command with no parameters is equivalent to this. A specific interface name can be included to show just entries for that interface. For example, the following command would show cache entries just for the if1 interface:

System:/> arp -show if1

All options for this command are described in the separate Clavister NetShield Firewall CLI Reference Guide.

Example 4.1. Displaying the ARP Cache

This example displays all current ARP cache entries for all interfaces.

Command-Line Interface

System:/> arp -show
				
                            ARP Cache

Iface  Type     Address           HWaddress          Expiration  
-----  -------  ----------------  -----------------   ----------  
if1    Dynamic  192.168.10.200    00:50:56:2c:5f:5b         389  
if2    Dynamic  192.168.20.1      00:50:56:d0:0f:01         580 
if3    Dynamic  192.168.30.1      00:50:56:d0:00:03         487

The Expiration Value

The last column in the example table and CLI output, Expiration, is used to indicate how much longer, in seconds, the ARP entry will be valid for.

For example, the first entry in the above CLI output has an expiry value of 389 which means that this entry will be rendered invalid and removed from the ARP Cache in 389 seconds from the current time. If traffic needs to be sent to the IPv4 address 192.168.10.200 after expiration, cOS Stream will issue a new ARP request and update the cache with a new entry.

The default expiration time for dynamic ARP entries is 900 seconds (15 minutes). This can be changed by modifying the advanced setting ARPExpire.

Example 4.2. Changing the ARPExpire Setting

This example shows how to change the number of seconds for the ARPExpire setting.

Command-Line Interface

System:/> set Settings ARPTableSettings ARPExpire=1800
					
Modified ARPTableSettings.

The advanced setting ARP Expire Unknown specifies how long cOS Stream will remember addresses that cannot be reached. This limit is needed to ensure that cOS Stream does not continuously request such addresses. The default value for this setting is 3 seconds.

Example 4.3. Changing the ARPExpireUnknown Setting

This example shows how to change the number of seconds for the ARPExpireUnknown setting.

Command-Line Interface

System:/> set Settings ARPTableSettings ARPExpireUnknown=6
					
Modified ARPTableSettings.

Flushing the ARP Cache

If a host in a network is replaced with new hardware and retains the same IP address then it will probably have a new MAC address. If cOS Stream has an old ARP entry for the host in its ARP cache then that entry will become invalid because of the changed MAC address and this will cause data to be sent to the host over Ethernet which will never reach its destination.

After the ARP entry expiration time, cOS Stream will learn the new MAC address of the host but sometimes it may be necessary to manually force the update. The easiest way to achieve this is by flushing the ARP cache. This deletes all dynamic ARP entries from the cache and forces cOS Stream to issue new ARP queries to discover the MAC/IP address mappings for connected hosts.

Flushing can be done with the CLI command arp -flush.

Example 4.4. Flushing the ARP Cache

This example shows how to flush the ARP Cache from within the CLI.

Command-Line Interface

System:/> arp -flush
					
ARP cache of all interfaces flushed.

The Size of the ARP Cache

By default, the ARP Cache is able to hold 4096 ARP entries at the same time. This is adequate for most situations but on rare occasions, such as when there are several very large LANs directly connected to the firewall, it may be necessary to adjust this value upwards. This can be done by modifying the setting ARPCacheSize property in the ARPTableSettings object.

Example 4.5. Changing the ARP Cache Size

This example shows how to change the size of the ARP cache to hold 8192 entries.

Command-Line Interface

System:/> set Settings ARPTableSettings ARPCacheSize=8192
					
Modified ARPTableSettings.

Hash tables are used to rapidly look up entries in the ARP Cache. For maximum efficiency, a hash table should be twice as large as the entries it is indexing, so if the largest directly connected network contains 500 IP addresses, the size of the ARP entry hash table should be at least 1000. The administrator can modify the setting ARPHashSize to reflect specific network requirements. The default value of this setting is 512.

Example 4.6. Changing the ARP Hash Size

This example shows how to change the ARP hash size.

Command-Line Interface

System:/> set Settings ARPTableSettings ARPHashSize=1024
					
Modified ARPTableSettings.

4.3. Creating ARP Entries

To change the way ARP is handled on an interface, the administrator can create ARP objects, each of which has the following properties:

Mode

The type of ARP object. This can be one of:

Static - Create a fixed mapping in the local ARP cache.
Publish - Publish an IP address on a particular MAC address (or this interface).

Interface

The local physical interface for the ARP object.

IP Address

The IPv4 address for the MAC/IP mapping.

MAC Address

The MAC address for the MAC/IP mapping.

Static ARP Objects

A static ARP object can be used to insert a particular MAC/IP address mapping into the ARP cache.

The most frequent use of static ARP objects is in situations where some external network device is not responding to ARP requests correctly and is reporting an incorrect MAC address. Some network devices, such as wireless modems, can have such problems.

A frequent source of confusion is that this mode is not for publishing the address for external devices. Instead, static entries allow the administrator to tell cOS Stream how to reach external devices. The entry tells cOS Stream that a specific IPv4 address can be reached through a specific interface using a specific MAC address. This means, that when the firewall needs to communicate with the address it consults the ARP table static entries and can determine it can be reached at a specific MAC address on a specific interface.

This feature may also be used to lock an IP address to a specific MAC address for increasing security or to avoid denial-of-service if there are rogue users in a network. However, such protection only applies to packets being sent to that IP address. It does not apply to packets being sent from the IP address since the source MAC address can be forged.

Example 4.7. Creating a Static ARP Entry

This example will create a static mapping between IPv4 address 192.168.10.15 and MAC address 4b:86:f6:c5:a2:14 on the if2 interface:

Command-Line Interface

First, change the context to be ARPEntries:

System:/> cc ARPEntries

Next, add an ARPEntry object to ARPEntries:

System:/ARPEntries> add ARPEntry
			Interface=if2
			IP=192.168.10.15
			Mode=Static
			MACAddress=4b-86-f6-c5-a2-14

Finally return to the default, root context:

System:/ARPEntries> cc
System:/>

ARP Publish

The Clavister NetShield Firewall supports publishing IP addresses on a particular interface. This can optionally be done along with a specific MAC address instead of the actual interface MAC address. cOS Stream will then send out these as ARP replies for any ARP requests received on the interface related to the published IP addresses.

This can be done for a number of reasons:

To give the impression that an interface has more than one IP address.

This is useful if there are several separate IP spans on a single LAN. The hosts on each IP span may then use a gateway in their own span when these gateway addresses are published on the corresponding firewall interface.
Another use is publishing multiple addresses on an external interface, enabling cOS Stream to statically address translate traffic to these addresses and send it onwards to internal servers with private IPv4 addresses.
A less common purpose is to aid nearby network equipment responding to ARP in an incorrect manner.

Example 4.8. Publishing an ARP Entry

This example will create an ARPEntry that publishes the IPv4 address 192.168.10.1 on the if1 interface:

Command-Line Interface

As in the previous example, change the context to be ARPEntries:

System:/> cc ARPEntries

Next, add an ARPEntry object to ARPEntries:

System:/ARPEntries> add ARP Interface=if1 IP=192.168.10.1 Mode=Publish

Finally return to the default, root context:

System:/ARPEntries> cc
System:/>

Other ARP States

For troubleshooting purposes it is useful to understand some other possible ARP states. These can appear when using the ARP snoop feature, in log messages and also when looking at the ARP cache. Below is a summary:

Reslvng

Processing an ARP request. A host with this IP has not yet been found.
Unknown

No host with the IP was found.
Dynamic

A host with the IP address was found.
Probing

Currently testing that the host with the IP address is still available.

Chapter 5: IP Address Management

5.1. The Address Book

The Address Book contains named objects representing various types of IP addresses, including single IPv4 and IPv6 addresses, networks as well as ranges of addresses. Ethernet MAC addresses can also be defined in the address book.

	Note: Network and prefix are synonymous
	An IPv6 Prefix will often be referred to as the IPv6 Network in this guide. This is done to be consistent with the usage of the word Network with IPv4.

Address Book Benefits

Using address book objects has a number of important benefits:

It increases understanding of the configuration by referencing meaningful symbolic names.
Using address object names instead of entering numerical addresses reduces errors.
By defining an address object just once in the address book and then referencing this definition, changing the definition automatically also changes all references to it.

5.2. Address Types

The address book can contain the following Address object types:

IPAddress objects can contain IPv4 and/or IPv6 addresses.
EthernetAddress objects can contain MAC addresses. This can be further grouped together into EthernetAddressGroup objects.

IPAddress Objects

IPAddress objects are used to define symbolic names for various types of IP addresses, either IPv4 or IPv6 or mixed IPv4/IPv6. Depending on how the address is specified, an IP Address object can represent either a single IPv4 or IPv6 address (a specific host), a network or a range of IP addresses and even a DNS name.

Values for the Address Property of an IPAddress

The Address property holds the IP address values of an IPAddress object. The property can be set to a list of addresses which can be any mixture of the following types:

A Single Host

A single host is represented simply by its IP address. This can be either an IPv4 or IPv6 address. For example, 192.168.0.14.

It is also possible to specify a comma separated list of hosts and these can be a mixture of IPv4 and IPv6 addresses. For example, 192.168.0.14,10.15.0.50,2001:DB8::1.
IP Network

An IPv4 Network is represented using Classless Inter Domain Routing (CIDR) form. CIDR uses a forward slash and a number (0-32) to denote the size of the network as a postfix. This number corresponds to the number of binary ones in the netmask.

The suffix /24 corresponds to a class C net with 256 addresses (netmask 255.255.255.0). The suffix /27 corresponds to a 32 address net (netmask 255.255.255.224) and so on.

For IPv6, the IPv6 prefix corresponds to the network. For example, 2001:db8::/32.
IP Ranges

A range of IPv4 addresses is represented with the form a.b.c.d-e.f.g.h.

Note that ranges are not limited to IPv4 netmask boundaries. They may include any span of IP addresses.
For example, 192.168.0.10-192.168.0.15 represents six IPv4 hosts in consecutive order.

A range of IPv6 addresses is specified in the same way. For example, 2001:DB8::1-2001:DB8::6

	Note: A maximum of 256 address items are allowed
	The Address property of a single IPAddress object can hold a maximum of 256 address items, which can be any combination of the types listed above. A range or network is counted as a single item.

Adding and Displaying IPAddress Objects

The CLI command format for adding an IP address is:

System:/> add Address IPAddress <name> Address=<ip-address>

To display the value(s) assigned to an address object:

System:/> show Address IPAddress <name>

Alternatively, the netobjects command can be used:

System:/> netobjects <name>

Using the netobjects command without any options will display all IP address objects in the address book.

Example 5.1. Adding a Single IP Address

This example adds the IP host www_srv1 with IPv4 address 192.168.10.16 to the address book:

Command-Line Interface

System:/> add Address IPAddress www_srv1 Address=192.168.10.16

Example 5.2. Adding an IP Network

This example adds an IP network named wwwsrvnet with address 192.168.10.0/24 to the address book:

Command-Line Interface

System:/> add Address IPAddress wwwsrvnet Address=192.168.10.0/24

Example 5.3. Adding an IP Range

This example adds a range of IPv4 addresses from 192.168.10.16 to 192.168.10.21 and names the range wwwservers:

Command-Line Interface

System:/> add Address IPAddress wwwservers
			Address=192.168.10.16-192.168.10.21

Example 5.4. Deleting an Address Object

To delete an object named wwwsrv1 in the address book, do the following:

Command-Line Interface

System:/> delete Address IPAddress wwwsrv1

Deleting Referenced IP Address Objects

If an IP address object is deleted that is in use by another object, the deletion will appear successful. However, cOS Stream will not subsequently allow the configuration to be deployed and will generate an error message.

The CLI -references option can be used when displaying an IP address to list references to the address. For example, to find all references to the address object if1_ip, the CLI command would be:

System:/> show IPAddress if1_ip -references

EthernetAddress Objects

EthernetAddress objects are used to define symbolic names for MAC addresses. This is useful, for example, when populating the ARP table with static ARP entries, or for other parts of the configuration where symbolic names are preferred over hexadecimal MAC addresses.

When specifying an Ethernet MAC address, the format aa-bb-cc-dd-ee-ff should be used. Ethernet MAC addresses are also displayed using this format.

EthernetAddress objects can be further grouped together into EthernetAddressGroup objects.

Example 5.5. Adding an Ethernet Address

The following example adds an Ethernet Address object named wwwsrv1_mac with the numerical MAC address 08-a3-67-bc-2e-f2.

Command-Line Interface

System:/> add Address EthernetAddress wwwsrv1_mac
				Address=08-a3-67-bc-2e-f2

5.3. Auto-generated Address Objects

To simplify the configuration, a number of address objects in the address book are automatically created by cOS Stream when the system starts for the first time and these objects are used in various parts of the initial configuration.

Generated Objects

The following address objects are auto-generated by cOS Stream:

Interface Addresses

For each Ethernet interface in the system, two IPv4 Address objects are predefined; one object for the IP address of the actual interface, and one object representing the local network for that interface.

Interface IPv4 address objects are named <interface-name>_ip and network objects are named <interface-name>_net. As an example, an interface named if1 will have an associated interface IP object named if1_ip, and a network object named if1_net.

all-nets-ip4

The all-nets-ip4 IPv4 address object is initialized to the IPv4 address 0.0.0.0/0, which represents all possible IP4 addresses. The all-nets-ip4 IP object is used extensively in the configuration and it is important to understand its significance.

all-nets-ip6

The all-nets-ip6 object performs the same function as all-net-ip4 but for the IP6 address space.

all-nets

The all-nets object includes all IP4 and IP6 addresses.

The netobjects command shows the current address book contents. For example:

System:/> netobjects
				
all-nets      0.0.0.0/0, ::/0  
all-nets-ip4  0.0.0.0/0        
all-nets-ip6  ::/0

Assigning Multiple IP Addresses to an Interface

As discussed in Section 3.1, Ethernet Interfaces, it is possible to assign multiple addresses to a single Ethernet interface. This is done by assigning the addresses to the interface's address object. For example:

System:/> set Address IPAddress if1_ip Address=10.1.1.2,198.10.2.1

There is no limit to the number of addresses that can be assigned to a single Ethernet interface.

5.4. IPv6 Support

The IP address standard IPv6 is designed as a successor to IPv4 with the principal advantage of providing a much larger address space. Among many other benefits, the large number of available global IPv6 addresses means that NAT should no longer required for sharing a limited number of public addresses.

IPv6 is usable with most configuration objects. A list of usage restrictions can be found later in this section.

IPv6 is Enabled by Default

By default, the Clavister NetShield Firewall supports IPv6 and this does not need to be explicitly enabled. If all IPv6 traffic is to be ignored, the following command can be used:

System:/> set Settings IPSettings AllowIPVersion=IPv4

This allows only IPv4 packets to be processed and all IPv6 packets will be dropped. Conversely, if all IPv4 packets are to be dropped and only IPv6 recognized, the CLI command would be:

System:/> set Settings IPSettings AllowIPVersion=IPv6

To return to the original, default situation where both IPv4 and IPv6 are processed, the command would be:

System:/> set Settings IPSettings AllowIPVersion=Any

Adding an IPv6 Address

IPv6 address objects are created in the address book in a similar way to IPv4 addresses.

For IPv6, only the all-nets-ip6 object (IPv6 address ::/0) exists by default in the address book. This means that the IPv6 address and network objects associated with interfaces must be created manually.

Example 5.6. Adding an IPv6 Address

This example adds a new address object called my_ip6_address to the address book with the single IPv6 address 2001:DB8::1.

Command-Line Interface

System:/> add Address IPAddress my_ip6_address Address=2001:DB8::1

	Note: The prefix 2001:DB8::/32 is reserved for documentation
	As described in RFC3849, the IPv6 prefix 2001:DB8::/32 is specifically reserved for documentation. All IPv6 examples in this guide use this network or addresses from it.

Enabling IPv6 on an Interface

Predefined address book objects already exist for each Ethernet interface. To enable IPv6 on an interface, an IPv6 address and network (prefix) are added to the associated address book objects.

This could be done specifying a comma separated list of the IPv4 address and the IPv6 address for the interface. However, the recommendation is to create a separate IPAddress object for the IPv6 address and add that to the interface.

If an IPv6 address and network are not assigned, IPv6 packets arriving at the interface are always dropped.

Example 5.7. Enabling IPv6 on an Interface

Assume that the interface if1 is to have the IPv4 address 10.15.0.50 with network 10.15.0.0/24. IPv6 is to be enabled on the interface with the IPv6 address 2001:DB8::1 from the network 2001:DB8::/32.

Command-Line Interface

Set the default address object for the interface to the IPv4 address.

System:/> set Address IPAddress if1_ip Address=10.15.0.50

Add an IPv6 address object for the interface:

System:/> add Address IPAddress if1_ip6_ip Address=2001:DB8::1

Set the IPv4 and IPv6 addresses directly on the interface:

System:/> set Interface EthernetInterface if1 IPAddress=if1_ip,if1_ip6_ip

Set the IPv4 network for the interface:

System:/> set Address IPAddress if1_net Address=10.15.0.0/24

Add a new object for the IPv6 network associated with the interface:

System:/> add Address IPAddress if1_ip6_net Address=2001:DB8::/32

The route for the IPv6 must now be added manually:

System:/> cc RoutingTable main
System:/RoutingTable/main> add Route Interface=if1 Network=if1_ip6_net
System:/RoutingTable/main> cc
System:/>

	Tip: Use period plus tab when appending an address
When using the CLI set Address IPAddress command, the objective can be to append a new IP address value to any existing values. All the existing values can be displayed by using the key sequence of a period ( . ) followed by a tab after Address=. A comma ( , ) can then be typed followed by the new address to be added to the list.

Tip: Use period plus tab when appending an address

When using the CLI set Address IPAddress command, the objective can be to append a new IP address value to any existing values.

All the existing values can be displayed by using the key sequence of a period ( . ) followed by a tab after Address=. A comma ( , ) can then be typed followed by the new address to be added to the list.

IPv6 Interface Routes are Not Added Automatically

When an IPv6 address and network are assigned to an Ethernet interface (both are required) then an IPv6 route for that interface should be added manually to the main routing table. The route cannot be added automatically.

IP Rules Can Mix IPv4 and IPv6

There is no requirement in cOS Stream to have separate IP rules that refer to IPv4 and IPv6 address objects. It is valid to use an IPAddress that combines both IPv4 and IPv6 addresses in a single IP rule.

However, an IP rule that has only IPv4 as its source and only IPv6 as its destination will not have any useful function. It is not possible, however, to mix IPv4 and IPv6 on a single route. Separate routes must be created.

Grouping IP Addresses

Since an IPAddress object can contain any number of IPv4 or IPv6 addresses as well as references to other IPAddress objects, these are used to create grouping of IP addresses. There is no special group address object in cOS Stream.

The all-nets Address Object

The preconfigured all-nets-ip4 address object is a catch-all object for all IPv4 addresses. Similarly, all-nets-ip6 represents all IPv6 addresses and only IPv6 addresses.

To represent all IPv4 and IPv6 addresses, all-nets-ip4 is combined with all-nets-ip6 in the single predefined object all-nets.

IPv6 Neighbor Discovery

IPv6 Neighbor Discovery (ND) is the IPv6 equivalent of the ARP protocol with IPv4 (see Chapter 4, ARP).

When IPv6 is enabled for a given Ethernet interface, cOS Stream will respond to any IPv6 Neighbor Solicitations (NS) sent to that interface with IPv6 Neighbor Advertisements (NA) for the IPv6 address configured for that interface.

Enabling neighbor discovery for other IP addresses on an interface can be achieved by adding an NDEntry object to the NDEntries list. The NDEntries object exists by default as an empty list and does not need to be created. The example below demonstrates adding an NDEntry to the list.

Example 5.8. Enabling Interface Neighbor Discovery

This example will create an NDEntry that publishes the IPv6 address my_ipv6 on the if3 interface:

Command-Line Interface

First, change the context to be NDEntries:

System:/> cc NDEntries

Next, add an NDEntry object to NDEntries:

System:/NDEntries> add NDEntry Interface=if3 IP=my_ipv6

Note that the default value for the Mode property is Publish.

Finally, return to the default, root context:

System:/NDEntries> cc
System:/>

Enabling IPv6 Router Advertisements

An additional option for an Ethernet or VLAN interface is to enable IPv6 Router Advertisement. This is the IPv6 equivalent of an IPv4 DHCP server and it means that any external client connected to the interface can solicit and receive IPv6 messages to perform Stateless Address Auto-Configuration (SLAAC). The SLAAC process allows the client to create its own unique global IPv6 address based on the MAC address of its interface and the prefix of the IPv6 address for the interface it is connected to.

Enabling router advertisements in cOS Stream is done by enabling the AdvertiseIP property for a single Route object in a routing table. This enables advertisements on the interface specified in that route and only for the host or network specified in that route.

Example 5.9. Enabling IPv6 Advertisements

This example enables IPv6 advertisements on the route if1_route in the routing table main.

Command-Line Interface

First, change the current context to be the main routing table:

System:/> cc RoutingTable main

Now, enable router advertisements on the target route:

System:/RoutingTable/main> set if1_route AdvertiseIP6=yes

Finally, return to the default CLI context:

System:/> cc

Some of the values in the router advertisement are controlled by an object called a RouterAdvertisementProfile. This is assigned to the RouterAdvertisementProfile property of the interface. Initially, the value DefaultProfile is always assigned to this property for all interfaces. This uses the default values for a new RouterAdvertisementProfile object but does not correspond to an editable object in the system.

If the default values provided by the DefaultProfile value are not satisfactory, the following steps must be used:

Create a new RouterAdvertisementProfileTable object.
Add a new RouterAdvertisementProfile object to the table with the desired settings.
Associate this profile object with the interface.

Note that the value of the RouterAdvertisementProfile property for an interface only has meaning if the AdvertiseIP6 property of an associated route is enabled. It is enabling the AdvertiseIP6 property of the Route object that turns on router advertisements and not a profile assigned to the interface.

Enabling Automatic Interface Address Configuration

Another option for an Ethernet or VLAN interface is to enable automatic IPv6 Address Configuration of the interface. This is essentially the reverse of the Router Advertisement feature described above and can provide a means to automatically assign IPv6 addresses. When enabled, the following properties of the interface object can be automatically assigned by an external device that is sending out router advertisements:

IPAddress (address book object ifn_ip).
IPv6Network (address book object ifn_ip6_net).
IPv6DNS (address book object ifn_ip6_dns).
IPv6Gateway (address book object ifn_ip6_gw).

This option is enabled by setting the IPv6AddressConfiguration property to the value SLAAC. The default value for this property is Static which means that the properties listed above must get their values assigned manually by changing the corresponding address objects (these are also listed above). Out of these address book objects, only ifn_ip exists by default. The other address objects listed are automatically created by cOS Stream at the time that the IPv6AddressConfiguration property is set to SLAAC.

Example 5.10. Enabling Automatic Address Configuration

This example shows how to enable automatic address configuration on the if1 interface.

Command-Line Interface

System:/> set Interface EthernetInterface if1
			IPv6AddressConfiguration=SLAAC

The ND Cache and ndp Command

Like ARP, the IPv6 neighbor discovery mechanism in cOS Stream maintains a Neighbor Discovery Cache (ND cache). This cache can be displayed and managed using the ndp CLI command.

To display the entire cache use the command:

System:/> ndp -show
			
Neighbor cache of iface if1:
    Stale  fc01:6:13::1   = 77:2b:cb:8d:72:de   Expire=5033

Neighbor cache of iface if2:
     Good  fc01:22:13::1  = 00:1b:23:b1:d7:4f   Expire=28

To flush the entire cache use the command:

System:/> ndp -flush

A gratuitous neighbor discovery can be sent on an interface with a specified IP address with the command:

System:/> ndp -notify <if> -ip=<address>

The ndpsnoop Command

The ndpsnoop command will provide real-time logging at the console of both router advertisements and router solicitations. For example, to view all activity on the if1 interface.

System:/> ndpsnoop if1

All the options for the ndp and ndpsnoop commands can be found in the separate Clavister NetShield Firewall CLI Reference Guide.

IPv6 and IPsec

The Clavister NetShield Firewall supports the transport of either IPv4 or IPv6 over ESP. The ESP packets may themselves use either IPv4 or IPv6. This means that the local network and the remote network for an IPsec tunnel can be specified as IPv4 or IPv6 addresses. However, the local network and remote network must use the same IP version.

IPv6 and High Availability

The High Availability (HA) feature fully supports IPv6. Any IPv6 configuration objects will be mirrored on both the HA master and slave units including the NDP cache. If a failover occurs, state information will not be lost when one unit takes over processing from the other and IPv6 connections will not be lost.

In an HA configuration where interfaces have IPv6 enabled and IPv6 addresses assigned, there can be both a private and shared IPv6 address for each pair of interfaces. Each interface pair will have different private IPv6 addresses on the master and slave but will have the same shared IPv6 IP.

It is possible to have both an IPv4 and IPv6 shared IP address for the same interface. If this is the case, there must also be a private IPv4 and private IPv6 address for the individual interfaces in the pairing.

5.5. IPv6 With Embedded IPv4

cOS Stream allows the creation of IPv6 address objects in the address book which contain embedded IPv4 addresses. These IPv6 addresses can then be used anywhere in cOS Stream configuration where a normal IPv6 address would be used.

Embedding means that IPv6 addresses can be used on an IPv4 routing infrastructure that supports IPv6 tunneling.

Example 5.11. Adding an IPv6 Address with Embedded IPv4

This example adds two IPv6 addresses with the prefix 2001:db8::/32 (the documentation prefix) to the address book. The first has has the embedded IPv4 network 203.0.113.0/24 and the second has the embedded host address 2013.0.113.10.

Command-Line Interface

System:/> add Address IPAddress my_mixed_net Address=2001:db8::203.0.113.0/120

Next, add the IPv6 address 2013.0.113.10 from this network:

System:/> add Address IPAddress my_mixed_addr Address=2001:db8::203.0.113.10

Specifying an IPv4 Mapped IPv6 Address

When IPv4 embedding is used, cOS Stream creates an IPv4 compatible IPv6 address object which consists of 96 zeros followed by the IPv4 address and this address type should be used as the addresses for IPv6 capable network devices.

However, if a network device is not IPv6 capable then it should have an IPv4 mapped IPv6 address which consists of 80 zeros followed by 16 ones followed by the IPv4 address. These preceding 16 ones for this type of address must be explicitly specified when creating the address object in cOS Stream. For example, by specifying the embedded IPv4 address 203.0.113.10 as 2001:db8::ffff:203.0.113.10.

5.6. FQDN Address Objects

Overview

Instead of specifying an address object to be an IP address, it can instead be specified as an FQDN (for example: server1.example.com). cOS Stream will then automatically resolve the FQDN to an IP address at runtime if the FQDN address object is referenced by another configuration object.

Specifying FQDN Address Objects

An FQDN address object is created by assigning the FQDN value to the IP property of an IPAddress object:

System:/> add Address IPAddress my_fqdn_ip Address=server.example.com

The requirement for DNS resolution of an FQDN can also be written explicitly:

System:/> add Address IPAddress my_fqdn_ip Address=dns:server.example.com

Instead of the FQDN, just the domain name could be used but it requires the dns: prefix:

System:/> add Address IPAddress my_fqdn_ip Address=dns:example

The dns: Prefix Disables Format Checking

The dns: prefix seen in the examples above has a secondary function which is to turn off format checking of the FQDN. Without the prefix, cOS Stream will reject any FQDN that appears to be malformed, for example, because of unusual characters. Using the dns: prefix will force cOS Stream to accept any string value.

	Note: Wildcarding in FQDNs is not supported
	Wildcards cannot be used when specifying the FQDN in an FQDN address object. The reason is that cOS Stream populates the FQDN cache by itself sending queries to a DNS server. If an FQDN with wildcards, such as *.example.com, is sent to a DNS server, the server would not be able to resolve it.

Only IPRule Objects Can Use FQDN Address Objects

Currently, only IPRule objects can contain a reference to an FQDN address object.

It should be noted that as with any IPRule, it is not possible to have only IPv4 addresses on one side (source or destination) of the rule and only IPv6 addresses on the other side (destination or source). However, since FQDN resolution occurs at runtime, an FQDN address object may become an IP address type that contravenes this rule. If this happens there will a configuration error and the IPRule will be disabled with the following warning message generated:

   Inconsistent IP versions for source and destination IP Addresses

Direct FQDN Address References

It is possible to use FQDN address references in an IPRule object without first creating an intermediate IPAddress object. For example, consider the following addition of an IPRule that allows flows to server.example.com:

System:/> cc RuleSet IPRuleSet main
System:/IPRuleSet/main> add IPRule SourceInterface=lan
			SourceNetwork=lan_net
			DestinationInterface=any
			DestinationNetwork=dns:server.example.com
			Service=all_services
			Name=deny_lan_to_example
			Action=Allow

Here, the FQDN can be specified using the same rules that are described earlier for creating FQDN address objects.

FQDN Resolution Requires a Configured DNS Server

For FQDN address objects to function correctly, at least one external DNS server must be configured in cOS Stream by creating at least one DNS Server object in the cOS Stream configuration. For a description of configuring DNS servers in cOS Stream, see Chapter 12, DNS

The DNS Lookup Should Be Consistent

The administrator should ensure that the DNS lookup used for FQDN address objects referenced by IPRule objects returns the same results as the DNS lookup used by hosts that are affected by those policies. The best way to do this is to ensure that cOS Stream is using the same DNS server as the hosts it is protecting.

FQDN Address Object Activation Triggers FQDN Resolution

cOS Stream will try to perform the DNS resolution of FQDN address objects when a configuration is activated. This will happen even if no other object has a reference to the FQDN object.

If no DNS server is configured, cOS Stream will generate a warning when attempting to deploy a configuration with a reference to an FQDN address object.

FQDN Address Objects Can Store Multiple IPs

Depending on the FQDN, the DNS lookup can return both IPv4 and IPv6 addresses and there can up to 8 IPs of each type (16 in total) stored in the cache for a single FQDN.

FQDN Address Caching

cOS Stream uses a DNS cache to ensure that the same FQDN does not need to be resolved every time it is referenced. The current cache contents can be examined using the following command:

System:/> dns -list

However, a better method of displaying all the IP addresses being used for a particular FQDN address object is to display the full object properties:

System:/> show Address IPAddress <fqdn-address-object>

Alternatively, the netobjects command can be used:

System:/> netobjects <fqdn-address-object>

Cache Lifetimes

FQDN address objects differ to other types of cached DNS entries in that when the entry's TTL (Time To Live) expires, cOS Stream will refresh the cache entry by issuing a new DNS query. Setting the global minimum TTL and maximum TTL value is described in Chapter 12, DNS.

The global DNS object property called FQDNValidAfterTTLDefault is used only for FQDN address objects and it determines the minimum amount of time after the TTL has expired that an entry will stay in the cache. It has a default value of 86,400 seconds (one day). This can be relevant for consecutive DNS queries for the same FQDN which return different IP addresses because it ensures the multiple addresses will coexist.

The value of FQDNValidAfterTTLDefault can be overridden for an individual address object by setting the object's FQDNValidAfterTTL property:

System:/> add Address IPAddress my_fqdn_ip
			Address=server.example.com
			FQDNValidAfterTTL=15000

Example 5.12. Adding an FQDN Address Object

This example shows how an FQDN address object called my_fqdn_ip1 is added to the cOS Stream address book.

The FQDN address object will contain the address for the FQDN server.example.com. It is assumed that a least one DNS server is already configured in cOS Stream so that the FQDN can be resolved to an IP address.

Command-Line Interface

System:/> add Address IPAddress my_fqdn_ip1 Address=server.example.com

Example 5.13. Using FQDN Address Objects with an IP Rule

In this example, connections from internal clients on the if1_net network to the web site www.example.com will not be allowed.

Command-Line Interface

A. Create the FQDN address object for www.example.com:

System:/> add Address IPAddress my_website_fqdn Address=www.example.com

B. Drop connections to the site:

System:/> cc RuleSet IPRuleSet main
System:/IPRuleSet/main> add IPRule SourceInterface=lan
			SourceNetwork=lan_net
			DestinationInterface=any
			DestinationNetwork=my_website_fqdn
			Service=all_services
			Name=deny_lan_to_example
			Action=Deny

Chapter 6: Routing

6.1. Principles of Routing

IP routing is one of the most fundamental functions of cOS Stream. Any IP packet flowing through a Clavister NetShield Firewall will be subjected to at least one routing decision at some point in time, and properly setting up routing is crucial for the system to function as expected.

Routers

IP routing is the mechanism used in TCP/IP based networks for delivering IP packets from their source to their ultimate destination through a number of intermediary network devices. These devices are most often referred to as routers since they perform the task of routing packets to their destination.

Routing Tables

In each router, one or more routing tables contain a list of routes and these are consulted to find out through which interface to send a packet so it can reach its intended destination.

There can be one or more routing tables. At a minimum, there is a single, predefined routing table called main. The interfaces of routes in these tables may be a physical Ethernet interface or it might be a configuration object that behaves like an interface such as a VPN tunnel.

Example 6.1. Listing the Routing Table main Contents

This example shows how to list the contents of the default routing table main.

Command-Line Interface

First, change the current context to be the main routing table:

System:/> cc RoutingTable main

Now, list the contents of the table:

System:/RoutingTable/main> show

   #  Interface  Network      Gateway  Local IP
   -  ---------  -----------  -------  -----------
   1  if2        10.6.0.0/16  <empty>  10.6.58.100

This shows that the main table contains a single route, which says that the network 10.6.0.0/16 can be found on the interface if2.

The components of a single route in a routing table are discussed next.

The Components of a Route

When a route is defined it consists of the following properties:

Interface

The interface to forward the packet on in order to reach the destination network. In other words, the interface to which the destination IP range is connected, either directly or through a router.

The interface can be any logical interface. This includes Ethernet interfaces as well as VPN tunnels.
Network

This is the destination network IP address range which is reached via the specified interface. The route chosen from a routing table is the one that has a destination IP range which includes the IP address being sought. If there is more than one such matching route, the route chosen is the one which has the smallest IP address range and lowest metric.

The destination network all-nets-ip4 is usually always used in the route for public Internet access via an ISP. As its name suggests, all-nets-ip4 corresponds to all IP4 internet addresses and the route for this address is sometimes referred to as the default route since it is chosen when no other match can be found.

It is not possible to mix IPv4 and IPv6 for this property.
Gateway

The IP address of the gateway which is the next router in the path to the destination network. This is optional. If the destination network is connected directly to the interface, this is not needed.

When a router lies between the Clavister NetShield Firewall and the destination network, a gateway IP must be specified. For example, if the route is for public Internet access via an ISP then the public IP address of the ISP's gateway router would be specified.
LocalIP

This property usually does not need to be specified. If it is, cOS Stream responds to ARP queries sent to this address. A special section below explains this property in more depth.
Metric

This is a metric value assigned to the route and is used as a weight when performing comparisons between alternate routes. If two routes are equivalent but have different metric values then the route with the lowest metric value is taken.

A Typical Routing Scenario

The diagram below illustrates a typical Clavister NetShield Firewall usage scenario.

Figure 6.1. A Typical Routing Scenario

In the above diagram, the LAN interface is connected to the network 192.168.0.0/24 and the DMZ interface is connected to the network 10.4.0.0/16. The WAN interface is connected to the network 195.66.77.0/24 and the address of the ISP gateway to the public Internet is 195.66.77.4.

The associated routing table for this would be as follows:

Route #	Interface	Destination	Gateway
1	if1	192.168.0.0/24
2	dmz	10.4.0.0/16
3	wan	195.66.77.0/24
4	wan	all-nets-ip4	195.66.77.4

The above routing table provides the following information:

Route #1

All packets going to hosts on the 192.168.0.0/24 network should be sent out on the if1 interface. As no gateway is specified for the route entry, the host is assumed to be located on the network segment directly reachable from the if1 interface.
Route #2

All packets going to hosts on the 10.4.0.0/16 network are to be sent out on the dmz interface. For this route also, no gateway is specified since there is no "hop" via another router to the destination network.
Route #3

All packets going to hosts on the 195.66.77.0/24 network will be sent out on the wan interface. No gateway is required to reach this network.
Route #4

All packets going to any host (the all-nets-ip4 network will match all hosts) will be sent out on the wan interface and to the gateway with IPv4 address 195.66.77.4. That gateway will then consult its routing table to find out where to send the packets next.

A route with its Network property set to all-nets-ip4 is often referred to as the Default Route since it will match all packets for which no specific route has been configured. This route usually specifies the interface which is connected to the public internet via an ISP.

An equivalent default route for IPv6 traffic would have its Network property set to all-nets-ip6.

The Narrowest Routing Table Match is Selected

When a routing table is evaluated, the ordering of the routes is not important. Instead, all routes in the relevant routing table are evaluated and the most specific route is used. In other words, if two routes have destination networks that overlap, the narrower network definition will be taken before the wider one. This behavior is in contrast to IP rules where the first matching rule is used.

In the above example, a packet with a destination IPv4 address of 192.168.0.4 will theoretically match both the first route and the last one. However, the first route entry is a narrower, more specific match so the evaluation will end there and the packet will be routed according to that entry.

Although routing table ordering is not important, it is still recommended for troubleshooting purposes to try and place narrower routes first and the default route last.

The LocalIP Property

The LocalIP property of a route is the source IP used for packets sent from the route's interface. This is automatically chosen by cOS Stream unless explicitly configured by the administrator.

When cOS Stream chooses the source IP automatically, it uses the IP address of the route's interface. If several IP addresses have been assigned to the interface, it takes the first address that is the same as or lies within the route's Network property. For example, if the first IPv4 address configured on the interface is 192.168.10.1, this will be chosen if the route's Network property is 192.168.10.0/24.

If no match is found, cOS Stream takes the first address it finds that is the same IP type as the network. In other words, if the route's Network property is an IPv4 network, it takes the first IPv4 address assigned to the interface. If the network is an IPv6 network, it takes the first IPv6 address. If no such similar type is configured on the interface, the LocalIP property cannot be set and an event message is generated flagging this as an error.

Manually Setting the LocalIP Property

In some cases, the LocalIP needs to be set manually. Normally, a physical interface such as if1 is connected to a single network and the interface and network are on the same network. It can be said that the network is bound to a physical interface and clients on the connected network can automatically find the Clavister NetShield Firewall through ARP queries. ARP works because the clients and the interface are part of the same network.

A second network might then be added to the same physical interface via a switch, but with a new network range that does not include one of the physical interface's IP addresses. We would say that this network is not bound to the physical interface. Clients on this second network will not then be able to communicate with the Clavister NetShield Firewall because ARP will not function between the clients and the interface.

To solve this problem, a new route is added which has the following properties:

Interface: The interface on which the second network is found.
Network: The IP address range of the second network.
LocalIP: An address within the second network's IP range.

When the Default Gateway of the second network's clients is now set to the same value as the LocalIP of the above route, the clients will be able to communicate successfully with the interface. The IP address chosen in the second network is not significant, as long as it is the same value for the Default Gateway of the clients and the LocalIP.

The effect of adding the route with the LocalIP is that the firewall will act as a gateway with the LocalIP address and respond to, as well as send out, ARP queries as though the interface had that IP address.

The diagram below illustrates a scenario where this feature could be used. The IPv4 network 10.1.1.0/24 is bound to a physical interface that has a single IPv4 address within the network of 10.1.1.1. If we now attach a second network 10.2.2.0/24 to the interface via the switch, it is unbound since none of the interface's IP addresses belong to it.

Figure 6.2. Using LocalIP with an Unbound Network

By adding a route for this second network with the LocalIP specified as 10.2.2.1, the interface will then respond to ARP requests from the 10.2.2.0/24 network. The clients in this second network must also have their Default Gateway set to 10.2.2.1 in order to reach the firewall.

This feature is normally used when an additional network is to be added to an interface but it is not desirable to change the existing IP addresses of the network. From a security standpoint, doing this can present significant risks since different networks will typically be joined together through a switch which imposes no controls on traffic passing between those networks. Caution should therefore be exercised before using this feature.

Example 6.2. Adding a Route with LocalIP

This example will show adding a route for the network 10.2.2.0/24 on the interface if1 with LocalIP set as 10.2.2.1.

System:/> cc RoutingTable main
				
System:/RoutingTable/main> add Route Interface=if1
			Network=10.2.2.0/24
			LocalIP=10.2.2.1

System:/RoutingTable/main> cc
System:/>

All Traffic Must have Two Associated Routes

Something that is not intuitive when trying to understand routing in cOS Stream is the fact that all traffic must have two routes associated with it. Not only must a route be defined for the destination network of a flow but also for the source network.

The route that defines the source network simply says that the source network is found on a particular interface. When a new flow is opened, cOS Stream performs a check known as a reverse route lookup which looks for this route. The source network route is not used to perform routing but instead as a check that the source network should be found on the interface where it arrived. If this check fails, cOS Stream generates a Disallowed by Access Rule error log message.

Even traffic destined for Core (cOS Stream itself), such as ICMP ping requests must follow the rule of having two routes associated with it. In this case, the interface of one of the routes is specified as Core.

6.2. Static Routing

The most basic form of routing is known as Static Routing. The term "static" is used because most entries in a routing table are part of the system's static configuration. They usually remain unchanged during long periods of system operation.

Due to this manual approach, static routing is most appropriate to use in network deployments where addresses are fairly fixed and where the amount of connected networks are limited to a few.

This section describes how to configure static routing and also explains how routing is implemented in cOS Stream.

Multiple routing tables are supported. A default table called main is predefined and is always present in cOS Stream. However, additional and completely separate routing tables can be defined by the administrator to provide alternate routing.

The Route Lookup Mechanism

The route lookup mechanism has some slight differences to how some other router products work. In many routers, where the IP packets are forwarded without context (in other words, the forwarding is stateless), the routing table is scanned for each and every IP packet received by the router. Packets are forwarded with state-awareness, so the route lookup process is tightly integrated into the stateful inspection mechanism.

When an IP packet is received on any of the interfaces, the list of active flows is consulted to see if there is already a flow to which the received packet belongs. If an existing flow is found, the flow information includes where to route the packet so there is no need for further lookups in the routing table. This is far more efficient than traditional routing table lookups, and is one reason for the high forwarding performance of cOS Stream.

If an established flow cannot be found, then the routing table is consulted. It is important to understand that the route lookup is performed before any of the various policy rules get evaluated (for example, IP rules). Consequently, the destination interface is known at the time cOS Stream decides if the flow should be allowed or dropped. This design allows for a more fine-grained control in security policies.

Route Notation

The Clavister NetShield Firewall uses a slightly different way of describing routes compared to most other systems but this way is easier to understand, making errors less likely.

Many other products do not use the specific interface in the routing table, but specify the IP address of the interface instead. The routing table below is from a Microsoft Windows workstation:

====================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 13 d4 51 8d dd ...... Intel(R) PRO/1000 CT Network
0x20004 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===================================================================
===================================================================
Active Routes:
Network Destination        Netmask      Gateway    Interface Metric
          0.0.0.0          0.0.0.0  192.168.0.1 192.168.0.10     20
         10.0.0.0        255.0.0.0   10.4.2.143   10.4.2.143      1
       10.4.2.143  255.255.255.255    127.0.0.1    127.0.0.1     50
   10.255.255.255  255.255.255.255   10.4.2.143   10.4.2.143     50
     85.11.194.33  255.255.255.255  192.168.0.1 192.168.0.10     20
        127.0.0.0        255.0.0.0    127.0.0.1    127.0.0.1      1
      192.168.0.0    255.255.255.0 192.168.0.10 192.168.0.10     20
     192.168.0.10  255.255.255.255    127.0.0.1    127.0.0.1     20
    192.168.0.255  255.255.255.255 192.168.0.10 192.168.0.10     20
        224.0.0.0        240.0.0.0   10.4.2.143   10.4.2.143     50
        224.0.0.0        240.0.0.0 192.168.0.10 192.168.0.10     20
  255.255.255.255  255.255.255.255   10.4.2.143   10.4.2.143      1
  255.255.255.255  255.255.255.255 192.168.0.10 192.168.0.10      1
Default Gateway:       192.168.0.1
===================================================================
Persistent Routes:
None

The corresponding routing table in cOS Stream will be similar to the following:

Flags Network            Iface    Gateway        Local IP  Metric
----- ------------------ -------- -------------- --------- ------
      192.168.0.0/24     if1                              20
      10.0.0.0/8         wan                              1
      0.0.0.0/0          wan      192.168.0.1             20

Note that multicast routes have not been included in the list but are displayed in the Microsoft listing.

Route Definition

The method of defining routes makes the reading and understanding of routing information easier.

A further advantage with the Clavister NetShield Firewall approach is that the administrator can directly specify a gateway for a particular route and the following is true:

A separate route does not need to be defined that includes the gateway IP address.
It does not matter even if there is a separate route which includes the gateway IP address and that routes traffic to a different interface.

Composite Subnets can be Specified

Another advantage with the Clavister NetShield Firewall approach to route definition is that it allows the administrator to specify routes for destinations that are not aligned with traditional subnet masks.

For example, it is perfectly legal to define one route for the destination IPv4 address range 192.168.0.5 to 192.168.0.17 and another route for IP addresses 192.168.0.18 to 192.168.0.254. This is a feature that makes cOS Stream highly suitable for routing in highly complex network topologies.

Displaying Routing Tables

It is important to note that routing tables that are initially configured by the administrator can have routes added, deleted and changed automatically during live operation and these changes will appear when the routing table contents are displayed.

These routing table changes can take place for different reasons. For example, if dynamic routing with OSPF has been enabled then routing tables will become populated with new routes learned from communicating with other OSPF routers in an OSPF network. Other events such as route failover can also cause routing table contents to change over time.

Example 6.3. Displaying the main Routing Table

This example illustrates how to display the contents of the default main routing table.

Command-Line Interface

To see the configured routing table:

System:/> cc RoutingTable main

System:/RoutingTable/main> show

Route
   #  Interface  Network   Gateway        Local IP
   -  ---------  --------  -------------  --------
   1  wan        all-nets  213.124.165.1
   2  if1        if1_net
   3  wan        wan_net

To see the active routing table enter:

System:/> routes

Routing table: main

Flags Network            Iface         Gateway   Local IP Metric
----- ------------------ ------- --------------- -------- ------
      192.168.0.0/24     if1                              0     
      213.124.165.0/24   wan                              0     
      0.0.0.0/0          wan      213.124.165.1           0

	Tip: The CLI cc command may be needed first
	In the CLI example above, it was necessary to first select the name of a specific routing table with the cc command (meaning change category or change context) before manipulating individual routes. This is necessary for any category that could contain more than one named group of objects.

The all-nets Route

The most important route defined is the route to the network all-nets, which includes all IPv4 and IPv6 addresses. This route typically routes traffic to an ISP for public Internet access. In most examples in this publication, the all-nets-ip4 address object is used, which is the IPv4 subset of the all-nets address.

Core Routes

The Clavister NetShield Firewall automatically populates the active routing table with Core Routes. These routes are present for the system to understand where to route traffic that is destined for the system itself. There is one route added for each interface in the system. In other words, two interfaces named if1 and wan, and with IPv4 addresses 192.168.0.10 and 193.55.66.77, respectively, will result in the following routes:

Route #	Interface	Destination	Gateway
1	core	192.168.0.10
2	core	193.55.66.77

When the system receives an IP packet whose destination address is one of the interface IPs, the packet will be routed to the core interface. In other words, it is processed by cOS Stream itself.

There is also a core route added for all multicast addresses:

Route #	Interface	Destination	Gateway
1	core	224.0.0.0/4

6.3. Route Failover

6.3.1. Overview

The Route Failover feature is typically used in mission-critical situations where availability and connectivity are crucial. A typical example could be an enterprise where access to the Internet would be disrupted if a single flow to an external Internet Service Provider (ISP) fails. The solution would connectivity to a second ISP with route failover configured to use this second flow if the first fails.

This is illustrated in the diagram below, where there are different Ethernet interfaces and different routes being used to connect to ISP A and ISP B.

Figure 6.3. Route Failover Used for Internet Access

The Clavister NetShield Firewall implements route failover through the use of Route Monitoring in which cOS Stream monitors route connectivity by polling external hosts. cOS Stream will then switch traffic to an alternate route should this connectivity appear to be unavailable.

Setting Up Route Failover

To set up route failover, the following steps are required: Route Monitoring must be enabled and this is an option that is enabled on a route by route basis. To enable route failover in a scenario with a preferred and a backup route, the preferred route will have route monitoring enabled, however the backup route does not require this since it will usually have no route to failover to. When route monitoring is enabled for a route, one of the following monitoring methods must be chosen:

Decide on the route which requires a route failover if a network failure is detected. This will be sometimes referred to later as the primary route.
Make sure there is an alternate route in the route table to failover to. This route will not be chosen by default because of the value of its Metric property or because it has a wider Network property (cOS Stream will always choose the route with the narrowest fit for the destination IP).
Set up monitoring for the primary route. This can be one of the following two types:
1. Gateway Monitoring
  
  If the Gateway property has been specified as the next router hop for the route, accessibility to that gateway can be monitored by sending periodic IPv4 ARP or IPv6 ND messages (depending on if it is an IPv4 or IPv6 route being monitored). As long as the gateway responds to these requests, the route is considered to be functioning correctly.
  
  Gateway monitoring is the quickest and easiest way for the administrator to set up monitoring and is described further in Section 6.3.2, Gateway Monitoring.
2. Host Monitoring
  
  An alternative is to monitor the accessibility of one or more nominated hosts. These hosts might have known availability and polling them can indicate if traffic from the local Clavister NetShield Firewall is reaching them. Host monitoring also provides a way to measure the network delays in reaching remote hosts and to initiate failover to an alternate route if delays exceed administrator specified thresholds.
  
  A detailed discussion of host monitoring can be found in Section 6.3.3, Host Monitoring.
If the enabled monitoring method detects a connectivity failure, the route will be disabled and cOS Stream will search for an alternate route in the routing table.

Route Failover Processing

Once route monitoring is enabled, the processing steps are the following:

For every route with monitoring enabled, the designated host or hosts are monitored by polling.
Should monitoring indicate a problem with connectivity, the route is marked as disabled.
The system searches for an alternative route for the destination IP address. If one is found, that route is used for the traffic flow. If one is not found, traffic cannot flow.
The monitoring for the original route will continue even if the route is disabled. If monitoring indicates that connectivity is restored, the route will be re-enabled and used instead of the alternate route.
A restart will also cause a disabled route to be re-enabled. It can then be disabled if monitoring still indicates a connectivity problem.

Route failover processing is discussed further in Section 6.3.4, Route Monitoring Issues.

6.3.2. Gateway Monitoring

Gateway Monitoring is Simplified Host Monitoring

The idea with gateway monitoring is to provide a quick and easy way to enable host monitoring. Instead, gateway monitoring simplifies the process by requiring that only two Route object properties be set:

MonitorGateway

When enabled, this will set up host monitoring to the IP address value specified by the Gateway property of the Route object. If the Gateway has not been set then setting MonitorGateway has no effect. By default, gateway monitoring is disabled. cOS Stream will use a predefined set of host monitoring settings that cannot be altered by the administrator. It will use the ARP/ND polling method.

The following command will enable gateway monitoring for the second route (index=2) in the main routing table:
```
System:/> cc RoutingTable main
System:/RoutingTable/main> set Route 2
			RouteMonitor=Yes
			MonitorGateway=Yes
System:/RoutingTable/main> cc
System:/> 
```
The property RouteMonitor must always be enabled as well for both gateway monitoring and host monitoring.
GatewayMonitorInterval

The time in milliseconds between each poll. This is the only gateway polling variable that can be set and it can be set in one of two ways. It can be set globally:
```
System:/> set Settings RoutingSettings GatewayMonitorInterval=100
```
Alternatively, it can be set just on the route itself:
```
System:/> cc RoutingTable main
System:/RoutingTable/main> set Route 2 GatewayMonitorInterval=100
System:/RoutingTable/main> cc
System:/> 
```
The command above assumes that the route being changed is the second one (index=2) in the routing table main.

Gateway polling and host monitoring can be enabled at the same time. Gateway monitoring could be also be set up by the administrator using host monitoring but if there is a requirement to have precise control over all the configurable options.

6.3.3. Host Monitoring

Overview

To provide a more flexible and configurable way to monitor the integrity of routes, cOS Stream provides the additional capability to perform Host Monitoring. This feature means that one or more external host systems can be routinely polled to check that a particular route is available.

The advantages of host monitoring are twofold:

In a complex network topology it is more reliable to check accessibility to external hosts. Just monitoring a link to a local switch may not indicate a problem in another part of the internal network.
Host monitoring can be used to help in setting the acceptable Quality of Service level of Internet response times. Internet access may be functioning but it may be desirable to instigate route failover if response latency times become unacceptable using the existing route.

Enabling Host Monitoring

Enabling host monitoring requires the following steps:

The RouteMonitor property of a Route object must be set to Yes. This is a prerequisite for either enabling gateway monitoring or host monitoring.
The MonitorHosts property of the same Route object must be set to Yes. This can be done in the same CLI command as the previous step.
One or more MonitorHost objects are added as children to the Route object. Each MonitorHost object specifies a single host to monitor and the monitoring settings for that host. Multiple hosts can provide a higher certainty that any network problem resides in the local network rather than because a single remote host is unreachable.

Settings in the Route Object

For host monitoring there are the following related properties for a Route object:

GracePeriod

This is the period of time in seconds after startup or after reconfiguration of the Clavister NetShield Firewall which cOS Stream will wait before starting Route Monitoring. This waiting period allows time for all network links to initialize once the firewall comes online.
MinReachability

This is the minimum number of hosts that must be considered to be accessible before the route is deemed to have failed. The criteria for host accessibility are described below.
GratuitousARPOnChange setting

Send a gratuitous ARP or ND (depending on if the route is for IPv4 or IPv6) on the alternate route's interface to alert connected equipment of changes to MAC addresses and associated IP addresses. This is enabled by default and must be enabled for the alternate Route object.

Settings in the MonitoredHost Object

For each MonitoredHost object added to a Route object, there are a number of properties that should be set:

MonitoringMethod

The method by which the host is to be polled. Currently, this can be:
- ICMP - Polling using ICMP "Ping" messages. An IP address must be specified for this method and hosts must be configured to reply to such messages.
- ARP/ND - This is used only for hosts that are on the same network as the Clavister NetShield Firewall. It works by sending either an IPv4 ARP query or an IPv6 Neighbor Discovery message to the host specified by the IP address. Which one is sent depends on the IP address type of the Route object's Network property.
IPAddress

The IP address of the host when using the ICMP option. This will be either an IPv4 or an IPv6 address and this should agree with if the route is for an IPv4 or IPv6 network range.
OriginatorIP

The source IP address used when polling a host. If not specified, the LocalIP property of the Route object will be used and if that is not set then the IP address of the sending interface IP will be used.

Whichever source IP is used, its IP type (either IPv4 or IPv6) must agree with the IP type of the Network property of the Route object.
HostMonitorInterval

The interval in milliseconds between polling attempts. The default setting is 1000 milliseconds and the minimum value allowed is 10 milliseconds.
Samples

The number of polling attempts used as a sample size for calculating the Percentage Loss and the Average Latency. This value cannot be less than 1. The default value is 10.
MaxFailedSamples

The maximum permissible number of polling attempts that fail. If this number is exceeded then the host is considered unreachable. The default value is 2.
MaxLatency

The maximum number of milliseconds allowable between a poll request and the response. If this threshold is exceeded then the host is considered unreachable. Average Latency is calculated by averaging the response times from the host. If a polling attempt receives no response then it is not included in the averaging calculation.
ReachabilityRequired

When this is selected, the host must be determined as accessible in order for that route to be considered to be functioning. Even if other hosts are accessible, this option says that the accessibility of a host with this option set is mandatory.

Where multiple hosts are specified for host monitoring, more than one of them could have Reachability Required enabled. If cOS Stream determines that any host with this option enabled is not reachable, Route Failover is initiated.

Example 6.4. Setting Up Route Monitoring

This example will add route monitoring to the second route (index=2) in the main routing table. The monitoring will consist of polling two hosts on the same network. One host will be polled with ICMP and the other with ARP. If one host will not respond to ICMP because it is wrongly configured then we can check the other host's availability with ARP.

Change the CLI context to the main routing table.

System:/> cc RoutingTable main

Enable host monitoring:

System:/RoutingTable/main> set Route 2 RouteMonitor=Yes MonitorHosts=Yes

Change the CLI context to be the second route in the table:

System:/RoutingTable/main> cc Route 2

Add the first host monitor to the route which polls a host on the same network using ARP. The host is considered unreachable if 5 out of 15 attempts fails:

System:/RoutingTable/main/Route/2> add MonitoredHost
			MonitoringMethod=ARP/ND
			IPAddress=203.0.113.8
			Samples=15
			MaxFailedSamples=5

Add a second host monitor to the route which polls a remote host using ICMP (the default method). This host must be reachable:

System:/RoutingTable/main/Route/2> add MonitoredHost
			IPAddress=203.0.113.5
			ReachabilityRequired=Yes

Return to the original CLI context:

System:/RoutingTable/main> cc
System:/>

6.3.4. Route Monitoring Issues

This section will discuss various issues that should be considered when setting up route monitoring.

Any Automatically Added Routes Will Need Redefining

It is important to note that route monitoring cannot be enabled on automatically added routes. For example, the routes that cOS Stream creates at initial startup for physical interfaces (these are known as core routes) are such automatically added routes. Routes added automatically during IPsec tunnel setup are also of this type.

The reason why monitoring cannot be enabled for these routes is because automatically created routes have a special status in a configuration and are treated differently. If route monitoring is required on an automatically created route, the original route should first be deleted and then it should be recreated manually as a new route. Monitoring can then be enabled on this newly created route.

Setting the Route Metric

When specifying routes, the administrator should manually set a route's Metric property. The metric is a positive integer that indicates how preferred the route is as a means to reach its destination. When two routes offer a means to reach the same destination, cOS Stream will select the one with the lowest metric value for sending data (if two routes have the same metric, the route found first in the routing table will be chosen).

A primary, preferred route should have a lower metric (for example "10"), and a secondary, failover route should have a higher metric value (for example "20").

Multiple Failover Routes

It is possible to specify more than one failover route. For instance, the primary route could have two other routes as failover routes instead of just one. In this case the metric should be different for each of the three routes: "10" for the primary route, "20" for the first failover route and "30" for the second failover route. The first two routes would have route monitoring enabled in the routing table but the last one (with the highest metric) would not since it has no route to failover to.

Failover Processing

Whenever monitoring determines that a route is not available, cOS Stream will mark the route as disabled and instigate route failover for existing and new flows. For already established flows, a route lookup will be performed to find the next best matching route and the flows will then switch to using the new route. For new flows, route lookup will ignore disabled routes and the next best matching route will be used instead.

The table below defines two default routes, both having all-nets as the destination, but using two different gateways. The first, primary route has the lowest metric and also has route monitoring enabled. Route monitoring for the second, alternate route is not meaningful since it has no failover route.

Route #	Interface	Destination	Gateway	Metric	Monitoring
1	wan	all-nets	195.66.77.1	10	On
2	wan	all-nets	193.54.68.1	20	Off

When a new flow is about to be established to a host on the Internet, a route lookup will result in the route that has the lowest metric being chosen. If the primary WAN router should then fail, this will be detected by cOS Stream, and the first route will be disabled. As a consequence, a new route lookup will be performed and the second route will be selected with the first one being marked as disabled.

Re-enabling Routes

Even if a route has been disabled, cOS Stream will continue to check the status of that route. Should the route become available again, it will be re-enabled and existing flows will automatically be transferred back to it.

Route Interface Grouping

When using route monitoring, it is important to check if a failover to another route will cause the routing interface to be changed. If this could happen, it is necessary to take some precautionary steps to ensure that policies and existing flows will be maintained.

To illustrate the problem, consider the following configuration:

First, there is one IP rule that will NAT all HTTP traffic destined for the Internet through the wan interface:

Action	Src Iface	Src Net	Dest Iface	Dest Net	Parameters
NAT	if1	if1_net	wan	all-nets	http

The routing table consequently contains the following default route:

Interface	Destination	Gateway	Metric	Monitoring
wan	all-nets	203.0.113.1	10	Off

Now a secondary route is added over a backup DSL connection and Route Monitoring is enabled for this. The updated routing table will look like this:

Route #	Interface	Destination	Gateway	Metric	Monitoring
1	wan	all-nets	203.0.113.1	10	On
2	dsl	all-nets	198.51.100.1	20	Off

Notice that route monitoring is enabled for the first route but not the backup, failover route.

As long as the preferred wan route is healthy, everything will work as expected. Route monitoring will also be functioning, so the secondary route will be enabled if the wan route should fail.

There are, however, some problems with this setup: if a route failover occurs, the default route will then use the dsl interface. When a new HTTP flow is then established from the intnet network, a route lookup will be made resulting in a destination interface of dsl. The IP rules will then be evaluated, but the original NAT rule assumes the destination interface to be wan so the new flow will be dropped by the rule set.

In addition, any existing flows matching the NAT rule will also be dropped as a result of the change in the destination interface. Clearly, this is undesirable.

To overcome this issue, potential destination interfaces should be grouped together into an InterfaceGroup object and the SecurityEquivalentInterfaces property of each interface should be set to the other interfaces in the group (see Section 3.6, Security/Transport Equivalence for more on this topic). This InterfaceGroup object will then used as the destination interface in IP rules. For more information on groups, see Section 3.4, Interface Groups.

6.4. Virtual Routing

6.4.1. Overview

Virtual Routing allows cOS Stream route lookup to be logically separated between different routing tables. This can be regarded as creating Virtual Routers within a single Clavister NetShield Firewall.

Enabling Virtual Routing

The following steps are needed to enable virtual routing:

Create one or more RoutingTable objects containing the routes that will be used for route lookup.
Associate an interface with a RoutingTable object by setting its RoutingTableMembership property. This means that all traffic received on the interface will be subject to route lookups in the designated table. Any reverse route lookups performed by cOS Stream will also be performed using the specified table.

Example 6.5. Associating an Interface with a Routing Table

In this example, the Ethernet interface if1 is associated with the routing table my_rtable.

System:/> set Interface if1 RoutingTableMembership=my_rtable

The Addition of Core Routes to Routing Tables

If the RoutingTableMembership is left at the default value of <all> then the core route for the interface (the route to the IP address of the interface) is automatically added to all RoutingTable objects. However, route lookup is only done using the main table.

If RoutingTableMembership is set to a specific RoutingTable object then the core route for the interface is only added to that routing table.

This is also true if the RoutingTableMembership is explicitly set to be the routing table main. If this is done, the core route is only added to the main table.

6.4.2. A Simple Virtual Routing Scenario

This section examines a simple scenario where virtual routing might be used. Consider a single Clavister NetShield Firewall connected to two external ISPs called ISP1 and ISP2.

ISP1 provides Internet connection to Department A and connects to the Clavister NetShield Firewall via the physical interface if1.

ISP2 provides Internet connection to Department B and connects via the physical interface if2. Using virtual routing, the Clavister NetShield Firewall is to be divided into 2 separated virtual routers, one for each ISP.

The virtual routers are set up using two dedicated routing tables, one called RT1 for ISP1 and Department A traffic. A second routing table called RT2 deals with ISP2 and Department B traffic.

The interface if1 is associated with RT1. Interface if2 is associated with RT2.

Reusing Internal IP Addresses

An advantage of using separate routing tables on different interfaces is that internal IP address ranges can be reused. For example, Department A and Department B could both use the internal network 192.168.0.0/24.

Since route lookup is done in separate routing tables, there are no conflicts.

VPN Tunnels are Logical Interfaces

VPN tunnels are also considered to be interfaces in cOS Stream and can therefore also be associated with their own routing tables just as physical interfaces can.

6.4.3. IPsec Virtual Routing

Virtual Routing is supported for IPsecTunnel objects. This is implemented by being able to assign different routing tables for encrypted traffic inside the tunnel and the IKE/IPsec traffic outside the tunnel. The different routing tables can be assigned using an IPsecTunnel object's RoutingTableMembership and OuterRoutingTable properties.

This separation of routing between tunnels allows the complete separation of the traffic that flows through them and also allows the reuse of IP address ranges across tunnels.

Virtual Routing Setup with IPsec

To enable virtual routing for IPsec, the following properties should be assigned suitable values for each IPsecTunnel object:

RoutingTableMembership

This is the routing table for the "inner" encrypted tunnel traffic. The predefined main routing table might be used for this purpose in some cases.
OuterRoutingTable

This is the routing table for the tunnel's "outer" IKE and IPsec traffic. It specifies which routing table the source interface is to be a member of (in case it is found in multiple routing tables).

Note that cOS Stream can also handle the unusual case of asymmetric routing where the incoming and outgoing traffic for a flow can use different interfaces. For IPsec virtual routing, this means that the SourceInterface does not have to be associated with the OuterRoutingTable.

Optional Setup Properties

The following IPsecTunnel object properties might also be assigned values for setting up virtual routing:

LocalEndpoint

This is the local IP address to which the remote IPsec peers connect. Setting this value means that the tunnel will only be selected when peers connect to this IP address.
SourceInterface

This is the interface which receives outer IKE and IPsec traffic. If this is not specified then cOS Stream will listen on all interfaces. Specifying this value will ensure the tunnel listens only on a specific interface.

Example 6.6. Setting Up IPsec Virtual Routing

This example shows how an existing IPsecTunnel object called my_ipsec_tunnel1 is configured for virtual routing so it is completely separated from other tunnels.

The following is assumed:

The interface if1 and network if1_net are on the protected side of the firewall. The remote network will connect to the local network if1_net.
The interface if2 and network if2_net are on the unprotected side. The IP address object if2_gw is the IP of an external router connected to if2.
The remote network from which traffic inside the tunnel originates is represented by the IP address object remote_net.
The SourceInterface will be set to if2. This is the interface on which IKE and IPsec traffic is received.
The LocalEndpoint IP address of 203.0.113.5 will be used. This is the IP address to which the remote IPsec peer must connect.
It is assumed that two new routing tables have been created to route traffic correctly. One table is called outer_rt and this will be used to route the tunnel's outer IKE and IPsec traffic. The second routing table is called inner_rt and will route the traffic inside the tunnel. The contents of both tables are shown below.

Routing table outer_rt

#	Interface	Network	Gateway
1	if2	if2net
2	if2	all-nets	gw-if2

Routing table inner_rt

#	Interface	Network	Gateway
1	if1	if1net
2	my_ipsec_tunnel1	remote_net

Command-Line Interface

System:/> set Interface IPsecTunnel1 my_ipsec_tunnel
			SourceInterface=if2
			LocalEndpoint=203.0.113.5
			RoutingTableMembership=inner_rt
			OuterRoutingTable=outer_rt

6.4.4. Troubleshooting

The following are some simple diagnostic steps that can be used to identify problems with virtual routing.

Make sure that the IP rule source interface filters are correct.
Double check interface routing table membership. For all types of interfaces and tunnels.
Use "ping -routingtable=<table>" to source pings from different routing tables.
Use "arpsnoop -verbose <ifacenames>" to get verbose information about ARP resolution.
Use "routes <routingtable> -alltypes" to view all route entries in a given table, including "core" routes.
Use "routes -lookup=<ipaddr> <routingtable>" to make sure that a given IP address is routed the way it should be.
Use "flow -verbose" to view verbose information about open flows. Both ends of a flow will be shown; before and after address translation. Also, the routing tables used in the forward and return direction will be shown.
Enable logging and read the logs. In each virtual router, a separate IP rule decision is made, and a separate flow is established.

6.5. Policy-based Routing

Overview

Policy-based Routing (PBR) is a routing feature that provides administrators with significant flexibility in implementing routing policies by being able to use different routing tables for different traffic flows.

Normal routing forwards packets based on the destination IP address using information derived from statically configured routes or from dynamic routes added during runtime by features such as IPsec or OSPF. Instead, policy-based routing allows routes to be chosen based on other traffic characteristics in addition to the destination IP.

Policy-based routing allows the following:

Source-based Routing

A different routing table can be chosen based on the source interface and/or source IP address of the traffic. For example, when more than one ISP is used to provide Internet services, policy-based routing can route traffic originating from different sets of users through different routes.

When filtering on source IP address, traffic from one address range might be routed through one ISP while traffic from another address range might be routed through a second ISP. The same can be applied for the source interface.

Destination-based Routing

A different routing table can be chosen based on the destination network of traffic.

Destination-based routing can be combined with source-based routing so both source and destination is used to determine the routing table to use.

	Note
	As the destination interface is unknown until the route lookup has been done, policy-based routing cannot be based on the destination interface.

Service-based Routing

A routing table can be chosen based on the traffic Service, meaning the transport protocol such as TCP or UDP, together with the source and/or destination port numbers. Policy-based routing can therefore route a given protocol, such as HTTP, through proxies such as Web caches. Specific services might also be routed through a specific ISP so that one ISP handles all SNMP traffic.

Service-based routing can be combined with source-based and/or destination-based routing so that all three are considered when choosing a routing table.

Policy-based Routing Components

Policy-based routing in cOS Stream is implemented using two configuration components:

Alternate Routing Tables

The administrator defines one or more alternate RoutingTable objects in addition to the default main routing table.

These are also sometimes referred to in documentation as Named Routing Tables.
Routing Rules

One or more RoutingRule objects are created to determine which routing table to use for which traffic.

cOS Stream provides a predefined parent object called PBRRules to which RoutingRule objects are added.

Creating Alternate Routing Tables

cOS Stream has one predefined routing table called main. In addition to the main table, it is possible to define one or more, additional routing tables for policy-based routing. These will also be referred to in this document as alternate routing tables.

Alternate routing tables contain the same information for describing routes as main. Additionally, they have an extra property called Ordering. The Ordering property decides how route lookup is performed using alternate tables in conjunction with the main routing table. This is described further under the heading "The Ordering Property" below.

Example 6.7. Creating an Alternate Routing Table

In this example, a new routing table called my_pbr_table is created with the Ordering property set to First.

Command-Line Interface

To create the routing table:

System:/> add RoutingTable my_pbr_table Ordering=First

Example 6.8. Adding Routes to an Alternate Routing Table

After defining the routing table MyPBRTable, routes can be added to the table. Assume that the route to a network my_network is to be defined for the if3 interface.

Command-Line Interface

First, change the CLI context to be the routing table:

System:/> cc RoutingTable my_pbr_table

Now, add the route:

System:/RoutingTable/my_pbr_table> add Route
			Interface=if3
			Network=my_network

Finally, change back to the default CLI context:

System:/RoutingTable/my_pbr_table> cc
System:/>

Creating Routing Rules

A RoutingRule object in the routing rule set can decide which routing table is selected. By default, there is a single routing rule set defined in cOS Stream which has the object name PBRRules and all routing rules are added to it as children.

A RoutingRule has a number of filtering properties that are similar to those used in an IP rule. A rule can trigger on a type of service (HTTP for example) in combination with the specified source interface and source/destination network. Routing rules cannot be filtered on destination interface as it would not be known before route lookup.

When looking up routing rules, the rule set is searched from top to bottom and it is the first matching rule found that is triggered.

Example 6.9. Creating a Routing Rule

In this example, a routing rule called my_routing_rule is created. This will select the routing table my_pbr_table for any http traffic destined for the network my_network.

Command-Line Interface

First, change the context to be the routing rule set:

System:/> cc PBRRules

Next, add the routing rule:

System:/PBRRules> add RoutingRule
			Service=http
			SourceInterface=any
			SourceNetwork=all-nets-ip4
			DestinationNetwork=my_network
			ForwardRoutingTable=my_pbr_table
			ReturnRoutingTable=my_pbr_table
			Name=my_routing_rule

This current contents of the routing rule set can be listed:

System:/PBRRules> show

RoutingRule

  # Name Source interface Source network Destination network Service
  - ---- ---------------- -------------- ------------------- ------------
+ 1 my   any              all-nets       my_network          http

Finally, change back to the default CLI context:

System:/PBRRules> cc
System:/>

Routing Rules can use IPv4 or IPv6 Addresses

Routing rules support either IPv4 or IPv6 addresses as the source and destination network for a rule's filtering properties.

However, both the source and destination network must be either IPv4 or IPv6. It is not permissible to combine IPv4 and IPv6 addresses in a single rule. For further discussion of this topic, see Section 5.4, IPv6 Support.

For this reason it is recommended to not use the all-nets address object in a routing rule. It is better to use either all-nets-ip4 or all-nets-ip6 so that it is clear what kind of IP addresses the rule applies to.

The Forward and Return Routing Table can be Different

In most cases, the routing table for forward and return traffic will be the same. However, in some cases it can be advantageous to have different values.

Consider the example of a firewall with two hypothetical interfaces wan1 and wan2 connected to two ISPs and with a protected network if1_net on the if1 interface. All IP addresses are assumed to be IPv4.

Assume, that there are two routing tables, the main routing table and an alternate routing table called isp2_rt. The contents of these tables are shown below:

The main routing table

Index #	Interface	Network	Gateway
1	if1	if1_net
2	wan1	all-nets-ip4	isp1_ip

The isp2_rt routing table

Index #	Interface	Destination	Gateway
1	wan2	all-nets-ip4	isp2_ip

If traffic coming through wan2 is to have access to if1_net then a routing rule needs to be defined as follows:

Source Interface	Source Network	Destination Network	Forward Routing Table	Return Routing Table
wan2	all-nets-ip4	if1_net	main	isp2

This rule allows the forward traffic received through the wan2 interface to find the route for if1_net in the main routing table. The return traffic will use the isp2_rt table so it can reach the initiator of the flow.

With IPv4, this example would most likely have some address translation rules since if1_net will probably be a private IP network. For simplicity, these details have been omitted.

Interface Routing Table Membership

If a particular routing table is to be always used for traffic from a given source interface, regardless of the service, it is possible to associate the source interface explicitly with a particular routing table using the Routing Table Membership property of the interface.

The difference with this method of explicit association is that the administrator cannot specify the service, such as HTTP, for which the lookup will apply. Routing rules allow a more fine-grained approach to routing table selection by being able to also select a specific service and network filter.

The Routing Table Selection Process

When a packet corresponding to a new flow first arrives, these are the processing steps taken to determine which routing table to use:

The routing rules are looked up first. A search is made for a routing rule that matches the packet's source interface, source/destination network as well as service. If a matching rule is found then this determines the routing table to use.
If no matching routing rule is found, a check is made to see if the receiving interface is a member of a specific routing table. If the interface is associated with a particular routing table through its Routing Table Membership property, that routing table will be used. If there is no membership then the main table will be used.

The Ordering Property

When route lookups are to be performed in an alternate routing table, the Ordering property of the table decides how the alternate table is combined with the main routing table to lookup the route.

The three available options for the Ordering property are:

First

With this option, route lookups will first of all be done in the alternate routing table. If no matching route is found there, the lookup will continue in the main routing table.

Note that if a default route (a route with all-nets-ip4 or all-nets-ip6 as the network) is found in the alternate table, it will be counted as a match.
Last

The behavior for this option is to start the route lookup in the main table. If no matching route is found, or the default route is found, a lookup for a matching route in the alternate table is performed. If no match is found in the alternate table then the default route in the main table will be used.
Only

Route lookups will only be done in the alternate routing table. The existence of any other table is ignored. This is the default behavior.

This option gives the administrator a way to dedicate a single routing table to one set of interfaces.

Important: Check that a default route exists

A common mistake when setting up policy-based routing with First or Last ordering is the absence of a default route with a destination network of all-nets-ip4 or all-nets-ip6 in the main routing table. If there is no matching route, the absence of a default route will mean that the traffic will be dropped.

The need for a default route applies regardless if the routing table is selected by using a routing rule, or by using the RoutingTableMembership property.

Setting Up Policy-based Routing with Multiple ISPs

A multiple ISP scenario is a common use of policy-based routing. Consider the situation where there are two protected networks, if1_net and if2_net, on a Clavister NetShield Firewall connected to the interfaces if1 and if2 respectively.

Now, suppose that are two different ISPs, ISP A with the gateway address isp_A_gw, and ISP B with the gateway address isp_B_gw. These ISPs are connected to the firewall interfaces wan1 and wan2 respectively.

The requirement is to have hosts and clients on if1_net use only ISP A for Internet connection. Similarly, if2_net is to use only ISP B.

The contents of the main routing table will be as follows:

Interface	Network	Gateway
if1	if1_net
if2	if2_net
wan1	all-nets-ip4	isp1_gw_ip

An alternate routing table rt2 is created with the following entry:

Interface	Network	Gateway
wan2	all-nets-ip4	isp2_gw_ip

The table rt2 has its Ordering property set to Last, which means that it will only be consulted if a lookup in the main routing table gives a match with the default all-nets route.

The policy-based routing rule set contains a single rule that triggers on traffic coming from the if2_net network bound for the public Internet:

Source Interface	Source Network	Destination Network	Selected Service	Forward RoutingTable	Return Routing Table
if2	if2_net	all-nets-ip4	all_services	rt2	rt2

When the configuration objects listed above are created, the result is that flows originating from clients and hosts on if1_net and if2_net to the public Internet will be routed to the intended ISP.

Although routed correctly, the appropriate IPRule objects that are needed to allow these flows have been omitted from the description above.

6.6. OSPF

The feature called Dynamic Routing is implemented in cOS Stream using the Open Shortest Path First (OSPF) architecture.

This section begins by looking generally at the ways in which dynamic routing can be implemented. It then looks at how OSPF provides dynamic routing followed by a description of how OSPF is set up.

6.6.1. Dynamic Routing

Before looking at OSPF in detail, this section will discuss the general concept of Dynamic routing and the type of dynamic routing provided by OSPF. It introduces important concepts in dynamic routing and in OSPF.

Differences with Static Routing

Dynamic routing is different to static routing in the following respects:

Network devices that perform routing share exchange routing information.
These network devices are able to automatically adapt routing to changes in network topology.

Dynamic routing involves network devices performing the following processing steps:

Learn about all the connected routing devices.
Receive information from these devices about which networks they are connected to.
Process the received information so that the best routes for remotely connected destinations are available in the device's local routing tables.

Dynamic routing responds to routing changes dynamically but has the disadvantage that it can be more susceptible to certain problems such as routing loops where traffic is routed back to the originating router.

Selecting the "Best" Route

One of two types of algorithms are generally used to implement dynamic routing and to select the "best" route:

A Distance Vector (DV) algorithm.
A Link State (LS) algorithm.

How a router decides the optimal or "best" route and then shares updated information with other routers depends on the type of algorithm used. The two most common algorithm types are discussed next.

Distance Vector Algorithms

A Distance Vector (DV) algorithm is a decentralized routing algorithm that computes the best path in a distributed way.

Each router in a network computes the "costs" of its own attached links, and shares routing information only with its neighboring routers. Each router determines the least-cost path to a destination by iterative computation and also using information exchanged with its neighbors.

Routing Information Protocol (RIP) is a well-known DV algorithm for router information exchange and operates by sending regular update messages and reflecting routing changes in routing tables. Path determination is based on the "length" of the path which is the number of intermediate routers (also known as "hops") to the destination.

After updating its own routing table, the router immediately begins transmitting its entire routing table to neighboring routers to inform them of changes.

Link State Algorithms

In contrast to DV algorithms, Link State (LS) algorithms enable routers to keep routing tables that reflect the topology of the entire network.

Each router broadcasts its attached links and link costs to all other routers in the network. When a router receives these broadcasts it runs the LS algorithm locally and calculates its own set of least-cost paths. Any change of the link state will be sent everywhere in the network, so that all routers keep the same routing table information and have a consistent view of the network.

Advantages of Link State Algorithms

Since global link state information is maintained throughout a network, LS algorithms, like the one used in OSPF, offer a high degree of configuration control and scalability. Changes result in broadcasts of only the updated information to other routers which means faster convergence and less possibility of routing loops. OSPF can also function within a hierarchy, whereas RIP has no knowledge of sub-network addressing.

The OSPF Solution

Open Shortest Path First (OSPF) is a widely used dynamic routing architecture which is based on LS algorithms. The Clavister NetShield Firewall can implement dynamic routing using OSPF.

An OSPF enabled router first identifies the routers and sub-networks that are directly connected to it and then broadcasts the information to all the other routers. Each router uses the information it receives to add the OSPF learned routes to its routing table.

With this larger picture, each OSPF router can identify the best route to a given destination IP. OSPF routers will then only broadcast updates to inform others of any route changes instead of broadcasting the entire routing table.

OSPF depends on various metrics for path determination, including hops, bandwidth, load and delay. OSPF can also provide a high level of control over the routing process since its parameters can be finely tuned.

A Simple OSPF Example

The network topology illustrated below provides a simple example of what can be achieved using OSPF. Here, there are two Clavister NetShield Firewalls, A and B, connected together directly and configured to be in the same OSPF area (the concept of OSPF area will be explained later).

Figure 6.4. A Simple OSPF Example

OSPF allows firewall A to know that in order to reach network Y, traffic needs to be sent to firewall B. Instead of manually inserting this routing information into the routing tables of A, OSPF allows B's routing table information to be shared with A.

In the same way, OSPF allows firewall B to automatically become aware that network X can be reached via firewall A.

Under OSPF, this exchange of routing information is completely automatic.

OSPF Provides Route Redundancy

Now take the above scenario and add a third Clavister NetShield Firewall called C. This is illustrated below.

Figure 6.5. OSPF Providing Route Redundancy

OSPF allows each of the three firewalls to share routing information with each other. Each of the three firewalls can be aware of what networks are reachable through the other two firewalls.

In addition, there is now route redundancy between any two of the firewalls. For example, if the direct link between A and C fails then OSPF allows both firewalls to know immediately that there is an alternate route between them via firewall B.

For instance, traffic from network X which is destined for network Z will be routed automatically through firewall B. When there is no failure and both alternate routes are available, OSPF determines which is the "best" route.

From the administrator's point of view, only the routes for directly connected networks need to be configured on each firewall. OSPF automatically provides the required routing information to find networks reachable via other firewalls, even if traffic needs to transit several firewalls to reach its destination.

	Tip: Ring topologies always provide alternate routes
	When designing the topology of a network that implements OSPF, arranging the Clavister NetShield Firewalls in a circular ring means that any firewall always has two possible routes to any other. Should any one inter-firewall connection fail, an alternative path always exists.

A Look at Routing Metrics

In discussing dynamic routing and OSPF further, an understanding of Routing Metrics can be useful and a brief explanation is given here.

Routing metrics are the criteria that a routing algorithm will use to compute the "best" route to a destination. A routing protocol relies on one or several metrics to evaluate links across a network and to determine the optimal path. The principal metrics used with OSPF include:

Path length: The sum of the costs associated with each link. A commonly used value for this metric is called "hop count" which is the number of routing devices a packet must pass through when it travels from source to destination.
Item Bandwidth: The traffic capacity of a path in Mbps.
Load: The usage of a router. The usage can be evaluated by CPU utilization and throughput.
Delay: The time it takes to move a packet from the source to the destination. The time depends on various factors, including bandwidth, load, and the length of the path.

6.6.2. OSPF Concepts

Overview

Open Shortest Path First (OSPF) is a routing protocol developed for IP networks by the Internet Engineering Task Force (IETF). The Clavister NetShield Firewall OSPF implementation is based upon RFC 2328, with compatibility to RFC 1583.

OSPF functions by routing IP packets based only on the destination IP address found in the IP packet header. IP packets are routed "as is", in other words they are not encapsulated in any further protocol headers as they transit the OSPF Autonomous System (AS).

The Autonomous System

The term Autonomous System (AS) refers to a single network or group of networks with a single, clearly defined routing policy controlled by a common administrator. It forms the top level of a tree structure which describes the various OSPF components.

OSPF Routers

An AS corresponds to a number of separate network devices which are running as OSPF Routers. A Clavister NetShield Firewall becomes an OSPF router by having an OSPFProcess object defined.

In most scenarios, only a single AS is required and therefore only a single OSPFProcess object needs to be defined on each Clavister NetShield Firewall involved in the OSPF AS. This object is described further in Section 6.6.3.1, The OSPFProcess Object.

Link-state Routing

OSPF makes use of link-state routing (LS). This means Link-state Advertisements (LSAs) are sent to the other routers within the same area. Each router maintains a database, known as a Link-state Database, which maps the topology of the autonomous system (AS). Using this database, each router constructs a tree of shortest paths to other routers, with itself as the root. This shortest-path tree is used to determine the best route to each destination in the AS.

OSPF Authentication.

All OSPF protocol exchanges can, if required, be authenticated. This means that only OSPF routers with the correct authentication can join an AS. Different authentication schemes can be used. Authentication can be performed using either a passphrase or an MD5 digest.

Authentication should be viewed as a way to make sure that the correct OSPF routers join an AS. It is therefore most useful when more than one AS is defined. This feature is described further in Section 6.6.3.1, The OSPFProcess Object.

OSPF Areas

An OSPF Area is a way of creating subgroups of networks and hosts within an OSPF AS. OSPF routers that are only connected to a single area are called internal routers. All interfaces on internal routers are directly connected to networks within the area.

The topology of an area is hidden from the rest of the AS. This information hiding reduces the amount of routing traffic exchanged. Also, routing within the area is determined only by the area's own topology, giving an area protection from bad routing data. An area is a generalization of an IP subnetted network.

Areas are defined by OSPFArea objects and are added to OSPFProcess objects. There can be more than one area within an AS so multiple OSPFArea objects could be added to a single OSPFProcess. In simple OSPF scenarios, a single OSPF area is sufficient and it should be defined on each Clavister NetShield Firewall which will be part of the OSPF AS.

This area object is described further in Section 6.6.3.2, The OSPFArea Object.

Components Related to OSPF Areas

A summary of OSPF components related to an area is given below:

ABRs

Area Border Routers are routers that have interfaces connected to more than one area. These maintain a separate topological database for each area to which they have an interface.

ASBRs

Routers that exchange routing information with routers in other Autonomous Systems are called Autonomous System Boundary Routers. They advertise externally learned routes throughout the Autonomous System.

Backbone Areas

All OSPF AS' need to have at least the Backbone Area which is the OSPF area with an ID of 0. This is the area that other related areas should be connected to. The backbone ensures routing information is distributed between connected areas. When an area is not directly connected to the backbone it needs a virtual link to it.

An OSPF AS should be designed by beginning with the backbone.

Stub Areas

Stub areas are areas through which or into which AS external advertisements are not flooded. When an area is configured as a stub area, the router will automatically advertise a default route so that routers in the stub area can reach destinations outside the area.

Transit Areas

Transit areas are used to pass traffic from an area that is not directly connected to the backbone area.

The Designated Router

Each OSPF broadcast network has a single Designated Router (DR) and a single Backup Designated Router (BDR). The routers use OSPF Hello messages to determine the DR and BDR based on the priorities advertised by all the routers. If there is already a DR on the network, the router will accept that one, regardless of its own router priority.

With the Clavister NetShield Firewall, the DR and the BDR are assigned automatically.

OSPF Neighbors

Routers that are in the same area become neighbors in that area. Neighbors are elected by the use of OSPF Hello messages. These are sent out periodically on each interface using IP multicast. Routers become neighbors as soon as they see themselves listed in a neighbor's Hello message. In this way, two way communication is guaranteed.

The following Neighbor States are defined:

Down

This is the initial state of the neighbor relationship.

Init

When a Hello message is received from a neighbor, but does not include the Router ID of the firewall in it, the neighbor will be placed in the Init state.

As soon as the neighbor in question receives a Hello message it will know the sending router's Router ID and will send a Hello message with that included. The state of the neighbors will change to the 2-way state.

2-Way

In this state the communication between the router and neighbor is bi-directional.

On Point-to-Point and Point-to-Multipoint OSPF interfaces, the state will be changed to Full. On Broadcast interfaces, only the DR/BDR will advance to the Full state with their neighbors, all the remaining neighbors will remain in the 2-Way state.

ExStart

Preparing to build adjacency.

Exchange

Routers are exchanging Data Descriptors.

Loading

Routers are exchanging LSAs.

Full

This is the normal state of an adjacency between a router and the DR/BDR.

OSPF Aggregates

OSPF Aggregation is used to combine groups of routes with common addresses into a single entry in the routing table. This is commonly used to minimize the routing table.

To set this feature up in cOS Stream, see Section 6.6.3.5, OSPF Aggregates.

Virtual Links

Virtual links are used for the following scenarios:

A. Linking an area that does not have a direct connection to the backbone area.

B. Linking backbone areas when the backbone is partitioned.

These two uses are discussed next.

A. Linking areas without direct connection to the backbone

The backbone area always needs to be the center of all other areas. In some rare cases where it is impossible to have an area physically connected to the backbone, a Virtual Link is used. Virtual links can provide an area with a logical path to the backbone area.

This virtual link is established between two Area Border Routers (ABRs) that are on one common area, with one of the ABRs connected to the backbone area. In the example below two routers are connected to the same area (Area 1) but just one of them, fw1, is connected physically to the backbone area.

Figure 6.6. Virtual Links Connecting Areas

In the above example, a Virtual Link is configured between fw1 and fw2 on Area 1 as it is used as the transit area. In this configuration only the Router ID has to be configured. The diagram shows that fw2 needs to have a Virtual Link to fw1 with Router ID 192.168.1.1 and vice versa. These virtual links need to be configured in Area 1.

B. Linking a Partitioned Backbone

OSPF allows for linking a partitioned backbone using a virtual link. The virtual link should be configured between two separate ABRs that touch the backbone from each side and have a common area in between.

Figure 6.7. Virtual Links with Partitioned Backbone

The virtual link is configured between fw1 and fw2 on Area 1 as it is used as the transit area. In the configuration, only the Router ID has to be configured, as in the example above show fw2 need to have a virtual link to fw1 with the Router ID 192.168.1.1 and vice versa. These virtual links need to be configured in Area 1.

To set this feature up in cOS Stream, see Section 6.6.3.6, The OSPFVLink Object.

Using OSPF

When using OSPF, there will be two or more firewalls connected together in some topology. OSPF will allow any of these firewalls to be able to correctly route traffic to a destination network connected to another firewall without needing a static route to be added manually to its routing tables.

OSPF allows connected Clavister NetShield Firewalls to share the information in their routing tables so that traffic entering an interface on one of the firewalls can be automatically routed so that it exits another firewall's interface on which the destination network is reachable.

Another important aspect is that the firewalls monitor the connections between each other and route traffic by an alternate connection if one is available. For scenarios involving more than two firewalls, a network topology can therefore be designed to provide tolerance for single link failures. If a connection between any two firewalls fails then an alternate traffic route is available between them.

OSPF High Availability Support

OSPF is supported by the High Availability (HA) feature. However, there are some issues that should be noted:

Both the active and the inactive unit of an HA cluster will run separate OSPF processes, but the inactive unit will make sure that it is not the preferred choice for routing.
The HA master and slave will not form OSPF adjacency with each other and are not allowed to become a DR or BDR on broadcast networks. This is done by forcing the router priority to 0.
For OSPF HA support to work correctly, the Clavister NetShield Firewall needs to have a broadcast interface with at least one neighbor for all areas that the firewall is attached to. This is because the inactive unit in the cluster needs a neighbor to get the link state database from.
It is not possible to put an HA cluster on the same broadcast network without any other neighbors (they will not form OSPF adjacency with each other because of the router priority is 0). However, it may be possible, depending on the scenario, to set up a point to point link between them instead.
Special care must also be taken when setting up a virtual link to firewalls in an HA cluster. When the endpoint sets up a link to any HA firewall, it must set up 3 separate links: one to the shared, one to the master and one to the slave router id of the firewall.

6.6.3. OSPF Configuration Objects

This section looks at the objects that need to be configured to describe the OSPF AS structure and also lists the most important properties for these objects. The objects are defined on each Clavister NetShield Firewall that is part of the OSPF AS and will usually describe a single AS.

An illustration of the relationship between different OSPF objects is shown below.

Figure 6.8. OSPF Objects

	Note
	Dynamic routing rules are not included in the above diagram. They describe the rules for importing and exporting routes and do not describe the OSPF structure. They are covered in Section 6.6.4, Dynamic Routing Rules.

6.6.3.1. The OSPFProcess Object

This object defines the autonomous system (AS) which is the top level of the OSPF AS structure. A similar OSPFProcess object should be defined on each Clavister NetShield Firewall which is part of the OSPF AS.

General Parameters

Name

Specifies a symbolic name for the OSPF AS.

RouterID

Specifies the IP address that is used to identify the router in a AS. If no Router ID is configured, the firewall computes the Router ID based on the highest IP address of any interface participating in the OSPF AS.

PrivRouter ID

This is used in an HA cluster and is the ID for this firewall and not the cluster.

	Note
	When running OSPF on a HA Cluster there is a need for a private master and private slave Router ID as well as the shared Router ID.

RefBandwidthValue

Set the reference bandwidth that is used when calculating the default interface cost for routes.

If bandwidth is used instead of specifying a metric on an OSPF Interface, the cost is calculated using the following formula:

cost = reference bandwidth / bandwidth

RFC1583

Enable this if the Clavister NetShield Firewall will be used in a environment that consists of routers that only support RFC 1583.

Authentication

OSPF supports the following authentication options:

No (null) authentication

No authentication is used for OSPF protocol exchanges.

AuthPassphrase

A simple password is used to authenticate all the OSPF protocol exchanges.

AuthMD5ID

MD5 authentication consists of a key ID and 128-bit key. When MD5 digest is used the specified key is used to produce the 128-bit MD5 digest.

This does NOT mean that the OSPF packets are encrypted. If the OSPF traffic needs to be encrypted then they must be sent using a VPN. For example, using IPsec. Sending OSPF packets through an IPsec tunnel is discussed further in Section 6.6.5, Setting Up OSPF.

Note: Authentication must be the same on all routers

If a passphrase or MD5 authentication is configured for OSPF, the passphrase or authentication key must be the same for all the OSPFProcess objects in an Autonomous System (AS).

In other words, the same OSPF authentication must be replicated on all Clavister NetShield Firewalls.

Advanced

Time Settings

SPFHoldTime: Specifies the minimum time, in seconds, between two SPF calculations. The default time is 10 seconds. A value of 0 means that there is no delay. Note, however, that SPF can potentially be a CPU demanding process, so with large network topologies it is not recommended to run it often.
SPFDelayTime: Specifies the delay time, in seconds, between when OSPF receives a topology change and when it starts an SPF calculation. The default time is 5 seconds. A value of 0 means that there is no delay. Note again that SPF can potentially be a CPU demanding process, so with large network topologies it is not recommended to run it often.
LSAGroupPacing: This specifies the time in seconds at which interval the OSPF LSAs are collected into a group and refreshed. It is more optimal to group many LSAs and process them at the same time, instead of running them one and one.
RoutesHoldTime: This specifies the time in seconds that the routing table will be kept unchanged after a reconfiguration of OSPF entries or a HA failover.

Memory Settings

MemoryMaxUsage: Maximum amount in Kilobytes of RAM that the OSPF AS process are allowed to use, if no value is specified the default is 1% of installed RAM. Specifying 0 indicates that the OSPF AS process is allowed to use all available ram in the firewall.

6.6.3.2. The OSPFArea Object

An Autonomous System (AS) is divided into smaller parts called an OSPF Area. An area collects together OSPF interfaces, neighbors, aggregates and virtual links. The OSPFArea object is used to define an area.

An OSPFArea object is a child of an OSPFProcess object and there can be many multiple areas defined under one process. In most simple networking scenarios, a single area is sufficient. Like the OSPFProcess object, a similar OSPFArea object should be defined on all the Clavister NetShield Firewalls which will be part of the same area.

General Parameters

Name

Specifies the name of the OSPF Area.

AreaID

Specifies the area id. If 0.0.0.0 is specified then this is the backbone area.

There can only be one backbone area and it forms the central portion of an AS. Routing information that is exchanged between different areas always transits the backbone area.

Stub

Enable this option if the area is a stub area.

StubSummarize

It is possible to configure if the firewall should become the default router for the stub area, and with what metric.

Import Filter

The import filter is used to filter what can be imported in the OSPF AS from either external sources (like the main routing table or a policy based routing table) or inside the OSPF area.

External: Specifies the network addresses allowed to be imported into this OSPF area from external routing sources.
Interarea: Specifies the network addresses allowed to be imported from other routers inside the OSPF area.

6.6.3.3. The OSPFInterface Object

This section describes how to configure an OSPFInterface object. OSPF interface objects are children of OSPF areas. Unlike areas, they are not similar on each Clavister NetShield Firewall in the OSPF AS. The purpose of an OSPF interface object is to describe a specific interface which will be part of an OSPF AS.

	Note: Different interface types can be used with OSPF interfaces
	Note that an OSPF Interface does not always correspond to a physical interface although this is the most common usage. Other types of interfaces, such as a VLAN, could instead be associated with an OSPF Interface.

General Parameters

Interface

Specifies which interface on the firewall will be used for this OSPF interface.

Network

Specifies the IP network that is reachable through this interface. The route to this network is exported automatically to the OSPF AS. Exporting any other routes requires a RouteExportRule object which is described in Section 6.6.4, Dynamic Routing Rules.

The network must be specified for an OSPFInterface and only a single network can be used.

Type

This can be one of the following:

Auto - Tries to automatically detect interface type. This can be used for physical interfaces.
Broadcast - The Broadcast interface type is an interface that has native Layer 2 broadcast/multicast capabilities. The typical example of a broadcast/multicast network is an ordinary physical Ethernet interface.

When broadcast is used, OSPF will send OSPF Hello packets to the IP multicast address 224.0.0.5. Those packets will be heard by all other the OSPF routers on the network. For this reason, no configuration of OSPF Neighbor objects is required for the discovery of neighboring routers.
Point-to-point - Point-to-Point is used for direct links which involve only two routers (in other words, two firewalls).
Point-to-multipoint - The Point-to-Multipoint interface type is a collection of Point-to-Point networks, where there is more than one router in a link that does not have OSI Layer 2 broadcast/multicast capabilities.

Metric

Specifies the metric for this OSPF interface. This represents the "cost" of sending packets over this interface. This cost is inversely proportional to the bandwidth of the interface.

BandwidthValue

If the metric is not specified, the bandwidth is specified instead. If the bandwidth is known then this can be specified directly instead of the metric.

Authentication

All OSPF protocol exchanges can optionally be authenticated using a simple password (passphrase) or MD5 cryptographic hashes.

If Use Default for Router Process is enabled then the values configured in the router process properties are used. If this is not enabled then the following options are available:

No authentication specified - the default.
AuthPassphrase - A passphrase.
AuthMD5Key - MD5 Digest.

Advanced

HelloInterval

Specifies the number of seconds between Hello packets sent on the interface.

RtrDeadInterval

If not Hello packets are received from a neighbor within this interval then that neighbor router will be considered to be out of operation.

RxmtInterval

Specifies the number of seconds between retransmissions of LSAs to neighbors on this interface.

InfTransDelay

Specifies the estimated transmit delay for the interface. This value represents the maximum time it takes to forward a LSA packet trough the router.

WaitInterval

Specifies the number of seconds between the interface brought up and the election of the DR and BDR. This value should be higher than the hello interval.

RtrPriority

Specifies the router priority, a higher number increases this routers chance of becoming a DR or a BDR. If 0 is specified then this router will not be eligible in the DR/BDR election.

	Note
	An HA cluster will always have 0 as router priority, and can never be used as a DR or BDR.

The following should be noted for OSPFInterface objects:

The Network property of an OSPFInterface object is automatically exported to the OSPF AS. No dynamic routing rules are required to achieve this.

If the IgnoreMTU property is enabled for an OSPFInterface object, OSPF MTU mismatches will be allowed.

It is often required to include the network on the OSPFInterface in the OSPF AS but there is no need to run OSPF on the interface. This is done by enabling the Passive property of the OSPFInterface object to indicate that there are no OSPF routers connected to the interface.

6.6.3.4. The OSPFNeighbor Object

In some scenarios the neighboring OSPF router to a firewall needs to be explicitly defined. For example, when the connection is not between physical interfaces.

The most common situation for using this object is when a VPN tunnel is used to connect two neighbors and there is a need to tell cOS Stream that the OSPF connection needs to be made through the tunnel. This type of VPN usage with IPsec tunnels is described further in Section 6.6.5, Setting Up OSPF.

OSPFNeighbor objects are created within an OSPFArea and each object has the following property parameters:

Interface: Specifies which OSPF interface the neighbor is located on.
IPAddress: The IP Address of the neighbor. This is the IP Address of the neighbors OSPF interface connecting to this router. For VPN tunnels this will be the IP address of the tunnel's remote end.
Metric: Specifies the metric value for the neighbor.

6.6.3.5. OSPF Aggregates

OSPF Aggregation is used to combine groups of routes with common addresses into a single entry in the routing table. The following are the advantages of aggregation:

If advertised, aggregation will decrease the size of the routing table in the firewall (a primary function of the feature).
If not advertised the aggregated networks will be hidden.
OSPF related traffic is reduced.

Configuration

To aggregate routes, OSPF Aggregate objects are created for an OSPF Area. Each of these objects has the following parameters:

Network: The network consisting of the smaller routers.
Advertise: If the aggregation should be advertised or not.

A Usage Example

In most, simple OSPF scenarios, OSPF Aggregate objects will not be needed. OSPF aggregation is only used when the firewall is acting as an Area Border Router (ABR) which is linking two or more OSPF areas. The diagram below illustrates a typical example of how aggregation would be used.

Figure 6.9. OSPF Route Aggregation Example

Here, the three routes on Area 0 can be collapsed into one by setting up an OSPF Aggregate object for the network 192.168.0.0/24 on Area 1.

6.6.3.6. The OSPFVLink Object

All areas in an OSPF AS must be physically connected to the backbone area (the area with ID 0). In some cases this is not possible and in that case a Virtual Link (VLink) can be used to connect to the backbone through a non-backbone area.

A virtual link is implemented by defining an OSPFVLink object as a child of an OSPF Area. Each OSPFVLink object has the following parameters:

General Parameters

Name: Symbolic name of the virtual link.
RouterID: The Router ID of the OSPFProcess object on the other side of the virtual link.

Authentication

UseDefaultAuth: If enabled, use the authentication configured for the OSPFProcess object.

	Note: Linking partitioned backbones
	If the backbone area is partitioned, a virtual link is used to connect the different parts.

In simple OSPF scenarios, OSPFVLink objects will not be needed.

6.6.4. Dynamic Routing Rules

This section looks at Dynamic Routing Rules which decide which routes are exported to an OSPF AS from the local routing tables and which can be imported into the local routing tables from an AS.

6.6.4.1. Overview

The Final OSPF Setup Step is Creating Dynamic Routing Rules

After the OSPF AS structure is created, the final step is to create Dynamic Routing Rules which allow the exchange of routing information between the local routing tables and the OSPF AS.

Dynamic routing rules are discussed here in the context of OSPF, but can also be used in other situations.

The Reasons for Dynamic Routing Rules

In a dynamic routing environment, it is important for routers to be able to regulate to what extent they will participate in the routing exchange. It is not feasible to accept or trust all received routing information, and it may be crucial to avoid parts of the routing tables being published to other routers.

For this reason, Dynamic Routing Rules are used to regulate the flow of routing information. These rules filter either statically configured or OSPF learned routes according to parameters such as the origin of the routes, destination and metric.

Usage with OSPF

Dynamic Routing Rules are used with OSPF to achieve the following:

Allowing the import of routes from the OSPF AS into local routing tables.
Allowing the export of routes from local routing tables to the OSPF AS.
Allowing the export of routes from one OSPF AS to another OSPF AS.

	Note
	The last usage of joining asynchronous systems together is rarely encountered except in very large networks.

The Two Types of Dynamic Routing Rules

There are two kinds of dynamic routing rule objects that can be defined. One for route import and one for route export:

RouteExportRuleOSPF for Route Import from an OSPF AS

This object is added as a child to a OSPFProcess object. It determines which routes are to be imported from the OSPF.

A ExportToRoutingTable object is added as a child to the RouteExportRuleOSPF object to determine which routing table the imported routes are added to.
RouteExportRule for Route Export to an OSPF AS

This object is added as a child to a RoutingTable object. It determines the routes that are to exported to the OSPF from that routing table.

The route to the Network property for all OSPFInterface objects is exported automatically to the OSPF AS. However, any other routes must be explicitly exported. This includes any routes that have a gateway defined, such as an all-nets-ip4 route to an ISP.

A ExportToOSPF object is added as a child to the RouteExportRule object to determine which OSPF AS the routes will be exported to.

Specifying an IP Address Filter

Dynamic routing rules allow an IP address filter to be specified which narrows the routes that are imported or exported based on the network reached by those routes. One of two properties can be used for filtering the IP address or network specified in a route:

DestinationNetworkIn

This will include all routes with IP addresses or networks matching or within the specified value.
DestinationNetworkExact

This will include only those routes which have an IP address or network which are an exact match with the specified value. The IP addresses or networks that are within the value specified will not be included.

In simple cases, the DestinationNetworkIn property should be specified as all-nets-ip4 so that no filter is applied (all IPv4 addresses and networks are included).

If, for example, DestinationNetworkExact is specified as being all-nets-ip4 then only a route to exactly all-nets-ip4 would be included. All other routes are excluded.

Exporting Routes from One AS to Another

It is not true to say that a RouteExportRuleOSPF object is only involved in importing routes and can only have ExportToRoutingTable objects as children.

The exception is when exporting routes from one OSPF AS to another. This is done by adding a DynamicRouteRuleExportOSPF object as a child of a RouteExportRuleOSPF object and specifying the destination AS using the ExportToProcess property.

6.6.5. Setting Up OSPF

Setting up OSPF can seem complicated because of the large number of configuration possibilities that OSPF offers. However, in many cases a simple OSPF solution using a minimum of configuration objects is needed and setup can be straightforward.

Let us examine again the simple scenario described earlier with just two Clavister NetShield Firewalls.

Figure 6.10. Setting Up OSPF

In this example we connect together the two Clavister NetShield Firewalls with OSPF so they can share the routes in their routing tables. Both will be inside a single OSPF area which will be part of a single OSPF autonomous system (AS). If unfamiliar with these OSPF concepts, please refer to earlier sections for further explanation.

Beginning with just one of these firewalls, the setup steps are as follows:

1. Create an OSPFProcess object

Create an OSPFProcess object. This will represent an OSPF Autonomous Area (AS) which is the highest level in the OSPF hierarchy. Give the object an appropriate name. The Router ID can be left blank since this will be assigned automatically by cOS Stream.

2. Add an OSPFArea to the OSPFProcess

Within the OSPFProcess created in the previous step, add a new OSPFArea object. Assign an appropriate name and use the value 0.0.0.0 for the Area ID.

An AS can have multiple areas but in many cases only one is needed. The ID 0.0.0.0 identifies this area as the backbone area which forms the central portion of the AS.

3. Add OSPFInterface objects to the OSPFArea

Within the OSPFArea created in the previous step, add a new OSPF Interface object for each physical interface that will be part of the area.

The OSPFInterface object needs the following parameters specified in its properties:

Interface - the physical interface which will be part of the OSPF area.
Network - the network on the interface that will be part of the area.

This does not need to be specified and if it is not, the network assigned to the physical interface is used. For example if lan is the interface then lannet will be the default network.
Interface Type - this would normally be Auto so that the correct type is automatically selected.
The Passive option should be enabled on the OSPFInterface object if the physical interface does not connect directly to another OSPFProcess (in other words, with another Clavister NetShield Firewall that acts as an OSPF router). For example, the interface may only be connected to a network of clients, in which case the option would be enabled.

The option must be disabled (the default) if the physical interface is connected to another firewall which is set up as an OSPFProcess. In this example, the physical interface connected to the other firewall would have this option disabled.

4. Import Routes from the OSPF AS

Importing routes from the OSPF AS requires the following steps:

A RouteExportRuleOSPF object is added as a child of the OSPFProcess.

The DestinationNetworkIn filter property for this object should be set to all-nets-ip4 to import all routes. A narrower filter could be used.
To the RouteExportRuleOSPF just added, add an ExportToRoutingTable object as a child. The Destination property of this object determines the routing table that routes are imported into.

In the typical case this will be the routing table called main. However, the destination could also be another OSPF process or it could also be a BGP process.

5. Export Routes to the OSPF AS

Exporting routes to the OSPF AS requires the following steps:

A RouteExportRule object is added as a child to the RoutingTable object from which routes will be exported.

The DestinationNetworkIn filter property for the object should be set to all-nets-ip4 to export all routes. A narrower filter could be used.
To the RouteExportRule just added, add a ExportToOSPF object as a child. The ExportToProcess property of this object determines the AS that routes are exported to.

In the typical case this will be the routing table called main.

6. Repeat these steps on the other firewall

Now repeat steps 1 to 5 for the other Clavister NetShield Firewall that will be part of the same OSPF AS and OSPF area. The OSPFProcess and OSPFArea objects will be identical on each. The OSPFInterface objects will be different depending on which interfaces and networks are included.

If more than two firewalls will be part of the same OSPF area then all of them should be configured similarly.

OSPF Routing Information Exchange Begins Automatically

As the new configurations are created in the above steps and then deployed, OSPF will automatically start and begin exchanging routing information. Since OSPF is a dynamic and distributed system, it does not matter in which order the configurations of the individual firewalls are deployed.

When the physical link is plugged in between two interfaces on two different firewalls and those interfaces are configured with OSPFProcess objects, cOS Stream will begin exchanging routing information.

Sending OSPF Traffic Through a VPN Tunnel

In some cases, the link between two Clavister NetShield Firewalls which are configured with OSPFProcess objects may be insecure. For example, over the public Internet.

In this case, we can secure the link by setting up a VPN tunnel between the two firewalls and telling OSPF to use this tunnel for exchange of OSPF information. Next, we will look at how to set this up and assume that IPsec will be the chosen method for implementing the tunnel.

Figure 6.11. OSPF Over IPsec

To create this setup we need to perform the normal OSPF steps described above but with the following additional steps applied to both firewalls A and B:

1. Set up an IPsec tunnel

First set up an IPsec tunnel in the normal way between the two firewalls A and B. This IPsec tunnel is now treated like any other interface when configuring OSPF.

2. Choose a random internal IP network

For both firewalls, we need to choose a common random IP network using internal, private IPv4 addresses. Assume that the network 192.168.55.0/24 is used. Manually create a route in the main routing table that routes this network on the IPsec tunnel created in the previous step.

	Note: The random network is not a real network
	The random network is a convenience and is not associated with a physical network.

3. Define an OSPFInterface for the tunnel

Define an OSPFInterface object which has the IPsec tunnel for the Interface property. Specify the Type parameter to be Point-to-multipoint and the Network parameter to be the network chosen in the previous step, 192.168.55.0/24.

This OSPFInterface object tells cOS Stream that any OPSF related connections to addresses within the network 192.168.55.0/24 should be routed into the IPsec tunnel.

4. Define an OSPF Neighbor

Next, we must explicitly tell OSPF how to find the neighboring OSPF router. Do this by defining an OSPFNeighbor object. This consists of a pairing of the IPsec tunnel (which is treated like an interface) and the IP address of the OSPF router at the other end of the tunnel.

For the IPv4 address of the router, simply use any single IP address from the network 192.168.55.0/24. This address must be different for A and B. Assume that 192.168.55.1 is chosen for A and 192.168.55.2 is chosen for B.

When cOS Stream sets up OSPF on A, it will look at this OSPFNeighbor object and try to send OSPF messages to the IPv4 address 192.168.55.1. The OSPFInterface object defined in the previous step tells cOS Stream that OSPF related traffic to this IP address should be routed into the IPsec tunnel.

5. Change the properties of the IPsecTunnel

To finish the setup there needs to be changes made to the IPsec tunnel properties. These are:

The IPsec tunnel IPAddress property should be set to the single IP address chosen for the OSPFNeighbor at the other end of the tunnel. In this example, it is set to 192.168.55.2 for the IPsecTunnel object on A and 192.168.55.1 for the IPsecTunnel object on B.

The IPAddress property determines the source IP address of tunnel traffic.
The properties LocalNetwork and RemoteNetwork should both be set to all-nets-ip4. These could be narrower if the networks are known but it is better to use all-nets-ip4.
The property AddRouteToRemoteNetwork should be set to No so the route to the RemoteNetwork is not added automatically.

	Tip: Non-OSPF traffic can also use the tunnel
	A VPN tunnel can carry both OSPF traffic as well as other types of traffic. There is no requirement to dedicate an IPsec tunnel to OSPF traffic.

6.6.6. An OSPF Example

This section goes through the detailed setup steps for the simple OSPF scenario illustrated below.

Here, two identical Clavister NetShield Firewalls called A and B are joined together directly via their if3 interfaces. Each has a network of hosts attached to its if1 interface. On one side, if1_net is the IPv4 network 10.4.0.0/16 and on the other side it is the IPv4 network 192.168.0.0/24.

The goal is to configure OSPF on both firewalls so routing information is automatically exchanged and traffic can be correctly routed between the 10.4.0.0/16 network and the 192.168.0.0/24 network. The IP rules that are needed to allow such traffic to flow are not included in this example.

Figure 6.12. An OSPF Example

Example 6.10. Creating an OSPFProcess

Object

First, the Autonomous System (AS) must be defined on both firewalls.

On firewall A, create an OSPFProcess object. Assume that the object name will be as_0.

Command-Line Interface

System:/> add OSPFProcess as_0

Now, repeat this for firewall B, using the same OSPFProcess object name of as_0.

Example 6.11. Adding an OSPFArea Object

Now, add an OSPF Area object to the OSPFProcess object as_0 on firewall A.

This area will be the OSPF backbone area and will therefore have the ID 0.0.0.0. Assume that the name for the area object is area_0 and the same AreaID of 0.0.0.0.

Command-Line Interface

First, change the CLI context to be the OSPFProcess object created above:

System:/> cc OSPFProcess as_0

Now, add the area:

System:/OSPFProcess/as_0> add OSPFArea area_0 AreaID=0.0.0.0

This new OSPFArea object can be displayed with the command:

System:/OSPFProcess/as_0> show

OSPFArea/

   Name    Area ID  Comments
   ----    -------  --------
!  area_0  0.0.0.0  <empty>

Now, repeat this for firewall B, using the same OSPF Area object name of area_0 and the same backbone AreaID.

Example 6.12. Adding OSPFInterface Objects

For firewall A, add OSPFInterface objects for each physical interface that is to be part of the OSPF area named area_0.

Command-Line Interface

Assume that the context is still the OSPFProcess called as_0 from the last example. Now, change the context to be the OSPFArea that was created previously:

System:/as_0> cc OSPArea area_0

Next, add the OSPFInterface objects:

System:/OSPFProcess/as_0/OSPFArea/area_0> add OSPFInterface if1
						Network=if1_net

System:/OSPFProcess/as_0/OSPFArea/area_0> add OSPFInterface if3
						Network=if3_net

Return to the default CLI context:

System:/OSPFProcess/as_0/OSPFArea/area_0> cc
System:/>

The same procedure should be repeated for firewall B.

Example 6.13. Importing Routes into the main Routing Table

In this example, the routes received using OSPF will be added into the main routing table. To do this, a DynamicRoutingRule OSPF needs to be added as a child of the OSPFProcess object which describes the AS. In this example, the added object is called ImportOSPFRoutes.

Depending on the routing topology, it may be preferable to just import certain routes using the Destination Interface/Destination Network filters, but in this example all available routes are imported by setting the DestinationNetworkIn property to the value all-nets-ip4.

The steps are first performed for firewall A.

Command-Line Interface

First, change the context from the default to the OSPFProcess object:

System:/> cc OSPFProcess as_0

Next, add a RouteExportRuleOSPF object:

System:/OSPFProcess/as_0> add RouteExportRuleOSPF
				Name=ImportOSPFRoutes
				DestinationNetworkIn=all-nets-ip4
Added RouteExportRuleOSPF/1(Import).
System:/OSPFProcess/as_0>

Notice that the rule is automatically allocated an index number of 1 and this is how it will be referenced later. The textual name is for description only.

Now, add a ExportToRoutingTable object as a child to the RouteExportRuleOSPF object created above. This specifies the destination routing table where the routes will be added, in this case the main table.

Change the CLI context to be the RouteExportRuleOSPF just added for import:

System:/OSPFProcess/as_0> cc RouteExportRuleOSPF 1

Next, add a ExportToRoutingTable object:

System:/OSPFProcess/as/RouteExportRuleOSPF/1(Import)> 
				add ExportToRoutingTable 
				Destination=main
Added ExportToRoutingTable/1.

Return to the default CLI context:

System:/OSPFProcess/as/RouteExportRuleOSPF/1(Import)> cc
System:/>

The same procedure should be repeated for firewall B.

Example 6.14. Exporting Routes into the OSPF AS

In this example, all the static routes from the main routing table will be exported into the OSPF AS named as_0. This is not required for routes to networks defined for OSPFInterface objects because those are exported automatically.

The steps are first performed for firewall A.

First, add another Dynamic Routing Policy Rule.

Command-Line Interface

First, change the context to be the main routing table:

System:/> cc RoutingTable main

Next, add a RouteExportRule object:

System:/RoutingTable/main> add RouteExportRule
				DestinationNetworkIn=all-nets-ip4
Added RouteExportRule/1.

Now, change the context to be this new RouteExportRule object:

System:/RoutingTable/main> cc RouteExportRule 1

With the new context, add a ExportToOSPF object:

System:/RoutingTable/main/RouteExportRule/1> 
				add ExportToOSPF
				ExportToProcess=as_0
				Name=ExportRoutesToAS

Finish by returning to the default CLI context:

System:/RoutingTable/main/RouteExportRule/1> cc
System:/>

The property DestinationNetworkIn=all-nets-ip4 is specified for the DynamicRoutingTableRTable object to specify that all routes are to be exported. If the only route to be exported is the all-nets-ip4 route then the property set should be DestinationNetworkExactly=all-nets-ip4.

The same procedure should be repeated for firewall B.

6.6.7. OSPF Troubleshooting

The OSPF CLI command

The CLI command ospf provides various options for examining the behavior of OSPF in real-time on a particular.

In order to see general OSPF activity on a CLI console, the -snoop option can be used:

System:/> ospf -snoop=on

Usually, there is only one OSPFProcess defined for a firewall and there is therefore no need to specify this explicitly in the command. The snooping processes is turned off with:

System:/> ospf -snoop=off

Snoop messages have the prefix SNP: to distinguish them from other console output.

A snapshot of the state of any of the different OSPF components can be displayed. For example, if an OSPFInterface object has the name ospf_if1, details about this can be shown with the command:

System:/> ospf -interface ospf_if1

A similar snapshot can be displayed for areas, neighbors, routes and LSAs. For example, to display the area_0 OSPF area. within the AS called as_0:

System:/> ospf -area as_0/area_0
		
	   Area: 0.0.0.0
       Stub: No
    Transit: No
 Interfaces: if1, if3
       LSAs: 3
 ChkSumSums: 0x1d282 - 0x0 - 0x1d282 (Int-Ext-Tot)
* LSAHshLmt: 65

ID  Type         Link ID       ADV Router    Age  Seq#
--  -----------  ------------  ------------  ---  ----------
4   Network-LSA  10.6.60.10    172.22.60.33  865  0x80000001
2   Router-LSA   192.168.0.3   172.22.60.33  865  0x80000003
1   Router-LSA   192.168.60.1  191.168.60.1  861  0x80000002
*[0x0001d282]

Note that the area name needs to be qualified with the AS name.

For example, to display OSPF neighbors:

System:/> ospf -neighbor
		
 Neighbor: 192.168.0.3 (10.6.60.10)
Interface: if3
     Prio: 1
  Options: E
    State: FULL
   Expire: 25
       DR: 10.6.60.10
       BDR 10.6.60.141

ID  Type         Link ID       Age  Seq#
--  -----------  ------------  ---  ----------
4   Network-LSA  10.6.60.10    6    0x80000001
2   Router-LSA   192.168.0.3   6    0x80000003

OSPF interface operation can also be selectively halted and restarted. For example, to stop the OSPFInterface called ospf_if1, the CLI command would be:

System:/> ospf -ifacedown ospf_if1

To restart the same interface:

System:/> ospf -ifacedown ospf_if1

An entire functioning OSPFRouteProcess can also be halted. For example, assuming that there is only one OSPFRouteProcess object defined in the configuration, the CLI command to halt it is:

System:/> ospf -execute=stop

To start the stopped OSPFRouteProcess:

System:/> ospf -execute=start

To stop and then start in a single command:

System:/> ospf -execute=restart

The ospf command options are fully described in the separate Clavister NetShield Firewall CLI Reference Guide.

Checking Routing Tables

It is possible to check that routing information is being exchanged by examining the routing tables.

Routes that have been imported into the routing tables though OSPF are indicated with the letter "O" to the left of the route description. For example, the routes command might give following output:

System:/> routes
		
Flags Network         Iface       Gateway         Local IP   Metric
----- --------------- ----------- --------------- ---------- ------
      192.168.1.0/24  if1                                    0
      172.16.0.0/16   if3                                    0
O     192.168.2.0/24  if3         10.6.60.10                 1

Here, the route for 192.168.2.0/24 has been imported via OSPF and that network can be found on the if3 interface with the gateway of 10.6.60.10. The gateway in this case is of course the Clavister NetShield Firewall to which the traffic should be sent. That firewall may or may not be attached to the destination network but OSPF has determined that that is the optimum route to reach it.

Additional OSPF Log Event Messages

By default, a range of basic log event messages are generated by OSPF operation within cOS Stream. For example, if the OSPFProcess object running in cOS Stream is called my_ospf_proc, normal log generation would be enabled with the CLI command:

System:/> set OSPFProcess my_ospf_proc LogEnabled=Yes

This is the default setting so the command is only for illustration.

The following properties can be enabled to provide additional OSPF log messages for troubleshooting and/or monitoring purposes:

DebugPacket - Log general packet parsing events.
DebugHello - Log Hello packets.
DebugDDesc - Log database description packets.
DebugExchange - Log exchange packets.
DebugLSA - Log LSA events.
DebugSPF - Log SPF calculation events.
DebugRoute - Log routing table manipulation events.

Each of these properties can be assigned one of the following values:

Off - Nothing is logged.
Low - Logs all actions.
Medium - Logs all actions but with more detail.
High - Logs everything with maximum detail.

	Note: The High setting generates large amounts of data
	When using the High setting, the firewall will log a large amount of information, even when just connected to a small AS. Changing the value of the property LogSendRateLimit for the log receiver object may be required.

Example 6.15. Enabling OSPF Debug Log Events

In this example, the DebugHello and DebugRoute log events will be enabled for the OSPFProcess called my_ospf_proc.

Command-Line Interface

System:/> set OSPFProcess my_ospf_proc DebugHello=Low DebugRoute=High

OSPF Statistics

OSPF makes available a number of statistical values that can be monitored from a CLI console. To add monitoring of all OSPF statistics, use the command:

System:/> statistics -add /routing/ospf/*

To display the current values of the added OSPF statistics, the above command should be followed with:

System:/> statistics
	
Name                                              Value  Unit
------------------------------------------------  -----  --------------
/routing/ospf/pkt_errors                          0      packets
/routing/ospf/processes/ospf1/adjacency_failures  0      adjacencies
/routing/ospf/processes/ospf1/lsa_current         3      advertisements
/routing/ospf/processes/ospf1/lsa_errors          0      advertisements
/routing/ospf/processes/ospf1/lsa_max             3      advertisements
/routing/ospf/processes/ospf1/routers_current     1      routers
/routing/ospf/processes/ospf1/routers_max         1      routers
/routing/ospf/processes/ospf1/routes_current      3      routes
/routing/ospf/processes/ospf1/routes_max          3      routes

6.7. BGP

Overview

Border Gateway Protocol (BGP) allows the exchange of routing information between an Autonomous System (AS) and other Autonomous Systems. The Clavister NetShield Firewall can act as a single AS and use BGP to both import routes from and export routes to other autonomous systems.

BGP is implemented in cOS Stream in a similar way to OSPF. A single BGPProcess object must be defined which identifies the firewall as an AS with an AS number and router ID. Other objects are then added to define BGP neighbors as well as what routes can be imported from these neighbors and what routes can be exported to them.

BGP can both import and export routes from/to local routing tables as well as OSPF-processes.

In the simplest scenario, BGP setup will involve the following 3 steps:

A. Set up a BGP process that can communicate with other BGP processes.

B. Add process rules to import routes from BGP processes.

C. Add rules to export routes to BGP processes.

A detailed description of these three steps along with examples are given next.

A. Set up a BGP process that can communicate with BGP neighbors:

Create a BGPProcess object and set the ASNum and RouterID properties. Only a single BGPProcess object instance can be created in a firewall. The RouterID must be specified as an IPv4 address.
Add BGPNeighbor object as a child of the BGPProcess for each neighbor that the process will exchange routes with. At least one must be added.

The IPAddress and RemoteASNum properties must be specified for the neighbor. IPv4 and IPv6 neighbor addresses can be mixed in a single process. The RemoteASNum property value must match the AS number of the neighbor BGP process but the IPAddress does not have to be the same as the Router ID of the neighbor.

Example 6.16. Setting Up a BGP Process with Neighbors

This example shows how a BGP process is created with associated neighbors. It is assumed the process will have a private AS number of 64512 and its ID specified as the private IPv4 address 192.168.0.10.

A single BGP neighbor will be associated with the process that has the IPv4 address 10.0.0.100.

Note that this and later examples use private IP addresses and private AS numbers. It is assumed that the AS is not connected to the public Internet.

Command-Line Interface

Add the BGPProcess object:

System:/> add BGPProcess my_bgp ASNum=64512 RouterID=192.168.0.10

Change the CLI context to be the BGP process:

System:/> cc BGPProcess my_bgp

Add a BGPNeighbor as a child:

System:/BGPProcess/my_bgp> add BGPNeighbor
			IPAddress=10.0.0.100
			RemoteASNum=64513

B. Add process rules to import routes from neighbors:

Add at least one RouteExportRuleBGP object as a child of the BGPProcess. The DestinationRouteIn property must be set to a network range. Only routes within that range will be imported from neighbors to one or more destinations. The destinations are specified in the next step.
Add at least one ExportToRoutingTable object as a child of the RouteExportRuleBGP created in the previous step. This new child object must have its Destination property set to a destination for the imported routes. The destination can be either a RoutingTable object or an OSPFProcess object.

Multiple ExportToRoutingTable objects could be added if there is a need to send the same imported routes to multiple destinations.

Example 6.17. Adding Rules to Import Routes to a BGP Process

This example continues from the previous example and adds rules to the BGP process to import routes from neighbors. Only routes within the network 10.0.1.0/24 will be imported and they will be inserted into cOS Stream's main routing table.

Command-Line Interface

Make sure the CLI context is the BGP process:

System:/> cc BGPProcess my_bgp

Add a child RouteExportRuleBGP object to import all routes within 10.0.1.0/24:

System:/BGPProcess/my_bgp> add RouteExportRuleBGP 
			DestinationNetworkIn=10.0.1.0/24

Change the CLI context to be the rule:

System:/BGPProcess/my_bgp> cc RouteExportRuleBGP 1

Add an ExportToRoutingTable object as a child to specify the destination:

System:/BGPProcess/my_bgp/RouteExportRuleBGP/1> 
			add ExportToRoutingTable
			Destination=main

Return to the default CLI context:

System:/BGPProcess/my_bgp/RouteExportRuleBGP/1> cc
System:/>

C. Add rules to export routes to neighbors:

Add at least one RouteExportRule object as a child of a RoutingTable object. The DestinationNetworkIn property of the object must be set to a network range for the routes that will be exported.
Add an ExportToBGP object as a child of the RouteExportRule. The ExportToProcess property of this object must be set to the BGPProcess object created previously.

Example 6.18. Adding Rules to Export Routes to BGP Neighbors

This example continues from the previous example and adds a rule to cOS Stream's main routing table to export routes to BGP neighbors.

Command-Line Interface

Change the CLI context to be the main routing table:

System:/> cc RoutingTable main

Add a child RouteExportRule object to export all routes within 10.0.2.0/24:

System:/RoutingTable/main> add RouteExportRule 
			DestinationNetworkIn=10.0.2.0/24

Change the CLI context to be the rule:

System:/RoutingTable/main> cc RouteExportRule 1

Add an ExportToRoutingTable object as a child to specify the destination:

System:/RoutingTable/main/RouteExportRule/1> 
			add ExportToBGP
			ExportToProcess=my_bgp

Return to the default CLI context:

System:/RoutingTable/main/RouteExportRule/1> cc
System:/>

Dynamically Applying Changes to Exchanged Routes

It is possible to dynamically apply specified modifications to given routes as they are exported to a particular neighbor or imported from a particular neighbor. The modifications could, for example, involve changing the route's next-hop or metric, or a variety of other parameters such as community related options.

Specifying such dynamic changes is done with the following steps:

Specify the affected route(s) by creating a RoutePrefixList object and add one or more child RoutePrefixEntry objects. Set the Network property of each RoutePrefixEntry object to filter out the affected routes.
Create a RouteMap object to specify the change to be made. The MatchIP property of this object is set to the RoutePrefixList created in the previous step and the appropriate property should be chosen to make the required change.

For example, the SetNextHop property would be used to change the next-hop of the routes filtered by the RoutePrefixList. All the available properties that can be set can be found under the entry for the RouteMap object in the separate CLI Reference Guide.
For the BGPNeigbor object to which the changes will apply, set its RouteMapOut property to the RouteMap created in the previous step, if exported routes are to be changed. If routes imported from the neighbor are to be changed, the RouteMapIn property should be set to the RouteMap.

Using these steps is illustrated in the example below.

Example 6.19. Applying Dynamic Changes to BGP Routes

This example will change the next-hop of the exported route for the host at IP address 10.0.2.15.

Command-Line Interface

Create a new RoutePrefixList object:

System:/> add DynRouteObject RoutePrefixList my_net

Change the CLI context to this list:

System:/> cc DynRouteObject RoutePrefixList my_net

Add a child RoutePrefixEntry object to specify the host:

System:/RoutePrefixList/my_net> add RoutePrefixEntry 
			Action=Allow
			Network=10.0.2.15

Return to the default CLI context:

System:/RoutePrefixList/my_net> cc

Create a new RouteMap object:

System:/> add DynRouteObject RouteMap my_map

Change the CLI context to this map:

System:/> cc DynRouteObject RouteMap my_map

Add a child RouteMapEntry object to specify the desired change:

System:/RouteMap/my_map> add RouteMapEntry 
			Action=Allow
			MatchIP=my_net
			SetNextHop=10.0.0.90

Return to the default CLI context:

System:/RoutingTable/main/RouteExportRule/1> cc

Change the CLI context to be the BGP process:

System:/> cc BGPProcess my_bgp

Set the route map to use for routes exported a specific neighbor:

System:/BGPProcess my_bgp> set BGPNeighbor 1 
			RouteMapOut=my_map

Return to the default CLI context:

System:/RoutingTable/main/RouteExportRule/1> cc
System:/>

	Note: Configuration with BGP
	When BGP is configured with SIIT or NAT64, BGP export needs to be configured accordingly. This is discussed further in section 3.2 of RFC 6052.

Using BFD

Using Bidirectional Forwarding Detection (BFD) with BGP allows very fast failover time when a neighbor becomes unreachable. By default, it is disabled with BGP and is enabled by setting the value of the property FalloverDetection to BFD in the relevant BGPNeighbor object.

The following should be noted about using BFD:

For BFD to function, it must be enabled in all communicating BGP neighbors. In other words, on both sides of each neighbor pair.
For a standalone firewall that is not part of an HA cluster, enabling both BFD and the GracefulRestart property of the BGPProcess object should be avoided. This is because BFD will detect neighbor failure instantly and GracefulRestart will try to send traffic regardless of failure.
For an cOS Stream HA cluster, both BFD and GracefulRestart can be enabled together (enabling GracefulRestart is a requirement for HA).
The following four properties in BGPNeighbor can be used to modify BFD behavior:
- BFDTransmitInterval
  
  The minimum interval between transmitting BFD hello packets to a neighbor with which a BFD session has been established (default, 250 msecs).
- BFDReceiveInterval
  
  The minimum expected interval between receiving BFD hello packets from a neighbor with which a BFD session has been established (default, 250 msecs).
- BFDHelloMultiplier
  
  The number of hello packets not received from a neighbor before the neighbor is consider unreachable (default, 3).
- BFDSlowTimerInterval
  
  This determines how fast a new BFD session is started and can be used to slow asynchronous sessions (default, 2000 msecs)
These properties are also discussed in the separate cOS Stream CLI Reference Guide.

BGP With High Availability Clusters

If a failover occurs in an HA cluster that is running BGP, the following should be noted:

To allow BGP to restart, the GracefulRestart and GracefulReset properties of the BGPProcess object should be enabled, as well as the GracefulRestart property of all BGPNeighbor objects.

These properties, or their equivalent, should also be enabled on any BGP routers communicating with the firewall.
The routes set up by BGP are state synchronized and will be unaffected by the failover. This means that all traffic flows that use these routes will be unaffected after the failover completes.
The objects involved in BGP setup, such as the BGPProcess object, are not state synchronized. This means that the BGP mechanisms will be automatically set up again by cOS Stream after the failover.
The GracefulRestartTime and GracefulStalePath properties of the BGPProcess object should be set to the appropriate values. If the restart is too fast, information can be lost. It should be long enough to allow all internal BGP mechanisms to be fully initialized. The more routes and complexity, the more time that is required. Other factors include the number BGP peers and uplink speed. Trial and error may be required to find the appropriate settings.
As mentioned earlier, BFD could also be enabled for an HA cluster. However, note that BFD is separate from the HA cluster failover mechanism. A BFD failure will never trigger an HA failover.

6.8. Traceroute

Overview

The cOS Stream traceroute command provides information about the routes that packets take as they traverse the routers in the external network and the round-trip transit time to and from these routers. A similar traceroute command is found on many other systems such as Microsoft Windows™.

How Traceroute Functions

Traceroute functions by sending packets with a time-to-live (TTL) value that starts at 1 and is progressively incremented for subsequent packets. A router will decrement the time-to-live as a packet traverses it. If the value becomes zero, the packet is dropped by the router and an ICMP time-exceeded message is sent back to the source which sends another packet with a time-to-live of 2 in order to reach the next router. The incrementing of the time-to-live continues until the intended destination is reached. The ICMP time-exceeded messages sent back by the routers between the source and destination provide the basis for the traceroute output.

By default, cOS Stream sends its traceroute packets as ICMP ping messages. However, the option exists to send messages using either UDP or TCP.

The Basic Traceroute Command Format

The basic form of the traceroute command is the following:

System:/> traceroute <host>

The <host> can be either an IPv4 or IPv6 address, for example:

System:/> traceroute 192.168.4.1

Alternatively, <host> can be a DNS resolvable Fully Qualified Domain Name (FQDN), for example:

System:/> traceroute server.example.com

When using traceroute with an FQDN, at least one DNS server must have been configured in cOS Stream to perform the resolution. Doing this is described in Chapter 12, DNS.

The equivalent command to the above when sending a UDP message would be:

System:/> traceroute -udp server.example.com

The equivalent when sending a TCP message would be:

System:/> traceroute -tcp server.example.com

Note that the UDP and TCP options must appear before the host in the command.

Manually Terminating Traceroute

After entering the traceroute command, cOS Stream will continue to send messages until either the trace is complete or the command is manually terminated. Manual termination is done by entering CTRL-C on the keyboard.

Traceroute Output

Below is some typical output from traceroute using the default settings with the destination specified as an FQDN:

System:/> traceroute server.example.com
		
Traceroute to 10.194.40.247, 32 hops max, 32-byte packets	
1    <1 ms    10 ms    10 ms  10.4.16.1
2    10 ms    10 ms    10 ms  10.4.0.2
3    10 ms     0 ms    10 ms  10.194.40.247

Here, each line of output corresponds to an attempt by traceroute to reach the next router. The first column is the hop number.

By default, traceroute tries 3 times for each router hop and the Round Trip Time (RTT) for each attempt expressed in milliseconds is shown in the three columns that follow the hop number. In the example above, there were two routers in the path to the target destination, hop number 1 and hop number 2. The final hop. number 3, is the destination which was DNS resolved as the IPv4 address 10.194.40.247.

The Route Can Change

Given the dynamic nature of a packet switch network, it is possible for consecutive packets sent by the traceroute command to pass through different sets of routers. It is difficult to know that this is occurring and it is not indicated in the command output.

It is also possible that different routers could have responded for a given hop value. The address displayed at the end of lines of traceroute output under the Host column is always the router that dealt with the last ICMP message sent for that hop.

Additional Traceroute Options

The following are some of the other options that can be used with the traceroute command:

-ipver

When the destination is specified as an FQDN, by default cOS Stream will only request an IPv4 address from the resolving DNS server and will use that as the destination address. This option must be used if only an IPv6 address is to be used as the destination address. For example:
```
System:/> traceroute server.example.com -ipver=6
```
Alternatively, the IPv6 address could be entered directly after the traceroute command.
-maxttl

This specifies the maximum value for the time-to-live parameter of the packets sent.
```
System:/> traceroute server.example.com -maxttl=20
```
The default value is 30.

Note that if cOS Stream gets no response from a router within the set timeout (the default is 1 second) then it will continue to send ICMP ping messages with an increasing time-to-live value until the -maxttl limit is reached.
-queries

This specifies how many attempts are made for each hop. For example:
```
System:/> traceroute server.example.com -count=1
```
The default value is 3.
-length

This specifies how large the sent payload is. The payload itself is made up of zeros. For example:
```
System:/> traceroute server.example.com -length=128
```
The default value is 32.
-interval

This specifies the number of milliseconds between each query (the default is 1000 milliseconds). For example:
```
System:/> traceroute server.example.com -interval=100
```
An interval of zero means the messages are sent continuously and can simulate a denial of service attack.
-ttl

This specifies what time-to-live (TTL) value to start with and therefore at which hop to start. For example:
```
System:/> traceroute server.example.com -ttl=3
```
The default value is 1.
-noresolve

This switches off the default behavior of resolving host names in the output from the command. For example:
```
System:/> traceroute server.example.com -noresolve
```
The principle reason to use this option is that omitting host name resolution makes the command execution faster.
-timeout

This is the amount of time cOS Stream will wait for a response from a router or the destination before it increases the time-to-live and tries again.
```
System:/> traceroute server.example.com -timeout=2000
```
Any timeout conditions are indicated in the traceroute output. An example of this is shown below:
```
System:/> traceroute example.com
				
Traceroute to 10.194.40.247, 32 hops max, 32-byte packets
1     0 ms     0 ms    10 ms  10.4.16.1
2    10 ms    10 ms    10 ms  10.4.0.2
3    10 ms    10 ms    10 ms  10.131.48.2
4     *        *        *     Request timed out
```
A timeout could occur because any of the following:
1. A router or the destination may not be set up to respond to the messages sent
2. The destination host may be offline.

-verbose

This option provides some additional information, including the routing table used. For example:

System:/> traceroute server.example.com -verbose
				
Traceroute to 10.194.40.247, 32 hops max, 32-byte packets	(IPv4 ICMP)
Using route "0.0.0.0/0 via if2 , gw: 10.4.16.1" in routingtable "main":

1    <1 ms    10 ms    10 ms  10.4.16.1
2    10 ms    10 ms    10 ms  10.4.0.2
3    10 ms     0 ms    10 ms  10.194.40.247

The full list of options can be found in the separate CLI Reference Guide.

Chapter 7: IP Rules

7.1. Security Policies

Before examining IP rule sets in detail, it is useful to first look at the general concept of security policies to which IP rule sets belong.

Security Policy Characteristics

Security policies are configured by the administrator to regulate the way in which traffic can flow through the Clavister NetShield Firewall. Such policies are described by the rules defined in various rule sets. These rule sets share a uniform means of specifying filtering criteria which determine the type of traffic to which they will apply. Usually, the filtering criteria consist of the following rule properties:

Source Interface

An Interface where the packet is received on the Clavister NetShield Firewall. This could also be a physical Ethernet interface but might be a configuration object that acts as an interface such as a VPN tunnel.

Source Network

The network that contains the source IP address of the packet. This is usually an IP address object which defines a single IP address, a range of addresses or a network.

Destination Interface

An Interface from which the packet would leave the Clavister NetShield Firewall. This could also be a physical Ethernet interface but might be a configuration object that acts as an interface such as a VPN tunnel.

Destination Network

The network to which the destination IP address of the packet belongs. This is usually an IP address object which defines a single IP address, a range of addresses or a network.

Service

The protocol type to which the packet belongs. Service objects define different protocols. Examples are HTTP and ICMP communication.

A number of predefined service objects exist but administrator defined custom services can also be created. Existing service objects can also be collected together into Service Groups so that a group can be specified in a policy rule instead of a single service.

IP Rules and the Default main Rule Set

IP rule sets are the most important of cOS Stream's security policy rule sets. They determine the critical packet filtering function of cOS Stream, regulating what is allowed or not allowed to pass between different interfaces and between interfaces and cOS Stream.

By default, one IP rule set always exists and this has the name main. The object type IPRuleSet exists in the category RuleSet so the CLI command to change the context to main is:

System:/> cc RuleSet IPRuleSet main

If tab completion is not being used, this can be shortened to

System:/> cc IPRuleSet main

Examples in this guide will assume tab completion is used with the longer form.

There are two possible approaches to how traffic traversing the Clavister NetShield Firewall could be dealt with:

Everything is denied unless specifically permitted.
Or everything is permitted unless specifically denied.

To provide optimal security from the outset, cOS Stream uses the first of these approaches. This means that when started for the first time, cOS Stream has no IP rules defined in the main IP rule set and all traffic arriving at all interfaces is therefore dropped. In order to permit any traffic to traverse the Clavister NetShield Firewall (as well as allowing cOS Stream to respond to ICMP Ping requests), some initial IP rules must be added to the configuration.

Each IP rule that is added by the administrator will define the following basic filtering criteria:

From what interface to what interface traffic flows (the Source Interface and Destination Interface).
From what network to what network the traffic flows (the Source Network and Destination Network).
What kind of protocol is affected (the Service).
What action the rule will take when a match on all the criteria is triggered (the Action).

IPv4 and IPv6 addresses for the network properties can coexist in the same IP rule set as well as in the same IP rule.

Specifying Any Interface or Network

When specifying the filtering criteria in any of the rule sets specified above there are a number of useful predefined filtering parameters that can be used:

For a Source or Destination Network, the all-nets-ip4 address object is equivalent to the IPv4 address 0.0.0.0/0 which will mean that any IPv4 address is acceptable.

Similarly, the all-nets-ip6 address object is equivalent to any IPv6 address. The address object all-nets includes both all-nets-ip4 and all-nets-ip6.
For Source or Destination Interface, the any option can be used so that cOS Stream will not care about the interface which the traffic is going to or coming from.
The Destination Interface can be specified as core. This means that traffic, such as an ICMP Ping, is destined for the Clavister NetShield Firewall itself and cOS Stream will respond to it.

New flows that are initiated by cOS Stream itself do not need an explicit IP rule as they are allowed by default. For this reason, the interface core is not used as the source interface.
The Service can be specified as all_services which includes all possible protocols.

Traffic Flow Needs an IP Rule and a Route

As stated above, when cOS Stream is started for the first time, all traffic is dropped so at least one IP rule must be added to allow the traffic to flow. In fact, the following conditions need to be satisfied:

A route must exist in a routing table which specifies on which interface packets should leave in order to reach their destination.

A second route must also exist that indicates the source of the traffic is found on the interface where the packets enter. This satisfies the reverse route lookup check performed by cOS Stream when a new flow is established.
An IP rule in an IP rule set which specifies the security policy that allows the packets from the source interface and network bound for the destination network to leave the Clavister NetShield Firewall on the interface decided by the route.

If the IP rule used is an Allow rule then this is bi-directional by default.

The ordering of these steps is important. The route lookup occurs first to determine the exiting interface and then cOS Stream looks for an IP rule that allows the traffic to leave on that interface. If a rule does not exist allowing the traffic then it is dropped.

Figure 7.1. Simplified Traffic Flow

Before the route lookup is done, cOS Stream first checks that traffic from the source network should, in fact, be arriving on the interface where it was received. This is done by cOS Stream performing a reverse route lookup which means that the relevant routing table is searched for a route that indicates the network should be found on that interface.

This second route should logically exist if a flow is bi-directional and it must have a pair of routes associated with it, one for each direction.

Changing Multiple IPRule Objects Together

Because IP rules are indexed objects (each rule has a unique number in its rule set) it is possible to either apply the set or delete commands to multiple rules at the same time by using the -Range option.

For example, to change the LogEnabled property for all IP rules from index number 65 to 80 (inclusive), the command would be the following:

System:/> cc RuleSet IPRuleSet main
System:/IPRuleSet/main> set IPRule -Range=65-80 LogEnabled=No

A general discussion of the -Range option can be found in Section 2.1.3, The CLI.

IP Rule Snooping

A helpful troubleshooting command that can be used to see which IP rules are triggering in real-time is rulesnoop. However, this command is only available when the advanced command view is first enabled using the following command:

System:/> cmdview advanced

The rulesnoop command allows the administrator to receive messages on the console when IPRule objects trigger. Filters can be added to the command to specify which types of rules are of interest. The basic form of the command should specify the receive interface (in other words the SourceInterface of the IP rule). The value ALL can be used to specify all interfaces:

System:/> rulesnoop all

If the administrator is only interested in turning on rule snooping for the if1 interface then the command would be:

System:/> rulesnoop if1

In addition, a destination network and/or a source network can be specified as filters for the command. The destination network filter must always be specified first and can be the special value all-nets. For example, to apply a destination network filter for 203.0.113.0/24, the command would be the following:

System:/> rulesnoop if1 203.0.113.0/24

The -verbosity parameter can be used to increase the amount of detail provided. The default value for this parameter is BASIC but this can be increased to INFORMATIVE and then increased further to EXTREME. For example:

System:/> rulesnoop if1 -verbosity=informative

Rule snooping will continue until either CTRL-C is typed by the administrator or the following command is entered:

System:/> rulesnoop none

A complete list of rulesnoop options can be found in the separate CLI Reference Guide.

7.2. IP Rule Evaluation

When a new flow, such as a TCP/IP connection, is being established through the Clavister NetShield Firewall, the list of IP rules are evaluated from top to bottom until a rule that matches the parameters of the new flow is found. The first matching rule's Action is then performed. For this reason, the ordering of the IP rules in the rule set is important.

If the action in the matching IP rule allows it then the establishment of the new flow will go ahead. A new entry representing the new flow will then be added to the internal list of active flows. This list allows monitoring of opened and active flows.

If the matching IP rule action is Deny or Reject then the flow is not set up.

Tip: Rules in the wrong order can cause problems

It is important to remember the principle that cOS Stream searches the IP rules from top to bottom, looking for the first matching rule.

If an IP rule seems to be ignored, check that some other rule above it is not being triggered first.

Stateful Inspection

After initial rule evaluation of the opening flow, subsequent packets belonging to that flow will not need to be evaluated individually against the rule set. Instead, a highly efficient algorithm searches the flow table for each packet to determine if it belongs to an established flow.

This approach is known as stateful inspection and is applied not only to stateful protocols such as TCP but also by means of "pseudo-connections" to stateless protocols such as UDP and ICMP. This approach means that evaluation against the IP rule set is only done in the initial opening phase of a flow. The size of the IP rule set consequently has negligible effect on overall throughput.

Flows are unidirectional. This means that a typical traffic connection, for example between a web browsing client and a web server, will consist of two flows. This is not the case with the ESP flows used in IPsec where only a single flow is required for the connection.

Examining Flows

All current flows can be shown using the flow CLI command. Some typical output is shown below:

System:/> flow -show
			
Proto   Source                        Destination                   Timeout
------- ----------------------------- ----------------------------- -------
TCP     wan:10.6.58.2:2112            core:10.6.58.100:22           262142

If the -verbose option is used then the matching reverse flow for a connection is also shown. The command form is as follows:

System:/> flow -show -verbose

All options for the flow command can be found in the separate CLI Reference Guide. These include filtering parameters to only list certain flows. The use of this command with IPsec tunnels is discussed in Section 13.6, IPsec Troubleshooting.

The First Matching Principle

If several IP rules in an IP rule set match the same filtering parameters, the first matching rule in a scan from top to bottom is the one that decides how the flow will be handled.

Non-matching Traffic and Adding a Deny All Rule

Traffic that does not match any rule in the IP rule set is, by default, dropped by cOS Stream with an action of Deny and it is also logged. This denial is silent with no response sent to the source. Although not visible in the IP rule set, this is the result of an implicit Deny All rule which is automatically encountered at the end of rule set scanning if there has been no previous match.

To override the default behavior of the implicit Deny All rule, an explicit IP rule must be created with a filter that triggers on all source/destination networks/interfaces and all services. This rule is then placed as the last entry in the IP rule set. This explicit rule can then be used to change any of the following behaviors:

Changing the default silent action of Deny only to SendReject (this action is described in Section 7.3, IP Rule Actions).
Changing the default logging of dropped traffic to not logging it at all.
Making log identification easier if logging is enabled by having a specific rule name appear in the log message.

Example 7.1. Adding a Deny All IP Rule

This example shows how to create a Deny All rule that explicitly drops any IPv4 or IPv6 traffic not caught by any preceding rules in the main IP rule set. The action will be set to Deny but with the SendReject option enabled. Logging will not be enabled.

Command-Line Interface

First, change the current context to be the main IP rule set:

System:/> cc RuleSet IPRuleSet main

Now, create the IP rule:

System:/IPRuleSet/main> add IPRule Action=Deny
			Service=all_services
			SourceInterface=any
			SourceNetwork=all-nets
			DestinationInterface=any
			DestinationNetwork=all-nets
			OnDeny=SendReject
			LogEnabled=No
			Name=main_deny_all
Added IPRule/1.

After the rule is added to an empty rule set, it can be displayed by using its index number:

System:/IPRuleSet/main> show IPRule 1

              Property  Value
 ---------------------  ------------
                Index:  1
                 Name:  main_deny_all
      SourceInterface:  any
 DestinationInterface:  any
        SourceNetwork:  all-nets
   DestinationNetwork:  all-nets
              Service:  all_services
               Action:  Deny
               OnDeny:  SendReject (Send Reject)
           LogEnabled:  No
             Comments:  <empty>

Now, return to the default, root context:

System:/IPRuleSet/main> cc
System:/>

These configuration changes must now be saved by entering an activate followed by a commit command.

7.3. IP Rule Actions

A rule consists of two parts: the filtering parameters and the action to take if there is a match with those parameters. As described above, the parameters of any rule, including IP rules are:

Source Interface
Source Network
Destination Interface
Destination Network
Service

When an IP rule is triggered by a match then one of the following Actions can occur:

Allow

The packet is allowed to pass from the specified source to the specified destination interface. As the rule is applied to only the opening of a flow, an entry in the "flow table" is made to record that a flow is open. The remaining packets related to this flow will pass through the system "state engine" and will not require another rule table lookup.

The parameter SourceTranslation can optionally be set to one of the following values:
1. NAT - This enables dynamic address translation (NAT) for traffic that triggers the rule. Refer to Section 9.2, NAT in Chapter 9, Address Translation for a detailed description of this.
2. SAT - This enables static address translation (SAT) for traffic that triggers the rule. Refer to Section 9.5, SAT in Chapter 9, Address Translation for a detailed description of this.

Deny

This tells cOS Stream to immediately discard the packet and by default, no reply is sent back to the sending host.

A "polite" version of Deny can be created if the optional OnDeny parameter of a Deny rule is set to SendReject. This setting means the rule returns a TCP RST or ICMP Unreachable message for denied traffic, informing the sender that the packet was dropped. Using this option can help to speed up applications that must wait for a reply timeout period.

The "impolite" default setting for a Deny rule is OnDeny=DropSilent.

Bi-directional Connections

A common mistake when setting up IP Rules is to define two rules, one rule for traffic in one direction and another rule for traffic coming back in the other direction. In fact, an IP rule with the action defined as Allow will permit bi-directional traffic flow once the initial flow is set up.

The Source Network and Source Interface in an IP rule with action Allow refers to the source of the initial flow request. If a flow is permitted and then becomes established, traffic can pass in either direction over it.

Example 7.2. Adding an Allow IP Rule

This example shows how to create a simple Allow rule that will allow HTTP flows to be opened from the if1_net network on the if1 interface to any IP4 address (all-nets-ip4) on the wan interface.

Command-Line Interface

First, change the current context to be the main IP rule set:

System:/> cc RuleSet IPRuleSet main

Now, create the IP rule:

System:/IPRuleSet/main> add IPRule
			SourceInterface=if1
			SourceNetwork=if1_net
			DestinationInterface=wan
			DestinationNetwork=all-nets-ip4
			Service=http
			Action=Allow
			Name=lan_http

Return to the default CLI context:

System:/IPRuleSet/main> cc
System:/>

Configuration changes must be saved by then issuing an activate followed by a commit command.

The Stateless Property

With the Stateless property of an IPRule object, it is possible to turn off the stateful tracking of protocols such as TCP. However, bidirectional flow states will still be set up for the flow in the system state table.

Stateless IP rules are used in a network scenario where data traffic is not suited to the default stateful protocol validation used by cOS Stream. This is usually only an issue with the TCP or ICMP protocols.

For example, with the default TCP state tracking, new flows are only opened when a TCP SYN packet is seen. cOS Stream performs validation so that illegal TCP state transitions are not allowed. When using IP rules with the Stateless property enabled, state transitions are not validated and a TCP flow can be opened even though the first packet is not a SYN.

A typical use case for this option is where asymmetric routing is used in a network topology. This means that only one direction of the TCP flow is passing through cOS Stream. If TCP validation were enabled then the flow would be dropped by cOS Stream since only one side of the TCP exchange will be seen.

Another use case is where there are TCP data flows from a wireless device to a 3GPP network. The flow might be started over a cellular phone wireless network and then be handed over to a Wi-Fi network that comes into range. The Wi-Fi network access could be via a Clavister NetShield Firewall and the triggering IP rule in the configuration will need the Stateless property enabled since any TCP flows have already been established prior to transiting through the firewall.

The following points should also be noted when using the Stateless option:

There is no loss of firewall throughput performance when the option is used.
The disadvantage of turning off flow validation is a reduction in security.
The IPRule object property StatelessAllowNewTCP can be used to prevent new TCP flows being established using the IP rule. The default value for this is Yes which allows new TCP flows.

The StatelessAllowNewTCP property is only used if the Stateless property is enabled.
IP rules with the Stateless property enabled can still support all the address translation options.

Example 7.3. Enabling the IP Rule Stateless Property

This example assumes the existence of the IP rule that has index number 6 in the main IP rule set. The Stateless property for this rule is to be enabled.

In addition, establishing new TCP flows with this IP rule will not be allowed by disabling the property StatelessAllowNewTCP.

Command-Line Interface

First, change the current context to be the main IP rule set:

System:/> cc RuleSet IPRuleSet main

Now, create the IP rule:

System:/IPRuleSet/main> set IPRule 6 Stateless=Yes StatelessAllowNewTCP=No
Modified IPRule/6.
System:/IPRuleSet/main>

Return to the default CLI context:

System:/IPRuleSet/main> cc
System:/>

Configuration changes must be saved by issuing an activate followed by a commit command.

7.4. Geolocation

An additional traffic filtering option that is available in IPRule objects is Geolocation. This feature allows filtering of IPv4 and IPv6 addresses for the traffic source and/or destination according to its geographic association. Some IP addresses may not have a known geographic association but these can also be targeted by this feature.

The geolocation feature can be used in two ways:

An IPRule object can allow traffic from and/or to specific geographical areas.
An IPRule object can deny traffic from and/or to specific geographical areas.

The following IPRule properties determine geographic filtering:

SourceGeolocation - The geographic filter for the traffic source.
DestinationGeolocation - The geographic filter for the traffic destination.

Geolocation Setup Steps

The steps required for setting up the geolocation feature are as follows:

If the predefined GeolocationFilter objects are not suitable targeted geographic area, define a custom GeolocationFilter area that includes the desired regions.
Use either predefined or custom GeolocationFilter objects as the value for the SourceGeolocation property and/or the DestinationGeolocation property in an IPRule object. The IPRule determines how triggering traffic will be handled.

These configuration components will now be described in more detail.

Selecting a Geographic Area

The value assigned to the SourceGeolocation and/or DestinationGeolocation properties can be one of the following two types:

A predefined GeolocationFilter object.

cOS Stream provides a predefined list of GeolocationFilter objects which correspond to regions. The names of the predefined GeolocationFilter objects are the following:
- any-region (all locations)
- Africa
- Antarctica
- Asia
- Europe
- North America
- Oceana
- South America
The any-region value is the default setting for geolocation if no region is specified for an IP rule and this will include all regions. All the predefined filters have their MatchPrivate and MatchUnknown properties disabled with the exception of any-region which has both properties enabled. In other words, any-region will match on both unknown and private IP addresses but the other predefined filters will not.

To list the regions included in a predefined filter use a CLI command like the following:
```
System:/> show GeolocationFilter Europe

This object is read-only.

     Property  Value                                     Remarks
-------------  ----------------------------------------  ---------
        Name:  Europe                                    Read-only
     Regions:  AD, AL, AT, AX, BA, BE, BG, BY, CH, CY,   Read-only
               CZ, DE, DK, EE, ES, FI, FO, FR, GB, GG,
               GI, GR, HR, HU, IE, IM, IS, IT, JE, LI,
               LT, LU, LV, MC, MD, ME, MK, MT, NL, NO,
               PL, PT, RO, RS, RU, SE, SI, SJ, SK, SM,
               UA, VA, XK
MatchPrivate:  No                                        Read-only
MatchUnknown:  No                                        Read-only
    Comments:  Europe                                    Read-only
```
The region list is given as a set of 2 character codes which follow the ISO-3166-1 Alpha-2 convention. Note that the predefined filters are read-only and cannot be edited by the administrator.
A Custom GeolocationFilter object.

For finer control of the targeted geographic area, the administrator can create a custom GeolocationFilter object which consists of one or more targeted regions. This object can then be used as the value for the SourceGeolocation and/or DestinationGeolocation properties of an IPRule object.

The principal property in the Geolocation filter is Regions. This property should be assigned a comma separated list of 2 character ISO-3166-1 Alpha-2 codes representing regions. Tab completion in the CLI will provide a list of all available codes.

In addition to specifying regions for a GeolocationFilter object, or instead of regions, the following two additional options can be enabled in the filter:
1. Match Private Networks - This includes the IP addresses used for private networks. This includes the IPv4 networks 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 and the IPv6 network fd00::/8. Although this option is not directly related to geolocation and could be implemented through the address book, it is provided as a convenience.
2. Match Unclassified Networks - This will match any IP address that is public but does not have a known region association.

Tip: Using tab completion to list codes

When, for example, creating a new Geolocation object, tab completion can be used to list all available country codes. However, it can be useful to also see the country names associated with codes and this is done by entered a question mark '?' before pressing the TAB key:

System:/> add Geolocation Filter my-gf Regions=?<TAB>
Name     Description
-------  --------------------------------------------
AD       Andorra
AE       United Arab Emirates
AF       Afghanistan
AG       Antigua and Barbuda
AI       Anguilla
AL       Albania
AM       Armenia
AO       Angola
AQ       Antarctica

Updating the Geolocation Database Files

The predefined geolocation regions and their associated IP addresses are defined by two files found on the firewall. One file is for IPv4 addresses and the other is for IPv6 addresses. All cOS Stream software versions come with two default files already installed and activated:

geoip4.bin - Geolocation data for IPv4 addresses.
geoip6.bin - Geolocation data for IPv6 addresses.

Note that the filetype of these two database files must always be .bin. Clavister will release new versions of these files periodically which can then be uploaded using SCP. They will automatically overwrite their older versions.

Activating Geolocation Files

Once a file is uploaded, it must be activated before it will be used by cOS Stream. This is done with the geoip -activate command but this is only available with the advanced command view :

System:/> geoip -activate=<filename>

A file can be deleted from storage with the -remove option:

System:/> geoip -remove=<filename>

However, it should be noted that -remove operation does not affect the currently activated definitions, it removes the file from which the definitions came.

The current status of all files can be displayed with the -status option:

System:/> geoip -status

The -lookup option can also be used to display the region that corresponds to a given IP address:

System:/> geoip -lookup=<ip-address>

The geoip command and its options are fully described in the separate CLI Reference Guide.

Example 7.4. IP Rule Filtering Using Geolocation

This example will set up an IPRule object that will drop all Internet traffic to a DMZ which is coming from the mythical region of Hackerland. This is done by first creating a GeolocationFilter object that includes only the fictitious regions Hackerland (fictitious ISO code: HA) and Phisherland (fictitious ISO code: PI). An IPRule object will then be defined which will drop all flows that originate from these regions.

In addition, the IPRule will also drop traffic that comes from any IP address that is not known to be associated with a region by enabling the MatchUnknown property in the GeolocationFilter object.

Command-Line Interface

First, create the GeolocationFilter object:

System:/> add GeolocationFilter my_geo_filter
			Regions=HA,PI
			MatchUnknown=Yes

Next, create the IPRule object that uses this filter:

System:/> add IPRule SourceInterface=wan
			SourceNetwork=all-nets
			DestinationInterface=dmz
			DestinationNetwork=all-nets
			Service=all_services
			Action=Deny
			SourceGeoFilter=my_geo_filter
			Name=wan_to_dmz

Note that all-nets includes both all IPv4 and all IPv6 addresses (it is a combination of all-nets-ip4 and all-nets-ip6) so the rule will be applied to both IPv4 and IPv6 source addresses.

Chapter 8: Services

8.1. Overview

A Service object type provides a means to reference a specific IP protocol. Such an object is most often used as a filter by assigning it to the Service property of a rule, such as an IPRule.

The available Service object types have the following names:

ServiceTCPUDP

This can be used for either the TCP or UDP protocol.
ServiceICMP

This is used for IPv4 ICMP messages. This type is described further in Section 8.3, ICMP.
ServiceICMPv6

This is used for IPv6 ICMP messages.
ServiceSCTP

This is used for the SCTP protocol. STCP validation can be performed for both stateless or stateful flows. Dealing with SCTP flows is discussed further in Section 8.2, SCTP.
ServiceIPProto

This is used for an IP protocol which can be specified using the IP protocol number. This type is described further in Section 8.4, ServiceIPProto Services.

In addition, a ServiceGroup object can be defined which can group a number of separate Service objects as a single object. Groups are described further in Section 8.5, Service Groups.

A Service is Passive

Service objects are passive objects in that they do not normally themselves carry out any action. Instead, they usually form part of the filtering criteria of rules, allowing a rule to trigger on a particular protocol. To do this they are assigned to the Service property of the rule.

For examples of how service objects are used with IP rules, see Chapter 7, IP Rules.

Predefined Services

A large number of service objects are predefined in cOS Stream. These include common services such as HTTP.

Predefined services can be used and also modified just like custom, user defined services. However, it is recommended to not make any changes to predefined services and instead create custom service objects with the desired characteristics.

Specifying All Protocols

An important predefined service has the name all_services. This service covers all possible protocols and it is used in the filtering criteria of a rule when the protocol is not relevant. This is an example of a ServiceGroup object which is discussed later in Section 8.5, Service Groups.

Other predefined services, such as all_icmp, also provide a means to describe a large number of related protocol types.

Example 8.1. Listing the Available Services

To produce a listing of the available services in the system:

Command-Line Interface

System:/> show Service

The output will look similar to the following listing with the services grouped by type with the service groups appearing first:

ServiceGroup

ServiceGroup

   Name            Comments
   --------------  ------------------------------
   all_tcpudpicmp  All ICMP, TCP and UDP services

ServiceICMP

   Name               Comments
   -----------------  -----------------------------------------------
   all_icmp           All ICMP services
   ping-inbound       Inbound ping (does not allow tracerouting)
       "
       "

Example 8.2. Viewing a Specific Service

To view a specific service in the system:

Command-Line Interface

System:/> show Service ServiceTCPUDP http

The output will look similar to the following listing:

          Property  Value                Remarks
 -----------------  -------------------  ---------
             Name:  http                 Read-only
 DestinationPorts:  80
             Type:  TCP
      SourcePorts:  0-65535
         SYNRelay:  No
   PassICMPReturn:  No
              ALG:  <empty>
         Comments:  World Wide Web HTTP

8.2. SCTP

8.2.1. The SCTP Service

A service object of the type ServiceSCTP can be assigned to the Service property of an IPRule so the rule triggers on SCTP traffic. cOS Stream provides a predefined object of this type with the name all_sctp.

In addition to being used as a filter for SCTP traffic, the ServiceSCTP service type also performs validation of SCTP flows. Validation can be performed for both stateless or stateful SCTP flows. Note that an SCTP flow is stateless if the Stateless property on the associated IPRule is enabled.

Supported SCTP Scenarios

A typical SCTP scenario that is supported by cOS Stream is where two networks communicate via the firewall using the SCTP protocol. SCTP multi-homing is supported by cOS Stream which means that the communicating networks can connect to the firewall via multiple interfaces, therefore providing path redundancy.

Limitations with SCTP

It should be noted that although cOS Stream supports the routing of SCTP traffic, it does not support the firewall acting as a terminator for SCTP traffic. Having cOS Stream perform NAT or SAT address translation with SCTP is also not possible.

SCTP Global Settings

There is a set of global settings for SCTP available in the SCTPSettings object. These settings are fully documented in the SCTPSettings section of the separate Clavister NetShield Firewall CLI Reference Guide and apply to all SCTP processing in the firewall

The global setting SCTPEnabled in the object SCTPSettings determines if SCTP filtering can be performed using a ServiceSCTP object. This is enabled by default but, if required, can be disabled with the following command:

System:/> set Settings SCTPSettings SCTPEnabled=No

When enabled, STCP validation will also be part of the all_services object for both stateless and stateful flows.

If SCTPEnabled is set to No, SCTP is treated as an unknown protocol.

Multi-Homing

cOS Stream supports SCTP multi-homing with either all IPv4 or all IPv6 addresses. Multi-homing means that SCTP peers can make use of multiple IP addresses for path redundancy. If a path fails, SCTP will retransmit the data over an alternate path. Flows can be between any IP address pair which is negotiated by the peers, but the port number is always the same.

Stripping of Multi-Homing Packets

The following should be noted about the stripping performed with multi-homing:

For SCTP stateful flows, all the IP addresses need to be routed through cOS Stream which means that the SCTP traffic must match the filter of the IPRuleobject. cOS Stream will strip IP addresses from packets that do not match the filter during the setup of SCTP associations. It will also strip host name addresses since they might get resolved by the peers to IP addresses that do not match the filter.
For SCTP stateless flows, stripping of IP addresses that lie outside the filter of the IP Rule object can be controlled by the SCTPMultihoming property of SCTPSettings. The default behavior is to not apply any restrictions on additional IP addresses or host name addresses for SCTP stateless flows. Handling of host name addresses is controlled by the SCTPHostNameAddressParam property of SCTPsettings.

Limiting Multi-Homing IP Addresses

The number of IP addresses allowed with multi-homing can be configured on the ServiceSCTP object by setting the properties MaxSourceAddresses and MaxDestAddresses.

Multi-Homing Interfaces Must Be Security Equivalent

The set of interfaces used for multi-homing must be set to be security equivalent. For example:

System:/> set Interface EthernetInterface if1
			SecurityEquivalentInterfaces=if2,if3

Security equivalence is explained further in Section 3.6, Security/Transport Equivalence.

Using Interface Groups with Multi-Homing

It can be helpful to create an InterfaceGroup object which consists of the interfaces that will be involved in multi-homing. This group can then be used as the source and destination interfaces of IP rule(s) set up to handle SCTP traffic instead of specifying the interfaces individually.

A Summary of Multi-Homing Setup

The steps for setting up multi-homing with multiple source interfaces and multiple destination interfaces can be summarized as the following:

Set up security equivalence between the source interfaces and again between the destination interfaces.
Create an interface group for the source interfaces and another for the destination interfaces.
Set up an IP rule with the appropriate SCTP service that uses these groups as the source and destination interface values. Also set the source and destination network values to the networks reachable through the interface groups. The setup and function of this rule is described in more detail next.

Setting up the IP Rule for Multi-Homing

The following points should be noted about the IPRule object that is created for SCTP multi-homing:

The rule should allow the initiator (the SCTP client) to make connections to the responder (the SCTP server).
The source IP address group of the rule should, at a minimum, contain all the IP aliases of the SCTP initiator that will be visible to the SCTP responder.
The source interface group should include all the interfaces through which the SCTP initiator can reach the SCTP responder.
The destination IP address group should include all the IP aliases of the SCTP responder that will be visible to the SCTP initiator.
The destination interface group should include all the interfaces through which the SCTP responder can reach the SCTP initiator.
Even though the rule does not explicitly allow the SCTP responder to contact the initiator, the return path is implicitly defined once the initiator has contacted the responder.
The source and destination interface filter specified for the rule can include interfaces which are not security equivalent. However, once the SCTP initiator has made initial contact with the responder, communication can only continue over security equivalent interfaces. Specifically, the initiator will only be allowed to send via source interfaces that are security equivalent to the source interface used for initial contact. Similarly, the responder will only be allowed to send via destination interfaces that are security equivalent to the destination interface used for initial contact.
Similarly, the rule's source and destination IP address filter can include IP addresses that are not part of IP aliases used by the SCTP endpoints. This means that the filters can be configured with entire network ranges, provided that this does not compromise security. However, once the SCTP initiator and responder have made contact, they will only be allowed to use their respective IP aliases for further communication.

Setting Up Stateless SCTP

Stateless SCTP is set up by setting the Stateless property of the IPRule object to a value of Yes. What this means is that SCTP will function as before and multi-homing will work, but cOS Stream will not be able to apply its full range of SCTP integrity checks. For example, the initial SCTP endpoint negotiation might flow through another route outside the firewall before subsequent SCTP traffic flows through the firewall. Note that if part of the SCTP session were to occur outside of the firewall then a second IP rule would be needed for SCTP traffic returning from the responder.

Also note that the SCTP multi-homing redundancy feature, described later in this section, will not function with stateless SCTP.

Example 8.3. Setting Up Stateful SCTP Multi-Homing

This example sets up stateful SCTP multi-homing. There are two IPv4 source networks that will initiate SCTP flows, if1_net on the if1 interface and if2_net on the if2 interface.

There are two destination remote SCTP peers which have IPv4 addresses 198.168.3.1 and 192.168.4.1. These addresses have associated interfaces if3 and if4.

Note that this example is valid if there are two independent remote peers using SCTP or there is a just a single remote peer implementing multi-homing using two IP addresses.

Command-Line Interface

First, create address book objects for the remote peers that will be the destination addresses:

System:/> add Address IPAddress peer_ip1 Address=192.168.3.1

System:/> add Address IPAddress peer_ip2 Address=192.168.4.1

Next, set up security equivalence for the source and destination interfaces:

System:/> set Interface EthernetInterface if1
			SecurityEquivalentInterfaces=if2

System:/> set Interface EthernetInterface if3
			SecurityEquivalentInterfaces=if4

Create interface groups for the source and destination interfaces:

System:/> add Interface InterfaceGroup ifgp1 Members=if1,if2

System:/> add Interface InterfaceGroup ifgp2 Members=if3,if4

Create an IP rule for traffic coming from the networks that initiate SCTP flows towards the remote peers:

System:/> cc RuleSet IPRuleSet main
System:/IPRuleSet/main> add IPRule Action=Allow
			SourceInterface=ifgp1
			SourceNetwork=if_net,if2_net
			DestinationInterface=ifgp2
			DestinationNetwork=peer_ip1,peer_ip2
			Service=all_sctp
			Stateless=No

8.2.2. Multi-Homing Redundancy

Both SCTP stateless and stateful flows are fully supported by a high availability cluster. SCTP flows do not need to be reestablished after an HA failover.

In addition, SCTP stateful flows can make use of an HA cluster feature called Multi-Homing Redundancy in conjunction with SCTP multi-homing This feature means that stateful SCTP flows are able to use a route through either HA cluster node. If one cluster node fails then, using multi-homing, the SCTP endpoints will reroute traffic through the other node with no requirement for flow reestablishment.

Traffic rerouting using the multi-homing redundancy feature is illustrated in the diagram below where two SCTP endpoints have a choice of traversing an HA cluster using either route 1 or route 2. If one route becomes unavailable because of a firewall failure in the cluster, SCTP multi-homing allows the endpoints to immediately switch to the alternate route through the other firewall, without traffic interruption.

Figure 8.1. SCTP Multi-Homing Redundancy

8.2.3. Node Only Routes with Multi-Homing Redundancy

The routing of SCTP traffic through an HA cluster with multi-homing redundancy can sometimes require either or both of the following routing requirements:

SCTP traffic to a specific network may need to be routed through a specific interface on one node in the HA cluster, and dropped entirely on the other node.
SCTP traffic to a specific network may need to be routed through one interface on one node in the HA cluster and through a different interface on the other node.

To address the above requirements, cOS Stream provides a special HARoute object which can be added to a user-defined routing table. These special routes are also referred to as HA node only routes.

Setup Steps for Node Only Routes

The following steps are needed to set up the node only routing feature:

Define a new RoutingTable object and set its property AllowHARoutes to the value Yes. This property allows both normal routes and node only routes to be added to the table. However, the property cannot be enabled for the predefined main routing table.

Note also that with the AllowHARoutes property enabled, a table cannot be assigned to the RoutingTableMembership property of an interface.
Add one or more HARoute objects to the new routing table. These define the required node only routing behavior for a specific destination network.

The MasterInterface property of an HARoute specifies a single interface for routing on the master node and the SlaveInterface property does the same for the slave node. The interface specified could be Ethernet, VLAN or another type. Either of these properties (but not both) can be set to the special interface value of <drop> if traffic to the matching destination network is to be dropped on one of the nodes.
Define a policy based routing rule which triggers on the relevant SCTP traffic and selects the routing table defined in the first step for both forward and return traffic. This is done by adding a child RoutingRule object to the predefined PBRRules parent object.

Note that the Service property of the RoutingRule must be set to a value of SCTP. Otherwise, it will not be possible to use the rule with a RoutingTable that has its AllowHARoutes property enabled.
Make sure there is an IPRule object that allows the traffic for each HARoute object created. Where a single HARoute object routes traffic through different interfaces depending on the node, a single IPRule must allow this traffic on both interfaces.
On the external network equipment connected to the HA cluster interfaces, static ARP table entries may need to be created so that the equipment knows which cluster interface to send traffic to for a given IP address. The reason for this is that the HA cluster only sends out gratuitous ARPs for the shared IP addresses of interfaces and not the unique IP addresses of each HA node.

Example 8.4. HA Node Only Routes with Multi-Homing Redundancy

This example will assume that there is a requirement in an HA cluster with multi-homing redundancy to route the destination network if1_net on the master HA node through the if1 interface and to drop this same traffic on the slave node.

An additional requirement is to route the destination network ext_net on the master HA node through the if2 interface but to route this same network on the slave node through the if3 interface.

Note that creating an appropriate IPrule is not shown in this example but one has to exist that allows the traffic flow for each HARoute. Each IPRule must specify all the destination interfaces specified in its corresponding HARoute.

A. Create a routing table for the node only routes:

System:/> add RoutingTable sctp_rt AllowHARoutes=Yes

B. Add the HA routes to the new routing table:

System:/> cc RoutingTable sctp_rt
System:/RoutingTable/sctp_rt> add HARoute
			Network=if1_net
			MasterInterface=if1
			SlaveInterface=<drop>
System:/RoutingTable/sctp_rt> add HARoute
			Network=ext_net
			MasterInterface=if2
			SlaveInterface=if3
System:/RoutingTable/main> cc
System:/>

C. Add a policy based routing rule:

System:/> cc PBRRules
System:/PBRRules> add RoutingRule
			Service=all_sctp
			SourceInterface=any
			SourceNetwork=all-nets-ip4
			DestinationNetwork=if1_net,ext_net
			ForwardRoutingTable=sctp_rt
			ReturnRoutingTable=sctp_rt
			Name=sctp_rr
System:/PBRRules> cc
System:/>

8.3. ICMP

The Internet Control Message Protocol (ICMP) is a protocol that is integrated with IP for error reporting and transmitting control information. For example, the ICMP Ping feature uses ICMP to test Internet connectivity.

ICMP Types and Codes

ICMP messages are delivered in IP packets, and includes a Message Type that specifies the format of the ICMP message and a Code that is used to further qualify the message. For example, the message type Destination Unreachable uses the Code parameter to specify the exact reason for the error.

Either all ICMP message types can be accepted by a service (with 256 possible types) or it is possible to filter the types using the MessagesTypes property of the ICMP service.

Specifying Codes

If a type is selected then the codes for that type can be assigned to the MessageTypes property of the ServiceICMP or ServiceICMPv6 object in the same way that port numbers are specified. For example, if the Destination Unreachable type is selected with the comma delimited code list 0,1,2,3 then this will filter Network unreachable, Host unreachable, Protocol unreachable and Port unreachable.

When a message type is selected but no code values are given then all codes for that type is assumed.

ICMP Message Types

The message types that can be selected are as follows:

Echo Request

Sent by PING to a destination in order to check connectivity.

Destination Unreachable

The source is told that a problem has occurred when delivering a packet. There are codes from 0 to 5 for this type:

Code 0: Net Unreachable
Code 1: Host Unreachable
Code 2: Protocol Unreachable
Code 3: Port Unreachable
Code 4: Cannot Fragment
Code 5: Source Route Failed

Redirect

The source is told that there is a better route for a particular packet. Codes assigned are as follows:

Code 0: Redirect datagrams for the network
Code 1: Redirect datagrams for the host
Code 2: Redirect datagrams for the Type of Service and the network
Code 3: Redirect datagrams for the Type of Service and the host

Parameter Problem

Identifies an incorrect parameter on the datagram.

Echo Reply

The reply from the destination which is sent as a result of the Echo Request.

Source Quenching

The source is sending data too fast for the receiver, the buffer has filled up.

Time Exceeded

The packet has been discarded as it has taken too long to be delivered.

8.4. ServiceIPProto Services

Services that run over IP and perform application/transport layer functions can be uniquely identified by IP protocol numbers. IP can carry data for a number of different protocols. These protocols are each identified by a unique IP protocol number specified in a field of the IP header. For example, ICMP, IGMP and EGP have protocol numbers 1, 2 and 8 respectively. The ServiceIPProto object type allows a Service to be defined based on these numbers by assigning them to the object's IPProto property.

Similar to the TCP/UDP port ranges described previously, a range of IP protocol numbers can be used to specify multiple applications for one service. For example, specifying the range 1-4,7 will match the protocols ICMP, IGMP, GGP, IP-in-IP and CBT.

IP protocol numbers

The currently assigned IP protocol numbers and references are published by the Internet Assigned Numbers Authority (IANA) and can be found at:

http://www.iana.org/assignments/protocol-numbers

Example 8.5. Adding an IP Protocol Service

This example shows how to add an IP Protocol service, with the Virtual Router Redundancy Protocol.

Command-Line Interface

System:/> add Service ServiceIPProto VRRP IPProto=112

8.5. Service Groups

A Service Group is an object that consists of a collection of services. Although the group concept is simple, it can be very useful when constructing security policies since the group can be used instead of an individual service.

The Advantage of Groups

For example, there may be a need for a set of IP rules that are identical to each other except for the service property. By defining a service group which contains all the service objects from all the individual rules, we can replace all of them with just one IP rule that uses the group.

Suppose that we create a service group called email-services which combines the three services objects for SMTP, POP3 and IMAP. Now only one IP rule needs to be defined that uses this group service to allow all email related traffic to flow.

Groups Can Contain Other Groups

When a group is defined then it can contain individual services and/or other service groups. This ability to have groups within groups should be used with caution since it can increase the complexity of a configuration and decrease the ability to troubleshoot problems. However, the feature allows the easy construction of large and complex sets of service definitions.

Chapter 9: Address Translation

9.1. Overview

The ability to modify the source and/or destination IP address of packets as they traverse a Clavister NetShield Firewall is known as Address Translation.

The ability to transform one IP address to another can have many benefits. Two of the most important are:

Private IP addresses can be used on a protected network where protected hosts need to have access to the public Internet. There may also be servers with private IP addresses that need to be accessible from the public Internet.
Security is increased by making it more difficult for intruders to understand the topology of the protected network. Address translation hides internal IP addresses which means that an attack coming from the "outside" is much more difficult.

Types of Translation

Two types of IP address translation are possible:

Dynamic Network Address Translation (NAT).
Static Address Translation (SAT).

Both types of translation are policy-based, which means that they can be applied to specific traffic based on the source/destination and network/interface as well as based on the type of protocol (the service). Two types IP rules, NAT rules and SAT rules, are used to configure address translation.

This section describes and provides examples of configuring NAT and SAT rules.

9.2. NAT

Dynamic Network Address Translation (NAT) provides a mechanism for translating original source IP addresses to a different address as packets traverse a network device. Outgoing packets from the device then appear to come from a different source IP address. Incoming packets returning to that source address have their IP address translated back to the original one.

NAT is configured in cOS Stream by specifying the SourceTranslation property of an IP Rule to have an action of NAT. cOS Stream allows NAT to be applied to both IPv4 and IPv6 addresses, and NATing can be done both with a single IP Rule object. An example of this is given towards the end of this section.

NAT Benefits

NAT can have two important benefits:

The IP addresses of individual clients and hosts can be "hidden" behind the firewall's IP address. This is sometimes referred to as topology hiding.
Only the firewall needs a public IP address for public Internet access. Hosts and networks behind the firewall can be allocated private IP addresses (as defined in RFC1918 for IPv4) but can still have access to the public Internet through the public IP address.

NAT Provides many-to-one IP Address Translation

NAT provides many-to-one translation. This means that each NAT rule in the IP rule set will translate between several source IP addresses and a single source IP address.

To maintain session state information, each NAT flow is translated to a unique combination of port number and IP address for the source. cOS Stream then performs automatic translation of the source port number as well as the IP address for returning packets. In other words, the actual source IP addresses for flows are all translated to the same IP address and the flows are distinguished from one another by the allocation of a unique port number to each.

The diagram below illustrates the NAT concept.

Figure 9.1. NAT IP Address Translation

In the diagram above, three flows from IP addresses A, B and C are NATed through a single source IP address N. The original port numbers are also changed.

The next source port number allocated for a new NAT flow will be the first free port selected randomly by cOS Stream. Ports are allocated randomly to increase security from external attack.

Limitations on the Number of Flows

There is a limitation of approximately 65,500 simultaneous NAT flows where each flow consists of a unique pair of IP addresses. The term IP pair means one IP address on an interface and the IP address of some external host to which a flow is being made. If two different IP addresses on an external host are being connected to from the same NAT address on the firewall then this will constitute two, unique IP pairs. The 65,500 figure is therefore not a limitation for the entire Clavister NetShield Firewall.

When discussing the 65,500 simultaneous NAT flow limit, a "flow" is considered to be a unique pair of IP addresses where different port numbers are not used or the same destination port is used. For example, if a remote server demands that all flows are to a single destination port then this limit will apply.

However, since there is a possible range of 65,500 source ports and the same number for destination ports, it is theoretically possible to have over 4 billion flows between two IP addresses if all ports are used.

The Source IP Address Used for Translation

There are three options for how cOS Stream determines the source IP address that will be used for NAT:

Use the IP Address of the Interface

When a new flow is established, the routing table is consulted to resolve the outbound interface for the flow. The IP address of that resolved interface is then used as the new source IP address when cOS Stream performs the address translation. This is the default way that the IP address is determined.
Specify a Specific IP Address

A specific IP address can be specified as the new source IP address. The specified IP address needs to have a matching ARP Publish entry configured for the outbound interface. Otherwise, the return traffic will not be received by the Clavister NetShield Firewall. This technique might be used when the source IP is to differ based on the source of the traffic. For example, an ISP that is using NAT, might use different IP addresses for different customers.

The NAT Translation Process

To explain the NAT process in a simple example, consider a protected client behind the firewall which has the private IPv4 address 192.168.1.5. It wants to make an HTTP connection on port 80 of a server with the public IPv4 address 203.0.113.10.

The public IPv4 address of the Ethernet interface connected to the Internet is 203.0.113.5 (for simplicity, assume that the interface and the server are on the same network). NAT translation is applied to flows originating on this interface by specifying a NATing IP Rule object that allows flows from the client to the server.

The sequence of these events in the NAT process is illustrated in the diagram below and the description of steps that follows.

Figure 9.2. The NAT Translation Process

The sender at IP address 192.168.1.5 sends a packet from a dynamically assigned port number (assume port 1038) to the server at 203.0.113.10 on port 80.
```
		 => 
```
Assume that the NAT Use Interface Address option is used in the IP rule. cOS Stream changes the source port to a random unused port on its interface which is above port 1024. In this example, assume port 32,789 is chosen. The packet is then sent to its destination with this source port and the source IP of the interface.
```
		 => 
```
The server then processes the packet and sends its response back to the source IP and port.
```
		 => 
```
cOS Stream receives the packet and looks up the destination IP and port in its list of open flows. If it finds the flow, it restores the original source IP address and port number and forwards the packet.
```
		 => 
```
The original sender has now received the response without needing a public IP address of its own.

Example 9.1. Adding an IPv4 NAT Rule

This example will add a NAT rule that will perform IPv4 address translation for all HTTP/HTTPS traffic originating from the internal network if1 as it flows out to the public Internet on the wan interface. The IPv4 address of the wan interface will be used as the NATing address for all flows.

Command-Line Interface

First, change the current category to be the main IP rule set:

System:/> cc RuleSet IPRuleSet main

Now, create the IP rule:

System:/IPRuleSet/main> add IPRule
			SourceInterface=if1
			SourceNetwork=if1_net
			DestinationInterface=wan
			DestinationNetwork=all-nets
			Service=http-all
			Action=Allow
			SourceTranslation=NAT
			SetSourceAddress=InterfaceAddress
			Name=NAT_HTTP

Now, return to the default CLI context if no more rules are needed:

System:/IPRuleSet/main> cc
System:/>

DNS Traffic Needs a Separate Rule

Note that a second, similar rule will be needed to NAT DNS traffic from the internal HTTP/HTTPS clients so that web browsers can resolve URLs. Everything will be the same except the Service property should be set to dns-all in such a rule.

Specifying the NAT IP Address

In the preceding example, the IP address used for NAT is the IPv4 address of the destination interface. The alternative is to specify another IPv4 address that is to be used on the destination interface. This is done by specifying the SetSourceAddress option as AllToOne and using the NewSourceIP4 option to specify the new NAT address for the interface.

Example 9.2. Specifying an IPv4 NAT Address

This example is the same as the preceding example except the NAT address used on the wan interface is to be explicitly specified as 10.0.0.1

Command-Line Interface

First, change the current category to be the main IP rule set:

System:/> cc RuleSet IPRuleSet main

Now, create the IP rule:

System:/IPRuleSet/main> add IPRule
			SourceInterface=if1
			SourceNetwork=if1_net
			DestinationInterface=wan
			DestinationNetwork=all-nets
			Service=http-all
			Action=Allow
			SourceTranslation=NAT
			SetSourceAddress=AllToOne
			NewSourceIP4=10.0.0.1
			Name=NAT_HTTP

The IPv4 address 10.0.0.1 must also be explicitly ARP published on the wan interface if it is not already one of the addresses assigned to that interface.

ARP Publishing the NAT IPv4 address

As mentioned in the last NAT example, if the NAT IPv4 address is not already ARP published on the Ethernet interface then this must be done explicitly. Doing this is described in Chapter 4, ARP.

ARP publishing of all the IP addresses already assigned to an Ethernet interface is done automatically and any Ethernet interface can have multiple IP addresses associated with it.

IPv6 NAT Addresses

It is possible to NAT IPv6 traffic in the same way that NAT is used for IPv4 traffic. It is also possible to combine IPv4 and IPv6 traffic in the same IP rule.

Example 9.3. Adding an IPv6 NAT Rule

This example will add a NAT rule that will perform IPv6 address translation for all IPv6 HTTP/HTTPS traffic originating from the internal network if1 as it flows out to the public Internet on the wan interface. The IPv6 address of the wan interface will be used as the NATing address for all flows.

Command-Line Interface

First, change the current category to be the main IP rule set:

System:/> cc RuleSet IPRuleSet main

Now, create the IP rule:

System:/IPRuleSet/main> add IPRule
			SourceInterface=LAN
			SourceNetwork=LAN_ip6_net
			DestinationInterface=WAN
			DestinationNetwork=all-nets
			Service=http-all
			Action=Allow
			SourceTranslation=NAT
			SetSourceAddress=InterfaceAddress
			Name=NAT_IP6_HTTP

Example 9.4. Adding a Combined IPv4 and IPv6 NAT Rule

This example repeats the preceding example but will perform NAT on both IPv4 and IPv6 traffic. The difference in how the SourceNetwork property is specified.

Command-Line Interface

First, change the current category to be the main IP rule set:

System:/> cc RuleSet IPRuleSet main

Now, create the IP rule:

System:/IPRuleSet/main> add IPRule
			SourceInterface=LAN
			SourceNetwork=LAN_net,LAN_ip6_net
			DestinationInterface=WAN
			DestinationNetwork=all-nets
			Service=http-all
			Action=Allow
			SourceTranslation=NAT
			SetSourceAddress=InterfaceAddress
			Name=NAT_IPv4_IP6_HTTP

Specifying the IPv6 NAT Address

Note that the property NewSourceIP6 could be used to specify an IPv6 address as the NAT address for IPv6 traffic. Either or both of NewSourceIP4 and NewSourceIP6 must be specified in the same rule when the SetSourceAddress=AllToOne option is used.

If the NAT rule allows both IPv4 and IPv6 addresses (for example, the source IP might be all-nets) then both NewSourceIP4 and NewSourceIP6 will have to be specified since the rule must deal with applying NAT to both address types.

Protocols Handled by NAT

Dynamic address translation is able to deal with the TCP, UDP and ICMP protocols with a good level of functionality since the algorithm knows which values can be adjusted to become unique in the three protocols. For other IP level protocols, unique flows are identified by their sender addresses, destination addresses and protocol numbers.

This means that for protocols other than TCP, UDP and ICMP:

An internal machine can communicate with several external servers using the same IP protocol.
An internal machine can communicate with several external servers using different IP protocols.
Several internal machines can communicate with different external servers using the same IP protocol.
Several internal machines can communicate with the same server using different IP protocols.
Several internal machines can not communicate with the same external server using the same IP protocol.

Note: Restrictions only apply to IP level protocols

These restrictions apply only to IP level protocols other than TCP, UDP and ICMP, such as OSPF and L2TP. They do not apply to the protocols transported by TCP, UDP and ICMP such as telnet, FTP, HTTP and SMTP.

cOS Stream can alter port number information in the TCP and UDP headers to make each flow unique, even though such flows have had their sender addresses translated to the same IP.

Some protocols, regardless of the method of transportation used, can cause problems during address translation.

9.3. NAT Pools

Overview

Network Address Translation (NAT) provides a way for many clients and hosts, with unique private IPv4 addresses, to communicate with remote hosts through a single external public IP address (this is discussed in depth in Section 9.2, NAT). When multiple public external IPv4 addresses are available then a NATPool object can be used to allocate new flows across these public addresses.

NAT pools are usually employed when there is a requirement for huge numbers of unique port connections. The port manager has a limit of approximately 65,000 connections for a unique combination of source and destination IP addresses. Where large number of internal clients are using applications such as file sharing software, very large numbers of ports can be required for each client. The situation can be similarly demanding if a large number of clients are accessing the Internet through a proxy-server. The port number limitation is overcome by allocating extra external IP addresses for Internet access and using NATPool objects to allocate new flows across them.

The NAT Pool Type Property

A NAT pool can be one of the following types with each allocating new flows in a different way:

Stateful
Stateless
Fixed
Deterministic

The first three types are discussed further in this section. The Deterministic option is described separately in Section 9.4, Deterministic NAT.

Stateful NAT Pools

When the Stateful option is selected for the Type property, cOS Stream allocates a new flow to the external IP address that currently has the least number of flows routed through it with the assumption that it is the least loaded. cOS Stream keeps a record in memory of all such flows. Subsequent flows involving the same internal client/host will then use the same external IP address.

The advantage of the stateful approach is that it can balance flows across several external ISP links while ensuring that an external host will always communicate back to the same IP address which will be essential with protocols such as HTTP when cookies are involved. The disadvantage is the extra memory required by cOS Stream to track the usage in its state table and the small processing overhead involved in processing a new flow.

To make sure that the state table does not contain dead entries for communications that are no longer active, a StateKeepAlive property can be specified. This is the number of seconds of inactivity that must occur before an entry in the state table is removed. After this period, cOS Stream assumes no more communication will originate from the associated internal host. Once the state is removed then subsequent communication from the host will result in a new state table entry and may be allocated to a different external IP address in the NAT Pool.

The state table itself takes up memory but this memory is limited in size using the MaxStates property in a NAT Pool object. The following should be noted about the MaxStates property:

The MaxStates property does not have a default value and must be specified. It is up to the administrator to decide the appropriate size.
One entry in a state table tracks all the flows for a single host behind the firewall, no matter which external host the flow concerns. As a rule of thumb, the MaxStates value should be at least the number of local hosts or clients that will be expected to connect to the Internet.
The MaxStates value determines the amount of memory the pool will require. Minimizing this is recommended but the value could be the maximum number of addresses in the network if the administrator has insufficient knowledge about the potential number of simultaneous users and hosts.
There is only one state table per NAT pool. This means that if a single pool is reused in multiple NAT IP rules, they will share the same state table.
If the MaxStates value has been reached when adding a new state, an existing state entry with the longest idle time will be replaced. If all entries in the table are active then a random entry will be selected and replaced.

Stateless NAT Pools

If the Stateless option is selected for the Type property, it means that no state table is maintained and the external IP address chosen for each new flow is the one that has the least flows already allocated to it. This means two flows between one internal host to the same external host may use two different external IP addresses.

The advantage of a Stateless pool is that there is a good spread of new flows between external IP addresses with no requirement for memory allocated to a state table and there is less processing time involved in setting up each new flow. The disadvantage is that it is not suitable for communication that requires a constant external IP address.

Fixed NAT Pools

The Fixed option for the Type property means that each internal client or host is allocated one of the external IPv4 addresses through a hashing algorithm. Although the administrator has no control over which external flow will be used, this scheme ensures that a particular internal client or host will always communicate through the same external IPv4 address.

Using Fixed has the advantage of not requiring memory for a state table and provides very fast processing for new flow establishment. Although explicit load balancing is not part of this option, there should be adequate spreading of the load across the external flows due to the random nature of the allocating algorithm. This type option is therefore recommended over the Stateful option if the internal network is extremely large.

Explicitly Enable Proxy ARP

When external routers sends ARP queries to the firewall to resolve any external IPv4 addresses included in a NAT pool, cOS Stream needs to send the correct ARP replies so the external router can correctly build its routing table. This is done by using the proxy ARP feature of cOS Stream.

The administrator must always explicitly enable proxy ARP for the NAT pool addresses on the IP rule's destination interface and any other relevant interfaces. This is done by adding a route for the NAT pool addresses on the core interface (in other words a core route) and enabling proxy ARP for that route on the destination interface or other selected interfaces.

Using NAT Pools with an IP Rule

NAT pools are used in conjunction with a normal NAT IP rule. When defining the NAT IP rule, a NATPool object can be selected by setting the SetSourceAddress property to the value NATPool and assigning the NATPool object to the property NATPool. The example below illustrates this.

Note: All network addresses are available unless excluded

If the NAT pool is specified as an entire IP network then it should be noted that all addresses in that network can be allocated. For example, if the network 203.0.113.0/24 is used, the addresses 203.0.113.0 and 203.0.113.255 are available for allocation.

If this behavior is undesirable and the .0 and .255 IP addresses are to be excluded, this must be done explicitly when the address range is specified. This applies to all NAT pool types, including deterministic NAT pools.

Example 9.5. Using NAT Pools

This example creates a NAT pool with the external IPv4 address range 10.6.13.10 to 10.16.13.15 which is then used in a NAT IP rule for HTTP traffic coming from the protected network if1_net on the if1 interface destined for the public Internet, which is connected to the if2 interface.

The MaxStates value will be set at 16,384. The administrator might choose a much lower value to minimize memory usage but the value should always accommodate the maximum number of simultaneous users and hosts that are expected.

Command-Line Interface

Create an address book object that specifies the IP range for the pool:

System:/> add Address IPAddress nat_pool_range
			Address=10.6.13.10-10.16.13.15

Add the NATPool object:

System:/> add NATPool my_stateful_natpool
			Type=Stateful
			ExternalIPPool=nat_pool_range
			MaxStates=16384

Change the context to be the main IP rule set:

System:/> cc RuleSet IPRuleSet main

Now, create the IP rule to perform NAT:

System:/IPRuleSet/main> add IPRule
			Action=Allow
			SourceNetwork=if1_net
			SourceInterface=if1
			DestinationNetwork=all-nets-ip4
			DestinationInterface=if2
			Service=http
			SourceTranslation=NAT 
			SetSourceAddress=NATPool
			NATPool=my_stateful_natpool
			Name=lan_to_wan

Restore the default CLI context:

System:/IPRuleSet/main> cc

To add a core route, change the context to be the main routing table:

System:/> cc RoutingTable main

Create the route to add the core route and specify proxy ARP:

System:/RoutingTable/main> add Route
			Interface=core
			Network=nat_pool_range
			ProxyArpInterfaces=if2

Restore the default CLI context:

System:/RoutingTable/main> cc

When defining the route, the property ProxyArpAllInterfaces=Yes could have been used to enable proxy ARP on all interfaces.

The natpool CLI Command

The CLI command natpool can be used to look at the current status of NATPool objects.

Below is some typical output from the command, showing all NAT pool activity.

System:/> natpool
		
NAT Pool summary

Pool     Type   Size   Active  Flows
-------  -----  -----  ------  -------
my_pool  Fixed  65024  45884   1359944

Here, there is only one fixed pool called my_pool configured with 45,884 IPv4 addresses being used out of a possible maximum of 65,024.

The fixed pool in the output above can be examined in depth with the command:

System:/> natpool my_pool
		
NAT Pool External IP usage

External IP Flows
----------- -----
1.2.0.1     193
1.2.0.2     0
1.2.0.3     70
1.2.0.4     88

Here, only four IPv4 addresses are being used from the pool and the total active flows for each IP address is listed.

Note that the output shown above for a single pool can change according to the type of pool.

For example, if the pool type is Stateful then Lingering values will also be shown. This is the number of states in lingering mode for the specified NAT IP. In other words, the number of internal hosts that have had a NAT IP mapping but do not have any active flows.

For a full list of options, see the natpool command entry in the separate Clavister NetShield Firewall CLI Reference Guide.

9.4. Deterministic NAT

The Nat Pool Logging Problem

A problem with the normal usage of a NAT pool is that a log event message may have to be generated every time a user's IP address is translated by the NAT pool mechanism and their flow is allocated a port number and IP address. Logging of all new flows might be necessary because local legislation requires that a service provider can identify the actual IP address of a given user. The constant generation of log messages poses a storage problem when large numbers of users are constantly connecting and disconnecting and can be a costly issue.

The Deterministic Nat Solution

The Clavister NetShield Firewall provides a solution to this problem with a feature of NAT pools called Deterministic NAT. When this is enabled on a NATPool object, instead of logging being done, an algorithm can be used to find out which user was using a given port number and shared IP address.

Deterministic NAT Setup

In order to set up this feature, the following steps are needed:

Create a NATPool object as normal. This is described in Section 9.3, NAT Pools.
Set the Type property of this object to be Deterministic.
Change any of the NATPool properties related to deterministic NAT if the default values are not sufficient for the traffic load expected. These properties and their function are described later in this section.
Now use the NATPool object with an IPRule object.

Deterministic and Dynamic IP Mapping

The algorithm used for deterministic NAT will be configured to deal with a certain amount of concurrent flows. While the number of flows is below this level, the algorithm can be applied and no logging is necessary since the user IP can always be calculated. This state is referred to as deterministic assignment.

However, when the concurrent flows exceed the maximum expected, the algorithm can no longer be applied and normal logging of NAT allocation takes place. This state is referred to as dynamic assignment. As explained next, the tool used to calculate the user's IP address will indicate if the address was allocated dynamically and the log event messages must be examined.

Avoiding dynamic port assignment depends on whether the default parameters for the algorithm are sufficient for the demands of the traffic flows. If they are not then the administrator must change them and/or expand the IP address pool to deal with the expected traffic load. The configurable properties for deterministic NAT are explained later in this section.

Disabling Dynamic Assignment

One of the NAT pool properties discussed later is DynPoolRatio. When this is set to zero, dynamic mapping is disabled entirely. However, if deterministic mapping then runs out of IP/port combinations, the excess flows that cannot be mapped will be dropped and the following log message is generated:

prio=warning id=1091
event=deterministic_natpool_found_no_free_ports_for_ip name=det
internalip=192.168.12.32 blocksizedet=1 blocksizedyn=0 action=drop

Identifying the IP Address of a User

The following is the procedure for identifying a user:

Use the CLI command natpool -reverse command to calculate the IP address. This command requires the NATPool object used for the mapping, or an exact copy of it, as a parameter so it is important to have this object, or an exact copy of it, when the calculation is done.
The resulting output provides the IP address, unless the Internal IP Range is indicated as "Dynamic". If the assignment was dynamic then the IP address will have to determined by examining the log event messages.

An example of using the natpool -reverse command is given at end of this section in Example 9.7, “Calculating a Deterministic NAT User IP”.

NAT Pool Properties for Deterministic NAT

As mentioned, there are a number of properties of a NATPool object that control the functioning of the deterministic NAT pool mechanism. They are the following:

DynBlockAllocation

This property can be either of the following values:
1. InternalNetwork - This is the default value, and means that an internal IP that is outside the NAT pool's InternalNetwork will not get a mapping. Instead, the log message NATPool_DetNATDeniedIP will be generated and the flow will be dropped.
2. AnyIP - This setting means that an internal IP that is outside the InternalNetwork property of the NAT pool will still be mapped. However, the mapping of such an IP outside the range will always be dynamic (the algorithm will not be used) so the user IP must be looked up in the event message log. The IP rule associated with the IP pool would also need a SourceNetwork property setting that allowed the out-of-range IP.

CompressionRatio

This specifies how many internal IPs will be mapped to each external IP. It affects the deterministic mapping algorithm. The possible values are:
1. Auto - This is the default value and means the property is calculated as follows:
```
CompressionRatio = roundup (internal_ip_count / external_ip_count)
```
  The internal_ip_count and external_ip_count values are calculated from the IP pool properties InternalNetwork and ExternalIPPool respectively.
2. An integer between 1 and 65535 - This is the number of internal IPs mapped to each external IP and is used only if there is a need to customize the mapping.

DynPoolRatio

This is an integer value between 0 and 100 and specifies the percentage of available ports that will be used for dynamic port block allocation. Note that this percentage of available ports are always reserved for dynamic allocation.

If this property is set to 0 (the default), dynamic allocation is disabled. In addition, the properties DynBlockAllocation, DynBlockSize and DynBlockAllocLimit will have no meaning since all mapping will be deterministic.

DynBlockSize

This specifies the size of each dynamic port block.
1. Auto - This is the default setting and means the size is calculated as follows:
```
DynBlockSize =
   rounddown( (total_ports - reserved_ports - CompressionRatio)
     * DynPoolRatio / CompressionRatio )
```
2. An integer between 1 and 65535 - This is the port block size and is used only if there is a need to customize the mapping.

DynBlockAllocLimit

This specifies the maximum number of dynamic port blocks that can be allocated for each internal IP. The default value is 1. Note that there can be multiple port blocks for dynamic mapping but only a single port block for deterministic mapping.

DetBlockSize

This specifies the number of external ports in each pre-allocated deterministic port block. This property is the key driver of the mapping mechanism if dynamic mapping is disabled. If dynamic mapping is enabled, this property and DynBlockSize should both be considered.
1. Auto - This is the default setting and means the size is calculated as follows:
```
DetBlockSize = rounddown(
  (total_ports – reserved_ports – dynamic_ports – CompressionRatio)
	  / CompressionRatio )
```
  Here, Total_ports is 65535 and Reserved_ports is 1023. Also:
```
Dynamic_Ports =
  rounddown( (total_ports – reserved_ports – CompressionRatio)
	  * DynPoolRatio )
```
2. An integer between 1 and 65535 - This is the number of external ports available and and is used only if there is a need to customize the mapping.

Calculating the User IP Manually

It is useful to describe examples of manually determining the user IP from a deterministic mapping. In practice, it should not be necessary to do these calculations manually because the natpool -reverse CLI command could be used to do it automatically. This description is included for completeness.

The formula for determining the index into the InternalIPPool is calculated as follows:

Index = rounddown( (ExternalPort-ReservedPorts)/DetBlockSize
   + CompressionRatio * ExternalIPIndex)

Where ExternalIPIndex is the index of the external IP in the configured ExternalIPPool assuming that the first position has an index value of 0.

The derived Index value can indicate if the mapping was deterministic (the internal IP can be determined mathematically) or dynamic (the internal IP must be looked up in the event message logs). The rules for deciding which should be used are the following:

Calculate the following:
```
(CompressionRatio + CompressionRatio * ExternalIPIndex)
```
If the Index is less than this value then the mapping was deterministic.
If the Index is greater or equal to this value then the mapping was dynamic.

The examples below are all based on the following NATPool object:

System:/> add NATPool my_dnatpool_example
			Type=deterministic
			ExternalIPPool=203.0.113.51-203.0.113.60
			InternalNetwork=192.0.2.0/24
			DynPoolRatio=10
			DynBlockAllocLimit=2

Example 1: Who had the external IP 203.0.113.51 : 4096 ?

Get the values for the following properties: CompressionRatio, DynPoolRatio, DetBlockSize, DynBlockSize.

If needed, calculate the DynPortQuantity:

DynPortQuantity =
  rounddown((TotalPorts-ReservedPorts-CompressionRatio)*DynPoolRatio)
                = rounddown((65535-1023-26)*0.1) = 6448

If needed, calculate the DetBlockSize:

DetBlockSize =
  rounddown((TotalPorts-ReservedPorts-DynBlockQuantity-CompressionRatio)
	  /CompressionRatio)
	     = rounddown((65535-1023-6448-26)/26) = 2232

Now calculate the internal IP Index value, assuming that the ExternalIPIndex is 0 (because 203.0.113.51 is the first usable IP in the ExternalIPPool):
```
Index = rounddown( (ExternalPort-ReservedPorts)/DetBlockSize
          + compressionRatio * ExternalIPIndex )
            = rounddown( (4096-1023)/2232 + 26*0)  = 1
```
Starting from 0, an Index of 1 is the second IP in the InternalNetwork, 192.0.2.1 (since 192.0.2.0 is the first IP).

Example 2: Who had the external IP 203.0.113.52 : 4096 ?

Assuming the ExternalIPIndex is 1, calculate the internal IP Index:

Index =
   rounddown( (ExternalPort-ReservedPorts)/DetBlockSize
     + compressionRatio * ExternalIPIndex )
        = rounddown((4096-1023)/2232 + 26*1) = 27

The Index is 27 starting from 0 and this corresponds to the IP address 192.0.2.27.

Example 3: Who had the external IP 203.0.113.53 : 60000 ?

Calculate the internal IP Index, assuming this time the ExternalIPIndex to be 2:
```
Index =
   rounddown( (ExternalPort-ReservedPorts)/DetBlockSize
     + compressionRatio * ExternalIPIndex )
       = rounddown((60000-1023)/2232 + 26*2) = 78
```
Compare the result to the following:
```
(CompressionRatio+CompressionRatio*ExternalIPIndex) = 26+26*2 = 78
```
Since the result is greater than or equal to this, the flow was opened using a dynamic mapping. This means the dynamic logs need to be searched to find the internal IP address.

Displaying Deterministic NAT Status

The administrator can use the natpool <natpool-name> command to display the current status of a deterministic NAT pool. The -verbose option can be added to provide complete information. Below is an example:

System:/> natpool my_det_natpool -verbose 
External IP Pool                    : 203.0.113.51-203.0.113.60
Internal Network                    : 192.168.20.10-192.168.20.40
Deterministic Port Block Size       : 10
Dynamic Address Pool Ratio          : 10 % 
Dynamic Allocation Port Block Size  : 10
Compression Ratio                   : 1
Reserved Port Range                 : 1-1023

Highest flow count          (External IP)   : 15 (203.0.113.52)
Highest dynamic block count (External IP)   : 1 (203.0.113.52)
Highest dynamic block user  (Internal IP)   : (192.168.20.11)
Total TCP flow count        (NATPool)       : 15
Total UDP flow count        (NATPool)       : 0
Average TCP flows, deterministic blocks     : 10
Average UDP flows, deterministic blocks     : 0
Average TCP flows, dynamic blocks           : 5
Average UDP flows, dynamic blocks           : 0

               Deterministic NAT bindings:

External IP    Port Range  Internal IP Range  Flow Count
-------------  ----------  -----------------  ----------
203.0.113.51   1024-1033   192.168.20.10      0
203.0.113.51   1034-65535  <dynamic>          0
203.0.113.52   1024-1033   192.168.20.11      10
203.0.113.52   1034-65535  <dynamic>          5

In the above, the lines with <dynamic> in them represent the dynamic mappings. The other lines represent deterministic mappings.

An alternative way to find the mapping for a particular internal address, is to use the -internalip option:

System:/> natpool <natpool-name> -internalip=<int-ip_address>

An example of usage along with the resulting output is shown below:

System:/> natpool my_det_natpool -internalip=192.168.20.11

                     Deterministic NAT bindings:

External IP    Port Range  Range type       Internal IP    Flow Count
-------------  ----------  ---------------  -------------  ----------
203.0.113.52   1024-1033   <deterministic>  192.168.20.11  10
203.0.113.52   1034-1043   <dynamic>        192.168.20.11  5

cOS Stream will indicate if an internal address cannot be found:

System:/> natpool my_det_natpool -internalip=192.0.2.1
IP (192.0.2.1) not found on any ip range for the (my_det_natpool) NAT Pool.

Similarly, to find the mapping for a given external address, the -externalip option can be used:

System:/> natpool <natpool-name> -externalip=<ext-ip_address>

An example of usage along with the resulting output is shown below:

System:/> natpool my_det_natpool -externalip=203.0.113.52

                     Deterministic NAT bindings:

External IP    Port Range  Range type       Internal IP    Flow Count
-------------  ----------  ---------------  -------------  ----------
203.0.113.52   1024-1033   <deterministic>  192.168.20.11  10
203.0.113.52   1034-1043   <dynamic>        192.168.20.11  5

cOS Stream will indicate if an address is actually an internal IP:

System:/> natpool my_det_natpool -externalip=192.168.20.11
IP (192.168.20.11) is identified as internal.
Please use -internalip flag instead.

Example 9.6. Deterministic NAT Setup

This example closely follows Example 9.5, “Using NAT Pools” but uses deterministic NAT so that logging is kept to a minimum.

It creates a deterministic NAT pool with the external IPv4 address range 203.0.113.51 to 203.0.113.60 which is then used in a NAT IP rule for HTTP traffic coming from the protected network if1_net on the if1 interface. This traffic is destined for the public Internet which is connected to the if2 interface.

The default property values for the deterministic NAT pool mechanism are assumed.

Command-Line Interface

Create an address book object that specifies the IP range for the pool:

System:/> add Address IPAddress nat_pool_range
			Address=203.0.113.51-203.0.113.60

Create the NATPool object that is deterministic:

System:/> add NATPool my_det_natpool
			Type=Deterministic
			ExternalIPPool=nat_pool_range
			InternalNetwork=if1_net

Change the context to be the main IP rule set:

System:/> cc RuleSet IPRuleSet main

Now, create the IP rule to perform NAT:

System:/IPRuleSet/main> add IPRule
			SourceNetwork=if1_net
			SourceInterface=if1
			DestinationNetwork=all-nets-ip4
			DestinationInterface=if2
			Service=http
			Action=Allow
			SourceTranslation=NAT 
			SetSourceAddress=NATPool
			NATPool=my_det_natpool
			Name=lan_to_wan_det_nat

Restore the default CLI context:

System:/IPRuleSet/main> cc

To add a core route, change the context to be the main routing table:

System:/> cc RoutingTable main

Create the route to add the core route and specify proxy ARP:

System:/RoutingTable/main> add Route
			Interface=core
			Network=nat_pool_range
			ProxyArpInterfaces=if2

Restore the default CLI context:

System:/RoutingTable/main> cc

Note that when defining the route, the property ProxyArpAllInterfaces=Yes could have been used to enable proxy ARP on all interfaces.

Example 9.7. Calculating a Deterministic NAT User IP

This example shows how the IP address of a user, decided by the deterministic NAT pool described above in Example 9.6, “Deterministic NAT Setup”, can be calculated using the natpool CLI command.

Note that the NATPool object used with the -reverse option must be the same object that was used for the original mapping, or an exact copy of it.

Command-Line Interface

Create an address book object that specifies the IP range for the pool:

System:/> natpool -reverse my_det_natpool
			-externalip=203.0.113.51
			-externalport=2500

External IP Pool                    : 203.0.113.51-203.0.113.60
Internal Network                    : 192.0.2.0-192.0.2.255
Deterministic Port Block Size       : 1240
Dynamic Address Pool Ratio          : 50 %
Dynamic Allocation Port Block Size  : 1240
Compression Ratio                   : 26
Reserved Port Range                 : 0-1023

                 Deterministic NAT bindings:

External IP   Port Range  Internal IP Range
------------  ----------  -----------------
203.0.113.51  2264-3503   192.0.2.1

If port assignment was Dynamic and the address could only be found by looking at the event log, the output might look like the following:

natpool -reverse my_det_natpool
			-externalip=203.0.113.51
			-externalport=35000
					
External IP Pool                    : 203.0.113.51-203.0.113.60
Internal Network                    : 192.0.2.0-192.0.2.255
Deterministic Port Block Size       : 1240
Dynamic Address Pool Ratio          : 50 %
Dynamic Allocation Port Block Size  : 1240
Compression Ratio                   : 26
Reserved Port Range                 : 0-1023

                 Deterministic NAT bindings:

External IP   Port Range   Internal IP Range
------------  -----------  -----------------
203.0.113.51  33264-65535  <dynamic>

9.5. SAT

It is possible to translate entire ranges of IP addresses and/or port numbers. These translations are transpositions where each address or port is mapped to a corresponding address or port in a new range, rather than translating them all to the same address or port. This functionality is known as Static Address Translation (SAT).

SAT is configured by setting either the SourceTranslation or DestinationTranslation to the value SAT in an IP rule with an action of Allow. Other SAT options are also added to completely specify the translation required.

9.5.1. One-to-One Translation (1:1)

The simplest form of SAT usage is the translation of a single IP address to another, single IP address (a 1:1 relationship). A very common scenario for this is to enable external users to access a protected server in a DMZ that has a private network address. This is sometimes referred to as implementing a Virtual IP or as a Virtual Server.

Using a DMZ

At this point, it is important to understand the role of networks designated as a DMZ since SAT IP rules are often used with them.

The DMZ's purpose is to act as a network where resources, such as servers, are placed for access by external, untrusted clients, typically across the public Internet. This network, therefore, has the maximum exposure to external threats.

By isolating the DMZ network, a clear security separation is created from sensitive, internal networks. Security policies can then control traffic flows between the DMZ and internal networks, isolating any security problems occurring in the DMZ.

The illustration below shows a typical network arrangement with a Clavister NetShield Firewall mediating communications between the public Internet and servers in a DMZ and between the DMZ and local clients on an internal network called LAN. This is a simplified diagram since it is recommended to keep an SMTP server and a web server on separate networks.

Figure 9.3. The Role of the DMZ

Example 9.8. Enabling Traffic to a Protected Web Server in a DMZ (1:1)

In this example, we will create a SAT IP rule that will translate and allow IPv4 flows from the Internet to a web server located in a DMZ. The Clavister NetShield Firewall is connected to the Internet using the wan interface with address object wan_ip (defined as 195.55.66.77) as IPv4 address. The web server has the private IPv4 address 10.10.10.5 and is on the network connected to the dmz interface.

Command-Line Interface

Change the current CLI context to be the main IP rule set:

System:/> cc RuleSet IPRuleSet main

Create a SAT IP rule:

System:/IPRuleSet/main> add IPRule
			SourceInterface=any
			SourceNetwork=all-nets-ip4
			DestinationInterface=core
			DestinationNetwork=wan_ip
			Service=all_services
			Action=Allow
			DestinationTranslation=SAT
			SetDestinationAddress=Offset
			NewDestinationIP4=10.10.10.5
			Name=SAT_HTTP_To_DMZ

Now, return to the default CLI context if no more rules are needed:

System:/IPRuleSet/main> cc
System:/>

9.5.2. Many-to-Many Translation (M:N)

A single SAT rule can be used to translate an entire range of IP addresses (a many-to-many translation). This results in a transposition where the first original IP address will be translated to the first IP address in the translation address list and so on. Port numbers are not changed.

Example 9.9. Translating Traffic to Multiple Protected Web Servers (M:N)

In this simple example, a SAT IP rule will translate from five IPv4 public IP addresses to five web servers located in a DMZ. The firewall is connected to the Internet via the wan interface and the public IPv4 addresses are the range 195.55.66.77 to 195.55.66.81. The web servers have the private IPv4 address range 10.10.10.5 to 10.10.10.9 and are on the network connected to the dmz interface. The SAT IP rule must translate the nth public address to the nth private server address.

The following steps need to be performed:

Define an address object containing all the public IPv4 addresses.
Define another address object set to be the first IPv4 address 10.10.10.5 of the web servers.
Publish the public IPv4 addresses on the wan interface using the ARP publish mechanism.
Create a SAT rule that will perform the translation.
Create an Allow rule that will permit the incoming HTTP flows.

Since the five public IPv4 addresses are being ARP published so these addresses are not routed on core, the SAT destination interface is wan and not core.

Command-Line Interface

Create an address object for the public IPv4 addresses:

System:/> add Address IPAddress wwwsrv_pub
			Address=195.55.66.77-195.55.66.81

Now, create another object for the base of the web server IPv4 addresses:

System:/> add Address IPAddress wwwsrv_priv_base Address=10.10.10.5

Publish the public IPv4 addresses on the wan interface using ARP publish. CLI commands similar to the following are needed for each IP address:

System:/> cc ARPEntries
System:/ARPEntries> add ARPEntry
			Interface=wan
			IP=195.55.66.77
			Mode=Publish

This could alternatively be done by assigning all five addresses to the Ethernet interface since cOS Stream supports multiple IP addresses on interfaces.

Next, change the current CLI context to be the main IP rule set:

System:/> cc RuleSet IPRuleSet main

Next, create a SAT rule for the translation:

System:/IPRuleSet/main> add IPRule
			SourceInterface=any	
			SourceNetwork=all-nets-ip4
			DestinationInterface=wan
			DestinationNetwork=wwwsrv_pub
			Service=http
			Action=Allow
			DestinationTranslation=SAT
			SetDestinationAddress=Offset
			NewDestinationIP4=wwwsrv_priv_base

Next, return to the default CLI context using the command:

System:/IPRuleSet/main> cc
System:/>

Example 9.10. Source Address Translation (M:N)

Suppose there is a network 192.168.0.0/24 called lan_net connected to the lan interface. There is also a network called dmz_net connected to the dmz interface.

Hosts on lan_net need to communicate with servers on dmz_net and appear as though they are coming from the network 172.16.0.0/24. For example, the source IP address 192.168.0.25 will become 172.16.0.25.

The required SAT rule is defined as follows:

Command-Line Interface

Change the current CLI context to be the main IP rule set:

System:/> cc RuleSet IPRuleSet main

Next, create a SAT rule for the translation:

System:/IPRuleSet/main> add IPRule
			SourceInterface=lan
			SourceNetwork=lan_net
			DestinationInterface=dmz
			DestinationNetwork=dmz_net
			Service=http
			Action=Allow
			SourceTranslation=SAT
			NewDestinationIP4=172.16.0.0

Next, return to the default CLI context using the command:

System:/IPRuleSet/main> cc
System:/>

	Note
	In the above examples, IPv4 addresses are used. The option NewDestinationIP6= could be used with, or instead of NewDestinationIP4= to perform the same function with IPv6 addresses.

A SAT IP rule can combine source and destination translation in the same rule if required.

9.5.3. Many-to-One Translation (N:1)

It is possible to translate ranges and/or groups into just one IP address.

Example 9.11. Translating Traffic to a Single Web Server (N:1)

This example is similar to the previous many-to-many (M:N) example but this time a SAT IP will translate from five public IPv4 addresses to a single web server located on a DMZ network. The Clavister NetShield Firewall is connected to the Internet via the wan interface and the public IP addresses have the range of 195.55.66.77 to 195.55.66.81. The server has the private IPv4 address 10.10.10.5 and is on the network connected to the dmz interface.

The following steps need to be performed:

Define an address object containing all the public IP addresses.
Define another address object set to be the IP address 10.10.10.5 of the web server.
Publish the public IP addresses on the wan interface using the ARP publish mechanism.
Create a SAT rule that will perform the translation.
Create an Allow rule that will permit the incoming HTTP flows.

Command-Line Interface

Create an address object for the public IP addresses:

System:/> add Address IPAddress wwwsrv_pub
			Address=195.55.66.77-195.55.66.81

Now, create another object for the base of the web server IP addresses:

System:/> add Address IPAddress wwwsrv_priv Address=10.10.10.5

Publish the public IP addresses on the wan interface using ARP publish. To do this, change the CLI context to be ARPEntries:

System:/> cc ARPEntries

Then enter a command like the following for each IP address:

System:/ARPEntries> add ARPEntry
			Interface=wan
			IP=195.55.66.77
			Mode=Publish

This could alternatively be done by assigning all five addresses to the Ethernet interface since cOS Stream supports multiple interface IP addresses.

Next, change the current CLI context to be the main IP rule set:

System:/> cc RuleSet IPRuleSet main

Next, create a SAT rule for the translation:

System:/IPRuleSet/main> add IPRule
			SourceInterface=wan	
			SourceNetwork=all-nets-ip4
			DestinationInterface=dmz
			DestinationNetwork=wwwsrv_pub
			Service=http
			Action=Allow
			DestinationTranslation=SAT
			SetDestinationAddress=AllToOne
			NewDestinationIP4=wwwsrv_priv

Return to the default CLI context with the command:

System:/IPRuleSet/main> cc

In the above example, the option NewDestinationIP6= could be used with or instead of NewDestinationIP4= to perform the same function with IPv6 addresses.

	Note
	When all-nets or all-nets-ip4 or all-nets-ip6 is the destination in a SAT rule, an All-to-One mapping is always done.

9.5.4. Port Translation with SAT

Port Translation (also known as Port Address Translation - PAT) can be defined in a SAT IP rule to modify either the source or destination port. This is similar to the 1:1 translation specified above but the additional option NewDestinationPort is used.

Port translation is dependent on the range of port numbers specified in the Service filter parameter used in the IP rule. If the Service object specifies only a single port number then the port is always translated to the NewDestinationPort value. If the Service object specifies a port range then the new port number is the NewDestinationPort value plus the offset within the range.

For example, suppose that NewDestinationPort=80 is specified in the SAT IP rule and the Service object used for the rule has a port range of 1000 to 1050. If the traffic allowed by the IP rule has a destination port number of 1003, this will be translated to port 83 (1003 - 1000 + 80).

	Note
	Both predefined or custom service objects can be used with SAT IP rules. A custom service might be needed to identify the exact port range being translated, as shown in the example below.

Example 9.12. Port Translation with SAT

This example is very similar to the N:1 example near the beginning of this SAT section but the port number will also be changed by the translation. Assume that a web server has a private IP address of wwwsrv_priv and is located on the DMZ interface. All incoming HTTP flows must be translated to wwwsrv_priv and all ports in the http service object's range 80 - 85 must be translated to the range 1080 - 1085.

Command-Line Interface

First, create a custom HTTP service:

System:/> add Service ServiceTCPUDP http_custom DestinationPorts=80-85

Change the current CLI context to be the main IP rule set:

System:/> cc RuleSet IPRuleSet main

Next, create a SAT rule for the translation:

System:/IPRuleSet/main> add IPRule
			SourceInterface=wan	
			SourceNetwork=all-nets-ip4
			DestinationInterface=core
			DestinationNetwork=wan_ip
			Service=http_custom
			Action=Allow
			DestinationTranslation=SAT
			SetDestinationAddress=AllToOne
			NewDestinationIP4=wwwsrv_priv
			SetDestinationPort=Offset
			NewDestinatPort=1000

Finally, return to the default CLI context with the command:

System:/IPRuleSet/main> cc
System:/>

9.5.5. Combining SAT with NAT in the Same Rule

Both SAT and NAT translation can be combined into the same Allow IP rule by using the options SourceTranslation=SAT and DestinationTranslation=SAT together.

Example 9.13. Combining NAT and SAT

Assume a number of clients on the internal, protected lan_net network are surfing the public Internet. Normally their flows are routed out to the Internet via the wan interface.

However, sometimes these clients will try to access their own web server that has the private IP address our_server_ip and is located on the local dmz_net. This will cause a problem because a public DNS server will resolve the local server's domain name to wan_ip which is the public IP address of the firewall's wan interface IP.

The solution is to create a SAT rule for the clients that translates wan_ip to our_server_ip. However, NAT is also required to handle the server requests coming from the different clients via the dmz interface.

The required IP rule is defined as follows:

Command-Line Interface

Change the current CLI context to be the main IP rule set:

System:/> cc RuleSet IPRuleSet main

Next, create a SAT rule for the translation:

System:/IPRuleSet/main> add IPRule
			SourceInterface=lan
			SourceNetwork=lan_net
			DestinationInterface=wan
			DestinationNetwork=wan_ip
			Service=http
			Action=Allow
			DestinationTranslation=SAT
			SetDestinationAddress=Offset
			NewDestinationIP4=our_server_ip
			SourceTranslation=NAT
			SetSourceAddress=AllToOne
			NewSourceIP4=dmz_ip

Finally, return to the default CLI context with the command:

System:/IPRuleSet/main> cc
System:/>

9.6. Protocols Not Handled by SAT

SAT can deal with IP based protocols that allow address translation to take place. However, there are protocols that can only be translated in special cases, and some protocols that cannot be translated at all.

Protocols that cannot be translated using SAT usually cannot be translated using NAT. The reasons for this can include:

The protocol cryptographically requires that IP addresses are unaltered. This applies to many VPN protocols.
The protocol embeds IP addresses inside TCP or UDP level data and requires that the addresses visible at the IP level are the same as those embedded in the data.
Either party is attempting to open new dynamic flows to the addresses that are visible to that party. In some cases, this can be resolved by modifying the application or the configuration.

There is no definitive list of protocols that cannot be translated. A rule of thumb is that VPN protocols that open secondary flows in addition to the initial flow can be difficult to translate.

9.7. NAT64 Address Translation

To address the need for communication between IPv4 and IPv6 networks, cOS Stream provides an Address Family Translation (AFT) feature using NAT64.

Usually, NAT64 assumes that a flow will be initiated by an IPv6 host towards an IPv4 host. However, translation is also possible in the reverse direction with IPv4 initiated flows. On the IPv6 side, IPv4 addresses are embedded in IPv6 addresses and creating such IPv4 embedded address objects in a firewall configuration is described in Section 5.5, IPv6 With Embedded IPv4.

NAT64 is configured by creating an appropriate IPRule object. On the IPv4 side of the IPRule object, an interface could have a single IPv4 address or, when appropriate, make use of multiple IPv4 addresses by associating a NATPool object with the interface (however, deterministic NAT cannot be used).

Types of NAT64

NAT64 can be configured in one of the following two ways:

Stateful NAT64

Stateful NAT64 is the most frequently used type of NAT64 and the typical use case is when multiple IPv6 hosts behind a firewall require access to remote IPv4 servers. The address translation is automatic and the mapping is many-to-one (multiple IPv6 addresses to one IPv4 address which is usually a public address). However, the mapping could be made many-to-one by configuring a NAT pool for the IPv4 addresses (this would often be done in a CGNAT scenario). Configuring this is described in Section 9.7.1, Stateful NAT64.

With stateful NAT64, only IPv6 hosts can initiate the communication.

Where IPv6 HTTP clients initiate access to IPv4 HTTP servers on the Internet, access to a DNS64 server is required to resolve FQDNs and this is discussed in the stateful NAT64 section.
Stateless NAT64 (SIIT)

Stateless NAT64 is also referred to as SIIT and is a static one-to-one translation between IPv6 and IPv4 addresses, similar to normal IPv4 to IPv4 SAT. In the typical but infrequent use case, an IPv4 only server will be behind the firewall (possibly in a DMZ network) and stateless NAT64 will allow remote IPv6 hosts to access this server. Configuring this is described in Section 9.7.4, Stateless NAT64 (SIIT).

Stateless NAT64 allows translation in either direction so that either the IPv4 or IPv6 host can initiate communication.

Protocol Restrictions

It should be noted that NAT64 feature supports only the following protocols:

ICMPv6 traffic.
UDP and/or TCP traffic.

In addition, protocols that embed IPv4 addresses in packets, for example SIP and FTP, cannot be used with NAT64 in cOS Stream.

	Note: NAT64 configuration with BGP
	When BGP is configured with NAT64, BGP export needs to be configured accordingly. This is discussed further in section 3.2 of RFC 6052.

Configuring the different types of NAT64 translation is described further in the sections that follow.

9.7.1. Stateful NAT64

The stateful version of NAT64 is similar to normal NAT where an IPv4 (usually public) address on an interface connected to an IPv4 network is reused for multiple connections. cOS Stream implements stateful NAT64 by changing the address of the packet to its own overloaded IPv4 address and tracks these changes so it can reverse the change in returning packets. The diagram below illustrates stateful NAT64 usage.

Figure 9.4. Stateful NAT64

Use Cases

The principal use cases for stateful NAT64 are the following:

IPv6-only clients accessing IPv4-only servers on the Internet.
IPv4-only servers delivering data over IPv6.

Stateful NAT64 Supports Only IPv6 to IPv4 Mapping

It should be noted that unlike stateless NAT64 (SIIT), IPRule objects can only be configured that support IPv6 to IPv4 address mapping, where the IPv6 hosts initiate the communication.

Stateful NAT64 Setup

Setting up stateful NAT64 is achieved by creating an IPRule object with the following property values:

Set the ProtocolTranslation property to have the value ToIP4.
Set the SourceTranslation property to be NAT.
Set the DestinationTranslation property to be SAT.

Note that a route is also needed for the IPv6 address of the server.

Configuring an IPRule for Stateful NAT64

The following table summarizes the properties and the combinations of their possible values for IPRule objects used to define stateful NAT64 translation. Note that values in brackets are specified in the rule as either actual IP addresses or references to other configuration objects such as IP address objects or NAT pool objects.

ProtocolTranslation	ToIP4	ToIP4	ToIP4	ToIP4	ToIP4
SourceAddress	(IPv6 address)	(IPv6 address)	(IPv6 address)	(IPv6 address)	(IPv6 address)
SourceTranslation	NAT	NAT	NAT	NAT	NAT
SetSourceAddress	InterfaceAddress	AllToOne	AllToOne	NATPool	NATPool
NATPool				(NATPool object)	(NATPool object)
Destination Address	(IPv6 address)	(IPv6 address)	(IPv6 address)	(IPv6 address)	(IPv6 address)
DestinationTranslation	SAT	SAT	SAT	SAT	SAT
SetDestinationAddress	Prefix	Offset	Prefix	Offset	Prefix
NewDestinationIP4		(IPv4 address)		(IPv4 address)
Prefix	(IPv6 prefix)		(IPv6 prefix)		(IPv6 prefix)

Example 9.14. Setting Up Stateful NAT64

In this example, clients on an IPv6 network 2001:db1::/120 will be allowed UDP access to a single server with the IP address with the known IPv4 address 192.168.20.220 on the IPv4 network 192.168.20.0/24. This is done by setting up an IP rule with stateful NAT64 source address translation.

It is assumed that the Clavister NetShield Firewall is connected to the IPv6 network via the if1 interface and to the IPv4 network via the if2 interface. The IPv4 server is accessible by the IPv6 clients using the IPv6 address 2001:db21::5.

Command-Line Interface

System:/> cc RuleSet IPRuleSet main
System:/IPRuleSet/main> add IPRule Action=Allow
			SourceInterface=if1
			SourceNetwork=2001:db1::/120
			DestinationInterface=if2
			DestinationNetwork=2001:db21::5 
			Service=all_udp
			ProtocolTranslation=ToIP4
			SourceTranslation=NAT
			SetSourceAddress=InterfaceAddress 
			DestinationTranslation=SAT
			SetDestinationAddress=Offset
			NewDestinationIP4=192.168.20.220
			Name=NAT64_udp_6to4

Note that if a route does not already exist for the server it must be added manually so that the address 2001:db21::5 is routed on the if2 interface.

Using NAT Pools with NAT64

To spread the IPv4 connection load across multiple IPv4 addresses, NAT64 can take advantage of the NAT pool feature in cOS Stream. Setting up a NATPool object is described in Section 9.3, NAT Pools. To utilize a NAT pool object with NAT64, the IPRule object for NAT64 is modified as follows:

The SetSourceAddress property is set to the value NATPool.
The NATPool property of the rule is set to a NATPool object that has been previously created.

	Note: Deterministic NAT pools are not supported with NAT64

9.7.2. Stateful NAT64 with DNS64

When IPv6 HTTP clients need to access a remote IPv4-only server over the Internet, they will first need to resolve the web server's FQDN into an IP address that they can use to make the connection via NAT64. This is usually done by resolving the FQDN with a DNS64 server. The DNS64 server will look up the FQDN and if no AAAA record (for IPv6) is available it uses the available A record (for IPv4) to synthesize an acceptable response by embedding the IPv4 address into an IPv6 address that has a fixed prefix. The DNS64 server could be private and internal or public and external.

DNS64 Server Prefixes

When a DNS64 server sends back a synthesized IPv6 address it will use an IPv6 prefix in the address that will depend on the configuration of the server. There are a number of public DNS64 servers and the prefix used by them is usually the Well Known Prefix which is 64::ff9b::/96. For example, this is the prefix used by Google's public DNS64 server. However, some DNS64 servers may be set to use another Network Specific Prefix (NSP).

Knowing the prefix used by the DNS64 server is important since this will be the prefix of the destination address for flows that an IPv6 client will open. The prefix will therefore need to be specified in the IPRule object that performs NAT64 translation.

Configuring Stateful NAT64 with a DNS64 server

The diagram below illustrates how NAT64 is used with a private NAT64 server located in a DMZ network.

Figure 9.5. Stateful NAT64 with Private DNS64

In the case of an internal IPv6 network of clients accessing IPv4 servers on the Internet via the firewall, the following needs to be configured:

An IP rule to translate the IPv6 client traffic to IPv4.
An IP rule that allows the clients to query the DNS64 server.
If the DNS64 server is internal, an IP rule to allow access to the Internet by the server.
IPv6 clients will need to be configured with the address of the DNS64 server.

Note that the IP rule that performs the translation must have its DestinationNetwork and Prefix properties set to the prefix used by the DNS64 server. In the example below with a private DNS64 server, this is the address object if1_64_prefix.

It is also possible to narrow the DestinationNetwork value further by increasing the prefix size from the standard 96 bits. For example, if the DNS64 prefix is 64:ff9b::/96 then setting the DestinationNetwork to 64:ff9b::203.0.113.0/120 will specify the permitted destination IPv4 range as being 203.0.113.0-203.0.113.255 (matching will be done against everything except the last 8 bits of the IPv6 address).

Example 9.15. Setting Up Stateful NAT64 with a Private DNS64 Server

This example for NAT64 will be set up using a private DNS64 server to resolve client FQDNs into IPv4 embedded addresses so they can perform HTTP/HTTPS web browsing.

It is assumed that the DNS64 server is located on the local DMZ network if3_net which is connected to the if3 interface. The DNS64 server is set up to use the prefix if1_64_prefix. Note that the server has the following IPv4 and IPv6 address objects in the address book:

dns64_ip4 - 192.168.10.10
dns64_ip6 - 2001:db9::10

It is also assumed the if1 interface is connected to the IPv6 client network and the if2 network is connected to the IPv4 Internet. Below is a summary of the other IP addresses used in this example:

if1_64_prefix - 2001:64::/96 (prefix used by the DNS64 server)
if1_ip6 - 2001:db8::1
if1_ip6_net - 2001:db8::/96
if2_ip - 203.0.113.1 (the public IP address of the firewall)
if2_net - 203.0.113.0/24 (the network for ISP connection)

Command-Line Interface

Give IPv6 clients access to IPv4 HTTP/HTTPS Internet servers:

System:/> cc RuleSet IPRuleSet main
System:/IPRuleSet/main> add IPRule Action=Allow
			SourceInterface=if1
			DestinationInterface=if2
			SourceNetwork=if1_ip6_net
			DestinationNetwork=if1_64_prefix
			Service=http-all
			ProtocolTranslation=ToIP4
			SourceTranslation=NAT
			SetSourceAddress=InterfaceAddress
			DestinationTranslation=SAT
			SetDestinationAddress=Prefix
			Prefix=if1_64_prefix
			Name=NAT64_6to4

Allow IPv6 client access to the private DNS64 server:

System:/IPRuleSet/main> add IPRule Action=Allow
			SourceInterface=if1
			DestinationInterface=if3
			Service=dns-all
			SourceNetwork=if1_ip6_net
			DestinationNetwork=dns64_ip6
			Name=client_to_private_DNS64

Allow the private DNS64 server access to the Internet:

System:/IPRuleSet/main> add IPRule Action=Allow
			SourceInterface=if3
			DestinationInterface=if2
			SourceNetwork=dns64_ip4
			DestinationNetwork=all-nets-ip4
			Service=dns-all
			ProtocolTranslation=Disabled
			SourceTranslation=NAT
			SetSourceAddress=InterfaceAddress
			Name=DNS64_to_internet

Using a Public DNS64 Server

The rules used with a public DNS64 server are simpler. However, it is important to know the prefix that the server will use when it sends back IPv4 embedded addresses to a querying client. As with a private DNS64 server, this prefix must be specified for the DestinationNetwork and Prefix properties of the translating IP rule.

Example 9.16. Setting Up Stateful NAT64 with a Public DNS64 Server

This example for NAT64 repeats the previous scenario from Example 9.15, “Setting Up Stateful NAT64 with a Private DNS64 Server” but instead uses an external public DNS64 server to resolve client FQDNs into IPv4 embedded addresses. The two rules in the previous example that allow access for the private DNS64 server are replaced with a single rule that allows direct IPv6 access to the Internet for DNS queries.

It is assumed that the IPv6 clients have already been allocated the IPv6 address of a public DNS64 server. It is also assumed that the prefix used by the DNS64 server in the addresses it sends back is defined by the address object dns64_prefix. In many cases, this will be the well-known prefix 64:ff9b::/96.

Command-Line Interface

Give IPv6 clients access to IPv4 HTTP/HTTPS Internet servers:

System:/> cc RuleSet IPRuleSet main
System:/IPRuleSet/main> add IPRule Action=Allow
			SourceInterface=if1
			DestinationInterface=if2
			SourceNetwork=if1_ip6_net
			DestinationNetwork=dns64_prefix
			Service=http-all
			ProtocolTranslation=ToIP4
			SourceTranslation=NAT
			SetSourceAddress=InterfaceAddress
			DestinationTranslation=SAT
			SetDestinationAddress=Prefix
			Prefix=dns64_prefix
			Name=NAT64_6to4

Give IPv6 clients direct access to the IPv6 Internet (including the public DNS64 server) with no translation:

System:/IPRuleSet/main> add IPRule Action=Allow
			SourceInterface=if1
			DestinationInterface=if2
			Service=all_services
			SourceNetwork=if1_ip6_net
			DestinationNetwork=all_nets_ip6
			Name=client_to_public DNS64

9.7.3. Stateful NAT64 Hairpinning

The term hairpinning refers to the ability for an IPv6 host behind the firewall to communicate with another IPv6 host behind the firewall using the second host's external NATed IPv4 address. cOS Stream's stateful NAT64 feature supports hairpinning and it is set up by configuring an additional IPRule object.

An example of when hairpinning is needed might be when an IPv6 client queries a DNS64 server for a host located on its own network and receives back, embedded in an IPv6 address, the external, public IPv4 address used for stateful NAT64. The diagram below illustrates a typical hairpinning scenario.

Figure 9.6. Stateful NAT64 Hairpinning

Example 9.17. Setting Up Hairpinning in Stateful NAT64

This example assumes the same scenario as Example 9.16, “Setting Up Stateful NAT64 with a Public DNS64 Server” but this time an extra rule is needed to allow the internal IP clients to communicate with another server on the internal IPv6 network. The following address book objects are used:

server_ip6 - 2001:db8::5
server_embedded_ip6 - 2001:64::203.0.113.5

Command-Line Interface

System:/> cc RuleSet IPRuleSet main
System:/IPRuleSet/main> add IPRule Action=Allow
			SourceInterface=if1
			DestinationInterface=core
			SourceNetwork=if1_ipv6_net
			DestinationNetwork=server_embedded_ip6
			SourceTranslation=NAT
			SetSourceAddress=AllToOne 
			NewSourceIP6=server_embedded_ip6
			DestinationTranslation=SAT
			SetDestinationAddress=AllToOne
			NewDestinationIP6=server_ip6
			Service=all_http
			Name=NAT64_hairpin_6to4

Note that a route is also needed so that the address server_embedded_ip6 is routed on the core interface.

9.7.4. Stateless NAT64 (SIIT)

Stateless NAT 64 (also known as Stateless IP/ICMP Translation which can be abbreviated to SIIT) is a type of address translation that allows IPv6 networks to communicate with IPv4 networks in either direction. The term SIIT will be used throughout this section.

The principal use case for SIIT is IPv4-only clients accessing IPv6-only servers.

SIIT works by replacing the headers in IP packets and cOS Stream supports both kinds of SIIT:

SIIT with Prefix - A single IPv6 prefix is removed or appended to packets.
SIIT with EAM - Explicit Address Mapping (EAM) means that the address mapping to be performed can be explicitly defined.

With cOS Stream, either type of SIIT can be defined in a configuration by creating the appropriate IPRule object. There is no port mapping so the address translation must be a 1:1 mapping.

SIIT Supports Address Mapping in Both Directions

It should be noted that unlike stateful NAT64, IPRule objects can be configured for SIIT that support both IPv6 to IPv4 address translation or IPv4 to IPv6 address translation.

Configuring an IPRule for Stateless NAT64 (SIIT)

The following tables summarize the properties and the combinations of their possible values for IPRule objects used to define stateless NAT64 (SIIT) translation. The first table applies to IPv6 to IPv4 translation. The second table applies to IPv4 to IPv6 translation.

A. Properties for IPv6 to IPv4 Translation

ProtocolTranslation	ToIP4	ToIP4	ToIP4	ToIP4
SourceAddress	(IPv6 address)	(IPv6 address)	(IPv6 address)	(IPv6 address)
SourceTranslation	SAT	SAT	SAT	SAT
SetSourceAddress	Offset	Offset	Prefix	Prefix
NewSourceIP4	(IPv4 address)	(IPv4 address)
DestinationAddress	(IPv6 address)	(IPv6 address)	(IPv6 address)	(IPv6 address)
DestinationTranslation	SAT	SAT	SAT	SAT
SetDestinationAddress	Offset	Prefix	Offset	Prefix
NewDestinationIP4	(IPv4 address)		(IPv4 address)
Prefix		(IPv6 prefix)	(IPv6 prefix)

B. Properties for IPv4 to IPv6 Translation

ProtocolTranslation	ToIP6	ToIP6	ToIP6	ToIP6
SourceAddress	(IPv4 address)	(IPv4 address)	(IPv4 address)	(IPv4 address)
SourceTranslation	SAT	SAT	SAT	SAT
SetSourceAddress	Offset	Offset	Offset	Offset
NewSourceIP6	(IPv6 address)	(IPv6 address)
DestinationAddress	(IPv4 address)	(IPv4 address)	(IPv4 address)	(IPv4 address)
DestinationTranslation	SAT	SAT	SAT	SAT
SetDestinationAddress	Offset	Prefix	Offset	Prefix
NewDestinationIP6	(IPv6 address)		(IPv6 address)
Prefix		(IPv6 address)	(IPv6 address)	(IPv6 address)

SIIT with Prefix Setup

Setting up SIIT with prefix is achieved by creating an IPRule object with the following property values:

Set the ProtocolTranslation property to have the value ToIP6 or ToIP4 depending on the type of translation required.
Set the SetSourceAddress and SetDestinationAddress properties to the value Prefix.
Set the Prefix property to be the value of the prefix.

Note that a route is also needed for the destination address for flows and may have to be added manually if it does not already exist. The following example illustrates the setup of SIIT with prefix.

Example 9.18. Setting Up Stateless NAT64 (SIIT) with Prefix

In this example, multiple clients on the IPv4 network 192.168.10.0/24 will be allowed TCP access to a single server with the IPv6 address 2001:db2::192.168.11.15 located on the network 2001:db2::192.168.11.0/120.

It is assumed that the Clavister NetShield Firewall is connected to the IPv4 network via the if1 interface and to the IPv6 network via the if2 interface. The server is accessible to the IPv4 clients using the IPv4 address 192.168.11.15.

Command-Line Interface

System:/> cc RuleSet IPRuleSet main
System:/IPRuleSet/main> add IPRule Action=Allow
			SourceInterface=if1
			SourceNetwork=192.168.10.0/24
			DestinationInterface=if2
			DestinationNetwork=192.168.11.15 
			Service=all_tcp
			ProtocolTranslation=ToIP6
			SourceTranslation=SAT
			SetSourceAddress=Prefix
			DestinationTranslation=SAT
			SetDestinationAddress=Prefix
			Prefix=2001:db2::/96
			Name=SIIT_TCP_4to6

Note that if a route does not already exist for the server it must be added manually so that the address 192.168.11.15 is routed on the if2 interface.

SIIT with EAM Setup

Setting up SIIT with EAM is achieved by creating an IPRule object with the following property values:

Set the ProtocolTranslation property to have the value ToIP6 or ToIP4 depending on the type of translation required.

Set the SetSourceAddress and SetDestinationAddress properties to the offset value.

Example 9.19. Setting Up Stateless NAT64 (SIIT) with EAM

This example will implement the following 1:1 address mapping between IPv6 addresses and IPv4 addresses:

IPv6	IPv4
2001:ab::/120	1.2.3.0/24
2002:ab::10	10.10.10.10

Command-Line Interface

System:/> cc RuleSet IPRuleSet main
System:/IPRuleSet/main> add IPRule Action=Allow
			SourceInterface=if1
			SourceNetwork=2001:ab::/120
			DestinationInterface=if2
			DestinationNetwork=2002:ab::10 
			Service=all_udp
			ProtocolTranslation=ToIP4
			SourceTranslation=SAT
			SetSourceAddress=Offset
			NewSourceIP4=1.2.3.0
			DestinationTranslation=SAT
			SetDestinationAddress=Offset
			NewDestinationIP4=10.10.10.10
			Name=SIIT_EAM_6to4

	Note: Configuration with BGP
	When BGP is configured with SIIT, BGP export needs to be configured accordingly. This is discussed further in section 3.2 of RFC 6052.

9.8. CGNAT

Carrier Grade NAT (CGNAT or CGN) is a concept that refers to the usage of NAT techniques to share public IPv4 addresses amongst users but on a much larger scale than with conventional NAT. An important reason behind the need for such large scale sharing is the exhaustion of available public IPv4 addresses.

CGNAT IPv4 address sharing is often similar to the usage of standard NAT but with the key difference that the sharing is moved back one step to the service provider level and closer to the public Internet. An ISP, for example, might then allocate private (RFC 1918) IPv4 addresses to connecting hosts instead of public IPv4 addresses and then NAT these flows through the limited number of public IPv4 addresses available to them. This results in an increased number of hosts sharing less IPv4 addresses.

CGNAT is also sometimes referred to as Large Scale NAT (LSN) and can also be referred to with the names Service Provider NAT44 or NAT444 (alternatively NAT44(4)).

cOS Stream provide tools to implement the CGNAT concept with the following features:

Stateful NAT64.
NAT pools on interfaces.
Deterministic NAT.

These features, both singly and in combinations, allow the administrator to provide both the interworking of IPv4 and IPv6 networks as well as the provision of a large scale NAT solution.

Chapter 10: ALGs

10.1. Overview

In addition to low-level packet filtering (which only inspects packet headers in protocols such as IP, TCP, UDP, and ICMP), cOS Stream provides a set of Application Layer Gateways (ALGs) which can examine and filter traffic at the higher application OSI level.

An ALG object acts as a mediator when accessing Internet hosts outside the protected network. For example, for FTP file transfer and VoIP with SIP. ALGs provide improved security over basic packet filtering since they are capable of performing security checks at a higher level in the TCP/IP stack.

ALGs currently exist for the following protocols:

FTP
SIP
DNS
Syslog

Deploying an ALG

Each type of ALG has a unique profile object associated with it. The profile object must be associated with an IPRule object in order to apply the ALG to the traffic filtered by the rule. For example, an FTPAlgProfile object is used with an IP rule to activate the FTP ALG. For convenience, cOS Stream provides predefined ALG profile objects. These are read-only but custom profile objects with differing property values can be created by the administrator. For example, an FTPAlgProfile object instance called ftp-passthrough is predefined in cOS Stream.

In addition, the IPRule object must also have a ServiceTCPUDP object specified for its Service property that corresponds to the targeted protocol. The AppProto property of the ServiceTCPUDP object must be set to the targeted protocol. Predefined ServiceTCPUDP objects are provided that can be used for this purpose and that already have the AppProto property correctly set. For example, a predefined ServiceTCPUDP object called ftp can be used with the FTP ALG.

10.2. FTP ALG

Overview

File Transfer Protocol (FTP) is a TCP/IP-based protocol for exchanging files between a client and a server. The client initiates the connection by connecting to the FTP server. Normally the client needs to authenticate itself by providing a predefined login and password. After granting access, the server will provide the client with a file/directory listing from which it can download/upload files (depending on access rights). The FTP ALG provides a way to inspect and control FTP flows, providing better security. FTP modes of operation and the protocol's security issues will be discussed next, before moving on to how the FTP ALG is configured.

FTP Channels

FTP uses two communication channels, one for FTP control commands and one for the actual files being transferred. When an FTP session is opened, the FTP client establishes a TCP connection (the control channel) to port 21 (by default) on the FTP server. What happens after this point depends on which of two FTP modes is being used. These modes are explained next.

FTP Connection Modes

FTP operates in two modes: active and passive. These determine the role of the server when opening data channels between client and server.

Active Mode

In active mode, the FTP client sends a command to the FTP server indicating what IP address and port the server should connect to. The FTP server establishes the data channel back to the FTP client using the received address information.
Passive Mode

In passive mode, the data channel is opened by the FTP client to the FTP server, just like the command channel. This is often the recommended default mode for FTP clients although sometimes the opposite may be recommended.

FTP Modes and Security Issues

Let us look at FTP flows between a client and server when an FTP ALG is not used and only IP rules control the flows. Both active and passive modes of FTP operation can present issues for cOS Stream in this situation. Consider a scenario where an FTP client on an internal network connects through a Clavister NetShield Firewall to an FTP server out on the Internet. An IP rule must be configured to allow network traffic from the protected FTP client to port 21 on the public FTP server.

When active mode is used, cOS Stream does not know that the FTP server will establish a new connection back to the FTP client. Therefore, the incoming connection for the data channel from the server will be dropped. As the port number used for the data channel is dynamic, the only way to solve this is to allow traffic from all ports on the FTP server to all ports on the FTP client. Obviously, this is not a good solution.

When passive mode is used, cOS Stream does not need to allow connections from the FTP server. On the other hand, cOS Stream still does not know what port the FTP client will try to use for the data channel. This means that it has to allow traffic from all ports on the FTP client to all ports on the FTP server. Although this is not as insecure as in the active mode case, it still presents a potential security threat. Furthermore, not all FTP clients are capable of using passive mode.

The FTP ALG Solution

The FTP ALG handles these issues by fully reassembling the TCP stream of the FTP command channel and examining its contents. By doing this, cOS Stream knows what port to open for the data channel. Furthermore, the FTP ALG also provides functionality to filter out certain control commands and provide buffer overrun protection.

FTP Commands Supported by the FTP ALG

The following are known FTP commands that are supported by the ALG:

ABOR
ACCT
ALGS
ALLO
APPE
CDUP
CLNT
CWD
DELE
EPRT
EPSV
FEAT
HELP
HOST
LANG
LIST
MDTM
MFCT
MFF
MFMT
MKD
MLSD
MLST
MODE
NLST
NOOP
OPTS
PASS
PASV
PORT
PWD
QUIT
REIN
REST
RETR
RMD
RNFR
RNTO
SITE
SIZE
SMNT
STAT
STOR
STOU
STRU
SYST
TYPE
USER
XCUP
XCWD
XMKD
XPWD
XRMD

Unsupported FTP Commands

Some FTP commands are unsupported and will never be allowed by the FTP ALG, even if the AllowUnknownCommands setting is enabled (it is disabled by default).

The following commands will always be unrecognized and will result in an illegal_command_received log message being generated:

FILT
LPRT
LPSV

The following encryption related commands will always be unrecognized and will result in an unsupported_encryption_command_rejected log message being generated:

AUTH
ADAT
CCC
CONF
ENC
MIC
PBSZ
PROT

Any command that is not in the above unsupported command lists, or in the list of supported commands, will be treated as an unknown command and will be allowed if the AllowUnknownCommands setting is enabled.

Setting up the FTP ALG

Deploying the FTP ALG requires the following steps:

Define an FTPAlgProfile object that describes the FTP connection. FTPAlgProfile object properties are described later in this section.

cOS Stream provides a predefined FTPAlgProfile object called ftp-passthrough which has the default settings. However, this object cannot be edited and a custom FTPAlgProfile object with customized settings may provide better security.
Define an IPRule object for the targeted traffic. This rule must have the following two properties correctly set in order to use the FTP ALG:
1. Service - This should be a Service object that targets the FTP traffic. cOS Stream provides a predefined service called ftp to do this. A custom service could also be used in its place. One service object can be shared across multiple IP rules.
  
  Any Service object used with FTP must have its AppProto property set to the value FTP. If this is not the case, the FTP ALG will not be applied to a flow even though it is configured in an IP rule. This AppProto property is already correctly set for the predefined ftp service.
2. FTPAlgProfile - This must be set to the FTPAlgProfile object that was defined above or it can be set to the predefined object called ftp-passthrough. One FTPAlgProfile object can be shared across multiple IP rules.

FTPAlgProfile Properties

The FTPAlgProfile object has the following properties:

ServerPorts

The list of server ports that are acceptable.
ClientPorts

The list of client ports that are acceptable.
MaxSessions

This is the maximum number of FTP sessions allowed for this FTPAlgProfile object. Multiple IP rules could use the same FTPAlgProfile object so the total sessions across all these IP rules could not be more than the MaxSessions value for the shared object.

The default value of the predefined ftp-passthrough object is 1000 concurrent sessions.

AllowUnknownCommands

This property allows commands that the ALG does not consider part of the standard set. It is disabled by default. The commands allowed are any that are not explicitly never allowed. Commands that are never allowed are listed earlier in this section.

	Note: Some FTP commands are never allowed
	Some commands, such as encryption instructions, are never allowed. Encryption would mean that the FTP command channel could not be examined by the ALG and the dynamic data channels could not be opened.

MaxLineLength

This is the maximum line length in the control channel. Creating very large control channel commands can be used as a form of attack against a server by causing buffer overruns This restriction combats this threat. The default value is 256.

If very long file or directory names on the server are used then this limit may need to be raised. The shorter the limit, the better the security.

Example 10.1. Protecting an Internal FTP Server

In this example, an FTP server is located on a DMZ with a private IPv4 address of 10.10.10.5, as shown below. FTP clients on the Internet will access the server via the wan interface which has a public IP address. An IP rule needs to be created that translates client requests to the FTP server's address using SAT.

Command-Line Interface

Change the CLI context to be the main IP rule set:

System:/> cc RuleSet IPRuleSet main

Create a SAT IP rule:

System:/IPRuleSet/main> add IPRule
			SourceInterface=any
			SourceNetwork=all-nets-ip4
			DestinationInterface=core
			DestinationNetwork=wan_ip
			Service=ftp
			Action=Allow
			FTPAlgProfile=ftp-passthrough
			DestinationTranslation=SAT
			SetDestinationAddress=Offset
			NewDestinationIP4=10.10.10.5
			Name=SAT_FTP_to_DMZ

Note that further IP rules will be needed if protected clients on internal networks are to be allowed to also access the FTP server. Doing this is described in Example 9.8, “Enabling Traffic to a Protected Web Server in a DMZ (1:1)”.

Example 10.2. Protecting Internal FTP Clients

In this example, protected internal clients are connecting to FTP servers on the Internet. It is assumed that the clients have private IPv4 addresses and NAT is used so they share a single public IPv4 address.

Change the CLI context to be the main IP rule set:

System:/> cc RuleSet IPRuleSet main

Create the IP rule:

System:/IPRuleSet/main> add IPRule
			SourceInterface=if1
			SourceNetwork=if1_net
			DestinationInterface=wan
			DestinationNetwork=all-nets-ip4
			Service=ftp
			Action=Allow
			FTPAlgProfile=ftp-passthrough
			SourceTranslation=NAT
			SetSourceAddress=InterfaceAddress
			Name=NAT_FTP_to_Internet

10.3. SIP ALG

Overview

Session Initiation Protocol (SIP) is an ASCII (UTF-8) text based signaling protocol used to establish sessions between clients in an IP network. It is a request-response protocol that resembles HTTP and SMTP. The session which SIP sets up might consist of a Voice-Over-IP (VoIP) telephone call or it could be a collaborative multi-media conference. Using SIP with VoIP means that telephony can become another IP application which can integrate into other services.

SIP does not know about the details of a session's content and is only responsible for initiating, terminating and modifying sessions. Sessions set up by SIP are typically used for the streaming of audio and video over the Internet using the RTP/RTCP protocol (which is based on UDP) but they might also involve traffic based on the TCP protocol. A RTP/RTCP based sessions might also involve TCP or TLS based traffic in the same session.

SIP is defined by IETF RFC 3261 and is considered an important standard for VoIP communication. It is comparable to H.323 but a design goal with SIP was to make it more scalable than H.323.

SIP ALG processing is set up by creating a SIPAlgProfile object and associating it with the SIPAlgProfile property of an IPRule object. The IPRule object must also have a ServiceTCPUDP object assigned to it which has its AppProto property set to SIP.

	Note: Traffic shaping does not function with SIP profiles
	Any traffic connections that trigger an IP rule that references a SIPAlgProfile object cannot be also subject to traffic shaping.

SIP Media-related Protocols

A SIP session makes use of a number of protocols. These are:

SDP: Session Description Protocol (RFC4566) is used for media session initialization.
RTP: Real-time Transport Protocol (RFC3550) is used as the underlying packet format for delivering audio and video streaming via IP using the UDP protocol.
RTCP: Real-time Control Protocol (RFC3550) is used in conjunction with RTP to provide out-of-band control flow management.

SIP Components

The following components are the logical building blocks for SIP communication:

User Agents

These are the endpoints or clients that are involved in the client-to-client communication. These would typically be the workstation or device used in an IP telephony conversation. The term client will be used throughout this section to describe a user agent.

Proxy Servers

These act as routers in the SIP protocol, performing both as client and server when receiving client requests. They forward requests to a client's current location as well as authenticating and authorizing access to services. They also implement provider call-routing policies.

The proxy is often located on the external, unprotected side of the Clavister NetShield Firewall but can have other locations. All of these scenarios are supported by cOS Stream.

Registrars

A server that handles SIP REGISTER requests is given the special name of Registrar. The Registrar server has the task of locating the host through which the other client is reachable.

The Registrar and Proxy Server are logical entities and may, in fact, reside on the same physical server.

SIP Setup Steps

When configuring cOS Stream to handle SIP sessions the following steps are needed:

A ServiceTCPUDP object for SIP is required. If no custom values are required, the predefined ServiceTCPUDP object called sip-udp can be used.

If custom values are required, a new ServiceTCPUDP object should be created. The AppProto property of the service must be set to a value of SIP.
A SIPAlgProfile object is required. If no custom values are required, the predefined SIPAlgProfile object called sip can be used.

If custom values are required, a new SIPAlgProfile object should be created.
Define the appropriate IP rules for SIP communications and associate the ServiceTCPUDP object and SIPAlgProfile object with them.

SIP Profile Properties

The following properties can be configured for a SIPAlgProfile object:

MaxSessionsPerID: The maximum number of simultaneous sessions that a single client can be involved with is restricted by this value. The default number is 5.
MaxSessions: The maximum number of sessions that can be handled by a single instance of this object. The default number is 1000.
MaxRegistrationTime: The maximum time for registration with a SIP Registrar. The default value is 3600 seconds.
SIPSignalTimeout: The maximum time allowed for SIP sessions. The default value is 14400 seconds.

The SIP Proxy Record-Route Option

To understand how to set up SIP scenarios with cOS Stream, it is important to first understand the SIP proxy Record-Route option. SIP proxies have the Record-Route option either enabled or disabled. When it is switched on, a proxy is known as a Stateful proxy. When Record-Route is enabled, a proxy is saying it will be the intermediary for all SIP signalling that takes place between two clients.

When a SIP session is being set up, the calling client sends an INVITE message to its outbound SIP proxy server. The SIP proxy relays this message to the remote proxy server responsible for the called, remote client's contact information. The remote proxy then relays the INVITE message to the called client. Once the two clients have learnt of each other's IP addresses, they can communicate directly with each other and remaining SIP messages can bypass the proxies. This facilitates scaling since proxies are used only for the initial SIP message exchange.

The disadvantage of removing proxies from the session is that IP rules must be set up to allow all SIP messages through the Clavister NetShield Firewall, and if the source network of the messages is not known then a large number of potentially dangerous connections must be allowed by the IP rule set. This problem does not occur if the local proxy is set up with the Record-Route option enabled. In this mode, all SIP messages will only come from the proxy.

The different rules required when the Record-Route option is enabled and disabled can be seen in the two different sets of IP rules listed below in the detailed description of SIP setup.

IP Rules for Media Data

When discussing SIP data flows there are two distinct types of exchanges involved:

The SIP session which sets up communication between two clients prior to the exchange of media data.
The exchange of the media data itself, for example the coded voice data which constitute a VoIP phone call.

In the SIP setups described below, IP rules need only be explicitly defined to deal with the first of the above, the SIP exchanges needed for establishing client-to-client communications. No IP rules or other objects need to be defined to handle the second of the above, the exchange of media data. The SIP ALG automatically and invisibly takes care of creating the connections required (sometimes described as SIP pinholes) for allowing the media data traffic to flow through the Clavister NetShield Firewall.

	Tip
	Make sure there are no preceding rules already in the IP rule which disallow or allow the targeted traffic.

SIP Usage Scenarios

Currently, cOS Stream only provides support for a single SIP scenario and that is protecting local clients with SIP proxy located on the Internet

In this scenario, the SIP session is between a client on the local, protected side of the Clavister NetShield Firewall and a client which is on the external, unprotected side. The SIP proxy is located on the external, unprotected side of the Clavister NetShield Firewall. Communication typically takes place across the public Internet with clients on the internal, protected side registering with a proxy on the public, unprotected side. This scenario also deals with the situation where two clients in a session reside on the same network.

For example, assume that there is an office with VoIP users on a private internal network where the network's topology will be hidden using NAT. This is illustrated below.

Figure 10.1. SIP ALG Usage

The proxy should be configured with the Record-Route feature enabled to insure all SIP traffic to and from the office clients will be sent through the SIP Proxy. This is recommended since the attack surface is minimized by allowing only SIP signaling from the SIP Proxy to enter the local network.

This scenario can be implemented in two ways:

Using NAT to hide the network topology. Note that NAT pools could also be used for this and is discussed later in this section.
Without NAT so the network topology is exposed.

	Note: NAT traversal should not be configured
	SIP User Agents and SIP Proxies should not be configured to employ NAT Traversal in any setup. For instance the Simple Traversal of UDP through NATs (STUN) technique should not be used. The SIP ALG will take care of all NAT traversal issues in a SIP scenario.

The detailed setup steps for this scenario are as follows:

Define a SIPAlgProfile object. This step is not needed if the predefined sip object is used.
Define a Service object for SIP. The service should have the following configured:
- Destination Port set to 5060 (the default SIP signaling port).
- Type set to TCP/UDP.
- AppProto set to SIP.
Note that the predefined Service called sip-udp can be used instead of creating a new custom object.
Define two rules in the IP rule set:
1. A NAT rule for outbound traffic from clients on the internal network to the SIP Proxy Server located externally. The SIP ALG will take care of all address translation needed by the NAT rule. This translation will occur both on the IP level and the application level. Neither the clients or the proxies need to be aware that the local users are being NATed.
2. An Allow rule for inbound SIP traffic from the SIP proxy to the IP of the Clavister NetShield Firewall. This rule will use core (in other words, cOS Stream itself) as the destination interface. The reason for this is due to the NAT rule above. When an incoming call is received, cOS Stream will automatically locate the local receiver, perform address translation and forward SIP messages to the receiver. This will be executed based on the ALGs internal state.
A SAT rule for translating incoming SIP messages is not needed since the ALG will automatically redirect incoming SIP requests to the correct internal user. When a SIP client behind a NATing Clavister NetShield Firewall registers with an external SIP proxy, cOS Stream sends its own IP address as contact information to the SIP proxy. cOS Stream registers the client's local contact information and uses this to redirect incoming requests to the user. The ALG takes care of the address translations needed.
Ensure the clients are correctly configured. The SIP Proxy Server plays a key role in locating the current location of the other client for the session. The proxy's IP address is not specified directly in the SIP profile. Instead, its location is either entered directly into the client software used by the client or in some cases the client will have a way of retrieving the proxy's IP address automatically such as through DHCP.

The IP rules with the Record-Route option enabled would be as shown below, the changes that apply when NAT is used are shown in parentheses "(..)".

Action	Src Interface	Src Network	Dest Interface	Dest Network
Allow (or NAT)	if1	if1_net	wan	ip_proxy
Allow	wan	ip_proxy	if1 (or core)	if1_net (or wan_ip)

Without the Record-Route option enabled the IP rules would be as shown below, the changes that apply when NAT is used are again shown in parentheses "(..)".

Action	Src Interface	Src Network	Dest Interface	Dest Network
Allow (or NAT)	if1	if1_net	wan	<All possible IPs>
Allow	wan	<All possible IPs>	if1 (or core)	if1_net (or wan_ip)

The advantage of using Record-Route is clear since now the destination network for outgoing traffic and the source network for incoming traffic have to include all IP addresses that are possible.

	The Service object for IP rules
	In this section, tables which list IP rules like those above, will omit the Service object associated with the rule. However, the same Service object could be used for all SIP scenarios and that could be the predefined object called sip.

Example 10.3. SIP with Local Clients, Proxy on Internet

This example implements SIP with local clients and an external proxy on the Internet. The local network topology is hidden using NAT. The proxy server lies on the external, unprotected side of the Clavister NetShield Firewall.

The client is assumed to be on the network if1_net connected to the interface if1. The SIP proxy is assumed to have the IPv4 address proxy_ip. The interface if3 is connected to the Internet and has the public IPv4 address if3_ip.

This example will use the predefined ServiceTCPUDP object called sip-udp and the predefined SIPAlgProfile object called sip. Custom objects will not be created.

Command-Line Interface

A. Set up the IPv4 address objects if this has not been done already:

The protected if1 network which has the clients:

System:/> set Address IPAddress if1_net Address=192.168.1.0/24

The public IP address of the if3 interface:

System:/> set Address IPAddress if3_ip Address=203.0.113.1

The external SIP proxy IP:

System:/> add Address IPAddress proxy_ip Address=203.0.113.10

B. Define the outgoing SIP traffic IP rule using NAT:

System:/> cc RuleSet IPRuleSet main

Now, create the IP rule:

System:/IPRuleSet/main> add IPRule
			SourceInterface=if1
			SourceNetwork=if1_net
			DestinationInterface=if3
			DestinationNetwork=proxy_ip
			Service=sip-udp
			Action=Allow
			SourceTranslation=NAT
			SetSourceAddress=InterfaceAddress
			Name=sip_nat
			SIPALGProfile=sip

C. Define the incoming SIP traffic IP rule:

System:/IPRuleSet/main> add IPRule
			SourceInterface=if3
			SourceNetwork=proxy_ip
			DestinationInterface=core
			DestinationNetwork=if3_ip
			Service=sip-udp
			Action=Allow
			Name=sip_allow
			SIPALGProfile=sip

D. Return to the default CLI context:

System:/IPRuleSet/main> cc
System:/>

Using NAT Pools with the SIP ALG

As mentioned previously in this section, when using NAT with SIP to hide the network behind the firewall, a NATPool object could be used to allocate the public IP address on the external interface. These pools are described at length in Section 9.3, NAT Pools. A pool with its Type property set to Stateless cannot be used for this purpose.

The recommendation is to use a NATPool object with its Type property set to either Fixed or Deterministic.

The Type property can be set to Stateful but if this done then the rules listed below should be followed to avoid problems:

SIP clients must send periodic keep-alive messages to maintain the connection.
SIP clients must periodically re-register with the registrar.
In the NATPool object, the StateKeepAlive property must be set to a value which is at least twice the re-register period described in the previous requirement.

Below is an example of using a deterministic NATPool object with the SIP ALG. Note that a Route object needs to be created that routes the NAT pool's addresses on the core interface and which also proxy ARPs those addresses on the interface connected to the Internet.

Example 10.4. Setting Up SIP with NAT Pools

This example implements SIP with local clients and an external proxy on the Internet. The local network topology is hidden using NAT. The proxy server lies on the external, unprotected side of the Clavister NetShield Firewall. The example is based on Example 10.3, “SIP with Local Clients, Proxy on Internet” but uses a deterministic NATPool object to allocate the public IP addresses.

The protected clients are on the network connected to the interface if1 and the public Internet is connected to the interface if3.

Command-Line Interface

A. Create an address book object that specifies the public IP range for the pool:

System:/> add Address IPAddress nat_pool_range
			Address=203.0.113.2-203.0.113.5

B. Create a deterministic NATPool object:

System:/> add NATPool my_sip_natpool
			Type=Deterministic
			ExternalIPPool=nat_pool_range
			InternalNetwork=if1_net
			DynPoolRatio=10
			DynBlockAllocLimit=2

C. Set up the IPv4 address objects:

The protected network on the interface if1 which has the clients:

System:/> set Address IPAddress if1_net Address=192.168.1.0/24

The public IP address of the if3 interface:

System:/> set Address IPAddress if3_ip Address=203.0.113.1

The IP address of the external SIP proxy:

System:/> add Address IPAddress proxy_ip Address=203.0.113.10

D. Create the outgoing SIP traffic IP rule using the NAT pool:

Change the CLI context to be the main IP rule set:

System:/> cc RuleSet IPRuleSet main

Add the IP rule:

System:/IPRuleSet/main> add IPRule
			SourceInterface=if1
			SourceNetwork=if1_net
			DestinationInterface=if3
			DestinationNetwork=proxy_ip
			Service=sip-udp
			Action=Allow
			SourceTranslation=NAT
			SetSourceAddress=NATPool
			NATPool=my_sip_natpool
			Name=sip_nat
			SIPALGProfile=sip

E. Define the incoming SIP traffic IP rule:

System:/IPRuleSet/main> add IPRule
			SourceInterface=if3
			SourceNetwork=proxy_ip
			DestinationInterface=core
			DestinationNetwork=nat_pool_range
			Service=sip-udp
			Action=Allow
			Name=sip_allow
			SIPALGProfile=sip

F. Return to the default CLI context:

System:/IPRuleSet/main> cc
System:/>

G. Create a core route for the addresses in the NAT pool:

Change the context to be the main routing table:

System:/> cc RoutingTable main

Add the core route and specify proxy ARP:

System:/RoutingTable/main> add Route
			Interface=core
			Network=nat_pool_range
			ProxyArpInterfaces=if3

Return to the default CLI context:

System:/RoutingTable/main> cc

HA Synchronization with the SIP ALG

When the SIP ALG is being used in a high availability cluster, some aspects of SIP are synchronized and preserved after an HA failover occurs and some other aspects will be lost.

The fully synchronized parts of SIP are the following:

Most SIP signaling traffic flows, except those set up by cOS Stream itself. Such flows can be reviewed with the CLI command flow.
Registered SIP clients. Registered clients can be listed with the CLI command sipalg -registration.
Established SIP call sessions. Established calls can be listed with the CLI command sipalg -session and will have the state field set to CONFIRMED.
IP rules set up for RTP/RTCP flows. These can be listed using the CLI command ruledb -show sipalg.

The elements of SIP that will be lost after an HA failover are the following:

Flows for RTP/RTCP traffic. The CLI command flow would list these before a failover occurs. However, after a failover occurs these will be recreated by the media traffic using the dynamic rules since the rules are synchronized.
SIP sessions which have not yet reached the CONFIRMED state. The CLI command sipalg -session would list these before a failover and they would not have the Call State field set to CONFIRMED.

As a result of the above losses after a failover, a mismatch can occur between the cluster nodes for statistical values related to SIP. For example, the statistical values regarding total SIP sessions might not be the same on both cluster nodes after a failover. However, the statistics for active registrations and call sessions will always match.

For troubleshooting purposes, it is useful to note that the statistical value for the total number of SIP objects for an HA node:

		/system/ha/modules/sipalg/objects

Should normally equal the following sum of statistics for that node:

		/alg/sip/global/active_call_sessions
				plus
		/alg/sip/global/active_registrations

10.4. DNS ALG

Overview

DNS queries can provide a means of attack for malicious third parties. The DNS ALG feature can be used to monitor DNS queries as they flow through the firewall in the following scenarios:

DNS queries flowing to the public Internet from protected clients behind the firewall.
DNS queries being sent, usually from the Internet, to a DNS server located on a DMZ behind the firewall.

Setting up the DNS ALG

Deploying the DNS ALG requires the following steps:

Define a DNSAlgProfile object that describes the DNS connection. DNSAlgProfile object properties are described later in this section.

A predefined DNSAlgProfile object is provided called dns which has default settings. However, this object cannot be edited and a custom DNSAlgProfile object with customized settings may provide better security.
Define an IPRule object for the targeted traffic. This rule must have the following two properties correctly set in order to use the DNS ALG:
1. Service - This should be a Service object that targets the DNS traffic. A predefined service object is provided called dns-all or the predefined objects dns-udp and dns-tcp to target UDP and TCP DNS traffic. A custom service could be used instead. One service object can be shared across multiple IP rules.
  
  Any Service object used with DNS must have its AppProto property set to the value DNS. If this is not the case, the DNS ALG will not be applied to a flow even though it is configured in an IP rule. This AppProto property is already correctly set for the predefined service objects, such as dns-all.
2. DNSAlgProfile - This must be set to the DNSAlgProfile object that was defined above or it can be set to the predefined object called dns. One DNSAlgProfile object can be shared across multiple IP rules.

DNSAlgProfile Properties

The DNSAlgProfile object has the following properties:

MaxSessions

This is the maximum number of DNS sessions allowed for this DNSAlgProfile object. Multiple IP rules could use the same DNSAlgProfile object so the total sessions across all these IP rules could not be more than the MaxSessions value for the shared object.
MaxUDPQueryLength

The maximum allowed payload size in bytes for UDP DNS queries. The default value is 512. Queries exceeding this size will be dropped and a log message generated.
MaxUDPResponseLength

The maximum allowed payload size in bytes for UDP DNS responses. The default value is 512. Responses exceeding this size will be dropped and a log message generated. When using DNSSEC the responses can be large so the default value should be increased.
MaxTCPQueryLength

The maximum allowed payload size in bytes for TCP DNS queries. The default value is 4096. Queries exceeding this size will be dropped and a log message generated.
MaxTCPResponseLength

The maximum allowed payload size in bytes for TCP DNS responses. The default value is 4096. Responses exceeding this size will be dropped and a log message generated. When using DNSSEC the responses can be large so the default value should be increased.
RecursionDesiredFlag

DNS recursion means that a DNS server can query other servers to fully resolve the original query. DNS requests have a Recursion Desired (RD) flag which is typically set by, for example, client browsers.

The RecursionDesiredFlag property is enabled by default in the DNS ALG so requests with the RD flag set are allowed. However, recursion could be used as a means to launch an amplification attack against a DNS server by sending fake DNS queries from a spoofed IP address and the RecursionDesiredFlag property can be enabled to drop any DNS queries with the RD flag set.
MaxQuestionEntries

The maximum number of question entries in a query. The default value is 1.
AllowedClasses

This property is set to a list of the allowed classes. Classes can be specified either as their numeric ID or their name (tab completion will show names and IDs). The default value is IN (the Internet class). The value <All> can be used to specify all classes.
AllowedTypes

This property is set to a list of the allowed types. Types can be specified either as their numeric ID or their name (tab completion will only show names). For example:
```
System:/> set DNSAlgProfile my_dns_profile
			AllowedTypes=A,CNAME,NS,OPT
```
The default value for this property is <All> (all types are allowed).
Translations

To enable DNS translation, this property should be set to an instance of the DNSTranslationList object. The default value is <disable> (no translation).
TranslationOnDNSSEC

If DNS translation is enabled, force addresses to be modified even if a DNS packet is digitally signed using DNSSEC. This will invalidate the DNSSEC signature but can still be useful for clients that do not perform validation.
ScrambleQueryID

When enabled (the default) the transaction ID of DNS queries are randomized. This helps defend against cache poisoning caused by the spoofing of DNS queries using non-randomized IDs.

State Tracking is Always Enabled

The DNS ALG has state tracking always enabled and there is no setting to control this. State tracking means that DNS queries and responses are matched to each other. A response with no matching query is automatically dropped.

Forms of DNS Attack and DNS ALG Defense Mechanisms

The DNS ALG is designed to provide a defense against the following forms of DNS attack:

DNS Cache Poisoning

DNS cache poisoning relies on being able to spoof DNS responses, which means it is mainly applicable to DNS traffic over UDP. An attacker forges and sends a fake/spoofed response to a legitimate DNS query. If the DNS client that sent the original query accepts the faked response, this allows the attacker to inject false entries into the client's DNS cache. The DNS ALG will protect against this in multiple ways. For example, by using the ScrambleQueryID property of the DNSAlgProfile object (making it more difficult for an attacker to generate a proper response) and also through query/response state tracking (which drops unexpected responses and is always enabled).

In addition, the RecursionDesiredFlag property of the DNSAlgProfile object can be used to prevent DNS clients from sending queries which request recursion.
DNS Reflection/Amplification Attacks

In this scenario, a DNS server is used to reflect and/or amplify traffic. An attack can be performed in different ways but generally relies on UDP for the spoofing of the source address of the attack victims. An attacker will generate a large amount of DNS queries to one or more DNS servers which will all respond to the spoofed address. Typically, the attacker will craft the spoofed DNS queries in a way that they will not only reflect, but also amplify traffic (for example, by asking many questions in a single query).

The DNS ALG can help protect against this using the following DNSAlgProfile object properties:
- MaxUDPQueryLength
- MaxUDPResponseLength
- MaxTCPQueryLength
- MaxTCPResponseLength
- AllowedClasses
- AllowedTypes
- MaxQuestionEntries
DNS Tunneling

In this scenario, an attacker uses DNS traffic to tunnel data through the firewall. The DNS ALG provides protection against basic tunneling by only allowing well-formed DNS traffic through. This means that cOS Stream validates the DNS traffic against the protocol description in the relevant RFCs. Non-conforming data traffic will be dropped.

More sophisticated tunneling attacks might encode data as valid domain names and store it in the DNS queries/responses. This is difficult to detect. The DNS ALG provides a degree of protection against this using the following DNSAlgProfile object properties:
- MaxUDPQueryLength
- MaxUDPResponseLength
- MaxTCPQueryLength
- MaxTCPResponseLength
- AllowedClasses
- AllowedTypes

DNS Translation

The DNS ALG can provide DNS translation to convert the result of a DNS query from one specific IP address to another. A typical use case for this feature is where the public IP address for a server returned by a DNS server should be translated to its private IP address for internal clients.

To implement IP translations, the steps are as follows:

Create a new DNSTranslationList object.
Add one or more DNSTranslation objects as children to the parent DNSTranslationList object.
Create a DNSAlgProfile object for the DNS traffic and set its DNSTranslationList property to the list created in the previous steps. The predefined DNSAlgProfile object called dns could be used but this is not recommended.
Create an IPRule object that targets the DNS traffic and set its DNSAlgProfile property to the profile created in the previous step.

Example 10.5. Using the DNS ALG with an Internal DNS Server

In this example, the DNS ALG is used to filter UDP DNS queries sent to a protected DNS server on a DMZ which are coming from the Internet. This is illustrated in the diagram below.

Command-Line Interface

Change the current CLI context to be the main IP rule set:

System:/> cc RuleSet IPRuleSet main

Create a SAT IP rule that uses the predefined DNS ALG profile:

System:/IPRuleSet/main> add IPRule
			SourceInterface=wan
			SourceNetwork=all-nets-ip4
			DestinationInterface=core
			DestinationNetwork=wan_ip
			Service=dns-udp
			Action=Allow
			DestinationTranslation=SAT
			SetDestinationAddress=Offset
			NewDestinationIP4=10.0.0.5
			DNSAlgProfile=dns
			Name=SAT_DNS_To_DMZ

Now, return to the default CLI context if no more rules are needed:

System:/IPRuleSet/main> cc
System:/>

Example 10.6. Using the DNS ALG with Protected Clients

In this example, clients on the internal protected network if1_net are sending DNS queries out to the public Internet using NAT via the interface wan. This is illustrated in the diagram below.

A single translation will be applied that changes a DNS server response so that the IPv4 address 203.0.113.10 will be changed to 10.0.0.10.

Create a DNSTranslationList object:

System:/> add DNSTranslationList my_translations

Add DNSTranslation objects to the list:

Change the CLI context to the list:

System:/> cc DNSTranslationList my_translations

Add the translation:

System:/DNSTranslationList/my_translations> add DNSTranslation
			FromIP=203.0.113.10
			ToIP=10.0.0.10

Return to the default CLI context:

System:/DNSTranslationList/my_translations> cc
System:/>

Create a custom DNSAlgProfile using the list:

System:/> add DNSAlgProfile my_dns_alg Translations=my_translations

Create an IPRule that uses the profile:

Change the CLI context to be the main IP rule set:

System:/> cc RuleSet IPRuleSet main

Create the IP rule:

System:/IPRuleSet/main> add IPRule
			SourceInterface=if1
			SourceNetwork=if1_net
			DestinationInterface=wan
			DestinationNetwork=all-nets-ip4
			Service=dns-udp
			Action=Allow
			DNSAlgProfile=my_dns_alg
			SourceTranslation=NAT
			SetSourceAddress=InterfaceAddress
			Name=NAT_DNS_to_Internet

10.5. Syslog ALG

The Syslog ALG can perform checks on Syslog messages passing through the firewall with the ability to drop messages containing certain text. The ALG is not used with Syslog messages generated by the local firewall itself.

Syslog ALG Setup

The Syslog ALG is set up using the following steps:

Create a new ServiceTCPUDP object that has the following settings:
- DestinationPorts: 514
- Type: UDP
- AppProto: Syslog
Alternatively, the predefined syslog service could be used. This already has its AppProto property set to the value Syslog.
Create a new SyslogAlgProfile object that defines the type of processing to be performed by cOS Stream on the targeted Syslog traffic. The key properties of this object are described below.
Create a new IPRule object that allows the targeted Syslog traffic to flow. The Service property of the rule's filter must be set to the service created in the first step. The SyslogAlgProfile created in the previous step must also be assigned to the rule.

Key Properties of SyslogAlgProfile

A SyslogAlgProfile object has the following key properties:

AppendTag

This option has the value Disabled by default. This can be changed to a value of RecvIfName in order to append the name of the receiving interface to the Syslog message.

The appended data will always be surrounded by double quotation marks and will have a preceding space character. For example:
```
 "if3"
```
TagPrefix

If the AppendTag option is not disabled, the TagPrefix property can optionally be used to specify a prefix for the appended data. The prefix chosen should not be a string that might appear in any of the messages processed. For example, if the tag prefix is specified as Receiving_If= then the appended text would appear like the following:
```
 Receiving_If="if3"
```
Note that the tag prefix also has a preceding space automatically inserted. The prefix specified has a length limit of 15 characters and cannot include spaces.

DenyProhibitedKeywords

If this option is enabled then a comma separated list of prohibited keywords can be specified using the ProhibitedKeywords property. The list can contain up to four strings and each string cannot be be longer than 15 characters.

If a Syslog message contains any of these keywords then it is dropped. The option can help guard against spurious data being inserted into a message. By default, this option is disabled.
MaxSyslogLength

If the Syslog message payload exceeds this size in bytes, the message is dropped. The default value is 4096 bytes. This option is always enabled.

Any Return Traffic Will Close Traffic Flows

Syslog traffic is one directional and there should be no traffic going in the return direction. If the Syslog ALG detects any returning traffic, the traffic is dropped and the flow is closed.

Example 10.7. Syslog ALG Setup

In this example, Syslog traffic flowing between interfaces if1 and if2 will be scanned using a SyslogAlgProfile.

The following is required for the Syslog messages processed:

Messages will be tagged with the receiving interface and the tag prefix text "Receiving_If=" will be added.
Syslog messages will be dropped if they contain either the keyword "test" or "debug".
The maximum allowed message size is to be 8192 bytes, otherwise the message is dropped.

Command-Line Interface

A. Create a new Service object for the Syslog traffic:

System:/> add Service ServiceTCPUDP my_syslog_service
			Type=UDP
			DestinationPorts=514
			AppProto=Syslog

B. Create a SyslogAlgProfile object:

System:/> add SyslogAlgProfile my_syslog_profile
			AppendTag=RecvIfName
			TagPrefix="Receiving_If="
			DenyProhibitedKeywords=Yes
			ProhibitedKeywords=test,debug
			MaxSyslogLength=8192

C. Create an IPRule for Syslog traffic:

System:/> cc RuleSet IPRuleSet main
System:/IPRuleSet/main> add IPRule Action=Allow
			Service=my_syslog_service
			SourceInterface=if1
			SourceNetwork=if1_net
			DestinationInterface=if2
			DestinationNetwork=if2_net
			SyslogAlgProfile=my_syslog_profile
			Name=my_syslog_rule

Chapter 11: Internet Access

This chapter describes setting up access to the public Internet using the CLI using static IP addresses supplied by an ISP.

Assumptions

It is assumed in this section that the hardware platform has two Ethernet interfaces available: interface if1 and interface if2. The if2 interface will be used for connection to the public Internet and the if1 interface will be used for connection to a protected, local network.

Required IP Address Objects

It is first necessary to set or create a number of IP address objects. It is assumed here that the interface used for Internet connection is if2, the ISP gateway IPv4 address is 10.5.4.1, the IPv4 address for the connecting interface will be 10.5.4.35 and the network to which they belong is 10.5.4.0/24.

	Note: Private IPv4 addresses are used for example only
	Each installation's IP addresses will be different from these IP addresses but they are used here only to illustrate how setup is done. Also, these addresses are private IPv4 addresses and in reality an ISP would use public IP addresses instead.

It is also necessary to add the gateway IP address object which will be called wan_gw:

System:/> add Address IPAddress wan_gw Address=10.5.4.1

This is the address of the ISP's gateway which is the first router hop towards the public Internet. If this IP object already exists, it can be given the IP address with the command:

System:/> set Address IPAddress wan_gw Address=10.5.4.1

Defining Routes

A route must now be defined which specifies that the Internet can be found on the if2 interface along with the IP address of the default gateway which is the ISP's router. First, change the context to be the main routing table:

System:/> cc RoutingTable main

The prompt changes to indicate the context has changed.

System:/RoutingTable/main>

Now add the route to the Internet:

System:/RoutingTable/main> add Route
			Interface=if2
			Network=all-nets-ip4
			Gateway=wan_gw

Once the route is added, the context is changed back to the original with the command:

System:/> cc

Next, set the IP object if2_ip which will be the IP address of the interface connected to the ISP:

System:/> set IPAddress if2_ip Address=10.5.4.35

On initial startup, cOS Stream automatically creates and fills the address book with the all interface related IP address objects.

Now set the IP object if2_net which will be the IP network of the connecting interface:

System:/> set IPAddress if2_net Address=10.5.4.0/24

It is recommended to verify the properties of the if2 interface with the command:

System:/> show Interface EthernetInterface if2

The typical output from this will be similar to the following:

                     Property  Value
 ----------------------------  --------------------------
                        Name:  if2
             EthernetAddress:  0:<empty>  1:<empty>
       HAEthernetAddressMode:  PrivateSharedMAC
                      HAType:  Critical
              MonitorTargets:  <empty>
                   Backplane:  No
              EthernetDevice:  0:if2  1:if2
            VLANOutboundPrio:  0
      VLANOutboundPrioPolicy:  Set (Set priority)
                   PrivateIP:  0:<empty>  1:<empty>
  RouterAdvertisementProfile:  DefaultProfile
                         MTU:  1500
                   IPAddress:  if2_ip
                IP4Broadcast:  <empty>
      RoutingTableMembership:  <all>
                 DHCPEnabled:  <empty>
SecurityEquivalentInterfaces:  <empty>
    IPv6AddressConfiguration:  Static
                        Zone:  <empty>
                    Comments:  <empty>

Defining IP Rules

Even though an all-nets-ip4 route is automatically added, no traffic can flow without the addition of an IP rule which explicitly allows the flow. Let us assume we want to allow web surfing from the protected network if1_net on the interface if2. A simple rule to do this would have an Action of Allow and would be defined with the following commands.

First, it is necessary to change the current CLI context to be the default IPRuleSet called main using the command:

System:/> cc RuleSet IPRuleSet main

Additional IP rule sets can be defined which is why we do this, with the rule set main existing by default. Notice that the CLI prompt changes to reflect the current context:

System:/main>

Now add an IP rule called lan_to_wan that allows the traffic through to the public Internet:

System:/main> add IPRule
			Action=Allow
			SourceInterface=if1
			SourceNetwork=if1_net
			DestinationInterface=if2
			DestinationNetwork=all-nets-ip4
			Service=http
			Name=lan_to_wan

Since the protected network is likely to consist of private IPv4 addresses. It is more likely that a NAT rule is required to share the public IP address of if2. The CLI command for defining this would be:

System:/IPRuleSet/main> add IPRule
			Action=Allow
			SourceNetwork=if1_net
			SourceInterface=if1
			DestinationNetwork=if2
			DestinationInterface=all-nets-ip4
			Service=http
			SourceTranslation=NAT 
			Name=lan_to_wan

The service used in the IP rule is http which will allow most web surfing but does not include the DNS protocol to resolve URLs into IP addresses. To solve this problem, a custom service could be used in the above rule which combines http with the dns service. However, the recommended method which provides the most clarity to a configuration is to create a separate IP rule for DNS:

System:/main> add IPRule
			Action=Allow
			SourceInterface=if1
			SourceNetwork=if1_net
			DestinationInterface=if2
			DestinationNetwork=all-nets-ip4
			Service=dns-all
			SourceTranslation=NAT 
			Name=lan_to_wan_dns

Activating and Committing Changes

After any changes are made to a configuration, they will be saved as a new configuration but will not yet be activated. To activate all the configuration changes made since the last activation of a new configuration, the following command must be issued:

System:/> activate

Although the new configuration is now activated, it does not become permanently activated until the following command is issued within 30 seconds following the activate:

System:/> commit

The reason for two commands is to prevent a configuration accidentally locking out the administrator. If a lock-out occurs then the second command will not be received and cOS Stream will revert back to the original configuration after the 30 second time period. This time period is a setting that can be changed as shown in the example below.

Example 11.1. Changing the Activation Revert Timeout

This example shows how the default revert timeout after a configuration is activated can be changed to 120 seconds from the default.

Command-Line Interface

System:/> set Settings RemoteMgmtSettings BiDirTimeout=120

Allowing ICMP Ping Requests

It can be useful to allow ICMP Ping requests to be sent out to external hosts on the Internet. As discussed earlier, the system will drop any traffic unless an IP rule explicitly allows it. Let us suppose that we wish to allow the pinging of external hosts with the ICMP protocol by computers on the internal if1_net network. The commands to allow this are as follows.

First, the current CLI context must be changed to be the IPRuleSet called main using the command:

System:/> cc RuleSet IPRuleSet main

Now add an IP rule called allow_ping_outbound to allow ICMP pings to pass:

System:/main> add IPRule
			Action=Allow
			SourceInterface=if1
			SourceNetwork=if1_net
			DestinationInterface=if2
			DestinationNetwork=all-nets-ip4
			Service=ping-outbound-ip4
			SourceTranslation=NAT
			Name=allow_ping_outbound

Chapter 12: DNS

Overview

A DNS server can resolve a Fully Qualified Domain Name (FQDN) into the corresponding numeric IP address. FQDNs are unambiguous textual domain names which specify a node's unique position in the Internet's DNS tree hierarchy. FQDN resolution allows the actual physical IP address to change while the FQDN can stay the same.

A Uniform Resource Locator (URL) differs from an FQDN in that the URL includes the access protocol along with the FQDN. For example the protocol might be specified http//: for world wide web pages. DNS servers can exist both on the public Internet for resolution of public IP addresses as well as private servers for the resolution of private IP addresses.

FQDNs are used in many aspects of a configuration where IP addresses are unknown or where it makes more sense to make use of DNS resolution instead of using static IP addresses. cOS Stream supports the use of FQDNs in defining an address book object and this is described further in Section 5.6, FQDN Address Objects.

Defining External DNS Servers

cOS Stream has a predefined object called DNS. To enable DNS resolution, at least one DNSServer object must be added as a child of this DNS parent object. Up to a maximum of 8 DNS servers can be defined in this way. An example of the CLI commands to do this can be found in Example 12.1, “Configuring DNS Servers”.

Multiple DNS Servers are Recommended

For DNS lookup to function in cOS Stream, at least one DNS server must be defined. However, it is recommended that at least two different DNS servers are defined so that there is a backup should one server be unavailable. Note that it also possible to define a different routing table for each server (the default routing table is main). This is useful in virtual routing scenarios but also where an alternate route to the Internet is available for redundancy purposes.

The DNS ALG

A DNS ALG can be configured in cOS Stream to check the integrity of DNS traffic and impose restrictions on such traffic as well as provide custom DNS translations. This is described in Section 10.4, DNS ALG.

Features Requiring DNS Resolution

Having at least one DNS server configured is vital for the functioning of the following modules:

Automatic time synchronization.
Access to an external certificate authority server for CA signed certificates.

DNS Lookup and IP Rules

In the case of DNS server request being generated by cOS Stream itself, no IP rules need to be defined for the connection to succeed. This is because flows initiated by cOS Stream are considered to be trusted. For example, this would be the case if cOS Stream is accessing a CA server to establish the validity of a certificate and first needs to resolve the certificate's FQDN to an IP address.

The DNS Cache

cOS Stream uses an internal DNS cache to ensure that the same FQDN does not need to be resolved every time it is referenced. The current cache contents can be examined using the following command:

System:/> dns -list

DNS Cache Updating

When a DNS server returns the IP addresses for an FQDN, it also returns a Time-To-Live (TTL) value. This value is stored with the cache entry.

The TTL value returned could be very low or even zero. For this reason, cOS Stream provides a global property called MinTTL in the system's predefined DNS object that has a default value of 1 second. If the TTL returned from a DNS server is less than MinTTL then the TTL is reset to be MinTTL.

A second global property also exists in the system's predefined DNS object called MaxTTL. Any TTL value returned by a DNS server that is greater than this maximum will be set to it.

The object property FQDNValidAfterTTLDefault is only used when caching FQDN address objects and explained further in Section 5.6, FQDN Address Objects.

Example 12.1. Configuring DNS Servers

In this example, two DNS servers are configured for DNS lookup by the firewall. The first DNS server has the IPv4 address 203.0.113.5 and will use the default main routing table for the route lookup of this address. The second server has the IPv4 address 192.0.2.5 and will use a user-defined routing table called alt-rt for the route lookup of the address.

Command-Line Interface

System:/> cc DNS
System:/DNS> add DNSServer IPAddress=203.0.113.5
System:/DNS> add DNSServer IPAddress=192.0.2.5 RoutingTable=alt-rt

To show the configured DNS servers, the show command should be used within the DNS CLI context:

System:/DNS> show
			
DNSServer

  # IP address  Routing table
  - ----------- -------------
+ 1 203.0.113.5 main
+ 1 192.0.2.5   alt-rt

System:/DNS> cc
System:/>

The predefined DNS object has a number of properties which apply to all the child DNSServer objects added to it. These can be displayed with the show DNS command:

System:/> show DNS
			
                 Property  Value
-------------------------  -------
        CacheNegativeTTL:  30
               QueueSize:  1024
              RepeatTime:  5
             RepeatCount:  3
                  MinTTL:  3600
                  MaxTTL:  86400
FQDNValidAfterTTLDefault:  86400
                Comments:  <empty>

If the IPv4 address 203.0.113.5 is defined in the address book with the name dns1_ip, the CLI to add the server would become the following:

System:/> cc DNS
System:/DNS> add DNSServer IPAddress=dns_ip1

If adding three alternate DNS servers with IP addresses dns_ip1, dns_ip2 and dns_ip3, the CLI becomes the following:

System:/> cc DNS
System:/DNS> add DNSServer IPAddress=dns_ip1
System:/DNS> add DNSServer IPAddress=dns_ip2
System:/DNS> add DNSServer IPAddress=dns_ip3
System:/> cc
System:/>

Assuming that at least one public DNS server has been configured and the configuration changes have been committed, DNS lookup can then be tested using the dns command with a suitable FQDN:

System:/> dns www.google.com
			
ip4 info:
  209.85.149.99
  209.85.149.103
  209.85.149.104
  209.85.149.105
  209.85.149.106
  198.41.0.4
TTL: 60

The DNS cache can then be listed to see the addresses that have been added to it:

System:/> dns -list

Name                     Address                       Type TTL
----------------------------------------------------------------
www.google.com           209.85.149.99                 A    49
www.google.com           209.85.149.103                A    49
www.google.com           209.85.149.104                A    49
www.google.com           209.85.149.105                A    49
www.google.com           209.85.149.106                A    49
www.google.com           198.41.0.4                    A    49

Example 12.2. Setting the DNS Cache Minimum TTL and Minimum Lifetime

This example sets the global MinTTL value to 10 seconds and the FQDNValidAfterTTLDefault to 1000 seconds. This means that an entry will stay in the cache for at least its TTL plus 1000 seconds and the TTL cannot be less than 10 seconds.

Command-Line Interface

System:/> set DNS MinTTL=10 FQDNValidAfterTTLDefault=1000

Chapter 13: IPsec VPN

13.1. Overview

The section takes a general look at IPsec based VPNs, what they are, what they can provide and the typical scenarios where they are used.

13.1.1. IPsec VPN Usage

The Internet is increasingly used as a means to connect together computers since it offers efficient and inexpensive communication. The requirement therefore exists for data to traverse the Internet to its intended recipient without another party being able to read (confidentiality) or alter it (integrity).

It is equally important that the recipient can verify that no one is falsifying data, in other words, pretending to be someone else. Virtual Private Networks (VPNs) meet this need, providing a highly cost effective means of establishing secure links between two co-operating computers so that data can be exchanged in a secure manner.

IPsec VPN allows the setting up of a tunnel between two devices known as tunnel endpoints. All data flowing through the tunnel is then secure. The mechanism that provides tunnel security is encryption.

There are two common scenarios where IPsec VPNs are used:

LAN to LAN connection - Where two internal networks need to be connected together over the Internet. In this case, each network is protected by an individual Clavister NetShield Firewall and the VPN tunnel is set up between them.
Client to LAN connection - Where many remote clients need to connect to an internal network over the Internet. In this case, the internal network is protected by the Clavister NetShield Firewall to which the client connects and the VPN tunnel is set up between them.

13.1.2. IPsec VPN Encryption

Encryption of VPN traffic is done using the science of cryptography. Cryptography is an umbrella expression covering 3 techniques and benefits:

Confidentiality: No one but the intended recipient is able to receive and understand the communication. Confidentiality is accomplished by encryption.
Authentication and Integrity: Proof for the recipient that the communication was actually sent by the expected sender, and that the data has not been modified in transit. This is accomplished by authentication, and is often implemented through the use of cryptographic keyed hashing.
Non-repudiation: Proof that the sender actually sent the data; the sender cannot later deny having sent it. Non-repudiation is usually a side-effect of authentication.

VPNs are normally only concerned with confidentiality and authentication. Non-repudiation is normally not handled at the network level but rather is usually done at a higher, transaction level.

13.1.3. IPsec VPN Planning

An attacker targeting a VPN connection will typically not attempt to crack the VPN encryption since this requires enormous effort. They will, instead, see VPN traffic as an indication that there is something worth targeting at the other end of the connection. Typically, mobile clients and branch offices are far more attractive targets than the main corporate network. Once inside those, getting to the corporate network then becomes easier.

In designing a VPN there are many issues that need to be addressed which aren't always obvious. These include the following:

Protecting mobile and home computers.
Restricting access through the VPN to needed services only, since mobile computers are vulnerable.
Creating DMZs for services that need to be shared with other companies through VPNs.
Adapting VPN access policies for different groups of users.
Creating key distribution policies.

Endpoint Security

A common misconception is that VPN-connections are equivalents to the internal network from a security standpoint and that they can be connected directly to it with no further precautions. It is important to remember that although the VPN-connection itself may be secure, the total level of security is only as high as the security of the tunnel endpoints.

It is becoming increasingly common for users on the move to connect directly to their company's network via VPN from their laptops. However, the laptop itself is often not protected. In other words, an intruder can gain access to the protected network through an unprotected laptop and already-opened VPN connections.

Placement in a DMZ

A VPN connection should never be regarded as an integral part of a protected network. The VPN firewall should instead be located in a special DMZ or outside a firewall dedicated to this task. By doing this, the administrator can restrict which services can be accessed via the VPN and ensure that these services are well protected against intruders.

In instances where the firewall features an integrated VPN feature, it is usually possible to dictate the types of communication permitted and the Clavister NetShield Firewall has this feature.

IPsec Key Distribution

If using pre-shared keys for IPsec security, key distribution schemes are best planned in advance. Issues that need to be addressed include:

How will keys be distributed? Email is not a good solution. Phone conversations might be secure enough.
How many different keys should be used? One key per user? One per group of users? One per LAN-to-LAN connection? One key for all users and one key for all LAN-to-LAN connections? It is probably better using more keys than is necessary today since it will be easier to adjust access per user (group) in the future.
Should the keys be changed? If they are changed, how often? In cases where keys are shared by multiple users, you may want to consider overlapping schemes, so that the old keys work for a short period of time when new keys have been issued.
What happens when an employee in possession of a key leaves the company? If several users are using the same key, it should be changed.
In cases where the key is not directly programmed into a network unit, such as a VPN firewall, how should the key be stored? On a floppy? As a passphrase to memorize? On a smart card? If it is a physical token, how should it be handled?

13.1.4. The SSL VPN Alternative

If secure access by clients to web servers using HTTP is the scenario under consideration, then using a Clavister NetShield Firewall for SSL termination can offer an alternative "lightweight" VPN approach that is quickly and easily implemented. Setting this up is described further in Chapter 14, SSL VPN.

13.2. IPsec Components

This section looks at the IPsec standards and describes in general terms the various components, techniques and algorithms that are used in IPsec based VPNs.

13.2.1. Overview

Internet Protocol Security (IPsec) is a set of protocols defined by the Internet Engineering Task Force (IETF) to provide IP security at the network layer. An IPsec based VPN is made up of two parts:

Internet Key Exchange protocol (IKE)
IPsec protocols (AH or ESP or both)

The first part, IKE, is the initial negotiation phase, where the two VPN endpoints agree on which methods will be used to provide security for the underlying IP traffic. Furthermore, IKE is used to manage connections, by defining a set of Security Associations, SAs, for each connection. SAs are unidirectional, so there are usually at least two for each IPsec connection.

The second part is the actual IP data being transferred, using the encryption and authentication methods agreed upon in the IKE negotiation. This can be accomplished in a number of ways: by using IPsec protocols ESP or AH, or a combination of both. Currently, only ESP is supported in cOS Stream.

The flow of events can be briefly described as follows:

IKE negotiates how IKE should be protected
IKE negotiates how IPsec should be protected
IPsec moves data in the VPN

The following sections will describe each of these stages in detail.

13.2.2. Internet Key Exchange (IKE)

This section describes IKE, the Internet Key Exchange protocol, and the parameters that are used with it.

Encrypting and authenticating data is fairly straightforward, the only things needed are encryption and authentication algorithms, and the keys used with them. The Internet Key Exchange (IKE) protocol, IKE, is used as a method of distributing these "session keys", as well as providing a way for the VPN endpoints to agree on how the data should be protected.

IKE has three main tasks:

Provide a means for the endpoints to authenticate each other
Establish new IPsec connections (create SA pairs)
Manage existing connections

Security Associations (SAs)

IKE keeps track of connections by assigning a set of Security Associations, SAs, to each connection. An SA describes all parameters associated with a particular connection, such as the IPsec protocol used (ESP/AH/both) as well as the session keys used to encrypt/decrypt and/or authenticate/verify the transmitted data.

An SA is unidirectional and relates to traffic flow in one direction only. For the bidirectional traffic that is usually found in a VPN, there is therefore a need for more than one SA per connection. In most cases, where only one of ESP or AH is used, two SAs will be created for each connection, one describing the incoming traffic, and the other describing the outgoing traffic. In cases where ESP and AH are used in conjunction, four SAs will be created.

IKE Proposals

An IKE algorithm proposal list is a suggestion of how to protect IPsec data flows. The VPN device initiating an IPsec connection will send a list of the algorithms combinations it supports for protecting the connection and it is then up to the device at the other end of the connection to say which proposal is acceptable.

The responding VPN device, upon receiving the list of supported algorithms, will choose the algorithm combination that best matches its own security policies, and reply by specifying which member of the list it has chosen. If no mutually acceptable proposal can be found, the responder will reply by saying that nothing on the list was acceptable, and possibly also provide a textual explanation for diagnostic purposes.

This negotiation to find a mutually acceptable algorithm combination is done not just to find the best way to protect the IPsec connection but also to find the best way to protect the IKE negotiation itself.

Algorithm proposal lists contain not just the acceptable algorithm combinations for encrypting and authenticating data but also other IKE related parameters. Further details of the IKE negotiation and the other IKE parameters are described next.

IKE Negotiation

An IKE negotiation consists of two phases:

IKE Phase-1 - Negotiate how IKE should be protected.
IKE Phase-2 - Negotiate how IPsec should be protected.

These phases are described in detail next.

IKE Phase-1 - IKE Security Negotiation

An IKE negotiation is performed in two phases. The first phase, phase 1, is used to authenticate the two VPN firewalls or VPN Clients to each other, by confirming that the remote device has a matching Pre-Shared Key.

Since publishing details of the negotiation in plaintext is undesirable, IKE first agrees upon a way of protecting the majority of the IKE negotiation. This is done by the initiator sending a proposal-list to the responder. After the responder accepts one of the proposals, we try to authenticate the other end of the VPN to make sure it is who we think it is, as well as proving to the remote device that we are who we claim to be. Next, a technique known as a Diffie Hellman Key Exchange is used to initially agree a shared secret between the two parties in the negotiation and to derive keys for encryption.

Authentication can be accomplished through using Pre-shared Keys (PSK) or certificates. Using pre-shared keys is the most common authentication method. Both PSK and certificates based VPNs are supported by cOS Stream.

IKE Phase-2 - IPsec Security Negotiation

In phase 2, another negotiation is performed, detailing the parameters for the IPsec connection.

During phase 2 we will also extract new keying material from the Diffie-Hellman key exchange in phase 1 in order to provide session keys to use in protecting the VPN data flow.

If Perfect Forward Secrecy (PFS) is used, a new Diffie-Hellman exchange is performed for each phase 2 negotiation. While this is slower, it makes sure that no keys are dependent on any other previously used keys; no keys are extracted from the same initial keying material. This is to make sure that, in the unlikely event that some key was compromised, no subsequent keys can be derived.

Once the phase 2 negotiation is finished, the VPN connection is established and ready for traffic to pass through it.

IKE Parameters

There are a number of parameters used in the IKE negotiation process and these are summarized below with general explanations.

Local Endpoint Identification

The Local ID is a piece of data representing the identity of the local VPN tunnel endpoint.

Local and Remote Networks/Hosts

These are the subnets or hosts between which IP traffic will be protected by the VPN. In a LAN-to-LAN connection, these will be the network addresses of the respective LANs.

Tunnel and Transport Mode

IPsec can be used in two modes, tunnel or transport.

Tunnel mode indicates that the traffic will be tunneled to a remote device, which will decrypt/authenticate the data, extract it from its tunnel and pass it on to its final destination. This way, an eavesdropper will only see encrypted traffic going from one of VPN endpoint to another.

In transport mode, traffic is not tunneled. This mode can be used to secure a connection from a VPN client directly to the Clavister NetShield Firewall, for example for IPsec protected remote configuration.

Currently, cOS Stream only supports tunnel mode.

Remote Endpoint

The remote endpoint (sometimes also referred to as the remote gateway) is the remote device that performs VPN decryption/authentication and that passes the unencrypted data on to its final destination.

The remote endpoint is not used in transport mode.

IPsec Protocols

The IPsec protocols describe how the data will be processed. The two protocols to choose from are AH, Authentication Header, and ESP, Encapsulating Security Payload.

ESP provides encryption, authentication, or both. However, it is not recommended to use encryption only, since it will dramatically decrease security.

Note that AH only provides authentication and does not support encryption. The difference from ESP with authentication only is that AH also authenticates parts of the outer IP header, for instance source and destination addresses, making certain that the packet really came from who the IP header claims it is from.

Since AH protects the outer IP addresses, it not work with NAT.

	Note
	AH is not currently supported by cOS Stream.

IKE Encryption

This specifies the encryption algorithm used in the IKE negotiation, and depending on the algorithm, the size of the encryption key used.

IKE Authentication

This specifies the authentication algorithms used in the IKE negotiation phase.

IKE DH Group

This specifies the Diffie-Hellman group to use for the IKE exchange. The available DH groups are discussed below in the section titled Diffie-Hellman Groups.

IKE Lifetime

This is the lifetime of the IKE connection.

It is specified in time (seconds). Whenever one of these expires, a new phase-1 exchange will be performed. If no data was transmitted in the last "incarnation" of the IKE connection, no new connection will be made until someone wants to use the VPN connection again. This value must be set greater than the IPsec SA lifetime.

PFS

With Perfect Forward Secrecy (PFS) disabled, initial keying material is "created" during the key exchange in phase-1 of the IKE negotiation. In phase-2 of the IKE negotiation, encryption and authentication session keys will be extracted from this initial keying material. By using PFS, completely new keying material will always be created upon rekey. Should one key be compromised, no other key can be derived using that information.

PFS can be used in two modes: the first is PFS on keys, where a new key exchange will be performed in every phase-2 negotiation. The other type is PFS on identities, where the identities are also protected, by deleting the phase-1 SA every time a phase-2 negotiation has been finished, making sure no more than one phase-2 negotiation is encrypted using the same key.

PFS is generally not needed, since it is very unlikely that any encryption or authentication keys will be compromised. It is enabled in cOS Stream by specifying one or more DH groups for the IPsec proposal.

IPsec Encryption

The encryption algorithm that will be used on the protected IPsec traffic.

This is not needed when AH is used, or when ESP is used without encryption.

IPsec Authentication

This specifies the authentication algorithm used on the protected traffic.

This is not used when ESP is used without authentication, although it is not recommended to use ESP without authentication.

IPsec Lifetime

This is the lifetime of the VPN connection. It is specified as a time in seconds. Whenever this value is exceeded, a rekey will be initiated, providing new IPsec encryption and authentication session keys. If the VPN connection has not been used during the last rekey period, the connection will be terminated, and re-opened from scratch when the connection is needed again.

This value must be set lower than the IKE lifetime.

Diffie-Hellman Groups

Diffie-Hellman (DH) is a cryptographic protocol that allows two parties that have no prior knowledge of each other to establish a shared secret key over an insecure communications channel through a series of plain text exchanges. Even though the exchanges between the parties might be monitored by a third party, Diffie-Hellman makes it extremely difficult for the third party to determine what the agreed shared secret key is and to decrypt data that is encrypted using the key.

Diffie-Hellman is used to establish the shared secret keys for IKE, IPsec and PFS.

The Diffie-Hellman group indicates the degree of security used for DH exchanges. The higher the group number, the greater the security but also the processing overhead. The DH groups supported by cOS Stream are the following:

DH group 1 (MODP 768-bit)
DH group 2 (MODP 1024-bit)
DH group 5 (MODP 1536-bit)
DH group 14 (MODP 2048-bit)
DH group 15 (MODP 3072-bit)
DH group 16 (MODP 4096-bit)
DH group 17 (MODP 6144-bit)
DH group 18 (MODP 8192-bit)
DH group 19 (ECP 256-bit)
DH group 20 (ECP 384-bit)
DH group 21 (ECP 521-bit)

DH groups are specified in a configuration as part of the IKE proposal list. At least one DH group must be specified in a proposal list. By default, DH groups 5 and 14 are used. The group chosen by the peers during the IKE negotiation will be the highest which both have available. It is recommended to try to use DH group 14 or greater and only use groups less that 14 for compatibility purposes. However, it should be noted that higher DH group numbers require greater processing resources.

IKE and IPsec Lifetimes

Both the IKE and the IPsec connections have limited lifetimes, described in terms of time. These lifetimes prevent a connection from being used for too long, which is undesirable from a security perspective.

The IPsec lifetime must be shorter than the IKE lifetime. The difference between the two must be a minimum of 5 minutes. This allows for the IPsec connection to be rekeyed simply by performing another phase-2 negotiation. There is no need to do another phase-1 negotiation until the IKE lifetime has expired.

Default Lifetimes

It default lifetime values are as follows:

IKE lifetime - 28800 seconds (8 hours).
IPsec lifetime - 3600 seconds (1 hour).

The minimum allowed values are:

IKE lifetime - 60 seconds + 5 minutes = 360 seconds.
IPsec lifetime - 60 seconds.

13.2.3. IKE Authentication

IKE provides a way to securely establish communications between the two ends of an IPsec tunnel. Before examining IKE in detail, the alternative of manually setting up a tunnel is discussed.

Manual Keying without IKE

Without IKE, the "simplest" way of configuring the algorithms used by an IPsec tunnel is by using manual keying. This is a method where the encryption and authentication keys as well as some other parameters are directly configured on both sides of the VPN tunnel.

Manual keying is supported by cOS Stream but only for ESP with tunnel mode. However, it has a number of limitations, such as having to always use the same encryption/authentication keys, no anti-replay services. There is also no way of assuring that the remote host/firewall really is the one it says it is.

The vulnerability of manual keying to "replay attacks" means that a malicious entity with access to the encrypted traffic can record packets, store them, and send them to its destination at a later time. The destination VPN endpoint will have no way of telling if this packet is a "replayed" packet or not. Using IKE eliminates this vulnerability.

PSK Based Authentication

Using a Pre-shared Key (PSK) is a method where the endpoints of the VPN "share" a secret key. This is a service provided by IKE, and thus has all the advantages that come with it, making it far more flexible than manual keying.

PSK Advantages

Pre-Shared Keying has a lot of advantages over manual keying. These include endpoint authentication, which is what the PSKs are really for. It also includes all the benefits of using IKE. Instead of using a fixed set of encryption keys, session keys will be used for a limited period of time, where after a new set of session keys are used.

PSK Disadvantages

One thing that has to be considered when using PSKs is key distribution. How are the PSKs distributed to remote VPN endpoints? This is a major issue, since the security of a PSK system is based on the PSKs being kept secret. Should one PSK be compromised, the configuration will need to be changed to use a new PSK.

Certificate Based Authentication

Each VPN firewall has its own certificate, and one or more trusted root certificates.

The authentication is based on several things:

That each endpoint has the private key corresponding to the public key found in its certificate, and that nobody else has access to the private key.
That the certificate has been signed by someone that the remote endpoint trusts.

Advantages of Certificates

A key advantage of certificates is added flexibility. Many VPN clients, for instance, can be managed without having the same pre-shared key configured on all of them, which is often the case when using pre-shared keys and roaming clients. Instead, should a client be compromised, the client's certificate can simply be revoked. No need to reconfigure every client.

Disadvantages of Certificates

A disadvantage of using certificates is added complexity. Certificate-based authentication may be used as part of a larger public key infrastructure, making all VPN clients and firewalls dependent on third parties. In other words, there are more aspects that have to be configured, and there is more that can go wrong.

13.2.4. IPsec Protocols (ESP/AH)

The IPsec protocols are the protocols used to protect the actual traffic being passed through the VPN. The actual protocols used and the keys used with those protocols are negotiated by IKE.

There are two protocols associated with IPsec, AH and ESP. These are covered in the sections below.

AH (Authentication Header)

AH is a protocol used for authenticating a data stream.

Figure 13.1. The AH protocol

AH uses a cryptographic hash function to produce a MAC from the data in the IP packet. This MAC is then transmitted with the packet, allowing the remote endpoint to verify the integrity of the original IP packet, making sure the data has not been tampered with on its way through the Internet. Apart from the IP packet data, AH also authenticates parts of the IP header.

The AH protocol inserts an AH header after the original IP header. In tunnel mode, the AH header is inserted after the outer header, but before the original, inner IP header.

AH is not currently supported by cOS Stream.

ESP (Encapsulating Security Payload)

The ESP protocol inserts an ESP header after the original IP header, in tunnel mode, the ESP header is inserted after the outer header, but before the original, inner IP header.

All data after the ESP header is encrypted and/or authenticated. The difference from AH is that ESP also provides encryption of the IP packet whereas AH does not. The authentication phase also differs in that ESP only authenticates the data after the ESP header and the outer IP header is left unprotected.

Since AH protects the outer IP addresses, it cannot be used with NAT.

The ESP protocol is used for both encryption and authentication of the IP packet. It can also be used to do either encryption only, or authentication only.

Figure 13.2. The ESP protocol

13.2.5. Creating and Using Proposal Lists

To agree on the VPN flow parameters, a negotiation between tunnel peers is performed. As a result of these negotiations, the IKE and IPsec security associations (SAs) are established. A proposal list of supported algorithms is the starting point for a negotiation. Each entry in the list defines parameters for a supported algorithm that the VPN tunnel end point device is capable of supporting (the shorter term tunnel endpoint will also be used in this manual). The initial negotiation attempts to agree on a set of algorithms that the devices at either end of the tunnel can both support.

There are two types of proposal lists, IKE proposal lists and IPsec proposal lists. IKE lists are used during IKE Phase-1 (IKE Security Negotiation), while IPsec lists are using during IKE Phase-2 (IPsec Security Negotiation).

Supported Algorithms

The algorithms currently supported by cOS Stream are:

Encryption algorithms:

AES128-CBC
AES192-CBC
AES256-CBC
3DES
Null

Data integrity algorithms:

AES-XCBC
SHA-1
SHA-256
SHA-384
SHA-512
MD5

	Caution: SHA1 and MD5 have weaknesses
	SHA1 is considered to have weaknesses and should be used with caution. MD5 is no longer considered to be a secure algorithm and should be avoided if possible.

Pseudo-random function algorithms:

This is the same list as for Data Integrity Algorithms above.

	Note: AES-XCBC is not available for IKEv1 proposals
	The AES-XCBC algorithm cannot be used with IKE proposal lists for IKEv1. If it is accidentally specified, it does not cause an error condition but will be ignored.

Algorithm Sets

In cOS Stream, the various encryption and integrity algorithms are grouped together into sets according to the level of security they provide. These sets, called High, Low and All, are then used in the predefined IKE and IPsec proposal lists. The sets are as follows:

High

This consists of a set of algorithms to give higher security. This is the default algorithm set for an IPsec tunnel if no proposal lists are explicitly set. The complete list is:
1. 3DES and AES256-CBC for encryption.
2. SHA256, SHA384, SHA512 and AES-XCBC for integrity.
Low

This set gives slightly less security. The complete list is:
1. 3DES and AES128-CBC for encryption.
2. SHA256 and AES-XCBC for integrity.
All

This set combines all available algorithms.

Creating and Using Proposal Lists

There are two object types that define proposal lists and these make use of the High, Low and All algorithm groupings described above:

IKEProposalList

This type has three predefined objects:
1. ike_high - The IPsec tunnel default.
2. ike_low
3. ike_all
IPsecProposalList

This type has three predefined objects:
1. ipsec_high - The IPsec tunnel default.
2. ipsec_low
3. ipsec_all

However, as the example below shows, it is possible to create new custom proposal lists objects with different combinations of algorithms.

Example 13.1. Creating and Using IKE Proposal Lists

This example looks at creating a new IKE proposal list called my_list and adding this to an existing IPsecTunnel object called my_tunnel.

Command-Line Interface

First, create the IKE proposal list:

System:/> add IKEProposalList my_list

Change the current context to be the created list:

System:/> cc IKEProposalList my_list

Add at least one proposal to the list:

System:/IKEProposalList/my_list> add IKEProposal DHGroup=2,5
			EncryptionAlgorithms=aes128-cbc,aes256-cbc
			IntegrityAlgorithms=sha1,md5

Return to the original context:

System:/IKEProposalList/ike_list> cc

Associate the proposal list with the tunnel:

System:/> set Interface IPsecTunnel my_tunnel IKEProposalList=my_list

An IPsec proposal list would be created and used in a similar way.

13.2.6. Pre-shared Keys

Pre-Shared Keys (PSK) are one of the methods used to authenticate VPN tunnels. The other method is using certificates.

PSKs are secrets that are shared by the communicating parties before communication takes place. To communicate, both parties prove that they know the secret. The security of a shared secret depends on how "good" a passphrase is. Passphrases that are common words are extremely vulnerable to dictionary attacks. A PSK can be specified as either a hexadecimal or ASCII value.

The longer the value used for the PSK, the better the security.

Example 13.2. Adding an ASCII PSK

This example creates a PSK object based on an ASCII string. The object can then be used for authentication with, for example, VPN tunnels

Command-Line Interface

System:/> add PSK my_psk Type=ASCII PSKAscii="mypasswordstring"

Caution: Non-ASCII characters in PSKs with other platforms

Different encodings on different platforms can cause problems with non-ASCII characters in a non-hexadecimal PSK.

For example, Microsoft Windows encodes PSKs containing non-ASCII characters in UTF-16 while cOS Stream uses UTF-8. Even though the same PSK appears to be used at either end of the tunnel, there can be a mismatch because two platforms are encoding differently. As an example, this can cause problems when setting up a Windows L2TP client that connects to cOS Stream.

13.2.7. Certificates with IPsec

Using Certificates Instead of PSKs

The simplest and fastest way to provide security between the ends of an IPsec tunnel is to use Pre-shared Keys (PSKs). However, as a VPN network grows so does the complexity of using PSKs. Certificates provide a means to better manage security in much larger networks.

This section deals with specific issues associated with using X.509 certificates with IPsec. For a discussion of certificate uploading and how to define Certificate objects see Section 16.1, Configuring Certificates.

Using the ipsec Certificate Store

It should be noted that when a new Certificate object is created for use with IPsec tunnels, it must be added as a child to the CertificateStore object called ipsec. The ipsec store always exists as a predefined store.

Certificates Can be Reused with IPsec

Certificates are global objects that can be reused between IPsec tunnels. Even though a certificate is associated with one tunnel in cOS Stream, it can still be reused with any number of other, different tunnels.

Association with IPsec Tunnels

The association between a tunnel and certificates is done by using the LocalID property of the IPsec tunnel and the tunnel's LocalAuthMethod property should be set to Certificate (by default, this also becomes the value for RemoteAuthMethod although the two could be set differently).

The LocalID value specified for a tunnel is matched with the Subject or Subject Alternative Name fields in the available certificates. If more than one certificate provide a LocalID match, the first matching certificate is used.

The CRLChecks Property

The CRLChecks property of a Certificate object determines if the CRL for the certificate is to be checked by cOS Stream and what happens if the CRL cannot be retrieved in order to do the checking. The possible values for this property are the following:

Enforced

This is the default value and means that the associated CRL must be checked before the certificate can be used for authentication. If the associated CRL cannot be retrieved, perhaps because a CA server is offline, then the certificate will be unusable and authentication will fail.

If the certificate has no CRL associated with it then enforced checking is ignored. A self-signed certificate, such as the ones used for management connections, does not have an associated CRL but will still have this default option selected.

An example of setting this option using the CLI would be:
```
System:/> cc CertificateStore ipsec
System:/CertificateStore/ipsec> set Certificate my_cert
			CRLChecks=Enforced
```
Conditional

CRL checking will be performed by cOS Stream provided any associated CRL is available. If the CRL cannot be accessed, perhaps because a CA server is offline, then the certificate will be used anyway.
Disabled

The causes all CRL checking to be disabled. The certificate will be used even if there is a CRL associated with it.

CRLs are discussed further in Section 16.2, CA Server Access.

13.2.8. IPsec Tunnels

This section looks more closely at IPsec tunnel usage.

An IPsecTunnel object defines an endpoint of an encrypted VPN tunnel. Each IPsec tunnel is interpreted as a logical interface by cOS Stream, with the same filtering and configuration capabilities as an Ethernet interface.

IPv6 Support

Both IPv4 and IPv6 are supported for both IKE and IPsec. Furthermore, the networks connected together through the tunnel can be IPv4 or IPv6. The IP protocol used for tunnel establishment is independent of the traffic flowing inside the tunnel so that the tunnel might be established using IPv4 but have IPv6 traffic flowing inside it. Similarly, the tunnel might be established with IPv6 but have IPv4 traffic flowing inside it.

It is not possible to make the local and remote network for a tunnel a mixture of IPv4 and IPv6 networks. It is also not possible to have dissimilar local and remote endpoints.

Remote Initiation of Tunnel Establishment

When another Clavister NetShield Firewall or another IPsec compliant networking product (also known as the remote endpoint) tries to establish an IPsec VPN tunnel to a local Clavister NetShield Firewall, the list of currently defined IPsec tunnels in the configuration is examined. If a matching tunnel definition is found, that tunnel is opened. The associated IKE and IPsec negotiations then take place, resulting in the tunnel becoming established to the remote endpoint.

IP Rules Control Decrypted Traffic

Note that an established IPsec tunnel does not automatically mean that all the traffic flowing from the tunnel is trusted. On the contrary, network traffic that has been decrypted will be checked against the IP rule set. When doing this IP rule set check, the source interface of the traffic will be the associated IPsec tunnel since tunnels are treated like interfaces in cOS Stream.

Returning Traffic

For network traffic going in the opposite direction, back into an IPsec tunnel, a reverse process takes place. First, the unencrypted traffic is evaluated by the rule set. If a rule and route matches, cOS Stream tries to find an established IPsec tunnel that matches the criteria. If not found, cOS Stream will try to establish a new tunnel to the remote endpoint specified by a matching IPsec tunnel definition.

IPsec Tunnels Themselves Do Not Require IP Rules

By default, all traffic entering and leaving an IPsec tunnel is subject to defined IP rules so those must be defined in the rule sets for traffic to flow inside the tunnel.

However, the IPsec tunnel itself does not need any IP rules defined. These rules are hidden, and created automatically by cOS Stream so that IKE negotiations and tunnel establishment can take place.

Dead Peer Detection

After establishment of an IPsec tunnel to a client, cOS Stream uses an Informational message sent through the tunnel to the client as a Dead Peer Detection (DPD) mechanism. This message contains an empty encrypted payload.

If the client does not respond, six further DPD messages are sent by cOS Stream at progressively longer intervals before DPD is triggered, the client is considered unreachable and the tunnel's SAs are torn down. DPD is unidirectional, being concerned only with incoming tunnel traffic.

The interval that cOS Stream waits, when no traffic is received, before triggering DPD message sending, is determined by the IPsecTunnel property IKEDPDInterval. This has a default value of 90 seconds and this is the recommended setting for most scenarios. If this is set to zero, DPD will be disabled.

The value of IKEDPDInterval can be set as low as 10 seconds but the number of tunnels that cOS Stream can check in a short interval is limited. For this reason, it is recommended that the IKEDPDInterval value should not be less than 60 seconds, especially in environments with large numbers of IPsec tunnels.

IPsec Connection Using Two IPsec Tunnel Objects

As discussed in Section 13.6, IPsec Troubleshooting, a potential problem can occur when a single IPsec VPN tunnel is set up referencing two IPsec tunnel objects. This can cause confusion for the administrator so further explanation can be helpful.

Consider the situation of an IPsec client sending a request to open a tunnel to cOS Stream. The client begins by sending an IKE_INIT request that includes a proposal list, key information and a notification payload. cOS Stream then scans the list of IPsec tunnel objects looking for the closest match and uses the tunnel object it finds.

However, the tunnel chosen may not be the "right" tunnel since not all information needed for a correct match is yet available to cOS Stream. In the next IKE_AUTH stage of the setup process, the client sends the remainder of the required information and this may result in cOS Stream needing to find another IPsec tunnel object for the connection.

An example of this is two tunnels A and B with the following characteristics:

Tunnel A has:
1. AES-128 in its proposal list.
2. Authentication with PSK using ID id_a@somecompany.com
3. A remote endpoint of all-nets-ip4.
Tunnel B has:
1. 3DES in its proposal list.
2. Authentication with certificates using ID id_b@somecompany.com.
3. A remote endpoint of 177.22.0.47.

Now, consider the following sequence:

A client with IPv4 address 177.22.0.47 initiates an IPsec negotiation with an IKE_INIT message.
Assuming that the client's proposal list can match either tunnel, the IPsec tunnel object B is chosen for the connection because its remote endpoint is a narrower match to the client's IP address.
The IKE_AUTH phase now begins and cOS Stream finds out that the client wants to use PSK for authentication with an ID of id_a@somecompany.com.
Tunnel B no longer matches the client's authentication requirements. cOS Stream will therefore search the IPsec tunnel object list looking for another tunnel that can match and finds tunnel definition A.

The end result of these steps is that an IPsec tunnel is established but it uses the IKA SA established with tunnel B and the authentication established with tunnel A. This may not be the intended result so the administrator should take care when defining IPsec tunnel objects.

IPsec Rekeying

The Clavister NetShield Firewall supports IPsec rekeying. This means that a rekey of the IKE and IPsec Security Associations (SAs) will be initiated based upon the configured values in the proposal lists for IKE and IPsec. The lifetimes of the IKA SAs and IPsec SAs can be limited based on the time since they were created.

cOS Stream will respond to rekeying requests initiated by the MS as described by the IKEv2 specification.

IPsec Configuration Changes

The administrator should be aware of the effect of uploading a new configuration to a Clavister NetShield Firewall that is supporting live IPsec tunnels.

If any changes to the IPsec configuration are made as part of a new configuration, then any live IPsec tunnel connections will be terminated and must be reestablished.

This next section covers the steps for IPsec tunnel setup with cOS Stream in more detail.

13.2.9. Manually Keyed IPsec Tunnels

The Clavister NetShield Firewall provides the option to use manually keyed IPsec tunnels. This is done by using the IPsecManualKeyedTunnel object instead of the IPsecTunnel object.

The difference with a manually keyed tunnel is that the IKE phase of the tunnel setup is completely missing. This means that there is no proposal list involved and the integrity and encryption algorithms to use are specified manually along with other tunnel parameters.

Manually keyed tunnels are not normally used in a live production environment because the security is lower than a normal IPsec tunnel. However, they are often useful for testing purposes. Another advantage is that they provide extremely fast tunnel establishment times since the IKE phase is removed and the IKE processing overhead is absent.

Setting Up Manually Keyed Tunnels

To set up a manually keyed tunnel:

Add an IPsecManualKeyedTunnel to the configuration. This object is used as an interface in exactly the same way as an IPsecTunnel object and has exactly the same base properties such as LocalNetwork, RemoteNetwork, LocalEndpoint and RemoteEndpoint.
Add an ESP object as a child of the IPsecManualKeyedTunnel object. It is this ESP object which is used to statically define the algorithms and keys that will be used and it takes the place of the IKE negotiation.

Specifying the ESP Object

Only one ESP object needs to be added to a tunnel object. Multiple objects are allowed to support future tunnel features.

An ESP object represents the end result of an IKE negotiation had it taken place, and the assigned ESP object properties must match the parameters set for the remote end of the tunnel. In addition, an SPI (Security Parameter Index) value must be specified for both the incoming and outgoing traffic. The SPI value is inserted into traffic so that the different flow can be distinguished from each other.

The SPI values selected must match the values specified at the remote end of the tunnel, with the incoming SPI value for one end being the same as the outgoing SPI value at the other end. The SPI values must also be unique within the configuration. That is to say, two IPsecManualKeyedTunnel objects cannot share the same SPI value within the same configuration.

Example 13.3. Creating a Manually Keyed IPsec Tunnel

In the example, a manually keyed tunnel called mkt1 is created. It is assumed that the address book objects and PSK objects have already been created.

Command-Line Interface

First, create the IPsecManualKeyedTunnel object:

System:/> add Interface IPsecManualKeyedTunnel mkt1
			LocalNetwork=mkt1_local_net
			LocalEndpoint=mkt1_local_ip
			RemoteNetwork=mkt1_rem_net
			RemoteEndpoint=mkt1_rem_ip

Next, change the CLI context to be this IPsecManualKeyedTunnel:

System:/> cc Interface IPsecManualKeyedTunnel mkt1

Now, add the ESP object as a child:

System:/IPsecManualKeyedTunnel/mkt1> add ESP
			Encryption=3des
			EncryptionKeyIn=mkt1_ekey_in
			EncryptionKeyOut=mkt1_ekey_in
			Integrity=md5
			IntegrityKeyIn=mkt1_ikey_in
			IntegrityKeyIOut=mkt1_ikey_in
			SPIIn=1
			SPIOut=2

Finally, return to the default CLI context:

System:/> cc

13.3. Setting Up IPsec Tunnels

Overview

Other sections explore IPsec components in detail. This section provides a summary of the essential steps needed for IPsec setup.

It outlines the individual steps in setting up IPsec for the following scenarios:

IPsec LAN to LAN with Pre-shared Keys
IPsec LAN to LAN with Certificates

	Note: VPN tunnels themselves do not require IP rules
	As explained in Section 13.2.8, IPsec Tunnels, IP rules do not need to be defined in cOS Stream for VPN tunnel establishment. It is the data passing through a tunnel that requires IP rules which allow it to flow.

General Tunnel Setup Requirements

Before looking at each of these scenarios separately, it is useful to summarize the common requirements when setting up any VPN tunnel, regardless of the type.

Define the Tunnel

First, we must define the tunnel itself. cOS Stream has various tunnel object types which are used to do this, such as an IPsec Tunnel object.
A Route Must Exist

Before any traffic can flow into the tunnel, a route must be defined in a routing table. This route tells cOS Stream which network can be found at the other end of the tunnel so it knows which traffic to send into the tunnel.

In most cases, this route is created automatically when the tunnel is defined and this can be checked by examining the routing tables.

If a route is defined manually, the tunnel is treated exactly like a physical interface in the route properties, as it is in other aspects of cOS Stream. In other words, the route is saying to cOS Stream that a certain network is found at the other end of the tunnel.
Define an IP Rule to Allow VPN Traffic

An IP rule must be defined that explicitly allows traffic to flow between a network and the tunnel. As with route definitions, the tunnel is treated exactly like a physical interface when defining the IP rule.

IP rules are not created automatically after defining the tunnel object and if they do not exist then no traffic can flow through the tunnel and will be dropped instead.

The following sections will look at the detailed setup for each of the VPN scenarios listed earlier.

13.3.1. IPsec LAN to LAN with Pre-shared Keys

Create a new IPsecPSK object. This will contain the key as well as a unique combination of LocalID and RemoteID. It is this combination of local and remote ID that is used to associate the key with the tunnel.

Both local and remote ID can take on any string value such as an IP address or email address. They can also incorporate the wildcard asterisk ("*") character.

	Note: Wildcards cannot be combined in email addresses
	If the wildcard character is used in an email address, it must not be combined with other characters. For example, .user@somename.com cannot be used but .somename.com can.

Optionally create an IKEProposalList and/or IPsecProposalList object if the default proposal lists do not provide a set of algorithms that are acceptable to the tunnel remote end point. The ike_high and ipsec_high lists are the defaults.

An IKEProposalList object must contain at least one IKEProposal object. Similarly, an IPsecProposalList object must contain at least one IPsecProposal object. If PFS is required, the IPsec proposal must have DH groups specified otherwise PFS is disabled (the default).
In the Address Book create IP objects for:
- The remote VPN gateway which is the IP address of the network device at the other end of the tunnel. Let's call this object remote_gw.
- The remote network which lies behind the remote VPN gateway Let's call this object remote_net. This can be an IPv4 or IPv6 network.
- The local network behind the Clavister NetShield Firewall which will communicate across the tunnel. Here we will assume that this is the predefined address if1_net and this network is attached to the if1 interface which has the IP address if1_ip. The local network can also be an IPv4 or IPv6 network but the local and remote networks must be the same IP type.
Create an IPsecTunnel object (let's call this object my_tunnel). Specify the following tunnel properties:
- Specify the IKEVersion property as IKEv1 if it is not the default value of IKEv2.
- Set the IPaddress property of the tunnel. In most cases this can be set to something arbitrary such as 127.0.0.1. If NAT is being used on outgoing traffic, this should be set to an address in the local network.
- Set LocalEndpoint to if1_ip.
- Set LocalNetwork to if1_net.
- Set RemoteNetwork to remote_net.
- Set RemoteEndpoint to remote_gw.
- If not using the default ike_high list, set IKEProposalList to the proposal list to be used for the tunnel.
- If not using the default ipsec_high list, set IPsecProposalList to the proposal list to be used for the tunnel.
- Specify a LocalID for the tunnel. The combination of this and the RemoteID will identify the IPsecPSK object to use.
- Specify a RemoteID for the tunnel. This can be specified using the asterisk ("*") as a wildcard character.
- Specify the LocalAuthMethod to be PSK. By default, this also becomes the value for RemoteAuthMethod although the local and remote method could be set to different values.
The IPsec Tunnel object can be treated exactly like any Interface object in later steps.
Set up two IP rules in the IP rule set for the tunnel:
- An Allow rule for outbound traffic that has the previously defined my_tunnel object as the Destination Interface. The rule's Destination Network is the remote network remote_net.
- An Allow rule for inbound traffic that has the previously defined my_tunnel object as the Source Interface. The Source Network is remote_net.

Action	Src Interface	Src Network	Dest Interface	Dest Network	Service
Allow	if1	if1_net	my_tunnel	remote_net	all_services
Allow	my_tunnel	remote_net	if1	if1_net	all_services

The Service used in these rules is All but it could be a predefined service.

Define a new Route object which specifies that the VPN tunnel my_tunnel is the interface to use for routing packets bound for the remote network at the other end of the tunnel.

Interface	Network	Gateway
my_tunnel	remote_net	<empty>

Example 13.4. LAN to LAN IPsec Tunnel Setup with PSK

This example sets up a LAN to LAN IPsec tunnel with pre-shared keys using the steps describes above. It is assumed the address book has already been filled with the relevant address objects.

Assume the tunnel will connect the local network if3_net to a remote network remote_net. The tunnel extends from the local if3 interface to the remote endpoint remote_ep_ip.

To demonstrate how proposal lists can be customized, both IKE and IPsec will use only aes-128 for encryption and only aes-xcbc for integrity.

The IKE version is not specified so it defaults to IKEv2.

Command-Line Interface

1. Create an IPsecPSK object:

System:/> add IPsecPSK LocalID=site_local@local.com
			RemoteID=site_remote@remote.com
			Type=ASCII
			PSKAscii=somesharedsecretcode

2. Create an IKE proposal list to be used by the IPsec tunnel:

System:/> add IKEProposalList ike_pl

Now add the first IKE proposal to the list:

System:/> cc IKEProposalList ike_pl
System:/IKEProposalList/ike_pl> add IKEProposal
			EncryptionAlgorithms=aes128-cbc
			DHGroup=2
			IntegrityAlgorithms=aes-xcbc
			PRF=aes-xcbc

Return to the default CLI context:

System:/IKEProposalList/ike_pl> cc
System:/>

Create the IPsec proposal list in a similar way:

System:/> add IPsecProposalList ipsec_pl

Now add the following IPsec proposal to the list:

System:/> cc IPsecProposalList ipsec_pl
System:/IPsecProposalList/ipsec_pl> add IPsecProposal
			EncryptionAlgorithms=aes128-cbc
			IntegrityAlgorithms=md5

Return to the default CLI context:

System:/IPsecProposalList/ipsec_pl> cc
System:/>

3. Create address book objects:

This step is assumed and not shown in this example.

4. Create the IPsecTunnel object:

System:/> add Interface IPsecTunnel my_tunnel
			LocalAuthMethod=PSK
			LocalID=site_local@local.com
			LocalNetwork=if1_net
			LocalEndpoint=if1_ip
			RemoteEndpoint=remote_gw
			RemoteID=site_remote@remote.com
			RemoteNetwork=remote_net
			IPAddress=127.0.0.1
			IKEProposalList=ike_pl
			IPsecProposalList=ipsec_pl

5. Set up IP rules:

Change the current context to be the main rule set:

System:/> cc RuleSet IPRuleSet main

Add an IP rule to allow outbound traffic from the local network into the tunnel:

System:/IPRuleSet/main> add IPRule Action=Allow
			SourceInterface=if1
			SourceNetwork=if1_net
			DestinationInterface=my_tunnel
			DestinationNetwork=remote_net
			Service=all_services
			Name=lan_to_tunnel

Add the IP rule for inbound traffic:

System:/IPRuleSet/main> add IPRule Action=Allow
			SourceInterface=my_tunnel
			SourceNetwork=remote_net
			DestinationInterface=if1
			DestinationNetwork=if1_net
			Service=all_services
			Name=tunnel_to_lan

Restore the default CLI context:

System:/main> cc
System:/>

6. Define a route for the tunnel:

Change the current context to be the main routing table:

System:/> cc RoutingTable main

Add the route:

System:/RoutingTable/main> add Route Interface=my_tunnel Network=remote_net

Restore the default CLI context:

System:/main> cc
System:/>

Configuration changes are saved with an activate followed by a commit command.

13.3.2. IPsec LAN to LAN with Certificates

LAN to LAN security is often provided with pre-shared keys but sometimes it may be desirable to use X.509 certificates instead. If this is the case, Certificate Authority (CA) signed certificates may be used and these come from an internal CA server or from a commercial supplier of certificates.

Creating a LAN to LAN tunnel with certificates follows exactly the same procedures as the previous section where a pre-shared key was used. The difference is that certificates now replace pre-shared keys for authentication. In this case, specify the LocalAuthMethod to be Certificate. By default, the RemoteAuthMethod property will take on the same value so it does not need to be specified.

Two unique sets of two CA signed certificates (two for either end, a root certificate and a host certificate) are required for a LAN to LAN tunnel authentication. They are loaded into cOS Stream as globally available objects. Certificates are associated with a LocalID and it is this value which is used to associate them with a particular tunnel object.

The setup steps are as follows:

Connect to the management interface for the Clavister NetShield Firewall at one end of the tunnel.
Upload the Root Certificate and Host Certificate into cOS Stream using SCP. Using SCP is described further in Section 2.1.5, Secure Copy.

The host certificate needs to have 2 parts added: a certificate file and a private key file. The CA root certificate needs just the certificate file added.
If there is a certificate chain involved between the root and host certificates then all the certificates in the chain also need to be uploaded.
Define Certificate objects that use the uploaded files. These objects must be added as children to a CertificateStore object. With IPsec, they must be added to the predefined store called ipsec.
Set up the IPsecTunnel object in the same way as for pre-shared keys with the following differences:
- The LocalAuthMethod of the tunnel must be set to Certificate.
- The LocalID property of the tunnel must match the Subject or Subject Alt Name value in the host certificate.
- The LocalID and on one side of the tunnel must also match the RemoteID on the other side of the tunnel. For example, if one side has LocalID=my_id1 and RemoteID=my_id2 then the other side should have LocalID=my_id2 and RemoteID=my_id1.
  
  The RemoteID can alternatively be specified as the wildcard asterisk "*" character meaning that any LocalID on the other side of the tunnel is acceptable.
Connect to the management interface for the Clavister NetShield Firewall at the other side of the tunnel and repeat the above steps with a different set of certificates.

	Note: The system time and date should be correct
	The system date and time should be set correctly since certificates have an expiry date and time.

It is important to also review Section 16.2, CA Server Access below, which describes important considerations for certificate validation.

Example 13.5. LAN to LAN IPsec Tunnel Setup with Certificates

This example shows how to modify the previous LAN to LAN example to use certificates instead of PSK.

It assumes that the certificate files have been uploaded to cOS Stream using SCP. Assume the file name is my_ca_cert.cer for the root certificate and the filenames my_host_cert.cer plus my_host_cert.key for the host certificate.

Command-Line Interface

Change the CLI context to be the CertificateStore called ipsec:

System:/> cc CertificateStore ipsec
System:/CertificateStore/ipsec>

Add the CA certificate with its Type property set to Remote:

System:/CertificateStore/ipsec> add Certificate my_ca_cert
			Type=Remote
			CertificateData=file://my_ca_cert.cer

Add the host certificate which has its Type property set to Local:

System:/CertificateStore/ipsec> add Certificate my_host_cert
			Type=Local
			CertificateData=file://my_host_cert.cer
			PrivateKey=file://my_host_cert.key

Change the CLI context back to the default:

System:/CertificateStore/ipsec> cc
System:/>

Create the modified IPsec tunnel object:

System:/> add Interface IPsecTunnel my_tunnel
			LocalAuthMethod=Certificate
			LocalID=site_local@local.com
			LocalNetwork=if1_net
			LocalEndpoint=if1_ip
			RemoteEndpoint=remote_gw
			RemoteID=site_remote@remote.com
			RemoteNetwork=remote_net
			IPAddress=127.0.0.1
			IKEProposalList=ike_pl
			IPsecProposalList=ipsec_pl

13.3.3. IKE Config Mode

Overview

The Clavister NetShield Firewall supports IKEv2 Configuration Mode (Config Mode) for IPsec operation. Config mode is an extension to IKE that allows the provision of LAN configuration information to remote VPN clients during the IKE negotiation.

Config mode dynamically configures IPsec clients with IP addresses and corresponding netmasks, and also exchanges other types of information normally associated with DHCP. The IP address provided to a client can be either be based on a range of predefined static IP addresses defined for Config mode or it can come from DHCP servers via an IPPool object

An IP pool is a cache of IP addresses collected from DHCP servers. Leases for these addresses are automatically renewed by the pool when the lease time is about to expire. IP pools also manage additional information such as DNS and WINS/NBNS, just as an ordinary DHCP server would.

An IPPool object is added as a child to an IPsecTunnel object and a tunnel can only have one pool. If the pool gets its addresses from a DHCP server, the server can either be external or can be internal to cOS Stream.

Config Mode Setup

Config mode is set up with the following steps:

The CfgMode property of the IPsecTunnel is set to Server. The value of Server is used when it is cOS Stream that hands out IP addresses.
A single IPPool object is added as a child of the IPsecTunnel. This object specifies the source of the IP addresses. In most cases it will be a DHCP server.
If the IPPool object uses a DHCP server as the source of addresses, the DHCP server must be set up correctly to deliver those addresses. The DHCP server can be an external server but can also be the internal DHCP server in cOS Stream itself.

Setting the CfgMode property of the IPsec tunnel enables config mode and the IPPool object used to supply addresses will always be the object that is a child of the tunnel.

Example 13.6. Enabling Config Mode on an IPsec Tunnel

In this example, config mode will be enabled for an existing IPsecTunnel object called my_tunnel and an IPPool object will be added to the tunnel to define the pool used by config mode.

It is assumed that there is an external DHCP server (specified by the property DHCPServ) with the IP address dhcp_server_ip, which can be reached through the if1 interface.

Command-Line Interface

First, enable config mode on the IPsecTunnel object:

System:/> set Interface IPsecTunnel my_tunnel CfgMode=Server

Next, change the CLI context to be the tunnel:

System:/> cc Interface IPsecTunnel my_tunnel

Now, add an IPPool object as a child of the tunnel:

System:/Interface/IPsecTunnel/my_tunnel> add IPPool
			DHCPServ=dhcp_server_ip
			IPFilter=ms_pool_filter
			Iface=if1
			Prefetch=2000
			MaxFree=5000
			MaxClients=10000

Finally, return to the default CLI context:

System:/> cc

The following should be noted with the properties specified for the IP pool:

Prefetching addresses can improve performance since there will not be any waiting time for an IP. The number of prefetched IPs should be adjusted according to the size of the IP pool and expected tunnel setup rate.
The maximum number of free IPs must be equal to or greater than the prefetch property. The pool will start releasing (giving back IPs to the DHCP server) when the number of free clients exceed this threshold value.

13.3.4. IPsec Roaming Clients

An employee who is on the move and who needs to access to a central corporate server from a device over the Internet from different locations is a typical example where a roaming client IPsec connection is required.

IPsec Roaming Client Encryption and Authentication

When an IPsec tunnel is configured for roaming clients, authentication can be performed using either a pre-shared key (PSK) or using certificates and this is configured on the IPsecTunnel object.

Additional user authentication with IKEv2 is usually done by a client being asked for a username and password credential combination. IKEv2 handles this using EAP. Setting this up requires that an AuthenticationProfile is created that has its AgentType property set to the value EAP for IKEv2.The profile is then set as the value of the IPsec tunnel's AuthProfile property. An example of doing this can be found in Example 13.7, “Roaming Clients IPsec Setup”.

The AuthenticationProfile could use a local database as its authentication source but it could also use a RADIUS server instead (shown in the example).

Setting Up Certificates

The certificate on the client side must have a common name or subject alternative name that contains an email address, DNS, DN or IP address from the relevant domain. The asterisk * wildcard can be used to allow all trusted certificates. In Example 13.7, “Roaming Clients IPsec Setup”, the domain is example.com so the RemoteID property is assigned a value of *.example.com.

In a similar way, the firewall's own certificate must have a common name or subject alternative name that contains the value of the LocalID tunnel property. In Example 13.7, “Roaming Clients IPsec Setup”, this value is roaming-vpn@example.com. The same domain does not need to be used in the LocalID and RemoteID properties if the certificates are trusted CA signed certificates.

Tunnel Establishment Initiation

cOS Stream will not try and initiate tunnel establishment if there are multiple remote endpoints. This will be the case with roaming clients, where the RemoteEndpoint property of the tunnel will either be a network range or all-nets. It is therefore up to the client to initiate tunnel setup.

Adding Routes for Roaming Clients Dynamically

Usually, a route should be added to the routing table for each client as it connects. This can be done automatically by enabling the IPsec tunnel property AddRouteToRemoteNet (by default, this is disabled).

Only if cOS Stream initiates the tunnel connection would a static route to clients need to be created.

The Local Endpoint Property

Where clients are initiating IPsec connections, the client will send the initial IKE request to the IP address specified by the LocalEndpoint property. This must be specified.

Publishing Client IP Addresses Using Proxy ARP

It is possible to proxy ARP publish the IP addresses of connecting roaming clients on selected or all Ethernet interfaces by setting the ProxyARPInterfaces property of the IPsecTunnel object. This will allow networks on the interfaces specified to communicate with clients.

Allowing Clients Internet Access

If roaming clients require Internet access through the IPsec tunnel then the LocalNetwork property of the tunnel should be set to all-nets and the DestinationNetwork of an IP rule that allows traffic to flow would also be changed to all-nets.

The Client's Inner and Outer IPs Should Be Different

It is recommended that the inner and outer IP addresses for a roaming client tunnel are different. If they are the same, connections will be dropped by cOS Stream and a log message will be generated.

If the IP addresses must be the same, the situation can be corrected by using separate routing tables for the tunnel itself and the traffic the tunnel carries. Alternatively, cOS Stream can allocate a unique IP address to clients from an IP pool using Config Mode.

IKEv1 Roaming Clients

With IKEv1 roaming clients, the IPsecTunnel property IKEVersion must be set to a value of IKEv1 (the default is IKEv2). In addition, cOS Stream must use XAuth for tunnel authentication and this is configured using a number of XAuth related properties on the IPsecTunnel object.

Example 13.7. Roaming Clients IPsec Setup

This example describes how to configure an IPsec tunnel at a central firewall for IKEv2 roaming clients connecting to it on the interface if2 for remote access to the internal network 172.16.1.0/24. This protected network is located on the firewall's if3 interface. Certificate authentication will be used and incoming clients must also authenticate using EAP against a RADIUS server with the IP address 172.16.0.10.

It is also required that roaming clients should be reachable through the if1 and if4 interfaces so client addresses must be proxy ARPed on those interfaces.

Command-Line Interface

A. Create a DHCPServerRule to hand out IP addresses to clients:

System:/> cc DHCPServer
System:/DHCPServer> add DHCPServerRule dhcp_roaming
			Interface=if2
			IPAddressPool=192.168.1.201-192.168.1.254
			Netmask=255.255.255.0
System:/DHCPServer> cc
System:/>

B. Define the RADIUS server for EAP authentication:

System:/> add RadiusServer my_radius_server
			IPAddress=172.16.0.10
			SharedSecret=my-shared-radius-secret

C. Create an authentication profile:

System:/> add AuthenticationProfile clients_auth_profile
			LocalUserDB=""
			RemoteServer=my_radius_server
			AgentType=EAP

D. Create the IPsec tunnel:

System:/> add Interface IPsecTunnel my_tunnel
			LocalAuthMethod=Certificate
			RemoteAuthMethod=EAP
			CfgMode=Server
			LocalID=roaming-vpn@example.com
			RemoteID=*@example.com
			AddRouteToRemoteNetwork=True
			LocalNetwork=192.168.0.0/24
			RemoteNetwork=192.168.1.0/24
			LocalEndpoint=172.16.1.1
			RemoteEndpoint=all-nets
			ProxyArpInterfaces=if1,if4
			AuthProfile=clients_auth_profile

Note that RemoteAuthMethod must be set to EAP if the AuthProfile property is set.

E. Add an IP address pool to the tunnel:

System:/> cc Interface IPsecTunnel my_tunnel
System:/IPsecTunnel/my_tunnel> add IPPool
			DHCPserv=127.0.01
			Iface=core
			MaxClients=50
System:/IPsecTunnel/my_tunnel> cc
System:/>

Note that the DHCPserv property is not set to the name of an object. Instead, it is set to a network or IP address which matches a DHCP server. In this case, the server is local but it could be an external server.

F. Create an IP policy to allow traffic flow from clients:

System:/> cc RuleSet IPRuleSet main
System:/IPRuleSet/main> add IPRule Action=Allow
			SourceInterface=my_tunnel
			SourceNetwork=all-nets-ip4
			DestinationInterface=if3
			DestinationNetwork=172.16.1.0/24
			Service=all_services
			Name=roaming_clients_to_hq
System:/IPRuleSet/main> cc
System:/>

Configuring IPsec Roaming Client Software

Depending on the type of client used with IPsec, its configuration might require any of the following changes:

Specify the URL or IP address of the Clavister firewall so the client can locate the remote tunnel endpoint.
Specify the pre-shared key (PSK) if one is used for authentication. Alternatively, install certificates if those are required for authentication.
Specify the IKE and IPsec algorithms used so they can agree with the proposal list that cOS Stream will use.
Specify if the client will use config mode.

There are a variety of IPsec client software products available from third parties and also a number of IPsec clients that are already built into certain computing platforms. The network administrator should use the client that is best suited to their needs.

13.4. NAT Traversal

Both the IKE and IPsec protocols present a problem in the functioning of NAT. Both protocols were not designed to work with NAT and because of this, a technique called NAT Traversal (NAT-T) has evolved. This is an add-on to the IKE and IPsec protocols and it allows them to function when being NATed.

The Clavister NetShield Firewall supports the following standards for NAT traversal with IKE:

RFC 4306 for IKEv2.

NAT traversal is divided into two parts:

Additions to IKE that lets IPsec peers tell each other that they support NAT traversal, and the specific versions supported.
Changes to the ESP encapsulation. If NAT traversal is used, ESP is encapsulated in UDP, which allows for more flexible NATing.

NAT traversal is only used if both ends have support for it. For this purpose, NAT traversal aware VPNs send out a special "vendor ID" to tell the other end of the tunnel that it understands NAT traversal, and which specific versions of the draft it supports.

The NAT Detection Mechanism

To achieve NAT detection, both IPsec peers send hashes of their own IP addresses along with the source UDP port used in the IKE negotiations.

This information is used to see whether the IP address and source port each peer uses is the same as that which the other peer sees. If the source address and port have not changed, then the traffic has not been NATed along the way, and NAT traversal is not necessary. If the source address and/or port has changed, then the traffic has been NATed, and NAT traversal is used.

Changing Ports

Once the IPsec peers have decided that NAT traversal is necessary, the IKE negotiation is moved away from UDP port 500 to port 4500. This is necessary since certain NAT devices treat UDP packet on port 500 differently from other UDP packets in an effort to work around the NAT problems with IKE. The problem is that this special handling of IKE packets may in fact break the IKE negotiations, which is why the UDP port used by IKE has changed.

UDP Encapsulation

Another problem that NAT traversal resolves is that the ESP protocol is an IP protocol. There is no port information as we have in TCP and UDP, which makes it impossible to have more than one NATed client connected to the same remote gateway and at the same time. Because of this, ESP packets are encapsulated in UDP. ESP-UDP traffic is sent on port 4500, the same port as IKE when NAT traversal is used. Once the port has been changed, all following IKE communication is done over port 4500. Keep-alive packets are also sent periodically to keep the NAT mapping alive.

NAT Traversal Configuration

Most NAT traversal functionality is completely automatic and in the initiating firewall no special configuration is needed. However, for responding firewalls the following two points should be noted:

On responding firewalls, the Remote Endpoint field is used as a filter on the source IP of received IKE packets. This should be set to allow the NATed IP address of the initiator.
When individual pre-shared keys are used with multiple tunnels connecting to a single remote VPN peer which are then NATed out through the same address, it is important to make sure the Local ID is unique for every tunnel. The Local ID can be one of the following:
- IP - An IP address can be manually entered
- DNS - A DNS address can be manually entered
- Email - An email address can be manually entered

13.5. DiffServ with IPsec

The Differentiated Services (DiffServ) field in a packet can be used by network equipment to prioritize data traffic. The 8 bit DiffServ field consists of two parts: a 6 bit Differentiated Services Code Point (DSCP) and a 2 bit Explicit Congestion Notification (ECN). For IPsec, the DSCP bits related to a tunnel can be split into three types:

The DSCP bits of the packets involved in the IKE exchange for tunnel setup.
The DSCP bits of the outer tunnel IPsec packets.
The DSCP bits of the transported data inside the tunnel.

The administrator can alter the DSCP bits in the following ways:

For tunnel setup, the DSCP bits of IKE packets can have a specified fixed value.
The DSCP bits of the outer tunnel packets can be set to a fixed value or they can have the same value as the DSCP bits of the data inside the tunnel.

Setting up the above two options is described next.

Specifying the DSCP Bits for IKE Traffic

By default, all IKE packets sent by cOS Stream during tunnel setup have their DSCP value set to zero. This can be changed to a fixed value for a tunnel by setting the IKEDSCP property of the IPsecTunnel object. For example:

System:/> set Interface IPsecTunnel my_tunnel IKEDSCP=44

The IKE DSCP bits cannot be copied from other traffic, which can be done with the IPsec tunnel following the IKE negotiation.

Setting the DSCP Bits in the Outer Tunnel

By default, all IPsec outer tunnel packets sent by cOS Stream have their DSCP value set to zero. This can be changed to either of the following two options:

The DSCP bits can be set to a fixed value. This is done by setting the property DSCP for the IPsecTunnel object. For example:
```
System:/> set Interface IPsecTunnel my_tunnel DSCP=44
```
The DSCP bits can take on the value of the data transported inside the tunnel. This is done by setting the property CopyDSCP to a value of Yes for the IPsecTunnel object. For example:
```
System:/> set Interface IPsecTunnel my_tunnel CopyDSCP=Yes
```
If the CopyDSCP property is set to Yes, the DSCP property is ignored.

Propagating ECN Information Across the Tunnel

There is a 2 bit Explicit Congestion Notification (ECN) portion in the DiffServ field that is used to communicate network congestion information. To enable the propagation of ECN information about congestion from routers on the public outer network to the protected inner network, the ECN property of the IPsecTunnel object should be set to Yes. For example:

System:/> set Interface IPsecTunnel my_tunnel ECN=Yes

cOS Stream will now combine the ECN fields of the outer and inner IP header according to standardized rules.

13.6. IPsec Troubleshooting

This section deals with how to troubleshoot the common problems that are found with VPN.

13.6.1. General Troubleshooting

In all types of VPNs some basic troubleshooting checks can be made:

Check that all IP addresses have been specified correctly.
Check that all pre-shared keys and usernames/passwords are correctly entered.
Use ICMP Ping to confirm that the tunnel is working. With roaming clients this is best done by "Pinging" the internal IP address of the local network interface on the Clavister NetShield Firewall from a client (in LAN to LAN setups pinging could be done in any direction). If cOS Stream is to respond to a Ping then the following rule must exist in the IP rule set:

Action	Src Interface	Src Network	Dest Interface	Dest Network	Service
Allow	vpn_tunnel	all-nets-ip4	core	all-nets-ip4	ICMP

Ensure that another IPsec Tunnel definition is not preventing the correct definition being reached. The tunnel list is scanned from top to bottom by cOS Stream and a tunnel in a higher position with the Remote Network set to all-nets-ip4 and the Remote Endpoint set to none could prevent the correct tunnel being reached. A symptom of this is often an Incorrect Pre-shared Key message.
Try and avoid duplication of IP addresses between the remote network being accessed by a client and the internal network to which a roaming client belongs.

If a roaming client becomes temporarily part of a network such as a Wi-Fi network at an airport, the client will get an IP address from the Wi-Fi network's DHCP server. If that IP also belongs to the network behind the Clavister NetShield Firewall accessible through a tunnel, then Windows will still continue to assume that the IP address is to be found on the client's local network. Windows therefore will not correctly route packets bound for the remote network through the tunnel but instead route them to the local network.

The solution to this problem of local/remote IP address duplication is to create a new route in the client's Windows routing table that explicitly routes the IP address to the tunnel. For example, suppose 192.168.99.2 is the server to be reached, 192.168.0.0/24 is the remote network and 192.168.99.2 is assigned by L2TP or PPTP to the Windows computer. The Windows command line to add a route would be:
```
C:\> route add 192.168.0.2 mask 255.255.255.255 192.168.99.2
```
Is the correct tunnel being selected? When an external client connects, cOS Stream makes a decision about which IPsec tunnel object to use by choosing the tunnel that has the parameters that most closely match the incoming connection. However, the tunnel object selected in the initial exchange between client and cOS Stream may have to change because a mismatch is discovered in a later phase.

This can result, for example, in a situation where the proposal list matches one IPsec tunnel object but authentication matches another tunnel object. The administrator should be aware that this can happen so unexpected behavior can be understood. This topic is discussed with more depth in Section 13.2.8, IPsec Tunnels.

Troubleshooting IKEv1 XAuth

cOS Stream provides a set of properties in the IPSecTunnel object which are used only for testing purposes with IKEv1 when the XAuth property is set to either the value XAuthPSK or XAuthCert.

The properties are:

XAuthClient
XAuthUsername
XAuthPassword

They allow cOS Stream to behave like an IPsec client with a predefined set of authentication parameters. These properties are not used in a live traffic environment.

13.6.2. Troubleshooting Certificate Problems

If certificates have been used in a VPN solution then the following should be looked at as a source of potential problems:

Check that the correct certificates have been used for the correct purposes.

Check that the certificate .cer and .key files have the same filename. For example, my_cert.key and my_cert.cer.

Check that the certificates have not expired. Certificates have a specific lifetime and when this expires they cannot be used and new certificates must be issued.

Check that the system date and time is set correctly. If the system time and date is wrong then certificates can appear as being expired when, in fact, they are not.

Consider time-zone issues with newly generated certificates. The Clavister NetShield Firewall's time zone may not be the same as the CA server's time zone and the certificate may not yet be valid in the local zone.

Disable CRL (revocation list) checking to see if CA server access could be the problem. CA server issues are discussed further in Section 16.2, CA Server Access.

Use the ike CLI command to clear the certificate cache:
```
System:/> ike -certflush
```
cOS Stream uses the certificate version that is in the cache if it is there. If there has been a change to a certificate either locally or remotely then the cache may need to be updated.

The contents of the cache can be examined using only the -certshow option on its own. Some example output is given below:
```
System:/> ike -certshow
		
         IKE Certificates
		
#  Subject
-  ----------------------------------
1  C=SE, O=Clavister, OU=R&D, CN=TTG
2  C=SE, O=Clavister, OU=R&D, CN=TTG2
3  C=SE, O=Clavister, OU=R&D, CN=GGSN
4  DC=local, DC=devlab, CN=labsrv
```
The abbreviations found in this output have the following meanings for each cached certificate:

C - ISO3166 two character country code.
ST - State or province.
L - Locality. Usually a city.
O - Organization. Usually a company name.
OU - The organization unit. Typically, the certificate type.
CN - The common name. Typically a product name.
DC - The domain component.

The -verbose option with the -certshow option can provide more detailed information about the cache contents:

System:/> ike -certshow -verbose
		
                         IKE Certificates

#  Subject          Issuer          Valid From     Valid To      Status
-  ---------------  --------------  -------------  ------------  ------
1  C=SE,            DC=local,       2017-05-09     2018-05-09    Valid
   O=Clavister,     DC=lab,         06:37:00       06:47:00
   OU=R&D, CN=TTG   CN=labsrv
2  C=SE,            DC=local,       2017-06-28     2018-06-28    Valid
   O=Clavister,     DC=lab,         08:34:49       08:44:49
   OU=R&D, CN=TTG2  CN=labsrv
3  C=SE,            DC=local,       2017-07-28     2018-07-28    Valid
   O=Clavister,     DC=lab,         07:55:33       08:05:33
   OU=R&D, CN=GGSN  CN=labsrv
4  DC=local,        DC=local,       2017-10-11     2018-10-11    Valid
   DC=lab,          DC=lab,         10:09:29       10:17:17
   CN=labsrv        CN=labsrv

13.6.3. IPsec Troubleshooting Commands

A number of commands can be used to diagnose IPsec tunnel issues:

Using the flow CLI Command

IPsec traffic consists of ESP flows. A flow is unidirectional and ESP traffic consists of a single, unidirectional flow. ESP flows can be examined using the flow CLI command.

For example, all flows could be examined using the command:

System:/> flow -show

Proto   Source                        Destination                   Timeout
------- ----------------------------- ----------------------------- -------
ESP     core:53.0.0.1                 ext:53.0.1.2:0x757d8003       125
ICMP    ipsec-1:192.100.1.9:2048      gtp-1:192.200.0.1:17683       7
ESP     ext:53.0.1.2                  core:53.0.0.1:0x608f21ad      129
UDP     core:53.10.0.2:2152           int:53.10.0.1:2152            129
UDP     core:53.10.0.2:2123           int:53.10.0.1:2123            113
ESP     ext:53.0.1.2                  core:53.0.0.1:0x42c5fd04      75
UDP     core:172.22.53.101:514        mgm:172.22.53.1:514           125

	Caution: ESP uses hexadecimal numbers in flow output
	It is important to be aware that instead of decimal port numbers in the flow command output for ESP, the values displayed are SPI numbers and these are specified using hexadecimal.

The reverse flows for the above can be displayed using the -verbose option:

System:/> flow -show -verbose

Proto   Source                        Destination                   Timeout
------- ----------------------------- ----------------------------- -------
ESP     core(0):53.0.0.1              ext:53.0.1.2:0x757d8003       126
...rev: core(0):53.0.0.1              ext:53.0.1.2:0x757d8003       126
ICMP    ipsec-1(33):192.100.1.9:2048  gtp-1:192.200.0.1:17683       7
...rev: ipsec-1(33):192.100.1.9:17683 gtp-1:192.200.0.1:0           7
ESP     ext(0):53.0.1.2               core:53.0.0.1:0x608f21ad      129
...rev: ext(0):53.0.1.2               core:53.0.0.1:0x608f21ad      129
UDP     core(0):53.10.0.2:2152        int:53.10.0.1:2152            129
...rev: core(0):53.10.0.2:2152        int:53.10.0.1:2152            129
UDP     core(0):53.10.0.2:2123        int:53.10.0.1:2123            110
...rev: core(0):53.10.0.2:2123        int:53.10.0.1:2123            110
ESP     ext(0):53.0.1.2               core:53.0.0.1:0x42c5fd04      72
...rev: ext(0):53.0.1.2               core:53.0.0.1:0x42c5fd04      72
UDP     core(0):172.22.53.101:514     mgm:172.22.53.1:514           121
...rev: core(0):172.22.53.101:514     mgm:172.22.53.1:514           121

	Note
	The reverse flows in the output above (beginning with "...rev:") have the source and destination shown in reverse order so they do not match the column heading.

The displayed list can be filtered using any of a number of filtering parameters. For example, all flows that have a destination of the IPsec tunnel called my_tunnel could be examined with the command:

System:/> flow -show -destiface=my_tunnel

All options for the flow command can be found in the separate CLI Reference Guide.

The ike -stat CLI Command

The following command can provide a snapshot of the current state of negotiated tunnels:

System:/> ike -stat

This can be used to show that IPsec tunnels have been correctly established. A typical example of output from this command is shown below:

System:/> ike -stat
			
         IKE Statistics

Statistic                     Value
----------------------------  -----
IKE SAs active                2
IKE SA negotiations active    0
IKE SA negotiations done      3
IKE SA negotiations failed    1
IKE SA rekeys active          0
IKE SA rekeys done            0
IKE SA rekeys failed          0
 
IPsec SAs active              2
IPsec SA negotiations active  0
IPsec SA negotiations done    2
IPsec SA negotiations failed  0
IPsec SA rekeys active        0
IPsec SA rekeys done          0
IPsec SA rekeys failed        0

The ike -stat command provide a static view of IPsec tunnels. To see what is happening during the IKE negotiation of tunnel setup, the -snoop option should be used and this is discussed next.

13.6.4. Using ike -snoop

VPN Tunnel Negotiation

When setting up IPsec tunnels, problems can arise because the initial negotiation fails when the network devices at either end of a VPN tunnel try but fail to agree on which protocols and encryption methods will be used.

The CLI command ike -snoop is a tool that can be used to identify such problems by showing the details of the exchanges that occur when the peers at either end of the IPsec tunnel try to agree on a mutually acceptable set of algorithms. The algorithm lists they exchange are often referred to as proposal lists.

Using ike -snoop

The ike -snoop command is entered via a CLI console.

To begin monitoring with basic, summarized output, the full CLI command is:

System:/> ike -snoop -brief

This causes diagnostic output to be continuously sent to the console for all VPN tunnel IKE negotiations that take place, regardless of interface.

To turn off monitoring, the command is:

System:/> ike -snoop -off

Presented below is some typical ike -snoop output (the formatting has been changed slightly to fit the page). The tunnel negotiation considered is based on pre-shared Keys. A negotiation based on certificates is not discussed here but the principles are the same.

SNOOP: IKEv2: 2010-05-31 12:30:09 172.22.53.18:500 <- 172.22.53.23:500
 IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
SNOOP: IKEv2: 2010-05-31 12:30:09 172.22.53.18:500 -> 172.22.53.23:500
 IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
SNOOP: IKEv2: 2010-05-31 12:30:09 172.22.53.18:500 <- 172.22.53.23:500
 IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(INIT_CONTACT) N(ESP_TFC_PAD_N)
   N(NON_FIRST_FRAG) ]
SNOOP: IKEv2: 2010-05-31 12:30:09 172.22.53.18:500 -> 172.22.53.23:500
 IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]

In these listings the direction of packet movement is indicated by the <- and -> symbols. The IPv4 address and port number given on the left side of these symbols is local. The address and port number given on the right side is remote. Each packet movement is preceded by a timestamp.

Consider the first part:

	172.22.53.18:500 <- 172.22.53.23:500

Indicates that an initial request to set up a security association was made and originates from remote IPv4 address 172.22.53.23, port 500, which will be the remote tunnel endpoint. This was received at local IPv4 address 172.22.53.18, port 500 on the local firewall and this will be the local tunnel endpoint.

The nature of this request is described next:

IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]

It is a security association (SA) initialization and the various abbreviations describe the details:

KE - Key Exchange
No - NONCE
N - Notify

The notification payloads in this case are NATD_S_IP and NATD_D_IP.

The second part of the output shows the local firewall sending the IKE response back to IPv4 address 172.22.53.23:

	172.22.53.18:500 -> 172.22.53.23:500

The third part of the output (IKE_AUTH request 1) is a request from the remote tunnel endpoint 172.22.53.23 to try and agree algorithms:

IDi AUTH SA TSi TSr N(INIT_CONTACT) N(ESP_TFC_PAD_N) N (NON_FIRST_FRAG)

The actual algorithms in the proposal lists sent by each tunnel peer are not shown in this summary version of the ike command. However, the sequence of steps leading to success or failure are shown.

Complete ike command options and abbreviation descriptions can be found in the Clavister cOS Stream CLI Reference Guide.

13.6.5. Management Interface Failure with VPN

If any VPN tunnel is set up and then the management interface no longer operates then it is likely to be a problem with the management traffic being routed back through the VPN tunnel instead of the correct interface.

This happens when a route is established in the main routing table which routes any traffic for all-nets-ip4 through the VPN tunnel. If the management interface is not reached by the VPN tunnel then the administrator needs to create a specific route that routes management interface traffic leaving the Clavister NetShield Firewall back to the management sub-network.

13.6.6. Specific Error Messages

This section will deal with specific error messages that can appear with VPN and what they indicate. The messages discussed are:

1. Could not find acceptable proposal / no proposal chosen.
2. Incorrect pre-shared key.
3. Ike_invalid_payload, Ike_invalid_cookie.
4. Payload_Malformed.
5. No public key found.

1. Could not find acceptable proposal / no proposal chosen

This is the most common IPsec related error message. It means that depending on which side initiates tunnel setup, the negotiations in either the IKE or the IPSec phase of setup failed since they were unable to find a matching proposal that both sides could agree on.

Troubleshooting this error message can be involved since the reasons for this message can be multiple depending on where in the negotiation it occurred.

If the negotiation fails during phase-1 – IKE

The IKE proposal list does not match. Double check that the IKE proposal list matches that of the remote side. A good idea is to use the ike -snoop -full command in the console and get the tunnel to initiate the tunnel from the remote side. You will be able to then see what proposals the remote side is sending and then compare the results with your own IKE proposal list. At least one proposal has to match in order for it to pass phase-1. Don't forget that the lifetimes are also important.
If the negotiation fails during phase-2 – IPsec

The IPsec proposal list does not match. Double check that the IPsec proposal list matches that of the remote side. The same method described above of using ike -snoop can be used from when the remote side initiates the tunnel and compare it against your own proposal list. What is "extra" in the IPsec phase is that the networks are negotiated here. Even if the IPsec proposal list seems to match the problem may be with mismatching networks. The Local Network(s) on your side needs to be the Remote Network on the other side and vice versa. Remember that multiple networks will generate multiple IPsec SAs, one SA per network (or host if you use that option). The defined network size is also important in that it must have exactly the same size on both sides, as will be mentioned again later in the symptom section.

There are also some cOS Stream settings on the IPsec tunnel that can be involved in a no-proposal chosen issue. Such as Main or Aggressive mode, DH Group (for the IKE phase) and PFS (for IPsec phase).

2. Incorrect pre-shared key

A problem with the pre-shared key on either side has caused the tunnel negotiation to fail. This is perhaps the easiest of all the error messages to troubleshoot since it can be only one thing, and that is an incorrect pre-shared key. Double-check that the pre-shared key is also of the same type (Passphrase or Hex-key) and correctly added on both sides of the tunnel.

Another reason for why cOS Stream detects that the pre-shared key is incorrect could be because the wrong tunnel is triggering during tunnel negotiations. IPsec tunnels are processed from the top to the bottom of the system tunnel list and are initially matched against the remote gateway. An example is if there is a roaming tunnel that uses all-nets-ip4 as its remote gateway. This tunnel will trigger before your defined tunnel if it is above it in the tunnel list.

3. Ike_invalid_payload, Ike_invalid_cookie

In this case the IPsec engine in cOS Stream receives an IPsec IKE packet but is unable to match it against an existing IKE.

If a VPN tunnel is only established on one side, this can be the resulting error message when traffic arrives from a tunnel that does not exist. An example would be if, for some reason, the tunnel has only gone down from the initiator side but the terminator still sees it as up. It then tries to send packets through the tunnel but when they arrive at the initiator it will drop them since no matching tunnel can be found.

Simply remove the tunnel from the side that believes it is still up to solve the immediate problem. An investigation as to why the tunnel only went down from one side is recommended. It could be that DPD and/or Keep-Alive is only used on one side. Another possible cause could be that even though it has received a DELETE packet, it has not deleted/removed the tunnel.

4. Payload_Malformed

This problem is very similar to the Incorrect pre-shared key problem described previously. A possible reason is that the PSK is of the wrong TYPE on either side (Passphrase or Hex key).

Verify that you are using the same type on both sides of the IPsec tunnel. If one side is using Hex and the other Passphrase, this is most likely the error message that you will receive.

5. No public key found

This is a very common error message when dealing with tunnels that use certificates for authentication.

Troubleshooting this error message can be very difficult. It is very important to keep in mind that when dealing with certificates it may be required to combine the output from ike -snoop with standard event logs because ike -snoop does not give that much information about certificates. A good suggestion before starting to troubleshoot certificate based tunnels is to first configure it as a PSK tunnel and then verify that it can successfully establish, then move on to using certificates. (Unless the configuration type prohibits that).

The possible causes are as follows:

The certificate on either side is not signed by the same CA server.
The certificate's validity time has expired or it has not yet started to be valid. The latter can happen if the clock is set incorrectly on either the CA server or the Clavister NetShield Firewall or they are in different time zones.
The Clavister NetShield Firewall is unable to reach the Certificate Revocation List (CRL) on the CA server in order to verify if the certificate is valid or not. Double-check that the CRL path is valid in the certificate's properties. (Using the CRL feature could be turned off.) Make sure also that there is a DNS client configured in cOS Stream in order for it to be able to correctly resolve the path to the CRL.

13.6.7. Specific Symptoms

The tunnel can only be initiated from one side

This is a common problem and is due to a mismatch of the size in local or remote network and/or the lifetime settings on the proposal list(s).

To troubleshoot this, the settings for the local network, remote network, IKE proposal list and IPsec proposal list on both sides need to be examined to try to identify a miss-match.

For example, suppose there are the following IPsec settings at either end of a tunnel:

Side A

Local Network = 192.168.10.0/24
Remote Network = 10.10.10.0/24
Side B

Local Network = 10.10.10.0/24
Remote Network = 192.168.10.0/16

In this scenario, the defined remote network on Side B is larger than that defined for Side A's local network. This means that Side A can only initiate the tunnel successfully towards Site B as its network is smaller. When Side B tries to initiate the tunnel, Side A will reject it because the network is bigger than what is defined. The reason it works the other way around is because a smaller network is considered more secure and will be accepted. This also applies to the lifetimes in the proposal lists.

Chapter 14: SSL VPN

cOS Stream provides an additional type of VPN connection called SSL VPN. This makes use of the SSL/TLS protocol to provide a secure tunnel between a remote client computer and a network behind the Clavister NetShield Firewall.

SSL VPN is configured in cOS Stream by creating an SSLVPNServer object which listens for SSL/TLS client connections on all or specific Ethernet interfaces and provides client access to a specific local network behind the firewall. The SSLVPNServer object is itself treated as an interface in the firewall configuration and can be referenced like an interface by other configuration objects, such as an IPRule.

The typical SSL VPN scenario is illustrated in the diagram below where a client running SSL VPN software has access to hosts on a protected local network behind a firewall.

Figure 14.1. SSL VPN

Advantages of SSL VPN

A primary advantage of SSL VPN is that it can provide an encrypted SSL/TLS tunnel for traffic between a client and a network behind a firewall, using readily available client software.

A secondary advantage is that in many environments where roaming clients have to operate, such as hotels and airports, the network equipment may not allow another tunneling protocol like IPsec.

SSL VPN Client Software Requirements

The Clavister NetShield Firewall implementation of SSL VPN supports clients that are OpenVPN® compatible. A detailed discussion of client configuration is covered later in this section. (Legal notice: © 2002-2017 OpenVPN Inc. OpenVPN is a registered trademark of OpenVPN Inc.)

Minimum Supported SSL/TLS Version

The minimum supported SSL/TLS version of connecting clients for the SSL VPN feature is TLS version 1.2.

Summary of SSL VPN Setup Steps

SSL VPN setup requires the following configuration steps to be performed:

Using SCP, upload the following certificates to cOS Stream:
- A server certificate which will be sent to connecting SSL VPN clients during authentication. This consists of public and private key files.
- Any certificate chain files which the client will need to authenticate the server certificate because it was signed by an intermediate CA.
- One or more CA root certificate files which will be used to authenticate the certificate received from SSL VPN clients.
A Certificate object should be created in the firewall configuration for each of the uploaded certificates. The Type property for each object will be Local for the server certificate and Remote for the others.

The Certificate objects must be added as children of a CertificateStore object. The default store called ipsec could be used for this purpose but it is often better to create a new store and give it a name such as sslvpn. Any reference to a Certificate object must be qualified by the name of the store in which it is found. For example, sslvpn/my_ca_cert.
Set up User objects in a LocalUserDatabase which have the username and password of connecting SLL VPN clients. A new LocalUserDatabase might be created just to only hold SSL VPN client credentials.
Create an AuthenticationProfile object with its LocalUserDB property set to the database containing the credentials of the connecting clients.
Create an address book IP object which specifies a range of IP addresses. This will act as a pool of addresses which will be handed out to clients.
If client connections are only to be accepted from a specific IP range then define this range in an address book IP object.
Create an SSLVPNServer object and configure, at a minimum, the following mandatory properties:
- LocalEndpoint - The IP of the outer tunnel endpoint to which clients connect.
- ServerCert - The SSL server certificate sent to the client.
- ServerIntermediateCert - Any certificate chain needed with the server certificate.
- ClientCACert - The certificate sent by the client must be signed by this certificate.
- AuthProfile - The previously defined AuthenticationProfile object.
- LocalNetwork - The protected network clients are allowed to access.
- ClientIPAddresses - The IP address range to hand out to clients.
- IPAddress - The IP address of the inner local tunnel endpoint.
Other optional properties are discussed later in this section.
Ensure that a route exists that routes the LocalEndpoint IP address on the core interface. This will already exist as a predefined route if the LocalEndpoint is set to an interface's default IPv4 address object. For example, ip_if2 is already routed on core for the if2 interface.

Note that routes for client IPs will automatically be added as they connect and receive an IP address from the pool.
Create an IPRule object that will allow traffic from the SSLVPNServer interface to the protected network.
Make sure the SSL VPN client is correctly configured. Doing this is described next.

Configuring the VPN SSL Client

The following should be noted when configuring the SSL VPN client:

A certificate must be installed in the client that can be authenticated by a CA root certificate configured in the firewall's SSLVPNServer object.
The client must be configured to connect to the LocalEndpoint IP address of the firewall's SSLVPNServer object.
The client needs to be configured to use a TUN device (not TAP) with either UDP or TCP. Note that the protocol selected must match the protocol allowed by the TransportProtocol property of the SSLVPNServer object.
Compression must be disabled as this is not supported by the firewall.
The TLS client mode should be used. The alternative of peer-to-peer is not currently supported.
The TLS extra-authentication option found in some clients is also not supported.

SSLVPNServer Object Properties

To configure SSL VPN, an SSLVPNServer object must be defined. The key object properties are as follows, divided up into mandatory and optional properties:

Mandatory Properties

ClientIPAddresses

The pool of addresses from which client IP addresses are allocated. This is specified directly as an address range or as an address book object that specified a range. A private IP address range should be used for this purpose. All IPs must belong to the same network.
LocalEndpoint

The Ethernet interface IP address on which to listen for SSL VPN connection attempts by clients. This will typically be a public IPv4 or IPv6 address which will be initially accessed using a web browser across the public Internet.
LocalNetwork

The protected network that the clients will be allowed access to.
AuthProfile

The AuthenticationProfile object that will be used to authenticate the credentials of connecting users.
ServerCert

The Certificate object for the host certificate that will be sent to the client. The Type property of this object will be set to Local.
ClientCACert

The Certificate object for the CA root certificate that will validate the certificate sent by the client. The Type property of this object will be set to Remote.

More than one such Certificate object can be specified for this property as a comma separated list.
IPAddress

This is the IP address of the local endpoint inside the tunnel. This must be an IP address that belongs to the same network as the pool of addresses specified by the ClientIPAddresses property.

This IP address does not have to be explicitly excluded from the range specified by ClientIPAddresses. cOS Stream will automatically exclude the IPAddress value from the addresses handed out to connecting clients.

	Tip: The inner IP address can be pinged
	For troubleshooting purposes, an ICMP Ping message can be sent to the IPAddress property of the tunnel. However, in order for cOS Stream to be able to respond, an IP rule must exist that allows traffic to flow from the SSL VPN interface to core (in other words, to cOS Stream itself).

Optional Properties

DNS1 and DNS2

Up to two DNS server addresses can be specified which will be handed to a client when it connects for performing FQDN lookups. The DNS addresses can be specified as a raw IP address or as the name of an address book object.
ServerIntermediateCert

The Certificate object for any certificate chain. If the server certificate was signed by an intermediate CA, this needs to be also sent to the client so it can authenticate the server certificate.

More than one such Certificate object can be specified for this property as a comma separated list.

Note that an alternative to specifying the intermediate chain separately is to manually concatenate the chain file to the public key file of the server certificate before creating the Certificate object for the server certificate. However, this can only be done if the certificates are ASCII PEM encoded. If certificates are binary DER encoded they will have to be specified separately using this property.
RemoteEndpoint

This specifies the acceptable IP addresses of connecting clients. The default is all-nets (any IP).
TransportProtocol

This property can be set to a value of TCP, UDP or TCPUDP. The default value is TCPUDP which will allow either protocol to be used. Note that the value of this property must match the expected protocol settings of the connecting OpenVPN clients.

TCP has the advantage that it can function in almost all network environments, such as where a connection is being made via a public WiFi service. For example, in an airport. However, there will be a slight throughput overhead if TCP is used. UDP is preferable if there is a need to maximize throughput.
TCPPort

The TCP port on which the server is listening for incoming TCP connections. The default value is 443.
UDPPort

The UDP port on which the server is listening for incoming UDP connections. The default value is 1194.
SourceInterface

The interface or interfaces on which to listen for SSL VPN connections. If not specified it defaults to all interfaces. More than one interface can be specified by using an InterfaceGroup object.

Any interface can listen for SSL VPN connections, including VLAN interfaces.
ClientGeolocation

A GeolocationFilter can be specified so only connections coming from clients is a given geographical area will be accepted. The default is any-region.
ProxyARPInterfaces

A list of interfaces can be specified on which to ARP publish client IP addresses.

Usually, the only time that this option needs to be used is when the IP addresses assigned to clients are part of an already existing subnet that clients need access to. If that is the case, proxy ARP must be enabled for the interface connected to the subnet. If traffic is already correctly routed by cOS Stream, this is not needed.
LogEnabled

If enabled then client connections generate log messages. The default value is Yes.
KeepAliveInterval

The interval between keep-alive messages sent by the server. The default value is 10 seconds.
KeepAliveTimeout

The server will close a connection if no keep-alive messages are sent by the client for this amount of time. The default value is 120 seconds. The value of this setting should usually be greater than the KeepAliveInterval.
ReplayWindow

The size of the window used to store previous packet IDs to prevent a replay attack on the data channel. The value is expressed as the number of IDs to store. The default value is 512.
DataChannelCipher

The encryption algorithm used for the data channel. This defaults to AES-256-GCM.
ControlChannelCipher

The encryption algorithms for the control channel. This defaults to the following:
- ECDHE-RSA-AES256-GCM-SHA384.
- ECDHE-ECDSA-AES256-GCM-SHA384.
- DHE-RSA-AES256-GCM-SHA384.

The complete list of SSLVPNServer object properties can be found in the separate CLI Reference Guide.

Support For IPv6

There are no restrictions on the use of IPv6 with SSL VPN in cOS Stream. Either IPv4 or IPv6 can be used for all the IP addresses when configuring SSL VPN. It also possible to have both, with all IPV6 outside the tunnel and all IPv4 inside the tunnel or the other way around.

However, there may be restrictions imposed on IPv4 and IPv6 usage by the VPN client software selected and this should be checked by the administrator before configuring SSL VPN. The example below uses only IPv4 addresses.

Example 14.1. Configuring an SSL VPN Server

This example shows how to configure an SSL VPN server in cOS Stream that will provide secure access by connecting clients to a protected network behind the firewall.

The following assumptions are made:

The firewall's Ethernet interface if2 will be used to listen for client connections coming from the Internet and this has the public IPv4 address if2_ip. The address if2_ip is already routed on core so no route needs to be added for this.
Client connections will be made using SSL VPN to hosts located on the protected IPv4 network if3_net (10.0.0.0/24) connected to the firewall's if3 Ethernet interface.
The IPv4 addresses handed out to connecting clients will be come from the address range defined by the address book object ssl_vpn_pool which has the range 192.168.1.115 -> 192.168.1.120.
Only TCP connections will be allowed.
The internal local endpoint IPv4 address is 192.168.1.110 and this is defined by the address book object int_local_ip.
Authentication of client credentials will be performed against a new and separate local database of users that will be called ss_vpn_users.
A geolocation filter will be added so that connections will only be allowed from source IP addresses in a given location.
The appropriate SSL client software has been installed and configured correctly on the connecting client devices.

The diagram below illustrates the scenario which will be set up in this example.

Command-Line Interface

1. Upload the CA, server and any chain certificate files to the firewall using SCP.

2. Create Certificate objects for the uploaded files:

Create a CertificateStore for SSL VPN:

System:/> add CertificateStore sslvpn

Add the Certificate objects as children of the store. First, the CA root certificate:

System:/> cc CertificateStore sslvpn
System:/CertificateStore/sslvpn> add Certificate ca_cert
			Type=Remote
			CertificateData=file://ca_cert.cer

Then add the server's host certificate:

System:/CertificateStore/sslvpn> add Certificate server_cert
			Type=Local
			CertificateData=file://server_cert.cer
			PrivateKey=file://server_cert.key

Optionally add any chain certificate that is needed because the host certificate was issued by an intermediate authority:

System:/CertificateStore/sslvpn> add Certificate server_cert_chain
			Type=Remote
			CertificateData=file://server_cert_chain.cer

System:/CertificateStore/sslvpn> cc
System:/>

3. Create a LocalUserDatabase and add at least one user:

System:/> add LocalUserDatabase ssl_vpn_users
System:/> cc LocalUserDatabase ssl_vpn_users
System:/LocalUserDatabase/ssl_vpn_users> add User client1
			Password=someobscurepassword
System:/LocalUserDatabase/ssl_vpn_users> cc
System:/>

4. Create an AuthenticationProfile object:

System:/> add AuthenticationProfile my_auth_profile
			LocalUserDB=ssl_vpn_users

5. Optionally create a GeolocationProfile object:

System:/> add GeolocationFilter my_geo_filter
			Regions=EU
			MatchUnknown=No

6. Create an SSLVPNServer object:

System:/> add Interface SSLVPNServer my_sslvpn_server
			TransportProtocol=TCP
			AuthProfile=my_auth_profile
			ClientCACert=sslvpn/ca_cert
			ServerCert=sslvpn/server_cert
			ServerIntermediateCert=sslvpn/server_cert_chain
			LocalNetwork=if3_net
			ClientIPAddresses=ssl_vpn_pool
			LocalEndpoint=if2_ip
			IPAddress=int_local_ip
			SourceInterface=if2
			RemoteEndpoint=all-nets-ip4
			SourceGeolocation=my_geo_filter

7. Create an IPRule for the traffic inside the tunnel:

System:/> cc RuleSet IPRuleSet main
System:/IPRuleSet/main> add IPRule Action=Allow
			Service=all_services
			SourceInterface=my_sslvpn_server
			SourceNetwork=all-nets-ip4
			DestinationInterface=if3
			DestinationNetwork=if3_net
			Name=ssl_to_if3

Providing Internet Access Via SSL VPN

It is possible to provide Internet access to clients through an SSL VPN tunnel. Using the setup in the example above as the starting point, assume that the firewall's if1 interface is connected to the Internet and the network all-nets is routed on this interface in the configuration. The following steps are needed to give Internet access to SSL VPN clients:

Set the LocalNetwork of the SSLVPNServer to a value of all-nets (or in this case, all-nets-ip4 for IPv4 only access):
```
System:/> set Interface SSLVPNServer my_sslvpn_server
			LocalNetwork=all-nets-ip4
```

Create an IPRule to allow traffic from the tunnel to flow to the Internet:

System:/> cc RuleSet IPRuleSet main
System:/IPRuleSet/main> add IPRule Action=Allow
			SourceInterface=my_sslvpn_server
			SourceNetwork=all-nets-ip4
			DestinationInterface=if1
			DestinationNetwork=all-nets-ip4
			Service=all_services
			Name=ssl_to_internet

Ensure that there is a default route set up in the client that correctly routes Internet traffic into the SSL VPN tunnel. An existing default route may not do this. Some SSL VPN client software may have an option that will ensure all traffic is sent through the tunnel.

SSL VPN Global Settings

The configuration object SSLVPNSettings object allows a set of global properties to be changed for all SSLVPNServer objects. They consist of the following:

RateLimitCtrlChan

This is the maximimum number of packets per second allowed over the SSL control channel. Setting this to zero will remove any limit.

Default value: 50 packets/second
RateLimitWindowCtrlChan

This is the time window over which an average measurement is taken to estimate the control channel packet rate. The wider the window, the more likely that peaks and troughs in activity will be averaged out and the less likely that the RateLimitCtrlChan setting will be unnecessarily triggered.

Default value: 2 seconds
RekeyTransitionWindow

The number of seconds that an old key is valid after the rekey negotiation has begun.

Default value: 3600 seconds
RekeyInterval

How often rekeying is performed.

Default value: 3600 seconds
HandshakeTimeout

The maximum length of time allowed for a key exchange over the control channel.

Default value: 60 seconds

Example 14.2. Changing an SSL VPN Advanced Setting

This example shows how to reduce the SSL rekey interval to 1800 seconds.

Command-Line Interface

System:/> set Settings SSLVPNSettings RekeyInterval=1800

Chapter 15: SSL Inspection

The feature SSL Inspection allows cOS Stream to apply its range of security features, for example IPS, to flows which are encrypted using SSL/TLS. This is done by the firewall detecting the opening of an SSL/TLS flow on an interface and sending the initiating client the SSL certificate instead of the final destination sending it. The firewall can then decrypt the traffic and process it as plain text before forwarding it on to the original destination in either plain text or re-encrypted form.

The typical scenario which this Clavister NetShield Firewall feature is intended for is illustrated in the diagram below. Here, a remote client is opening an SSL/TLS flow across the public Internet to a server. The firewall mediates the communication so it appears to be the server from the client's perspective and appears to be the client from the server's perspective. Neither the client or the server are aware that the firewall is applying additional security checks to the traffic that flows between them.

Figure 15.1. SSL Inspection

A key requirement for setting up SSL inspection is having the certificates used by the destination server available for upload to the firewall. There is no requirement for anything extra to be installed on the connecting client.

A Summary of SSL Inspection Setup

Setting up SSL inspection with cOS Stream involves the following steps:

Upload the server certificate files to cOS Stream using SCP. This consists of the SSL certificate (with its private key) and any certificate chain file if the SSL certificate was signed by an intermediate CA. The public key of the SSL certificate will be sent to clients along with any intermediate chain. The chain allows a client to validate an SSL certificate not signed directly by a CA.
Create Certificate objects in cOS Stream for the uploaded certificate files.

The Certificate objects must be added as children of a CertificateStore object. The default store called ipsec could be used for this purpose but it is often better to create a new store and give it a name such as sslins. Any reference to a Certificate object must be qualified by the name of the store in which it is found. For example, sslins/my_ca_cert.
Create an SSLInspectionProfile object. This has properties to set parameters such as the minimum SSL version.
Add one or more child SSLServer objects to the SSLInspectionProfile parent. More than one SSLServer will be defined if name-based virtual hosting is being used where a single server (usually a web server) is hosting multiple DNS hostnames on the same IP address. The ServerNameIndication property of the SSLServer objects is used to decide which is used. The default SSLServer object is always the first in the list so the ordering is important.

The relevant Certificate objects for the SSL certificate and the certificate chain must also be associated with each SSLServer object. These are the same certificates that would be used by the destination server. The SSL certificate should have a SubjectAltName field that contains the relevant domain name.
Associate the SSLInspectionProfile with an IPRule object which triggers on the traffic to be inspected as it passes through the firewall. The rule might use address translation like SAT or it might be a simple Allow rule with no translation.
Create another rule that will perform some action on the unencrypted traffic. For example, an IPSRule. This rule must trigger on the same filtering criteria as the IPRule above. There is no explicit association between this second rule and the IPRule other that they trigger on the same traffic.

The filtering criteria of say, an IPSRule, does not have to be identical with the criteria of the IPRule. The IPSRule could have a wider filter. However, a narrower filter should not be used since it might not then process all the unencrypted SSL traffic.

Note the IPSRule acts independently of the IPRule and will process any traffic that triggers it, including any plain text traffic.

SSLInspectionProfile Properties

The SSLInspectionProfile object is the basic building block for configuring SSL inspection. It is associated with an IPRule object to configure SSL inspection. The same SSLInspectionProfile object can be associated with multiple IPRule objects for different concurrent traffic flows.

The key properties for the SSLInspectionProfile object are the following:

Name

This is mandatory and is a logical name used when referring to the profile in an IPRule.
AllowedCipherSuites

This is optional and usually does need to be changed from the default. The default suites are listed under the SSLInspectionProfile entry of the separate CLI Reference Guide.
MinTLSVersion

This is optional and the default value is TLSv1.2.
ServerConnection

This is optional and specifies if the traffic between the firewall and the server should be encrypted or should be plain-text. The default value is SSL/TLS meaning that encryption should be used.
ServerCertMatching

This is optional and if enabled (the default) it enforces the requirement that the SSL certificate that is set in the triggering SSLServer object is an exact copy of the SSL certificate used by the server. This is a check to make sure the correct server has been selected.
DetectOpportunisticTLS

When this property is disabled (the default), a plain text flow that changes to an encrypted TLS flow on the same port number by using STARTTLS will not then be subject to SSL inspection. In other words, cOS Stream will not try to detect STARTTLS.

When enabled, cOS Stream scans plain text flows looking for STARTTLS and if it is detected anywhere in a flow, SSL inspection will then be used to perform decryption and any associated security scanning.

Having this option enabled can improve security with the trade-off that there is a slight increase in processing load on the system. If the server does not support STARTTLS then this property should be left as disabled.

SSLServer Properties

One or more SSLServer objects should be added as children to an SSLInspectionProfile object. As stated previously, multiple instances would be needed if name-based virtual hosting is being used, where a single server (usually a web server) is hosting multiple DNS hostnames on the same IP address. A single destination server would require just one SSLServer object.

The key properties for the SSLServer object are the following:

Name

A logical name for the server. This is optional and is only used when cOS Stream displays server information.
ServerNameIndication

This is mandatory and is used to match the SNI string sent by the SSL client. It can contain one or more asterisk "*" wildcards. For example, *.example.com. If the value is set to a single asterisk on its own then it will match any SNI sent by the client. Scanning the list always stops after a match is found so list ordering can be important.

If there is no SNI match, the first SSLServer object in the list is used as the default and this is also used as a default if the client does not send an SNI.
Certificate

This is mandatory and is the Certificate object corresponding to the host SSL certificate files (public and private key files).
IntermediateCerts

This is the Certificate object corresponding to any certificate chain file provided by an intermediate CA. If there is no chain then no value would be specified for this property.

The SSL Inspection Processing Sequence

The following sequence occurs during SSL inspection processing:

A new flow arrives on an Ethernet port which triggers the IPRule targeting SSL traffic.
If the flow is not SSL but the rule triggers anyway (perhaps because the Service of the IPRule includes other protocols) then the traffic is processed by the rule as normal but without SSL inspection being involved.
If the traffic is an SSL flow that triggers the IPRule and its TLS/SSL version is allowed by the rule's SSLInspectionProfile then all the profile's SSLServer children are scanned for a match.
Selecting an SSLServer object is done using the Server Name Indication (SNI) value sent by the SSL client (most web browsers support this feature). The SNI is sent by the client during the initial SSL handshake and indicates which server the client is trying to connect to (for example, "server.example.org"). It is compared against the ServerNameIndication property of each SSLServer in the list and scanning stops after the first match is found.
If no match is found, or if the SSL client did not send an SNI value, the first SSLServer object in the list is always used as the default server.
The SSL certificate (and any chain) associated with the matched SSLServer object selected are then sent to the client exactly as the server would have done.
As traffic flows, cOS Stream decrypts it and applies any other triggering rule to the resulting plain text data (for example, an IPSRule).
If the unencrypted flow is not dropped by another rule, it is forwarded to the destination server, with the firewall now pretending to be the client.

Note that the forwarding is done using plain text or re-encrypted into SSL depending on the value of the ServerConnection property of the SSLInspectionProfile object. By default, it is re-encrypted.
The destination server now processes the traffic that has come from the client, unaware that it has been forwarded by the firewall.
The server sends its reply back to the firewall and if it is encrypted it is unencrypted by the cOS Stream and subject to the same processing as the original client traffic.
If the returning traffic is not dropped by any security checks, it is re-encrypted by the cOS Stream and returned to the client as though it had come directly from the server.
The client receives the encrypted reply from the server and is not aware that the firewall has mediated the communication.

Example 15.1. Setting Up SSL Inspection

This example shows how to set up SSL inspection for clients sending HTTP and HTTPS traffic across the Internet to a web server located behind a Clavister NetShield Firewall on a DMZ. The following assumptions will be made:

The firewall's Ethernet interface if2 is connected to the Internet and has the public IPv4 address wan_ip.
The protected server is located on the network if3_net which is connected to the firewall's if3 Ethernet interface.
The server has the private IPv4 address my_server_ip and the URL www.example.com.
The server has SSL certificate files as well as a certificate chain file which are available for upload to the firewall.
HTTP and HTTPS flows to the server will be subject to a SAT rule which will translate the destination IP address from if2_ip to my_server_ip.
HTTPS flows between the firewall and the server will also be encrypted using SSL and returning traffic from the server will therefore also be subject to SSL inspection and be examined for threats using IPS. HTTP flows will also be subject to IPS processing but they will automatically bypass SSL inspection.
Following SSL inspection, traffic will be re-encrypted into SSL before forwarding to the server.

Command-Line Interface

1. Upload the server's SSL certificate files to the firewall using SCP

2. Create Certificate objects for the uploaded files:

Create a CertificateStore for SSL inspection:

System:/> add CertificateStore sslins

Add the Certificate objects as children of the store:

System:/> cc CertificateStore sslins
System:/CertificateStore/sslins> add Certificate my_ssl_cert
			Type=Local
			CertificateData=file://my_ssl_cert.cer
			PrivateKey=file://my_ssl_cert.key

System:/CertificateStore/sslins> add Certificate my_ssl_chain_cert
			Type=Remote
			CertificateData=file://my_ssl_chain.cer

System:/CertificateStore/sslins> cc
System:/>

3. Create an SSLInspectionProfile object:

System:/> add SSLInspectionProfile my_ssl_prof
			ServerConnection=SSL/TLS

4. Create an SSLServer object as a child for the server:

System:/> cc SSLInpectionProfile my_ssl_prof
System:/SSLInspectionProfile/my_ssl_prof> add SSLServer
			ServerNameIndication=www.example.com
			Certificate=sslins/my_ssl_cert
			IntermediateCerts=sslins/my_ssl_cert_chain
			Name=example_server
System:/SSLInpsectionProfile/my_ssl_prof> cc
System:/>

5. Create a custom service for HTTP/HTTPS traffic:

System:/> add Service ServiceTCPUDP http-all DestinationPorts=80,443

6. Create a 1:1 SAT rule for flows from the Internet to the server:

System:/> cc RuleSet IPRuleSet main
System:/IPRuleSet/main> add IPRule
			SourceInterface=if2
			SourceNetwork=all-nets-ip4
			DestinationInterface=core
			DestinationNetwork=wan_ip
			Service=http-all
			Action=Allow
			DestinationTranslation=SAT
			SetDestinationAddress=Offset
			NewDestinationIP4=my_server_ip
			SSLInspectionProfile=my_ssl_prof
			Name=http_wan_to_server
System:/IPRuleSet/main> cc
System:/>

7: Create an IPS signature group to apply to the decrypted SSL traffic:

System:/> cc IntrusionPrevention 
System:/IntrusionPrevention> add IPSSignatureGroup my_ssl_group
			IncludeCategory=IPS_WEB_*

8. Create an IPS rule that triggers on the same SSL traffic:

System:/IntrusionPrevention> add IPSRule
			SourceInterface=if2
			SourceNetwork=all-nets-ip4
			DestinationInterface=core
			DestinationNetwork=wan_ip
			Service=http-all
			Name=ssl_ips

9. Add the signature group to the IPS rule:

System:/IntrusionPrevention> cc IPSRule 1(srv_rule) 
System:/IntrusionPrevention/IPSRule/1(ssl_ips)> add IPSRuleAction
			Action=Protect
			SignatureGroup=my_ssl_group

Chapter 16: Certificate Management

16.1. Configuring Certificates

Overview

The Clavister NetShield Firewall supports digital certificates that comply with the ITU-T X.509 standard. This involves the use of an X.509 certificate hierarchy with public-key cryptography to accomplish key distribution and entity authentication. References in this document to a certificate means an X.509 certificate.

A certificate is a digital proof of identity. It links an identity to a public key in order to establish whether a public key truly belongs to the presumed owner. By doing this, it prevents data transfer interception by a malicious third-party who might post a fake key with the name and user ID of an intended recipient.

Certificate Components

A certificate consists of the following:

A public key: The "identity" of the user, such as name and user ID.
Digital signatures: A statement that tells the information enclosed in the certificate has been vouched for by a Certificate Authority (CA).

By binding the above information together, a certificate is a public key with identification attached and is coupled with a stamp of approval by a trusted party.

Certificate Authorities

A certificate authority (CA) is a trusted entity that issues certificates to other entities. The CA digitally signs all certificates it issues. A valid CA signature in a certificate verifies the identity of the certificate holder, and guarantees that the certificate has not been tampered with by a third party.

A CA is responsible for making sure that the information in every certificate it issues is correct. It also has to make sure that the identity of the certificate matches the identity of the certificate holder.

Certificate Chains

A CA can also issue certificates to other intermediate authorities which themselves can issue host certificates, such as SSL server certificates. This leads to a chain-like certificate hierarchy. The highest certificate is called the Root Certificate and this is signed by the Root CA. Each certificate in the chain is signed by the CA of the certificate directly above it in the chain. However, the root certificate is signed by itself (it is "self-signed"). Any certificates in the chain between the root certificate and the end certificate are called Intermediate Certificates and are often packaged in a certificate chain file provided by intermediate issuing authorities.

A Certification Path refers to the path of certificates from one certificate to another. When verifying the validity of a user certificate, the entire path from the user certificate up to the trusted CA root certificate has to be examined before establishing the validity of the host certificate.

The maximum length of a certificate chain is 7 for cOS Stream. In VPN scenarios with roaming clients, the client's certificate will be the bottom of a certificate chain.

Certificate Validity Time

A certificate is not valid forever. Each certificate contains the dates between which the certificate is valid. When this validity period expires, the certificate can no longer be used, and a new certificate has to be issued.

	Important: Set the system date and time correctly
	Make sure the system date and time in the firewall are set correctly when using certificates. Using NTP servers is the recommended method of doing this.

Trusting Certificates

When using certificates, cOS Stream can trust any party whose certificate is signed by a given CA, either directly or via a chain. Before a certificate is accepted, the following steps are taken to verify its validity:

Construct a certification path up to the trusted root CA.
Verify the signatures of all certificates in the certification path.
Fetch the CRL for each certificate to verify that none of the certificates have been revoked.

Uploading Certificates

Certificates are uploaded to cOS Stream using Secure Copy (SCP). When cOS Stream receives such files, it recognizes them as certificates and stores them until they are referenced in a CLI command to create a Certificate object.

The upload process will usually consist of a CA Root Certificate and Host Certificate upload plus any intermediate chain certificate files that will be required. The CA root certificate consists of a single certificate file. The host certificate has 2 parts added: a certificate file and a private key file. The files can be in either ASCII PEM format or binary DEM format. Using SCP is described further in Section 2.1.5, Secure Copy.

Self-signed certificates can also be used instead of CA signed certificates.

Creating Certificate Objects and Using Certificate Stores

Once certificate files are uploaded using SCP, Certificate configuration objects have to be created which are associated with these files. When a Certificate object is created, it is added as a child to a CertificateStore object.

By default, there is always a single CertificateStore called ipsec and this is the store that must be used for certificates used with IPsec tunnels. However, any number of other named CertificateStore objects can be created so that all the certificates for a particular purpose can be kept together in a single store.

Whenever a reference is made to a Certificate object in the firewall configuration, the reference must be qualified by the name of its parent CertificateStore object. For example, the reference to the Certificate object called my_ca_cert which is located in the store called ipsec would be ipsec/my_ca_cert.

An Example of Certificate Store and Certificate Object Creation

Assume that a CA root certificate file has the filename ca_cert.cer and the host certificate files have the filenames host_cert.cer and host_cert.key. Also assume that in this example there is also a certificate chain file called chain.cer because the host certificate has been issued by an intermediate authority and not a CA.

First, the individual files are uploaded to the firewall using SCP. A typical SCP console command on an external management computer might look like the following:

> scp ca_cert.cer admin@192.168.3.1:

Next, in the firewall configuration, create a CertificateStore for the certificates:

System:/> add CertificateStore mycerts

Change the CLI context to be the store:

System:/> cc CertificateStore mycerts
System:/CertificateStore/mycerts>

Then add the Certificate objects as children of the store. The first object is the CA certificate which has its Type property set to Remote:

System:/CertificateStore/mycerts> add Certificate my_ca_cert
			Type=Remote
			CertificateData=file://ca_cert.cer

The second object is the host certificate which has its Type property set to Local:

System:/CertificateStore/mycerts> add Certificate my_host_cert
			Type=Local
			CertificateData=file://host_cert.cer
			PrivateKey=file://host_cert.key

The third object is the certificate chain which has its Type property set to Remote:

System:/CertificateStore/mycerts> add Certificate my_chain
			Type=Remote
			CertificateData=file://chain.cer

Finally, change the CLI context back to the default:

System:/CertificateStore/mycerts> cc
System:/>

Any reference to these new Certificate objects in the configuration must now be qualified with the name of the CertificateStore that contains them. For example, the CA root certificate would be referenced as mycerts/my_ca_cert. Note that for use with IPsec tunnels, certificates must be placed in the predefined CertificateStore called ipsec. The ipsec store does not need to be created.

Deleting Certificate Stores

Like other object types, deleting a certificate store cannot be done without deleting all the children first. However, this behavior can be changed by using the delete command with the -force option, in which case any children will be deleted with the parent.

Certificates Can be Reused

Certificates are global objects that can be reused between, for example, VPN tunnels. Even though a certificate is associated with one VPN tunnel in cOS Stream, it can still be reused with any number of other, different VPN tunnels.

Encrypted Private Keys

The private key of a certificate can be encrypted and access to the key will then require a password. This means that software that uses the certificate will require the password to be entered before the private key can be accessed. Currently, cOS Stream does not provide the ability to allow an encrypted private key to be used.

Manually Creating Windows CA Server Requests

To request certificates from a CA server or CA company, the best method is to send a CA Certificate Request which is a file that contains a request for a certificate in a well known, predefined format.

It is possible to manually create the required files for a Windows CA server using the following procedure:

Create a host certificate on the Windows CA server and export it as a file in the .pfx format.
Convert the .pfx file into the .pem format.
Take out the relevant parts of the .pem file to form the required .cer and .key files.

The detailed steps for the above procedure are as follows:

Create the host certificate on the Windows CA server and export it to a .pfx file on the local management workstation disk.

Now, convert the local .pfx file to a .pem file. This can be done with the OpenSSL utility using the CLI command line:

> openssl pkcs12 -in host.pfx -out host.pem -nodes

In this command line example, the file exported from the CA server is assumed to be called host.pfx and it is assumed to be in the same local directory as the OpenSSL executable.

The original host.pfx file contained 3 certificates: CA root certificate, a personal certificate and a private key certificate. The host.pem file now contains these in a format which can be cut and pasted with a text editor.

	Note
	OpenSSL is being used here as a conversion utility and not in its normal role as a communication utility.

Create two blank text files with a text editor, such as Windows Notepad. Give the files the same filename but use the extension .cer for one and .key for the other. For example, host.cer and host.key might be the names.
Start a text editor and open the downloaded .pem file and locate the line that begins:
```
-----BEGIN RSA PRIVATE KEY-----
```
Mark and copy into the system clipboard that line and everything under it, up to and including the line:
```
-----END RSA PRIVATE KEY-----
```
Now paste the copied text into the .key file and save it.
Back in the .pem file, locate the line that begins:
```
-----BEGIN CERTIFICATE-----
```
and copy into the system clipboard that line and everything under it, up to and including:
```
-----END CERTIFICATE-----
```
Now paste this copied text into the .cer file and save it.

The saved .key and .cer files are now ready for upload.

16.2. CA Server Access

Overview

Certificate validation can be done by accessing a separate Certifícate Server (CA). For example, the two sides of an IPsec tunnel would exchange their certificates during the tunnel setup negotiation and either side might then try to validate the received certificate by accessing a CA server.

A certificate contains a Fully Qualified Domain Name (FQDN) which specifies the textual address of the validating CA server as well as the protocol used for accessing the server. For example, server access could require an HTTP request or possibly an LDAP request.

CA Server Types

CA servers can be one of the following two types:

A Commercial CA Server

Commercial CA servers are operated by one of the commercial certificate issuing companies. These are accessible over the public Internet and their FQDNs are resolvable through the public Internet DNS server system.
A Private CA Server

A private CA server will be operated by the same organization setting up the VPN tunnel. The IPv4 or IPv6 address of a private server will not be known to the public DNS system unless it is explicitly registered. It also will not be known to an internal network unless it is registered on an internal DNS server.

For LTE scenarios in a telecoms environment, a private CA server is most often used, with server requests sent using the LDAP protocol. However, the protocol used is determined by the settings within the certificate.

Access Considerations

The following considerations should be taken into account for CA server access to succeed:

Either side of a VPN tunnel may issue a validation request to a CA server.
For a certificate validation request to be issued, the FQDN of the certificate's CA server must first be resolved into an IP address. The following scenarios are possible:
1. The CA server is a private server behind the Clavister NetShield Firewall and the tunnels are set up over the public Internet but to clients that will not try to validate the certificate sent by cOS Stream.
  
  In this case, the IPv4 address of the private server needs only be registered on a private DNS server so the FQDN can be resolved. This private DNS server will also have to be configured in cOS Stream so it can be found when cOS Stream issues a validation request. This will also be the procedure if the tunnels are being set up entirely internally without using the public Internet.
2. The CA server is a private server with tunnels set up over the public Internet and with clients that will try to validate the certificate received from cOS Stream. In this case the following must be done:
  1. A private DNS server must be configured so that cOS Stream can locate the private CA server to validate the certificates coming from clients.
  2. The external IP address of the Clavister NetShield Firewall needs to be registered in the public DNS system so that the FQDN reference to the private CA server in certificates sent to clients can be resolved. For example, cOS Stream may send a certificate to a client with an FQDN which is ca.company.com and this will need to be resolvable by the client to a public external IP address of the Clavister NetShield Firewall through the public DNS system.
  The same steps should be followed if the other side of the tunnel is another firewall instead of being many clients.
3. The CA server is a commercial server on the public Internet. In this, the simplest case, public DNS servers will resolve the FQDN. The only requirement is that cOS Stream will need to have at least one public DNS server address configured to resolve the FQDNs in the certificates it receives.
It must be also possible for a server request to pass from the validation request source (either the Clavister NetShield Firewall or a client) to the CA server and the reply to be received. If the request is going to pass through the Clavister NetShield Firewall, the appropriate rules in the IP rule set need to be defined to allow this traffic through. The Service object used in the IP rules should be chosen to match the protocols that may be used for the request.

IP rules are not required if it is cOS Stream itself that is issuing the request to the CA server. Actions taken by cOS Stream are trusted by default. This is the case when cOS Stream must validate certificates in an LTE telecoms scenario and is a general rule that also applies to DNS resolution requests issued by cOS Stream.
If LDAP requests are going to be sent to a CA server then the server must be configured to accept anonymous LDAP requests. Microsoft documentation may refer to this as Anonymous LDAP Binding.

For example, the default setting for some Windows Active Directory servers is to reject anonymous LDAP requests so this must be changed.

cOS Stream always queries LDAP servers with anonymous requests and if the server is not configured to accept them, authentication will fail.

	CA servers with IPv4 or IPv6 addresses are Supported
	If the DNS resolution of a CA server name results in an IPv6 address instead of an IPv4 address then this is fully supported by cOS Stream. CRL lookup can be performed using either IPv4 or IPv6 addresses.

Placement of Private CA Servers

The simplest solution for placement of a private CA server is to have it on the unprotected side of the Clavister NetShield Firewall. This however, is not recommended from a security viewpoint. It is better to place it on the inside (or preferably in the DMZ if available) and to have cOS Stream control access to it.

As explained previously, the FQDN address of the private CA server must be resolvable through public DNS servers for certificate validation requests coming from the public Internet. If the certificate queries are coming only from the Clavister NetShield Firewall and the CA server is on the internal side of the firewall then the IP address of the internal DNS server must be configured in cOS Stream so that these requests can be resolved and this is the case in the LTE telecoms scenario.

CA server access with LTE configuration is described further in the separate Clavister NetShield Firewall Use Case Guide.

Figure 16.1. Certificate Validation Components

Turning Off Certificate Validation

One of the ways to troubleshoot problems with CA server access can be done by turning off the requirement to validate certificates. By default, checking is always enabled.

Attempts to access CA servers by cOS Stream can be disabled by setting the CRLChecks option for a certificate object to Disabled (the default is Yes. For example:

System:/> cc CertificateStore ipsec
System:/CertificateStore/ipsec> set Certificate my_cert
			CRLChecks=Disabled

This means that checking against the CA server's revocation list (CRL) will be turned off and access to the server will not be attempted.

When switching off CRL checking, it may not be necessary to apply the CRLChecks=Disabled option to all certificates. This option follows the chain of certificate dependency. If it is applied to the root certificate of the chain then it is automatically applied to all dependent certificates.

Configuring LDAP Servers

If the FQDN in a certificate uses the LDAP protocol, then this can be specified in one of two ways:

With the prefix ldap:// - the URL of the LDAP server immediately follows the prefix.
With the prefix ldap:/// - the server URL is not specified and a default server is expected.

In the second case where the LDAP URL is not specified, the LDAP server to use is specified with the LDAPServer property of the certificate object. This property is set to a single LDAPServer object (a list of servers is not possible) which has already been defined in the configuration. The LDAPServer object specifies the IPv4 or IPv6 address of the server.

Example 16.1. Specifying an LDAP Server

This example creates an LDAPServer object called my_ldap_server which is then assigned to the Certificate object my_cert.

It is assumed that the IPv4 address of the LDAP server is 192.168.1.10. It is also assumed that the Certificate object my_cert already exists is located in the CertificateStore called ipsec.

Command-Line Interface

First, define the LDAPServer object:

System:/> add LDAPServer my_ldap_server IPAddress=192.168.1.10

Next, assign this server to the certificate:

System:/> cc CertificateStore ipsec
System:/CertificateStore/ipsec> set Certificate my_cert
			LDAPServer=my_ldap_server

CA Server Redundancy

It is possible to have redundancy of CA servers with any of the following methods:

The FQDN in the certificate can resolve to more than one IP address. This provides alternative servers to use if the first IP fails to return a response.
There can be more than one FQDN in the certificate. Again, this provides alternative servers if the first fails to respond. In this case, the protocols of the FQDNs are usually different with one being HTTP and the other being LDAP.

However, there can only be a single LDAP server explicitly specified in the LDAPServer property of a Certificate object.

16.3. CRL Distribution Point Lists

The Clavister NetShield Firewall allows the administrator to define one or more CRL Distribution Point List (CDPL) objects. Each list is composed of one or more entries, each entry specifying the URL of a server that can provide a Certificate Revocation List (CRL) to cOS Stream for validating the certificate.

To use CDPLs in cOS Stream, the following steps are used:

If it has not already been uploaded, load the certificate into cOS Stream and create a Certificate object that is associated with the upload.
Define a CRLDistPointList object which will be a list of the distribution points.
Add one or more CRLDistPoint objects to the list. Each defines a single distribution point.
Associate the CRLDistPointList with the Certificate object.

Once the association is made between a certificate and a CDPL, all CRL lookups for that certificate are done using the entries in the associated CDPL. The first entry in the associated list is tried first and if that fails the second is tried, and so on. It does not matter if the certificate has its own embedded CDPL or not, the CDPL associated with it in cOS Stream will always be used.

In the case of a certificate chain, only the certificate at the top of the chain needs to be associated with the CDPL defined in cOS Stream. This CDPL will then take precedence over any CDPL embedded in the top level certificate or any certificate at a lower level of the chain.

By forcing certificates to use the CDPL defined by the administrator instead of any CDP embedded in the certificate, the administrator can ensure access to a functioning and accessible CA server.

Example 16.2. Using a CRL Distribution Point List

This example creates a CRLDistPointList object called my_cdpl with a single CRLDistPoint which has the URL http://crls.example.com. The CRLDistPointList is then associated with the Certificate object called my_cert.

It is assumed that the my_cert object already exists in the system configuration and is located in the CertificateStore called ipsec.

The CRL checks property for the certificate will be left as the default value of Enforced which means that a CRL check against the list retrieved from the http://crls.example.com server will always be done.

Command-Line Interface

A. Configure the distribution point list:

First, add the distribution point list:

System:/> add CRLDistPointList my_cdpl

Next, change the CLI context to be the list:

System:/> cc CRLDistPointList my_cdpl

Then add the distribution point to the list:

System:/CRLDistPointList/my_cdpl> add CRLDistPoint
			URL=http://crls.example.com

Finally, change the CLI context back to the default:

System:/my_cdpl> cc
System:/>

B. Associate the distribution point list with the certificate:

System:/> cc CertificateStore ipsec
System:/CertificateStore/ipsec> set Certificate my_cert
			CRLDistPointList=my_cdpl

16.4. Management with CMP

Overview

Certificate Management Protocol (CMP) is a method of obtaining and maintaining digital certificates using a Public Key Infrastructure (PKI). Version 2 of this protocol (CMPv2) is defined by RFC 4210 and is usually encapsulated in the HTTP protocol.

The Clavister NetShield Firewall has the capability to act as a CMP client, communicating with the CMP server of a Certificate Authority (CA) in order to fetch the certificate files required for the Certificate objects in a configuration.

Summary of Setup Steps

The setup of CMP requires the following steps:

Upload a CA root certificate to cOS Stream which can be used to authenticate the CMP server's identity.
Create a Certificate object in cOS Stream configuration for the uploaded CA root certificate file. Its Type property should be set to Remote.

Note that Certificate objects must be added as children of a CertificateStore object. The default store called ipsec could be used for this purpose but it is often better to create a new store and give it a name such as cmp. Any reference to a Certificate object must be qualified by the name of the store in which it is found. For example, mystore/my_ca_cert.
Create a CMPServer object. This will refer to the Certificate object created in the previous step.
Create one or more Certificate objects in the configuration which will hold certificates retrieved from the CMP server. Each Certificate object must be associated with the CMPServer object created in the previous step.
Use the CLI certmgr command to perform one of the following operations:
1. Initiate
  
  An existing Certificate object has no valid certificate associated with it. cOS Stream authenticates with the CMP server by using a pre-shared key (PSK), generating an RSA key pair, sending the public key to the server and getting back a signed certificate which it then associates with the Certificate object.
  
  Authenticating the client (cOS Stream) with the CMP server is done using a pair of values consisting of a username (the reference number) and a password (the PSK).
2. Update
  
  A Certificate object already has a certificate associated with it which is to be updated. cOS Stream sends a request to the CMP server to renew an existing certificate by authenticating with the current valid certificate, generating an RSA key pair, sending the public key to the server and getting back a new, signed certificate.

The above setup steps will now be described in detail in the sections that follow.

Defining a CMPServer

The CMPServer object provides the definition to locate a CMP server. The CMPServer object has the following properties:

Name

This is a human-readable string given to the object for identification purposes.
IPAddress

This defines the IP address of the server. Either the IPAddress property or the FQDN property (see below), and only one of them, is defined for a CMPServer object.
FQDN

This defines the Full Qualified Domain Name of the server. Either the IPAddress property or the FQDN property (see above), and only one of them is defined for a CMPServer object.
Port

This is the TCP port on which the CMP server will listen for HTTP/CMP traffic.
Path

This is the path to use in the HTTP request URL. See Example 16.3, “Defining a CMP Server” below for how this is specified.
CACert

This is set to be a Certificate object which already exists in the configuration. The certificate must be a CA root certificate and is used to authenticate the CMP server's identity. It is not optional at this time even if the server is trusted. A certificate must be specified.

Example 16.3. Defining a CMP Server

This example defines a CMPServer object called my_cmp_server.

It is assumed that the CMP server's CA root certificate has already been defined in the configuration as a Certificate object called cacert and this is located in the CertificateStore called cmp.

The CMP server URL is assumed to be http://ca.example.com:3076/cmp/.

Command-Line Interface

System:/> add CMPServer my_cmp_server
			CACert=cmp/cacert 
			FQDN=ca.example.com
			Port=3076
			Path=cmp/

Defining a CMP Client Certificate

A Certificate object for the client needs to be defined and associated with a CMP server before any CMP operation can be performed with it. To do this, the following Certificate properties must be set:

Type

In addition to the types Local and Remote, a Certificate object can have the type CMPv2 to indicate management with CMP. In other respects, a certificate of type CMPv2 behaves like a certificate with a type of Local.
CMPServer

This is a reference to a previously defined CMPServer object. This is the server that cOS Stream will use to manage the certificate.

Example 16.4. Adding a Client Certificate with CMP Management

In this example, a Certificate object called clcert is created and will use the CMPServer object called my_cmp_server for CMP management.

The certificate will be located in a CertificateStore called cmp which it is assumed has already been created and contains the CA root certificate:

Command-Line Interface

First, change the CLI context to the certificate store called cmp:

System:/> cc CertificateStore cmp
System:/CertificateStore/cmp>

Next, add the certificate to the store:

System:/CertificateStore/cmp> add Certificate clcert
			Type=CMPv2
			CMPServer=my_cmp_server

The CLI certmgr Command

The CLI certmgr command is used in the first step to initiate or update a certificate. A typical initiate operation would use a CLI command of the form:

System:/> certmgr -clientcert=cmp/clcert
			-initiate
			-username=user
			-password=pwd
			-subject="CN=seg.example.com"

Here, the username and password could be specified in hexadecimal by adding the -hex option. The -subject parameter must be specified

A typical update operation would use a CLI command of the form:

System:/> certmgr -update -clientcert=cmp/clcert

As shown in the examples below, after either an initiate or update operation, it is necessary to perform a second step of explicitly associating the received certificate files with the relevant certificate object.

Initiating a Certificate

When initiating a new certificate being sent from a CMP server, a Certificate object with its Type property set to CMPv2 is required which specifies the CMP server. Authentication of the client (cOS Stream) with the remote CMP server requires that the following certmgr command options must be included:

-username

This is usually the Reference Number that is required by the CMP server.
-password

This is usually the Private Shared Key (PSK) that is required by the CMP server.
-subject

Although not a direct part of authentication, the subject field of the certificate must also be specified for an initiate operation.

The way these options are used depends on the way the CMP server is configured. Usually with a public CA, both the reference number and Private Shared Key are required and these will be issued by the CA.

After the initiate operation succeeds, the certificate and private key are stored as local files and the administrator must perform the following actions manually to complete the process:

The files retrieved from the CMP server must be explicitly associated with the relevant Certificate object.
After the configuration change, an activate and commit operation must be performed so the changes become persistent.

If these manual actions are not performed, the retrieved certificate and generated private key will be lost when cOS Stream restarts.

Example 16.5. Initiating a Certificate

This example shows how the initiate operation is performed for the Certificate object called clcert using a reference number and PSK to authenticate the client (cOS Stream) with the CMP server:

It is assumed that clcert is found in the CertificateStore called cmp.

The CMP server is configured to accept a reference value of my_reference and secret value of my_secret.

Command-Line Interface

System:/> certmgr -clientcert=cmp/clcert
			-initiate
			-username=my_reference
			-password=my_secret
			-subject="CN=seg.example.com"

The administrator must now manually update the Certificate object with the following CLI commands:

System:/> cc CertificateStore cmp
System:/CertificateStore/cmp> set Certificate clcert 
			CertificateData=file://cl_newcert.der 
			PrivateKey=file://cl_newkey.pem
				
System:/CertificateStore/cmp> cc
System:/> activate

System:/> commit

Updating a Certificate

A current certificate stored by cOS Stream can be updated with a new certificate automatically retrieved from a CMP server. This time, the -username and -password options are not needed. Instead, authentication of the CMP client (cOS Stream) is done by using the still-valid certificate itself.

The newly generated private key and retrieved newly created certificate are stored as new files after download from the server. As with the initiate operation above, a manual operation is still needed to associate the received files with the relevant Certificate object. Doing this, is described as part of the example below.

Example 16.6. Updating a Certificate

This example shows how to perform an update operation for the Certificate object called clcert.

It is assumed that clcert is found in the CertificateStore called cmp.

Command-Line Interface

System:/> certmgr -update -clientcert=cmp/clcert

The administrator must now manually update the Certificate object with the following CLI commands:

System:/> cc CertificateStore cmp
System:/CertificateStore/cmp> set Certificate clcert 
			CertificateData=file://cl_newcert.der 
			PrivateKey=file://cl_newkey.pem
				
System:/CertificateStore/cmp> cc
System:/> activate

System:/> commit

Revoking a Certificate

A current certificate stored by cOS Stream can be explicitly revoked by the administrator.

Example 16.7. Revoking a Certificate

This example shows how to perform a revoke operation for the Certificate object called clcert.

It is assumed that clcert is located in the CertificateStore called cmp.

Command-Line Interface

System:/> certmgr -revoke -clientcert=cmp/clcert

Chapter 17: Authentication

17.1. Authentication Profiles

Authentication refers to the process of verifying user identity before allowing access. The configuration object which controls authentication in cOS Stream is the AuthenticationProfile object. Each profile defines a specific set of parameters for performing authentication.

To enable authentication, authentication profiles must be associated with other configuration objects. For example, an IPsec interface can have a profile associated with it so that roaming clients that connect through the IPsec tunnel, trigger the authentication described by the profile.

An AuthenticationProfile object has the following key properties:

Agent Type

This is the type of authentication that will be used. The choices are:
1. BASIC - This is the default and indicates standard username/password authentication. For example, the profile associated with the RemoteMgmtSSH object should have this agent type to allow administration SSH access.
2. EAP - This option is used in I-WLAN scenarios with IKEv2 IPsec tunnels. It encompasses three types of EAP payloads:
  - SIM
  - AKA
  - MD5
  Any of these EAP types can be explicitly disabled in the AuthenticationProfile object. For example, to disable MD5, the property AllowEAP_MD5 would be given a value of No.
LocalUserDB

This is the LocalUserDatabase that will be used to authenticate users. If no local database is used, it should be set to an empty string: LocalUserDB="".
RemoteServer

This is a list of one or more RadiusServer that will be used for authentication. They can be used instead of a user database.
RemoteLoadBalance

This is the algorithm that is used to spread RADIUS requests amongst multiple RADIUS servers.
AuthOrder

If both a local database and RADIUS server(s) are specified, this determines which to use first for authentication.
MultipleLogins

This determines if multiple logins by the same username are allowed. If they are, the maximum number of logins is controlled by the MaxMultipleSessions property. The possible options are:
1. AllowOne - Allow only one login. Any new login will not be allowed.
2. AllowMultiple - Allow multiple simultaneous logins.
3. ReplaceExisting - Allow one login but a new login will logout the existing.
SessionTimeout

The amount of time with no activity before the session is disconnected.
LoginAttempts

The maximum number of attempts to login before a username is locked out.
MaxLockoutTime

The time that a username is prevented from trying to log in once a lockout occurs.
BruteForceAttackPrevention

This sets a rate limit on the number of retries that can be attempted from the same IP address. This is enabled by default.

Example 17.1. Creating an Authentication Profile with a Local User Database

This example creates an authentication profile called int_auth that will reference a local user database called int_users that has already been defined. No RADIUS servers will be used.

Command-Line Interface

System:/> add AuthenticationProfile int_auth
			LocalUserDB=int_users

Example 17.2. Creating an Authentication Profile with RADIUS Servers

This example creates an authentication profile called ext_auth that will reference two RADIUS servers called rad1_server and rad2_server. A local database will not be used.

Command-Line Interface

System:/> add AuthenticationProfile ext_auth
			LocalUserDB=""
			RemoteServer=rad1_server,rad2_server

17.2. RADIUS Authentication

Centralizing Authentication

In a larger network topology with a larger administration workload, it is often preferable to have a central authentication database on a dedicated server. When there is more than one Clavister NetShield Firewall in the network and thousands of users, maintaining separate authentication databases on each device becomes problematic. Instead, an external authentication server can validate username/password combinations by responding to requests from cOS Stream.

The RADIUS Solution

To provide a centralized external authentication source, cOS Stream supports the Remote Authentication Dial-in User Service (RADIUS) protocol. RADIUS is an Authentication, Authorization and Accounting (AAA) protocol widely used to implement the central database approach.

RADIUS Architecture

The RADIUS protocol is based on a client/server architecture. The Clavister NetShield Firewall acts as the client of the RADIUS server, creating and sending requests to a dedicated server(s). In RADIUS terminology, the firewall acts as the Network Access Server (NAS).

For user authentication, the RADIUS server receives authentication requests and then verifies the user's credentials by consulting its database. It then returns either an "accept" or "reject" reply to the requesting client.

Configuring RADIUS Servers

RADIUS servers are configured as separate objects in cOS Stream. A RADIUS server object's properties are:

Name

A suitable logical name for the object.
IPAddress

The IP address of the server. This could be an IP address object from the address book.
Port

The port used for the connection by cOS Stream. This default value is 1812.
RetryTimeout

This is the length of time in milliseconds after which a RADIUS request will have assumed to fail and a retry is attempted.

This value cannot be less than 500 with no upper limit. The default value is 2000.
NumRetries

When a RADIUS request times out, the request is retried. This happens for NumRetries times. The retry minimum is 1 and the maximum is 10. The default is 3.
Shared Secret

To provide request security, a common Shared Secret is configured on both the RADIUS client and the server. This secret enables encryption of the messages sent from the RADIUS client to the server and is commonly configured as a relatively long text string. The string can contain up to 100 characters and is case sensitive.

RADIUS uses PPP to transfer username/password requests between client and RADIUS server, as well as using PPP authentication schemes such as PAP and CHAP. RADIUS messages are sent as UDP messages via UDP port 1812.
NAS-Identifier

This value is required when sending requests to some RADIUS servers.

Example 17.3. Configuring a RADIUS Server

In this example, a RADIUS server will be configured with an IPv4 address of 198.10.2.1 and the shared secret specified as mysecret.

Command-Line Interface

System:/> add RadiusServer IPAddress=198.10.2.1 SharedSecret=mysecret

Using RADIUS Authentication

A RADIUS server is used for authentication with the following steps:

Create a RADIUS server object as described above.
Create an Authentication Profile object that uses the RADIUS server as its Authentication Source.
Associate the profile with an IP rule. When the IP rule triggers, authentication of user credentials will then be required to set up the traffic flow.

17.3. The radiussnoop Command

To troubleshoot problems, cOS Stream provides the ability to examine the interactions that take place between itself and RADIUS servers. This is done using the CLI command radiussnoop.

The command works in a similar way to the ike -snoop command. It is enabled from the CLI console and while it is enabled, any interactions with RADIUS servers is shown in console output messages. The amount of detail in this output can be adjusted.

17.4. Multi-Factor Authentication

When a roaming client tries to access resources located behind a Clavister firewall, RADIUS based authentication can be strengthened by utilizing multi-factor authentication. This is sometimes also referred to as 2-factor authentication or 2-step authentication. The first factor is usually a conventional username and password credential combination. The other factor is typically a multi-character code which is sometimes referred to as a one-time password (OTP).

Multi-Factor Support is Automatic

By default, cOS Stream provides automatic support for multi-factor authentication by being able to recognize a RADIUS Access-Challenge message and requiring that an additional code is provided by the authenticating client. The code that the client returns might be sent to the user at the time of authentication by the RADIUS server, perhaps using SMS or email. Alternatively, the code might be generated by the user with a code generation application which has been previously synchronized with the server.

The PhenixID Authentication Server (PAS) product is an example of a RADIUS server that provides these multi-factor capabilities (PhenixID is a Clavister subsidiary). See the separate PhenixID documentation for a description of how to set up different multi-factor RADIUS authentication scenarios.

Multi-Factor Processing Sequence

The sequence of processing for multi-factor authentication with cOS Stream is as follows:

Authentication is set up as normal using authentication profiles and suitable IP rule set entries. The authentication method in the authentication profile that triggers will be an external RADIUS server that has been configured to perform multi-factor authentication. Perhaps, a PhenixID authentication server.
A client tries to access resources through the Clavister firewall and is required to authenticate.
The client returns basic access credentials. Typically, this might be username and password.
cOS Stream sends these credentials to the RADIUS server for authentication in a RADIUS Access-Request message.
In multi-factor authentication, the RADIUS server will do two things:
1. It informs cOS Stream that multi-factor authentication must be used by sending back a RADIUS Access-Challenge message.
2. As mentioned previously, the RADIUS server may need to take an additional action for multi-factor authentication, such as sending a one-time code to the user. However, the user may be able to generate this code themselves.

The diagram below illustrates all the steps up to this point. In this diagram, it is assumed that the RADIUS server sends an SMS message with a one-time code to the user's smartphone.

Figure 17.1. Multi-Factor Authentication Processing

The process now completes with the following steps:

The client returns the requested code and cOS Stream relays this to the RADIUS server in another Access-Request message.
The RADIUS server verifies the code. If the user is authenticated then an Access-Accept is sent back to cOS Stream and the client is given access to the requested resources. If it is not verified, the server sends back an Access-Reject message and access is denied by cOS Stream.

Notes on Multi-Factor Authentication

The following points should be noted about setting up multi-factor authentication with cOS Stream:

The multi-factor feature does not need to be enabled in cOS Stream. Requests for extra login factors sent back from RADIUS servers are automatically forwarded to clients.
A challenge code could be generated by a local code generating method (such as RSA SecureID™) or the RADIUS server can cause the code to be sent to the user.
The RADIUS server must be configured appropriately and the server's documentation should be consulted on how to do this.
When the RADIUS server causes a code to be sent to the user, this is done independently of the firewall. Various third party solutions are available to generate this code and it will not be discussed further in this document.

Chapter 18: Access Rules

18.1. Overview

One of the principal functions of cOS Stream is to allow only authorized connections access to protected data resources. Access control is primarily addressed by the IP rule set in which a range of protected LAN addresses are treated as trusted hosts, and traffic flow from untrusted sources is restricted from entering trusted areas.

Before a new connection is checked against the IP rule set, cOS Stream checks the connection source against the set of AccessRule objects. An AccessRule object can be used to specify what traffic source is expected on a given interface and also to automatically drop traffic originating from specific sources. Access rules provide an efficient and targeted initial filter for new connection attempts.

The Default Access Rule

Even if the administrator does not explicitly specify any custom access rules, one predefined access rule is always applied by cOS Stream and this is known as the Default Access Rule.

This default access rule is not a rule in the usual sense. What it does is check the validity of incoming traffic by performing a reverse lookup in the firewall's routing tables. This lookup validates that the incoming traffic is originating from a source that the routing tables indicate is accessible via the interface on which the traffic arrives. If this reverse lookup fails then the connection is dropped and a Disallowed by Access Rule log message will be generated.

When troubleshooting dropped connections, the administrator should look out for Disallowed by Access Rule messages in the logs. If there is a problem with the default access rule unexpectedly dropping traffic then one solution is to create a route for the interface where the connection arrives so that the route's destination network is the same as or contains the incoming connection's source IP.

Custom Access Rules are Optional

For most configurations, the default access rule is sufficient and the administrator does not need to explicitly specify other access rules. The default rule can, for instance, protect against IP spoofing, which is described in the next section. If access rules are explicitly specified, then the default access rule is still applied if a new flow does not match any of the custom access rules.

The recommendation is to initially configure cOS Stream without any custom access rules and add them if there is a requirement for stricter checking on new flows.

IP Spoofing

Traffic that pretends it comes from a trusted host can be sent by an attacker to try and get past a firewall's security mechanisms. Such an attack is commonly known as Spoofing.

IP spoofing is one of the most common types of spoofing attacks. Trusted IP addresses are used to bypass filtering. The header of an IP packet indicating the source address of the packet is modified by the attacker to be a local host address. The firewall will believe the packet came from a trusted source. Although the packet source cannot be responded to correctly, there is the potential for unnecessary network congestion to be created and potentially a Denial of Service (DoS) condition could occur. Even if the firewall is able to detect a DoS condition, it is hard to trace or stop because of its nature.

VPNs provide one means of avoiding spoofing but where a VPN is not an appropriate solution then access rules can provide an anti-spoofing capability by providing an extra filter for source address verification. An access rule can verify that packets arriving at a given interface do not have a source address which is associated with a network of another interface. In other words:

Any incoming traffic with a source IP address belonging to a local trusted host is NOT allowed.
Any outgoing traffic with a source IP address belonging to an outside untrusted network is NOT allowed.

The first point above prevents an outsider from using a local host's address as its source address. The second point prevents any local host from launching the spoof.

18.2. Creating Access Rules

cOS Stream has a predefined object called AccessRules which is initially empty since the default access rule is not visible. One or more child AccessRule objects can then be added to this AccessRules parent object. Each AccessRule consists of interface and network values used to filter new flows, as well as an action to take when a flow match is triggered.

Access Rule Filtering Properties

The access rule filtering properties used to trigger a rule are:

Interface - The firewall interface that the packet arrives on.
Network - The IP range that the source address belongs to.

Access Rule Action Property

The access rule Action property can take either of the following values:

Drop - Discard the packets that trigger the access rule.
Accept - Accept the packets that trigger the access rule so they can be processed by other rule sets.

	Note: By default, access rule logging is enabled
	Logging can be enabled or disabled for when an access rule triggers. By default, it is enabled.

Turning Off Disabled by Access Rule Messages

If, for some reason, the Disabled by Access Rule log message is continuously being generated by some source and needs to be turned off, then the way to do this is to create a new AccessRule object for that source with an action of Drop.

Troubleshooting Access Rule Related Problems

It should be noted that access rules are a first filter of traffic before any other subsystems can see it. Sometimes problems can appear, such as setting up VPN tunnels, precisely because of this. It is always advisable to check access rules when troubleshooting puzzling problems in case a rule is preventing some other function, such as VPN tunnel establishment, from working properly.

Example 18.1. Setting up an Access Rule

A rule is to be defined that ensures no traffic with a source address within the network bad_net is accepted on the if1 interface.

Command-Line Interface

First, change the context to the access rule set:

System:/> cc AccessRules

The prompt will change to indicate the new context. Now, add the access rule:

System:/AccessRules> add AccessRule Name=rule1
			Interface=if1
			Network=bad_net
			Action=Drop

The contents of the rule set can now be checked:

System:/AccessRules> show

AccessRule

   #  Name  Action  Interface  Network
   -  ----  ------  ---------  -------
+  1  rule1 Drop    if1   bad_net

Finally, return to the default CLI context:

System:/AccessRules> cc

Chapter 19: GTP Inspection

The GPRS Tunneling Protocol (GTP) is a communication protocol used to carry data between telecom networks. The GTP Inspection feature in cOS Stream provides the ability to apply a range of integrity checks to GTP traffic. Specifically, it protects the P-GW in an LTE/4G network (or the GGSN in a GPRS/3G network) when a S-GW (or SGSN) is communicating with the P-GW (or GGSN) over an untrusted network like the Internet.

The remote interface behind which the firewall sits to inspect traffic is known as the S8 interface in LTE/4G networks (the Gp interface in 3G networks). GTP inspection examines the traffic passing through this interface as it flows between a visited (remote) network and the home (local) network.

Naming Conventions

For convenience, the rest of this section will use only the LTE/4G naming conventions. The naming of object properties within the firewall CLI interface also uses only LTE/4G naming conventions. However, all the principles described can be applied to 3G networks.

In an LTE/4G network, the S-GW side will be referred to as the downlink (or user) side and the P-GW side will be referred to as the uplink (or network) side. The terms downlink and uplink are used by the firewall's CLI.

GTP Inspection Features

The GTP inspection feature in cOS Stream provides a defense against the following kinds of potential security threats:

Malformed GTP traffic. This can include IE manipulation, missing information elements, invalid values, invalid header or IE's structure.
Request/response mismatches.
Raw data traffic causing a denial of service.
GTP inside GTP. This could result in traffic reaching nodes in the core network that should be inaccessible to roaming partners.

The following methods are used by GTP inspection to protect against the threats listed above:

GTP-C/U message validation.
GTP-C/U session tracking. This only allows GTP-U traffic to be forwarded for established GTP-U bearers.
State tracking for some GTP-C message types (but not GTP-U types).
GTP-in-GTP detection for GTP-U tunneled traffic.

In addition, the administrator can set the following limits in the GTP inspection feature:

GTP session and bearer timeout values.
The maximum number of GTP sessions and bearers allowed.

IPv6 Support

The GTP inspection feature fully supports IPv6. This means the following:

GTP messaging using either UDP with IPv4 or UDP with IPv6 is supported.
The tunneled GTP traffic can be either IPv4 or IPv6.
GTP in GTP tunnel detection will function regardless of the IP protocols used.

Steps For GTP Inspection Setup

The following steps are required to set up GTP inspection:

Define a new GTPInspectionProfile object that is configured to perform the required checks on GTP traffic. This same profile can be used for both traffic directions as well as being used across multiple IP rules.
Define IPRule objects that trigger on each direction of traffic flow and associate the GTPInspectionProfile object from the previous step with the GTPInspectionProfile property of both rules.

The service associated with the IP rules should either be the predefined service object called gtpc-udp or a similar administrator defined service object.

GTP Profile Object Properties

The following mandatory properties are the minimum that must be configured in a new GTPProfile object:

DownlinkSourceInterface

The allowed source interface(s) for GTP-U traffic originating from the SGSN/S-GW.
DownlinkNetwork

An S-GW address filter for GTP-U traffic.
UplinkSourceInterface

The allowed source interface(s) for GTP-U traffic originating from the GGSN/P-GW.
UplinkNetwork

A P-GW address filter for GTP-U traffic.

All the properties for the GTPInspectionProfile object are listed in the separate CLI Reference Guide.

Specifying the GTP Version

The optional property GTPVersion specifies the allowed GTP version or versions. The default value is GTPv2 and this should be used for LTE scenarios. The value can be specified as GTPv1 instead or both versions can be allowed by specifying GTPv1,GTPv2.

Sessions Maximums are Cumulative Per Profile

It should be noted that the property MaxSessions, like all the other session maximum properties, apply to the cumulative sessions for a single GTPInspectionProfile object. This is true, regardless of how many IPRule objects reference the object.

The following is a list of all the session maximum properties:

MaxSessions

The maximum number of concurrent GTP-C sessions allowed by the profile object. The default value is 1024.
MaxSessionsPerSourceIP

The maximum number of concurrent GTP-C sessions allowed for each unique source IP address. The default value is 1024.
MaxBearersPerSession

The maximum number of bearers allowed for each GTP-C session. The default value is 16.

Global Behavior Settings

Several global settings are available for controlling the behavior of all GTPInspectionProfile objects. These settings, with their default values, are listed in the GTPInspectionSettings section of the separate CLI Reference Guide.

Example 19.1. Setting Up GTP Inspection for LTE

This example shows how GTP inspection can be set up for traffic flowing between the S-GW and the P-GW in an LTE scenario.

As illustrated in the diagram below, it is assumed that the S-GW's network s_gw_net is connected to the firewall's if1 interface and the P-GW's network p_gw_net is connected to the if2 interface. It is also assumed that both the S-GW and P-GW are using the default ports of 2123 for GTP-C and 2152 for GTP-U.

Note that the GTP version will be explicitly specified in this example for clarity, even though it defaults to the required value of GTPv2 for LTE.

Command-Line Interface

A. Define a new GTPInspectionProfile:

System:/> add GTPInspectionProfile my_s8_profile
			GTPVersion=GTPv2
			DownlinkSourceInterface=if1
			DownlinkNetwork=s_gw_net
			UplinkSourceInterface=if2
			UplinkNetwork=p_gw_net

B. Define an IPRule that allows GTP-C traffic to the P-GW:

System:/> cc RuleSet IPRuleSet main
System:/IPRuleSet/main> add IPRule Action=Allow
			Service=gtpc-udp
			SourceInterface=if1
			SourceNetwork=s_gw_net
			DestinationInterface=if2
			DestinationNetwork=p_gw_net
			Name=my_gtp_uplink_rule
			GTPInspectionProfile=my_s8_profile

C. Define an IPRule that allows GTP-C traffic from the P-GW:

System:/> cc RuleSet IPRuleSet main
System:/IPRuleSet/main> add IPRule Action=Allow
			Service=gtpc-udp
			SourceInterface=if2
			SourceNetwork=p_gw_net
			DestinationInterface=if1
			DestinationNetwork=s_gw_net
			Name=my_gtp_downlink_rule
			GTPInspectionProfile=my_s8_profile

The gtpinspection CLI Command

The CLI command gtpinspection can provide a summary of the activity of GTPInspectionProfile objects For example, the command with the -show option will display the current state of all profile objects:

System:/> gtpinspection -show=brief
		
                                 Active GTP-C Sessions

ID  Age  Orig                          Term                           
--  ---  ----------------------------  -----------------------------  
1   92   if2:192.168.20.210:2123:0x7a  if2:192.168.20.220:2123:0x443  
2   79   if2:192.168.20.210:2123:0x87  if2:192.168.20.220:2123:0x451  

Version   Bearers
--------  -------
GTP-C v2  1
GTP-C v2  1

This is equivalent to using the gtpinspection command with no options. The above output shows two active GTP sessions. The Orig (origin) and Term (termination) columns listing the IP address and port number plus a hexadecimal Tunnel Endpoint Identifier (TEID) value.

Many filtering options exist to limit the scope of the output. For example, the following command would show the activity for only the GTPInspectionProfile object called my-gtp-profile.:

System:/> gtpinspection -show -profile=my-gtp-profile

The -close option can be used to close the current sessions on a particular profile or all profiles. For example, the following command will close all active GTP sessions currently active through the profile object called my-gtp-profile:

System:/> gtpinspection -close -profile=my-gtp-profile

Closing a flow can be useful where there is a need to force the GTP endpoints to reestablish sessions and bearers.

The full list of gtpinspection command options can be found in the separate CLI Reference Guide.

GTP Inspection Snooping

The gtpinspection command also has a -snoop option which allows GTP interactions and traffic to be monitored in real time with details of GTP interactions displayed on the console as they occur. The snooping option must be first enabled and then left to run. For example, the following command would enable snooping for the profile object called my-gtp-profile and might result in the accompanying output:

System:/> gtpinspection -snoop=brief -profile=my-gtp-profile
		
Setting GTP snoop level to 'brief' with filter:
  profile=my-gtp-profile origiface=any
  origip=0.0.0.0/0,::/0 termip=0.0.0.0/0,::/0
SNOOP: my-gtp-profile : <UDP if2;192.168.20.21:2123 -> 192.168.20.22:2123>
<UDP if2;192.168.20.22:2123 -> 192.168.20.21:2123>, Type: Echo request

The option -snoop=full will provide more extensive details on the GTP activity, such as the following truncated example, which shows just the initial session request:

System:/> gtpinspection -snoop=full -profile=my-gtp-profile
		
Setting GTP snoop level to 'full' with filter:
  profile=my-gtp-profile origiface=any
  origip=0.0.0.0/0,::/0 termip=0.0.0.0/0,::/0
SNOOP:  GTPINSPECTION-2  : if1:192.168.20.21:2123 -> 
if2:192.168.20.22:2123
        GTP Version: GTPv2-C
        Type: Create Session Request (32)
        Length: 124
        TEID: 0x0
          IE (Information Elements): 9
            IMSI: 2400100
            MSISDN: 466609700000
            RAT Type: EUTRAN (WB-E-UTRAN) (6)
            F-TEID: (TEID: 0x3c8, Ifacetype: 6, 192.168.20.21)
            APN: test
            Bearer Context:
              IE (Grouped): 3
                EBI: 5
                Bearer Level Quality of Service:
                F-TEID: (TEID: 0x3cd, Ifacetype: 4, 192.168.20.22)
            PDN Type:
            PAA: 10.10.3.200
            Recovery: 1

Using the -snoop=off option will terminate all snooping activity:

System:/> gtpinspection -snoop=off

Chapter 20: Events and Logging

20.1. Overview

The ability to log and analyze system activities is an essential feature of cOS Stream. Logging enables not only the monitoring of system status and health, but also allows auditing of network usage and assists in trouble-shooting.

Log Message Generation

A large number of different log event messages can be generated as a result of associated system events. Examples of such events are the establishment and ending of flows, receipt of malformed packets and the dropping of traffic according to filtering policies.

Log events are always generated for certain aspects of cOS Stream such as buffer usage, DHCP clients, high availability and IPsec. The generation of events for other subsystems such as DHCP Relay, DHCP Servers and IP Rules can be enabled as needed.

Event Types

Several hundred events exist for which log messages can be generated. The events range from high-level, customizable, user events down to low-level and mandatory system events.

The flow_open event, for example, is a typical high-level event that generates an event message whenever a new flow is established, given that the matching security policy rule has defined that event messages should be generated for that flow.

An example of a low-level event would be the startup_normal event, which generates a mandatory event message as soon as the system starts up.

Message Format

All event messages have a common format, with attributes that include category, severity and recommended actions. These attributes enable easy filtering of messages, either within cOS Stream prior to sending to an event receiver, or as part of the analysis after logging and storing messages on an external log server.

A list of all event messages can be found in the separate cOS Stream Log Reference Guide. The document also describes the design of event messages, the meaning of severity levels and the various attributes available.

Event Severity

The severity of each event is predefined and it can be, in order of severity, one of:

Emergency
Alert
Critical
Error
Warning
Notice
Info
Debug

By default, cOS Stream sends all messages of level Info and above to configured log servers. The Debug category is not sent by default and is intended for troubleshooting only and should only be turned on if required when trying to solve a problem. All log messages of all severity levels are found listed in the separate cOS Stream Log Reference Guide.

The Dynamic Severity

There is an additional severity type called Dynamic which does not fit into the progressive severity list given above. A severity of Dynamic means that the severity of the log event can change. There are two uses for this severity type:

cOS Stream can set the severity of the event to a specific level to indicate that the triggering condition has not been dealt with.
The severity of the event can be explicitly set by the administrator.

The logtrace Parameter

All log event messages contain a parameter called logtrace which is assigned an integer value. This value is used by Clavister support specialists during troubleshooting to determine where in the system the log message originated since the same log message can potentially be generated from more than one place within cOS Stream.

Log Receivers

To distribute and log the event messages generated by cOS Stream, it is necessary to define one or more event receivers that specify what events to capture, and where to send them.

cOS Stream can be configured to distribute log event messages in different ways:

Real-Time Log Event Display with the log Command

The CLI console can act as a log receiver, displaying new log messages as they are generated in real-time. The feature can be turned on using the CLI log command.

This receiver type is discussed further below in Section 20.2, Using the log Command.
Syslog Receivers

An external server that will collect Syslog log messages sent by cOS Stream can be defined with a LogReceiverSyslog object. Syslog is the de-facto standard for logging events from network devices. If other network devices are already logging to Syslog servers, using Syslog with cOS Stream log messages can simplify overall administration.

This receiver type is discussed further below in Section 20.3, Logging to Syslog Servers.
SNMP Traps

An LogReceiverSNMP2c object can be defined for an external server that will collect SNMP Trap log messages sent by cOS Stream. Such receivers are typically used to collect and respond to critical alerts from network devices.

This receiver type is discussed further below in Section 20.5, SNMP Traps.

20.2. Using the log Command

Log event messages can be displayed in real-time on a CLI console by entering the command:

System:/> log -on

All messages are then displayed as they are generated as well as being sent to any configured log servers.

To switch off logging, use the command:

System:/> log -off

The key combination Ctrl-C can also be used to terminate message display at the console.

A typical sequence of turning on, then turning off logging is shown below with one intervening log message:

System:/> log -on
Logging on

LOG: Jun 17 00:22:20 RULE: prio=Warning id=00000 event=no_route_to_source
     iface=wan srcip=172.22.0.5 pkt_flowdir=n/a 
     pkt_srchw=00:1b:11:5a:0e:c9 pkt_ipver=4 pkt_proto=IGMP pkt_recvif=wan
     pkt_srcip=172.22.0.5 pkt_destip=239.255.255.100 
     pkt_srcport=0 pkt_destport=65178 action=drop logtrace=02404889
     
System:/> log -off
Logging off

System:/>

Each new log message is preceded by the text "LOG:".

Limiting Message Display

With large numbers of log messages being generated, it can be useful to limit the number of messages displayed. The -rate option of the log command restricts the number of messages per second that are displayed with the excess being discarded. For example, to limit the displayed rate to one message per second, enter the command:

System:/> log -on -rate=1

Another way to limit the total number of log messages displayed is by using the -num option. For example, if only one log message is to be displayed before logging is disabled, the following CLI command would be used:

System:/> log -on -num=1
Logging on

LOG: Jun 17 00:22:20 RULE: prio=Warning id=00000 event=no_route_to_source
     iface=wan srcip=172.22.0.5 pkt_flowdir=n/a 
     pkt_srchw=00:1b:11:5a:0e:c9 pkt_ipver=4 pkt_proto=IGMP pkt_recvif=wan
     pkt_srcip=172.22.0.5 pkt_destip=239.255.255.100 
     pkt_srcport=0 pkt_destport=65178 action=drop logtrace=02404889
     
Received 1 logs. Closing due to limit.

System:/>

See the separate CLI Reference Guide for a description of log command options.

Using Filters

It is possible to specify a range of different filter parameters with the log so that only log events that match a specific set of criteria are displayed.

Consider a simple example of only seeing log event messages where the source interface is if2. The CLI command to start logging would be:

System:/> log -on -srciface=if2

Not all log events have a source interface specified. Most rules, such as IP rules, would have this field. Another optional parameter that is like this is -action=. This would typically be related to the action of an IPRule object generating an event message although some other configuration objects can have an associated action.

One of the most useful filtering parameters is ID where a particular log event ID is of interest, regardless of what is generating it. Leading zeros are not required. For example:

System:/> log -on -ID=00600001

Note that the entire ID must be specified, including leading zeros. All log event ID numbers are listed in the separate Clavister NetShield Firewall Log Event Reference Guide.

Filtering can be built up into combinations of criteria:

System:/> log -on -ID=00600001 -srciface=if2

With combinations there is a logical AND between the criteria so all have to be true for the event to appear.

If he filtering parameters are to be changed, then a new log command needs to be issued with the -on option. For example, if we are now interested in the same log ID on the if3 port, the command would be:

System:/> log -on -ID=00600001 -srciface=if3

Note that this new command also terminates the execution of any previously issued log -on command.

Instead of specifying a specific field, it is possible to filter events using a general text field. For example, if the only events to be displayed are ones that contain the IP address 203.0.113.12, the CLI command could be:

System:/> log -on -text=203.0.113.12

A refinement of this is to use a regular expression. If we are only interested in events that contain at least one IP address string beginning with 203.0.113. then the CLI command could be:

System:/> log -on -regexp=203\.0\.113\.\d{1,3}

These text based filters will search the entire log event message searching for a match.

All of the log command's options are listed in the separate Clavister NetShield Firewall CLI Reference Guide.

20.3. Logging to Syslog Servers

Overview

Syslog is a standardized protocol for sending log data although there is no standardized format for the log messages themselves. The format used by cOS Stream is well suited to automated message processing, filtering and searching.

Although the exact format of each log entry depends on how a Syslog receiver works, most are very much alike. The way in which logs are read is also dependent on how the Syslog receiver works. Syslog daemons on UNIX servers usually log to text files, line by line.

Message Format

Most Syslog recipients preface each log entry with a timestamp and the IP address of the machine that sent the log data:

Feb 5 2000 09:45:23 firewall.ourcompany.com

This is followed by the text the sender has chosen to send.

Feb 5 2000 09:45:23 firewall.ourcompany.com EFW: DROP:

Subsequent text is dependent on the event that has occurred.

In order to facilitate automated processing of all messages, cOS Stream writes all log data to a single line of text. All data following the initial text is presented in the format name=value. This enables automatic filters to easily find the values they are looking for without assuming that a specific piece of data is in a specific location in the log entry.

	Note: The Prio and LogSeverity fields
	The Prio= field in Syslog messages contains the same information as the LogSeverity field for Clavister Logger messages. However, the ordering of the numbering is reversed.

The Syslog ALG

cOS Stream provides an ALG that can filter Syslog traffic as it passes through the firewall. The ALG is not applicable to Syslog traffic generated by the firewall itself. This feature is fully explained in Section 10.5, Syslog ALG.

Example 20.1. Enable Logging to a Syslog Host

In this example, logging will be enabled for all events with a severity greater than or equal to Notice to a Syslog server with IPv4 address 10.1.1.3. The logical name for the receiver in cOS Stream will be my_syslog.

Command-Line Interface

System:/> add LogReceiver LogReceiverSyslog my_syslog IPAddress=10.1.1.3

	Note: Syslog servers may need configuring
	Syslog servers may have to be configured appropriately to receive log messages from cOS Stream. Please refer to the documentation the specific Syslog server software in order in order to configure it correctly.

Limiting the Sending Rate

The configuration of a log receiver can also include the property SendRateLimit. This setting specifies how many log messages cOS Stream may send per second. Log messages that exceed this limit are dropped. The default value is 2000 messages per second.

This setting can be useful in scenarios where the receiving log server might become overloaded. The value should never be set too low, as this may result in important events not being logged.

20.4. Filtering Log Messages

It is possible to specify filters which decide which messages are sent to a log receiver. This can be done in either or both the following ways:

By specifying the LogSeverity property of a log receiver object. This means that only messages of the severities specified will be generated.
By associating one or more LogReceiverMessageException objects with a log receiver object. Each LogReceiverMessageException object can specify a set of filtering criteria which can include the category, ID or severity of messages and specify if the filtered messages are to be sent or not sent.

Multiple LogReceiverMessageException objects associated with a log receiver will be processed sequentially looking for a match. This processing will stop as soon as one exception triggers.

These methods are described next.

Filtering on Log Severity

The optional LogSeverity property of a log receiver object can be used to specify what severities are sent to the receiver. By default, all log messages except those with the Debug severity are sent. However, an administrator may only want certain severities sent. For example, it might be desirable to send only Emergency and Alert messages and no other severities.

This is achieved by setting the LogSeverity property to a list of the severities to be sent. For example, if only the Alert severity is specified then only that severity will be sent.

Example 20.2. Configuring the Log Severity Property

In this example, it is assumed that a Syslog server has already been configured in cOS Stream with the logical name my_syslog. The aim is to have only the log messages with a severity of Emergency or Alert sent to this server.

Command-Line Interface

System:/> set LogReceiver LogReceiverSyslog my_syslog
			LogSeverity=Emergency,Alert

Log Receiver Message Exceptions

After the LogSeverity property is applied, any associated LogReceiverMessageException filters are applied. These exceptions can explicitly include or exclude log messages of certain types for sending to the log server.

LogReceiverMessageException objects are created as one or more children to the log receiver object. Each child object acts as a filter for its parent and can have a combination of the following properties:

LogCategory

This property is optional and specifies the category, or categories, of log messages that will be filtered out by the exception. For example, the following would filter out all messages that have a log category of ARP :
```
			LogCategory=ARP
```
A log event message can belong to more than one category. A match is found when any of the log message's categories matches the specified category.

It is possible to specify a list of categories for the filter. If this is done then the message must belong to all the specified categories to be caught. For example, the following would filter out messages that belong to both the ARP category and the VALIDATE category :
```
			LogCategory=ARP,VALIDATE
```
It is possible to specify that something should not be in a category by preceding the category name with a minus "-" sign. For example, the following would specify all log messages not in the ARP category :
```
			LogCategory=-ARP
```
Categories that must be present can be combined with categories that should not. For example, the following specifies that filtered messages must belong to the category ARP but should not belong to the category VALIDATE :
```
			LogCategory=ARP,-VALIDATE
```

LogID

This specifies a specific log message ID to which the filter applies. The ID of specific log messages can be found in the separate Clavister NetShield Firewall Log Reference Guide. The LogID property is treated as a string value and any leading zeros can be omitted. For example, to filter for the log message with the ID of 269 :
```
			LogID=269
```
Since this identifies a unique message, neither LogCategory or LogSeverity properties should be specified along with the ID.

If the LogID is not specified then it defaults to "*" which is all IDs. This can also be explicitly stated as :
```
			LogID=*
```

Action

This is a mandatory property and can be one of the following:
1. EXCLUDE (the default)
  
  This will exclude the filtered log messages from being sent to the receiver.
2. INCLUDE
  
  This will include the filtered log messages for sending to the log receiver.

LogSeverity

This is an optional property to specify that the severity level will be filtered. To filter all messages with a severity of Emergency :
```
			LogSeverity=Emergency
```
Multiple severities can be specified. To filter out all messages with either a severity of Emergency or Alert :
```
			LogSeverity=Emergency,Alert
```
As discussed before, filtering is for only the severities specified. There is no automatic inclusion of lesser or greater severities.

	Note: The log event message severity cannot be changed
	Each log event message has a single severity already assigned to it. This severity is fixed and cannot be changed. Each message's severity is documented in the separate Clavister NetShield Firewall Log Reference Guide.

Example 20.3. Adding a Log Message Exception

In this example, it is assumed that a Syslog server has already been configured in cOS Stream with the logical configuration name my_syslog. The requirement is to exclude the log message 161 ("Failed to Rekey IKE SA").

Command-Line Interface

First, change the current context to be the log receiver object:

System:/> cc LogReceiver LogReceiverSyslog my_syslog

Now, add the message exception:

System:/LogReceiverSyslog/my_syslog> add LogReceiverMessageException
			LogID=161
			Action=EXCLUDE

All the message exceptions can be listed for this receiver:

System:/LogReceiverSyslog/my_syslog> show

LogReceiverMessageException

  # Category Log Message ID Action
  - -------- -------------- -------
+ 1 IKE      161            EXCLUDE

Note that the object gets a unique index number to identify it, in this case 1, and this is used to refer to the exception in the CLI.

Finally, change back to the default CLI context:

System:/LogReceiverSyslog/my_syslog> cc
System:/>

20.5. SNMP Traps

The SNMP protocol

Simple Network Management Protocol (SNMP) is a means for communicating between a Network Management System (NMS) and a managed device. SNMP defines 3 types of messages: a Read command for an NMS to examine a managed device, a Write command to alter the state of a managed device and a Trap which is used by managed devices to send messages asynchronously to an NMS about a change of state. This section discusses how to set up SNMP trap message generation in cOS Stream, using both the SNMP2c and SNMPv3 trap standards.

	Note: SNMP Trap standards used by cOS Stream
	cOS Stream sends SNMP2c traps which are based on the SNMPv2c standard defined by RFC1901, RFC1905 and RFC1906. The SNMPv3 traps sent by cOS Stream conform to RFC 3413, RFC 3414 and RFC 3415.

The SNMP Trap MIB File

The file CLAVISTER-STREAM-TRAPS.mib is included with the system software. This defines the available objects and data types that are used to describe an SNMP Trap message received from cOS Stream.

The file can be downloaded directly from cOS Stream using SCP. For example, a typical command line to download all .mib files via the admin user could be the following:

> scp admin@192.168.1.17:/*.mib .

The SCP client should then prompt for the password.

Types of Trap Receiver

The SNMP traps generated by cOS Stream can be sent to receivers defined by two types of configuration objects:

Log receiver objects.
Trap receiver objects.

A configuration object can be created for either of these types for both SNMP2c and SNMPv3 and these are listed below. The only difference between the SNMP2c object and its SNMPv3 counterpart is the addition of the option to provide authentication and/or encryption with SNMPv3 receivers.

SNMP Trap Receiver Objects Types

The following types of SNMP trap receiver objects can be configured in cOS Stream:

LogReceiverSNMP2c

A LogReceiverSNMP2c object processes any log events it is configured to receive and will send those events using a Generic OID that is the same for all events. The LogSeverity property determines which severities are sent and it defaults to Emergency, Alert, Critical, Error, Warning, Notice, Information.

A LogReceiverSNMP2c object can optionally have one or more LogReceiverMessageException objects added as children. Each exception has an Action property which can be set to Exclude or Include for a filtering combination of log category, severity and ID.
TrapReceiverSNMP2c

A TrapReceiverSNMP2c object uses unique OIDs and can only send certain Standard and Enterprise events. The TrapCategory property determines which types of traps are sent and it defaults to STARTUP,LINK,SNMP.

A TrapReceiverSNMP2c object can optionally have one or more TrapException objects added as children. Each TrapException object has an Action property which can be set to Exclude or Include for specific log IDs.
LogReceiverSNMP3

This is similar to the LogReceiverSNMP2c object but with the addition of optional authentication/encryption. One or more optional child LogReceiverMessageException objects can be added to a parent LogReceiverSNMP3 object and these function in the same way as described previously for a LogReceiverSNMP2c object.
TrapReceiverSNMP3

This is similar to the TrapReceiverSNMP2c object but with the addition of optional authentication/encryption. One or more optional child TrapException objects can be added to a parent TrapReceiverSNMP3 object and these function in the same way as described previously for a LogReceiverSNMP2c object.

Note that the IP address of any of the above types of receiver can be specified as either an IPv4 or IPv6 address.

Exception Processing Logic

There is a logical OR relationship between any receiver parent object and its child exception objects. This mean that exceptions can override filtering so that even if the parent object includes/excludes an event, a child exception could still exclude/include it.

SNMPv3 Security and Encryption

In contrast to SNMP2c receiver objects, the LogReceiverSNMP3 and TrapReceiverSNMP3 objects can optionally provide encryption and/or authentication by setting their SecurityLevel property to one of the following values:

NoAuthNoPriv - No authentication and no encryption.
AuthNoPriv - Authentication but no encryption.
AuthPriv - Authentication and AES encryption.

If authentication is enabled, the AuthenticationMethod property can be used to set the method. This defaults to HMAC-SHA1-96 but can be set to the alternative value of HMAC-MD5-96.

The credentials required for authentication are specified by the object properties UserName, AuthenticationPassword and PrivacyPassword.

If encryption is enabled, cOS Stream will use only AES encryption. DES encryption (as specified in the SNMPv3 RFC) is not supported as this is now considered to be insecure.

Event Types Sent to Receivers

The types of events that cOS Stream can send to SNMP receivers are the following:

Generic

These are events which use the generic OID. Such events will be sent to the server defined by any configured LogReceiverSNMP2c or LogReceiverSNMP3 object, if allowed by the object's filtering properties.
Standard

These are standard system events, such as coldStart, which have a unique OID. This OID does not contain the Clavister vendor ID. Such events will be sent to the server defined by any configured TrapReceiverSNMP2c or TrapReceiverSNMP3 object, if allowed by the object's filtering properties.
Enterprise

These are firewall specific system events, such as HA related events, which have a unique OID and this OID contains the Clavister vendor ID. Such events will be sent to any TrapReceiverSNMP2c or TrapReceiverSNMP3 configured, if allowed by the object's filtering properties.

The Log Event and Trap Reference Guides

Standard events and Specific Enterprise events are listed in the Clavister NetShield Firewall Log Reference Guide as well as the separate Clavister NetShield Firewall Trap Event Reference Guide. Such double listed events will include the following extra information in the Log Reference Guide: SNMP Trap Category, SNMP Trap MIB Name and SNMP MIB OID.

Any event listed in the Log Reference Guide or Trap Event Reference Guide can become a generic enterprise trap event by using the appropriate filtering with a configured LogReceiverSNMP2c LogReceiverSNMP3 object.

All events have a unique LogID identifier which can be found in either of the two reference guides and this can be used with filtering.

The Generic Trap Object

Generic Enterprise events use a common trap object called OSGenericTrap. This generic object includes the following properties:

System - cOS Stream generating the message.
Severity - The severity of the message.
Category - What subsystem is generating the message.
ID - A unique identifier for the message.
Description - A short textual description of the condition.
Action - What action is being taken by cOS Stream, if any.
Parameters - A formatted string with all parameters from the corresponding log message.

The SNMP Reboot Counter

cOS Stream has an SNMP reboot counter which will normally increment following a system restart. With SNMPv3, this counter acts as a way to prevent replay attacks and also as a seed value for message encryption. The counter has a maximum value of 2,147,483,647 and will start at the value 1 after cOS Stream starts for the first time.

Normally, the SNMP reboot counter should never reach its maximum value. However, the following should be noted about the counter's behavior:

The reboot counter is reset to zero when a firewall is reset to its factory defaults.
The reboot counter is not saved as part of a system backup.
If, for some reason, cOS Stream is unable to read the file containing the reboot counter then it will set the counter to its maximum value.
When the reboot counter reaches its maximum value, a warning message is generated by cOS Stream and the counter will remain at that value if no further action is taken by the administrator. While the counter stays at its maximum, cOS Stream will not send any authenticated SNMPv3 responses or authenticated SNMPv3 trap messages. If authentication is not enabled then message sending will not be affected.

Note that SNMPv3 polling will also cease to work when the reboot counter reaches its maximum if it is also using authentication.
The reboot counter will be reset to zero if the SNMPv3 engine ID is changed by the administrator and how to do this is described later in this section.

Changing the SNMPv3 Engine ID

The global configuration setting SNMPv3EngineID determines the value for the current SNMPv3 engine ID. This property is set to Auto by default which means that the engine ID is an auto-generated value based on the MAC address of the first Ethernet interface in the firewall's configuration.

Alternatively, the SNMPv3EngineID property can be set to a specific new ID value, in which case the reboot counter will also be reset when the change is made. The ID is specified as a string of up to 27 characters in length, with no white space included. For example:

System:/> set Settings RemoteMgmtSettings SNMPv3EngineID="MyFirewall"

SNMP Trap Setup Examples

The examples below show how setup can be performed for all the SNMP trap receiver types.

Example 20.4. Setting Up a LogReceiverSNMP2c Object

In this example, generic enterprise and specific enterprise SNMP traps are to be sent for events with a severity equal to Emergency to an SNMPv2 server with the IP address 203.0.113.5.

Command-Line Interface

System:/> add LogReceiver LogReceiverSNMP2c my_receiver
			IPAddress=203.0.113.5
			LogSeverity=Emergency

Example 20.5. Setting Up a TrapReceiverSNMP2c Object

In this example, standard and/or specific enterprise SNMP traps are to be sent for events with a category value of STARTUP. These are to be sent to a trap server with the IP address 203.0.113.7.

Command-Line Interface

System:/> add LogReceiver TrapReceiverSNMP2c my_traps
			IPAddress=203.0.113.7
			TrapCategory=STARTUP

Example 20.6. Setting Up a LogReceiverSNMP3 Object

In this example, generic enterprise and specific enterprise SNMP traps with a severity equal to Emergency are to be sent to an SNMPv3 server with the IP address 203.0.113.5.

An exception will be added so that any log message with the ID 275 will always be sent to the receiver.

Both SHA-1 authentication and AES encryption will be enabled so the SecurityLevel property is set to AuthPriv.

Command-Line Interface

Add the log receiver:

System:/> add LogReceiver LogReceiverSNMP3 my_v3_receiver
			IPAddress=203.0.113.5
			LogSeverity=Emergency
			SecurityLevel=AuthPriv
			UserName=my-username
			PrivacyPassword=my-privacy-password
			AuthenticationPassword=my-auth-password

Add the exception to the receiver:

System:/> cc LogReceiver LogReceiverSNMP3 my_v3_receiver
System:/LogReceiver/my_v3_receiver> add LogReceiverMessageException
			LogID=275
			Action=Include

Example 20.7. Setting Up a TrapReceiverSNMP3 Object

In this example, standard and/or specific enterprise SNMP traps with a category value of STARTUP are to be sent to an SNMPv3 server with the IP address 203.0.113.7.

An exception will be added so that any log message with the ID 275 will always be sent to the receiver.

Both SHA-1 authentication and AES encryption will be enabled so the SecurityLevel property is set to AuthPriv.

Command-Line Interface

Add the trap receiver:

System:/> add LogReceiver TrapReceiverSNMP3 my_v3_traps
			IPAddress=203.0.113.7
			TrapCategory=STARTUP
			SecurityLevel=AuthPriv
			UserName=my-username
			PrivacyPassword=my-privacy-password
			AuthenticationPassword=my-auth-password

Add the exception to the receiver:

System:/> cc LogReceiver TrapReceiverSNMP3 my_v3_traps
System:/LogReceiver/my_v3_traps> add TrapException
			LogID=275
			Action=Include

Chapter 21: DHCP

21.1. Overview

IP Address Assignment

Dynamic Host Configuration Protocol (DHCP) is a protocol that allows the automatic assignment of IPv4 addresses to connecting hosts and clients. The task of assigning addresses to connecting DHCP clients is performed by a DHCP Server. The Clavister NetShield Firewall can behave as a DHCP server.

With DHCP, assigned addresses come from a predefined IPv4 address pool which the DHCP server manages. When the server receives a DHCP request, it returns a set of parameters to the client in a unicast message. These parameters typically include assigned IPv4 addresses, MAC address, domain name, and a DHCP Lease.

DHCP Leases

Compared to static IP assignment where the client can be said to own the address, a DHCP server leases addresses to each client for a predefined period of time. During the lifetime of the lease, the client has permission to keep the assigned address and is guaranteed to have no address collision with other clients which also receive leases from the same DHCP server.

Lease Expiration

Before the expiration of a lease, the client must renew the lease from the server in order to keep using assigned IPv4 addresses. Alternatively, the client may decide at any time that it no longer requires a lease and can terminate it, releasing IP addresses back to the pool.

The lease time can be configured in the DHCP server by the administrator.

21.2. DHCP Servers

A DHCP server hands out the IPv4 addresses taken from a specified IP address range. The DHCP server is not limited to serving a single range of IPv4 addresses but can use any IPv4 range that can be specified by an address book object.

This section describes how to set up a DHCP server and also the options that are available for a server.

21.2.1. Defining DHCP Servers

In the system there exists only one, single DHCPServer object. This exists as a predefined object in a configuration and by default, does nothing.

In order to activate the DHCP function, a DHCPServerRule object must be added to the DHCPServer object as a child. In order for the DHCP server to respond there must be a match with both of the following DHCPServerRule properties.

Interface

This is the system interface on which the DHCP requests are received.

This should be set to core if DHCP will hand out addresses to fill an IPPool being used with an IPsec tunnel. This is discussed further in Section 13.3.3, IKE Config Mode.
RelayerFilter

The relayer IP address in the IP packet is also used to determine the server. The default value of all-nets-ip4 means that any IPv4 address is acceptable and only the interface match is considered. The other options for this property are described further below.

There can be many DHCPServerRule objects added to the DHCPServer object. Each can define different properties.

Searching the Server List for Matches

Multiple DHCPServerRule objects will form a list, the last one defined being at the bottom of the list. When cOS Stream searches for a DHCPServerRule to service a request, it goes through the list from top to bottom and uses the first rule it finds with a matching combination of interface and relayer IP filter value. If there is no match in the list then the request is ignored.

Providing Multiple Matching Rules

Sometimes it is desirable to provide more than one rule with the same triggering criteria. The rule property AllowFurtherMatching has a default value of Yes and this means that if the matching rule cannot provide an IP address for some reason (the available IPs might be exhausted), scanning of the rules will continue for another match.

Using Relayer IP Filtering

As explained above, a DHCPServerRule is selected based on a match of both the interface and the relayer IP filter. The possible values for the RelayerFilter property are as follows:

all-nets-ip4

The default value is all-nets-ip4 (0.0.0.0/0). This means all DHCP requests will match this filter value regardless if the DHCP requests comes from a client on the local network or has arrived via a DHCP relayer.
A value of 0.0.0.0

The value 0.0.0.0 will match DHCP requests that come from a local client only. DHCP requests that have been relayed by a DHCP relayer will be ignored.
Specific IP addresses.

This is an IP address filter for the DHCP relayer through which the DHCP request has come. Requests from local clients or other DHCP relayers will be ignored.

DHCP Server Rule Properties

The following are the full list of properties for a DHCPServerRule object:

Name

A symbolic name for the server. Used as an interface reference but also used as a reference in log messages.

AllowFurtherMatching

If the rule cannot provide an IP, are the rules searched for another match. This is enabled by default.

Interface

The source interface on which cOS Stream will listen for DHCP requests. This can be a single interface or a group of interfaces. It can also be specified as core when the rule is providing addresses to the IPPool object of an IPsec tunnel.

IPAddressPool

An IP range, group or network that the DHCP server will use as an IP address pool for handing out DHCP leases.

Netmask

The netmask which will be sent to DHCP clients.

DefaultGateway

This specifies what IP should be sent to the client for use as the default gateway (the router to which the client connects).

Domain

The domain name used for DNS resolution. For example, somedomain.com.

LeaseTime

The time, in seconds, that a DHCP lease is provided. After this time the DHCP client must renew the lease.

	Note
	In telecom applications, such as I-WLAN deployments, the recommended setting for the lease time is 86,400 seconds (equivalent to 24 hours).

DNS1

The IP of the primary DNS server.

DNS2

The IP of the secondary DNS server.

NBNS1

IP of the primary Windows Internet Name Service (WINS) server that are used in Microsoft environments which uses the NetBIOS Name Servers (NBNS) to assign IP addresses to NetBIOS names.

NBNS2

IP of the secondary Windows Internet Name Service (WINS) server.

NextServer

Specifies the IP address of the next server in the boot process. This is usually a TFTP server.

Example 21.1. Activating a DHCP server

This example shows how to activate a DHCP server by adding a DHCPServerRule called my_dhcp_rule to the DHCPServer object.

The rule will hand out the addresses defined in an IPv4 object called my_dhcp_range which already exists in the address book. Requests will arrive on the if1 interface and the netmask handed out will be 255.255.255.0.

Command-Line Interface

First, change to the DHCPServer context:

System:/> cc DHCPServer

Now, add a DHCPServerRule object:

System:/DHCPServer> add DHCPServerRule my_dhcp_rule
			Interface=if1
			IPAddressPool=my_dhcp_range
			Netmask=255.255.255.0

To change back to the default CLI context:

System:/DHCPServer> cc

Finally, commit the configuration changes in the normal way.

The rule name my_dhcp_rule is used in the dhcpserver command to manage the rule.

Using the dhcpserver CLI Command

DHCP operation can be managed using the CLI command dhcpserver. For example, to get a brief summary of DHCP operations since the last restart or reconfiguration:

System:/> dhcpserver -information

DHCP Server general information:

Log enabled                         : TRUE
Blacklist Timeout                   : 3600s
Autosave the lease database to disk : Disabled.
DHCP Server up running time         : 3052s

To see a summary of DHCP server activity:

System:/> dhcpserver -statistics
				
Rejected count:               : 54

Rule Name                     : ServerRule1
  Usage                       : 100
  Usage percentage            : 2%
  Active clients              : 50
  Active clients percentage   : 1%
  Pool size                   : 5000
  Rejected count              : 50

Rule Name                     : ServerRule2
  Usage                       : 5
  Usage percentage            : 100%
  Active clients              : 3
  Active clients percentage   : 60%
  Pool size                   : 5
  Rejected count              : 2

In the above output, the Rejected count is all IPs rejected by either client or server. Some rejections occur before reaching a rule so the total may be higher than the sum of rule rejections. The Usage is the IP pool size minus the free IPs. The Active clients is the current number of active leases.

To see a summary of the current DHCP server rule set:

System:/> dhcpserver -rules

To display the mappings of IPv4 addresses to MAC addresses from allocated leases:

System:/> dhcpserver -mappings

                      DHCP Server mappings:

Rule          Client IP    MAC/Identifier       Status    Static
------------  -----------  -------------------  --------  ------
ServerRule2  172.22.12.2   <18:04:73:e4:d0:19>  INACTIVE  STATIC
ServerRule1  10.6.12.254   [01005056c00002]     INACTIVE  STATIC

The [identifier] means that the DHCP server is not tracking the client using a MAC address but instead tracks it using the identifier given by the client to the server.

To see a list of the current DHCP server leases:

System:/> dhcpserver -leases
				
Active DHCP leases:

Rule         Iface    Client MAC/Identifier       Client IP  Expire
-----------  -------  --------------------------  ---------  ------
ServerRule1  dev_le0  [01100000f418490000000002]  10.6.12.2  15419s

The DHCP Server Blacklist

Sometimes, an IP address offered in a lease is rejected by the client. This may be because the client detects that the IP address is already in use by issuing an ARP request. When this happens, the server is informed and cOS Stream then adds that rejected to the DHCP server blacklist.

An IP address only ever stays on the blacklist for a finite amount of time. The duration is controlled by the advanced setting BlackListTimeout.

The CLI can be used to display the DHCP server blacklist with the command:

System:/> dhcpserver -blacklist
				
DHCP Server blacklisted addresses:

Rule         Blacklisted IP  Remaining time
-----------  --------------  --------------
ServerRule1  10.6.12.1       20s

The Remaining time is the time left on the blacklist.

The entire blacklist can be cleared with the command:

System:/> dhcpserver -releaseblacklist
				
Removed 1 blacklisted IP(s)

It is also possible to direct blacklist commands at specific rules by using the -rule parameter.

DHCP Snooping

For troubleshooting purposes, it is possible to examine the client interactions with the DHCP server using the CLI command:

System:/> dhcpserver -snoop=on

Server/client exchanges are then displayed on the CLI console. A typical sequence might be as follows, starting with an IP sent out by the server rule ServerRule1 in response to a client request:

 SNOOP:  DHCPSERVER: ServerRule1: Received DISCOVER from client.
 Sending IP offer. [srchw=10:00:00:f4:18:49] [knownip=10.6.12.1]

Next, the client declines the IP and the server blacklists it:

 SNOOP:  DHCPSERVER: ServerRule1: Client declined IP,
 blacklisted it.[srchw=10:00:00:f4:18:49] [clientip=10.6.12.1]

Then, the client issues another request and another IP is sent:

 SNOOP:  DHCPSERVER: ServerRule1: Received DISCOVER from client.
 Sending IP offer. [srchw=10:00:00:f4:18:49] [knownip=10.6.12.2]

Finally, the client accepts the IP:

 SNOOP:  DHCPSERVER: ServerRule1: Client accepted and bounded with IP
 [srchw=10:00:00:f4:18:49] [clientip=10.6.12.2]

Snooping can be turned off with:

System:/> dhcpserver -snoop=off

It is possible to specify snooping for a specific DHCPServerRule. For example, to enable snooping for ServerRule2, the CLI command would be:

System:/> dhcpserver -snoop=on -rule=ServerRule2

Additional Server Settings

A DHCPServerRule can have two other sets of objects associated with it:

Static Hosts.
Custom Options.

These two rule options are discussed in the sections that follow.

21.2.2. Static DHCP Hosts

Where the administrator requires a fixed relationship between a client and the assigned IPv4 address, cOS Stream allows the assignment of a given IP to a specific MAC address. In other words, the creation of a static host. This is done by adding DHCPStaticPoolStaticHost objects to DHCPServerRule objects as children.

DHCPStaticPoolStaticHost Object Properties

More than one DHCPStaticPoolStaticHost objects can be added as children of a single DHCP server. The following are the important properties:

Host: This is the IPv4 address that will be handed out to the client.
MACAddress: This is the MAC address of the client. Either the MAC address can be used or the alternative Client Identified parameter can be used.
ClientIdent: If the MAC address is not used for identifying the client then the client can send an identifier in its DHCP request. The value of this identifier can be specified as this property. The option exists to also specify if the identifier will be sent as an ASCII or Hexadecimal value.
ClientIdentType: This property specifies if ClientIdent will be sent as an ASCII or Hexadecimal value.

Example 21.2. Static DHCP Host Assignment

This example shows how to assign the IPv4 address 192.168.1.1 to the MAC address 00-90-12-13-14-15. The example assumes that the DHCP server my_DHCPServer has already been defined.

Command-Line Interface

First, change to the my_DHCPServer context:

System:/> cc DHCPServer my_DHCPServer

Next, change to the relevant DHCPServerRule context:

System:/DHCPServer> cc DHCPServerRule my_dhcp_rule

Add the static DHCP assignment:

System:/DHCPServer/my_DHCPServer/my_dhcp_rule> 
			add DHCPServerStaticHost
			Host=192.168.1.1
			MACAddress=00-90-12-13-14-15

21.2.3. DHCP Server Custom Options

It is possible to customize a DHCPServerRule object so the DHCP server sends specific pieces of information to DHCP clients in the DHCP leases that are sent out. This is done by adding DHCPServerCustomOption objects to DHCPServerRule objects as children.

An example of this is certain types of network switches that require the IP address of a TFTP server to be included in the DHCP information sent by the server. The TFTP server is then queried by the switches to get additional network information.

DHCPServerCustomOption Object Properties

The following properties can be specified for a DHCPServerCustomOption property:

Code: This is the code that describes the type of information being sent to the client. A large list of predefined codes exists as part of the DHCP standard.
Type: This describes the type of data which will be sent. For example, if the type is String then the data is a character string.
Param: This is the information that will be sent in the lease. The meaning of what is sent is determined by the specified Code. For example, if the code is 66 (TFTP server name) then the Type might be String and the Param could be tftp.mycompany.com.

Example 21.3. Adding DHCP Server Custom Options

This example adds a custom option for an FTP server to the DHCPServerRule object called my_dhcp_rule.

Command-Line Interface

First, change to the DHCPServer context:

System:/> cc DHCPServer

Next, change to the relevant DHCPServerRule context:

System:/DHCPServer> cc DHCPServerRule my_dhcp_rule

Add the custom options to the rule:

System:/DHCPServer/DHCPServerRule/my_dhcp_rule> 
			add DHCPServerCustomOption
			Code=66
			Type=String
			Param="tftp.mycompany.com"

21.2.4. DHCP Server Advanced Settings

DHCP leases are, by default, remembered by cOS Stream between system restarts. DHCP advanced settings can be adjusted to control how often the lease database is saved to non-volatile memory. These settings are system wide.

There are two advanced settings which apply to the DHCP server and any server rules:

AutoSaveLeasePolicy

The policy for saving the lease database to disk. The options are:
1. Never - Never save the database.
2. ReconfShut - Save the database on a reconfigure or a shutdown. This is the default.
3. ReconfShutTimer - Save the database on a reconfigure or a shutdown and also periodically. The amount of time between periodic saves is specified by the next property, AutoSaveLeaseInterval.
AutoSaveLeaseInterval

The number of seconds between auto saving the lease database to disk. The default value is 86400 seconds.
BlackListTimeout

The number of seconds before an IP is removed from the blacklist. The default value is 36000 seconds.

When an IP address is placed on the blacklist, it only stays there for this amount of time. When the timeout has expired, it is removed from the blacklist and becomes available again for handing out.

Example 21.4. Changing DHCP Server Advanced Settings

This example changes the advanced settings of the DHCP server feature.

Command-Line Interface

System:/> set Settings DHCPServerSettings
			AutoSaveLeaseInterval=3600
			AutoSaveLeasePolicy=ReconfShutTimer

21.3. DHCP Client

All the Ethernet and VLAN interfaces have the ability to act as a DHCP client and have their associated IPv4 addresses dynamically allocated by an external DHCP server. This feature could, for example, be used to receive external IP address information from an ISP's DHCP server so they are assigned to an Ethernet interface for public Internet connection. By default, DHCP is not enabled on Ethernet or VLAN interfaces and it must be explicitly enabled on an individual interface.

Enabling the DHCP Client Feature

Both the EthernetInterface and the VLAN configuration objects have a property called DHCPEnabled. This should be set to Yes to enable DHCP. For example, if the interface name is if1, the command would be:

System:/> set Interface EthernetInterface if1 DHCPEnabled=Yes

DHCP Client Options

If DHCP is enabled for a EthernetInterface or VLAN object, both objects have the following key properties which allow the administrator to control how the interface behaves as a DHCP client.

DHCPPreferredIP

This is optional and specifies the IPv4 address that the client prefers.
DHCPServerFilter

This is an optional address object that specifies what the acceptable IP address range for the DHCP server.
DHCPAdressFilter

This is an optional address object that specifies what the acceptable IP address range for the IP addresses sent by the DHCP server.

Interface Properties for Display Only

The following EthernetInterface and VLAN interface object properties are used only as place holders for information received from a DHCP server so the information can be appear in CLI output:

DHCPPrimaryDNS
DHCPSecondaryDNS
DefaultGateway
DHCPNetwork
DHCPPrimaryNBNS
DHCPSecondaryNBNS

A full list of all DHCP client related properties for the EthernetInterface and VLAN objects can be found in their respective entries in the separate Clavister NetShield Firewall CLI Reference Guide.

Assignment to Interface Address Book Objects

An interface that receives a DHCP lease will already have related address objects in the system address book. It is always these address objects which are used to refer to the IP addresses received. For example, the Ethernet interface if1 will have the following associated address objects in the default configuration:

if1_ip
if1_net
if1_gw
if1_broadcast
if1_dns1
if1_dns2
if1_nbns1
if1_nbns2

The ActiveAddress Property

All address objects have two IP address properties: the statically assigned Address property and the dynamically assigned ActiveAddress property. When a DHCP lease is received and an assignment is done to any of the objects listed above, cOS Stream will assign the address to their ActiveAddress property without changing the Address property. The ActiveAddress now becomes the IP address of the object.

When the ActiveAddress is no longer in use, such as when the DHCP lease expires, the IP address of the object will revert back to the Address property and the ActiveAddress will revert back to a value of <empty>.

Interfaces Always Use Default Address Objects

During address assignment, cOS Stream will also make sure that the objects in the default list shown above are the address objects assigned to the relevant properties of the interface. For example, if the IPAddress property of the EthernetInterface object called if1 has been previously set to the IP address object my_alternative_ip, it will be set back to if1_ip when the interface's IP address is assigned as a DHCP client. This reassignment remains in place even when the DHCP lease ends.

Also note that the DNS server addresses contained in a lease received by the interface if1 will be assigned to the address objects if1_dns1 and if1_dns2.

Viewing Interface Address Changes

When an interface address is assigned using DHCP, both the original IP address and the assigned IP address will be visible when the interface properties are displayed. This is shown in the following example output for the if1 interface (only the first 3 object properties are shown):

System:/> show Address IPAddress if1_ip           

        Property  Value            Remarks
----------------  ---------------  --------------------
           Name:  if1_ip
        Address:  192.168.229.71
  ActiveAddress:  192.168.229.128  Dynamically assigned

Here, the Address is the original IP address and the ActiveAddress has been assigned by DHCP.

The dhcpclient Command

The dhcpclient CLI command displays information relating to the DHCP status of interfaces with the DHCP client option enabled. The dhcpclient command with no options will show the current interfaces with DHCP enabled and their DHCP status. For example, if only the interface if1 is enabled then the output might be as follows:

System:/> dhcpclient
			
                      DHCP Client List

Interface  IP Address    DHCP State              Renew in
---------  ------------  ----------------------  ----------
if1        192.20.2.100  BOUND (for 0h 00m 09s)  0h 30m 0s

Here, the output indicates that the interface if1 is currently BOUND to a lease it received 9 seconds ago from an external DHCP server and the lease is due to be renewed in 30 minutes. The current IP address assigned to the interface is 192.20.2.100.

To expand the above output and examine the current lease on a particular interface, the dhcpclient command can be followed by the interface name:

System:/> dhcpclient if1

  Interface     : if1
  Assigned IP   : 192.20.2.100
  Broadcast IP  : 192.20.2.255
  Gateway IP    : <Empty>
  DNS1 IP       : <Not resolved>
  NBNS1 IP      : <Not resolved>
  DHCPD IP      : 192.20.2.2
  Lease time    : 0h 10m 00s
  Renew in      : 0h 04m 54s
  Rebind in     : 0h 08m 39s
  Expire in     : 0h 09m 54s
  State         : BOUND (for 0h 00m 06s)

The output provides detailed information about the current lease. In the above, some values have not been assigned by the lease such as the gateway and DNS server.

The -snoop Option

The -snoop option of the dhcpclient command allows the administrator to get console output to show the DHCP negotiations that take place.

For example, DHCP snooping is turned on for the if1 interface with the command:

System:/> dhcpclient -snoop=On if1

Information messages like the following sequence will now appear on the console:

SNOOP:  DHCPCLIENT-1  : if1 (0.0.0.0) - Sending DISCOVER
        [request 0.0.0.0] [src 0.0.0.0] [dest 255.255.255.255]
SNOOP:  DHCPCLIENT-17 : if1 (0.0.0.0) - Receiving OFFER
        [offer 192.20.2.100] [src 192.20.2.2] [dest 255.255.255.255]
SNOOP:  DHCPCLIENT-18 : if1 (0.0.0.0) - Sending REQUEST
        [request 192.20.2.100] [src 0.0.0.0] [dest 255.255.255.255]
SNOOP:  DHCPCLIENT-19 : if1 (0.0.0.0) - Receiving ACK
        [offer 192.20.2.100] [src 192.20.2.2] [dest 255.255.255.255]

This sequence indicates how the interface sent out a DISCOVER message and received an OFFER from a server. This was then followed by the client receiving and acknowledging an IP lease from the server.

Snooping is turned of with the following command:

System:/> dhcpclient -snoop=Off if1

A full list of all the dhcpclient command options can be found in the separate Clavister NetShield Firewall CLI Reference Guide.

Chapter 22: High Availability

22.1. Overview

HA Clusters

The High Availability (HA) feature provides hardware redundancy for Clavister NetShield Firewall installations. HA works by adding a back-up slave Clavister NetShield Firewall to an existing master firewall.

The master and slave are connected together and make up a logical HA Cluster. One of the units in a cluster will be active when the other unit is inactive and on standby. The master and slave are also referred to as cluster peers or nodes.

Initially, the cluster slave will be inactive and will only monitor the activity of the master, mirroring the master's internal state as closely as possible. If the slave detects that the master has a malfunction, an HA failover takes place and the slave becomes active, assuming processing responsibility for all traffic.

If the master later becomes operative again, the slave will continue to be active but the master will now monitor and mirror the slave with failover only taking place if the slave malfunctions. This is sometimes known as an active-passive cluster implementation.

The Master and Active Units

When reading this section, it should be kept in mind that the master unit in a cluster is not always the same as the active unit in a cluster.

The active unit is the firewall that is actually processing all traffic at a given point in time. This could be the slave after a failover has occurred.

Connecting Together Cluster Interfaces

Interface pairs should be connected together via switches. Note that inter-device communication is not routable. For supported virtual environments, interface connection is described in detail in the HA section of the separate cOS Stream Virtual Series Getting Started Guide

Note that there should be identical logical naming of the interfaces in each pair.

The Sync Interface

In a cluster, the master and slave must be directly connected to each other by the connection known as the Sync interface. The purpose of the Sync interface is to carry state synchronization traffic between the HA cluster peers and the interface should therefore not be used for normal traffic.

The information transferred over the Sync interface includes state information for the following:

Established flows.
IPsec tunnels.
ALG sessions.
DHCP leases.
Dynamic routes.

In addition, because the configurations of the HA peers must be aligned, their configurations are also sent over the Sync interface.

A matching interface pair on the master and the slave should be dedicated for this purpose, so that the link carries only synchronization traffic. These interfaces need to be connected to each other via a common network segment that is fully separated from other traffic. This can be accomplished by, for example, using a crossover cable or a dedicated switch. In a virtual environment, a dedicated virtual switch can be used for this purpose.

For security reasons and to avoid HA performance problems, connection of Sync interfaces via a shared switch that is also carrying other traffic is not recommended. Such a setup is only acceptable if the switch ports used for sync traffic are isolated from other ports by using VLAN separation or similar.

Setting Up the Sync Interface

To set up the Sync interface, the HAType property of an interface's EthernetInterface object must be set to the value Sync as shown in the example CLI below:

System:/> set Interface EthernetInterface if1 HAType=Sync

By default, the type defaults to Critical.

Cluster Heartbeats

Special Ethernet frames, known as heartbeats, are continually sent by cOS Stream between the peers in the cluster across the Sync interface and any other interfaces which have their HAType property set to Critical (the default HAType value is Critical). Heartbeats are sent in both directions so that the passive peer knows about the health of the active peer and the active knows about the passive.

Any interfaces which have an HAType value of NonCritical in the configuration do not have heartbeats sent over them and will not cause an HA failover if they fail. Failure of a Sync or Critical interface will cause a failover to occur once cOS Stream confirms the failure.

The heartbeat mechanism is discussed further in Section 22.2, HA Mechanisms.

Cluster Management and Configuration Synchronization

When changing the configuration of one cluster peer, changes are automatically duplicated on the other peer provided that the property AutoSyncCfg in the cluster HighAvailability object is enabled (by default, it is enabled).

When the AutoSyncCfg property is enabled, it is recommended to make configuration changes on the inactive cluster peer since this will result in only a single failover as the two peers synchronize after changes are activated. Changing the active peer will result in two failovers.

The AutoSyncCfg setting is disabled with the following command and this must be applied separately to each peer in the cluster:

System:/> set HighAvailability AutoSyncCfg=No

Once this setting is disabled, each cluster peer configuration must be changed separately via a separate management interface since changes on one device will not be automatically copied to the other.

If required, it is possible to use the following command to manually force the sending of the configuration on a cluster peer to the other peer so they are synchronized:

System:/> ha -sendconf

To manually force a peer to synchronize by retrieving the configuration from the other cluster peer, use the following command:

System:/> ha -receiveconf

Load-sharing

HA clusters do not provide load-sharing since only one unit will be active while the other is inactive and only two Clavister NetShield Firewalls, the master and the slave, can exist in a single cluster. The only processing role that the inactive unit plays is to mirror the state of the active unit and to take over all traffic processing after a failover if it determines that the active unit has failed.

Hardware Duplication

An HA cluster can only be set up between two Clavister NetShield Firewalls. As the internal operation of different manufacturer's software is completely dissimilar, there is no common method available to communicating state information to a dissimilar device.

It is strongly recommended that the Clavister NetShield Firewalls used in an HA cluster have identical processing platforms. In a virtual environment this means that the Clavister NetShield Firewalls have identical resources allocated to them. Where applicable, they must also have identical firewall licenses which allow identical capabilities, including the ability to run in an HA cluster.

Extending Redundancy

Implementing an HA Cluster will eliminate one of the points of failure in a network. Routers, switches and Internet connections can remain as potential points of failure and redundancy for these should also be considered.

Setup with IPv6

HA clusters can be set up using IPv4 or IPv6 addresses or in combination with IPv4. With IPv6, the principles of a shared IP address are the same but instead of ARP, IPv6 mechanisms are used.

HA can be set up using IPv6 addresses exclusively. There is no necessity to include IPv4 as part of cluster setup.

22.2. HA Mechanisms

This section discusses in more depth the mechanisms that Clavister NetShield Firewalls use to implement the HA feature.

Basic Principles

An HA cluster provides a redundant, state-synchronized hardware configuration. The state of the active unit, which includes the flow table and other vital information, is continuously copied to the inactive unit via a single Sync interface. When cluster failover occurs, the inactive unit knows which connections are active, and traffic can continue to flow after the failover with negligible disruption.

The inactive system detects that the active system is no longer operational when it no longer detects sufficient cluster heartbeats.

Heartbeats have the following characteristics:

Heartbeats are Ethernet frames and not IP packets.
Heartbeats cannot be forwarded by a router since they do not contain an IP header.
The Ethernet source and destination address is based on the cluster ID and the role of the sending and receiving unit.
The Ethernet frame type is set as 0xC14B.

Heartbeat Monitoring

cOS Stream sends a given number of heartbeats per second on the Sync interface and any interfaces designated as Critical. The interval is made long enough to not be mistaken for a delay that could occur during normal operation.

Both peers send heartbeats to each other and both monitor missed heartbeats in the following way:

If either cluster node misses a given number of heartbeats over a given period of time, that peer enters a state known as Early Interface Failure Detection. By default, this period of time is 1900 milliseconds but it can be manually changed by setting the global property PeerDead in HASettings. The separate CLI Reference Guide provides a detailed description of this setting.

This state means that the peer will send out queries (ARP for IPv4, NDP for IPv6) from the suspect interface to preconfigured IP addresses to see if any replies are received. This allows cOS Stream to determine if the failure is in the local Ethernet interface or if the problem is the peer failing to send heartbeats.

Queries are sent to all the IP addresses configured in the MonitorTargets property of the suspect interface's EthernetInterface object. These IPs could be a range and could be a mixture of IPv4 and IPv6 addresses. For example, if an address book object called mon_range defines these addresses, the CLI to use the range would be:

System:/> set Interface EthernetInterface if1 MonitorTargets=mon_range

	Note: Use MonitorTargets with Ethernet interfaces only
	The MonitorTargets property should only be used with Ethernet interfaces. Do not use it with VLAN or any other type of interface.

Queries are sent to all configured MonitorTargets addresses. If no reply has been received after a given period of time, the peer will consider the local interface to be malfunctioning and generate the log message HA interface offline. If replies are received but no new heartbeats are received after the time period, the other peer is considered to have a malfunctioning interface.

A failover then occurs if the active peer detected the malfunction. Depending on certain internal conditions, this can be followed by an automatic restart of the now inactive peer in an attempt to resolve the problem.

The administrator can investigate the failed interface further by using the ifstat command and if possible checking the cabling to the interface. Restarting the hardware could clear the problem.
The failure of the Sync interface means the peers can no longer be synchronized. Since IP monitoring is not possible, the peer that has the failed interface cannot be determined and the active peer continues as an independent firewall. A log event message indicating this is generated and cluster functionality only returns when the Sync interface problem is resolved.

Limits of monitored IP addresses

The MonitorTargets property has a limit of up to 10 IPv6 and 10 IPv4 IP addresses. If this limit is exceeded, the interface monitoring feature for the address type will not function.

For example, if 20 IPv6 addresses are configured as well as 8 IPv4 addresses. None of the IPv6 addresses will be monitored but all the IPv4 addresses will be.

Failover Time

The time for failover is typically within seconds which means that clients may experience a failover as a slight burst of packet loss. In the case of TCP, the failover time is well within the range of normal retransmit timeouts so TCP will retransmit the lost packets within a very short space of time and continue communication. UDP does not allow retransmission since it is inherently an unreliable protocol.

Shared IPv4 Addresses and ARP

Both master and slave units in a cluster are aware of the shared IP addresses. However, ARP queries for the shared IPv4 address, or any other IP address published via ARP configuration or through Proxy ARP, are answered by the active unit only.

The hardware address of the shared IPv4 address and other published addresses are not related to the actual MAC addresses of the Ethernet interfaces. Instead, a new MAC address is constructed by cOS Stream. The first part of the constructed address is always 10:00:00. The second part is based on the configuration including the cluster ID.

As the shared IP address always has the same hardware address, there will be no latency time in updating ARP caches of units attached to the same LAN as the cluster when a failover occurs.

When a cluster member discovers that its peer is not operational, it broadcasts gratuitous ARP queries on all interfaces using the shared MAC address as the sender. This allows switches to re-learn within milliseconds where to send packets destined for the shared address. Therefore, the only failover delay is in detecting that the active unit is down.

ARP queries are also broadcast periodically to ensure that switches do not forget where to send packets destined for the shared hardware address.

22.3. Setting Up HA

Preconditions for Creating an HA Cluster

When setting up an HA cluster, the following is required:

Two Clavister NetShield Firewalls with identical hardware configurations both running the same version of software. For blade based platforms, these should be two separate blades in the same or different chassis. For virtual systems, the resources available to each firewall should be the same. One firewall should be designated the master node, the other is designated the slave node.
The interfaces of both cluster nodes are connected via a common switch as shown in the illustration below. The interface names on both firewalls must be identical. The sync interfaces do not need to be connected via a switch since chassis based platforms often provide backplane connection.

Figure 22.1. HA Cluster Setup

Setup Steps

The steps necessary for cluster setup can be summarized as:

Ensure the EthernetDevice settings are correct.
Set the interface shared and private IP addresses of all interface pairs for both master and slave. If the private IP is not going to be used it should be set the local host address.
Set the interface type of all interface pairs for both master and slave.
Activate HA on both master and slave.

Details of how to perform these steps is explained below.

Checking EthernetDevice Settings

The EthernetDevice:0 and EthernetDevice:1 properties for each interface on both master and slave should be the same and set to the Ethernet device name for that interface. The current values of these settings can be checked with the command:

System:/> show Interface EthernetInterface if1
		
                     Property  Value
-----------------------------  ----------------------------------
                        Name:  if1
             EthernetAddress:  0:<empty>  1:<empty>
       HAEthernetAddressMode:  PrivateSharedMAC
                      HAType:  Critical
              MonitorTargets:  <empty>
                   Backplane:  No
              EthernetDevice:  0:if1  1:if1
            VLANOutboundPrio:  0
      VLANOutboundPrioPolicy:  Set (Set priority)
                   PrivateIP:  0:<empty>  1:<empty>
  RouterAdvertisementProfile:  DefaultProfile
                         MTU:  1500
                   IPAddress:  if1_ip
                IP4Broadcast:  <empty>
      RoutingTableMembership:  <all>
                 DHCPEnabled:  <empty>
SecurityEquivalentInterfaces:  <empty>
    IPv6AddressConfiguration:  Static
                        Zone:  <empty>
                    Comments:  <empty>

Note that the private IP in the above has not been set.

In the example above, EthernetDevice:1 is incorrectly set to <empty>. To fix this, use the command:

System:/> set Interface EthernetInterface if1 EthernetDevice:1=if1

The device name can be the same as the interface name, as is the case here, but this is not always true. Note that the EthernetAddress values are <Empty> because the actual MAC addresses are being used.

Setting Interface IP Addresses

Each interface on both the master and slave units has two IP addresses associated with it:

The Shared IP Address

The shared IP address is the address that is used during general operation of the HA cluster and is the address used in constructing configuration security policies. It is always the same for each of the interfaces in a matching pair on the master and the slave. If the interface if1 is to have the shared IPv4 address 10.6.12.1 then the CLI command to set this is:
```
System:/> set Interface EthernetInterface if1 IPAddress=10.6.12.1
```
This command is repeated for both the master and slave.
The Private IP Address

A private IPv4 address is also assigned to each interface but it is not the same for a pair of interfaces. Each interface gets a unique address so that it is possible to connect to a specific interface on a specific node in the cluster. Connection to this address could be for the purpose of management or to ping the interface.

For allocating the private IP, each interface has two properties associated with it: PrivateIP:0 and PrivateIP:1. PrivateIP:0 is the private IPv4 address of the master interface in an interface pair and PrivateIP:1 is the private address of the corresponding slave interface in a pair.

For example, if 10.6.12.10 is the private IPv4 address of the interface if1 on the master and 10.6.12.11 is the private IP of interface if1 on the slave then the following command should be applied:
```
System:/> set Interface EthernetInterface if1
			PrivateIP:0=10.6.12.10 PrivateIP:1=10.6.12.11
```
This command is repeated for both the master and slave and can be combined with the command for setting the shared IPv4 address. As seen in this example, it is usual to use private and shared IPv4 addresses from the same network.

It may seem redundant that the private IP of both master and slave are set on both cluster nodes. However, like other elements of a configuration, these private IPv4 addresses are mirrored between master and slave. If a management interface is connected to the master and the private address PrivateIP:1 for the slave is changed only on the master, it allows the address to be automatically copied over to the slave's configuration.

All interfaces in a cluster will require a shared IP and also a private IP. A unique private IP address is required to allow pinging of the interface or if the interface is to be used for SSH management access or if log messages are sent by the interface and therefore need a unique source IP. If the private IP is not going to be used for these purposes it can be set to the local host address.

Setting the Interface Type

The HAType for each interface should be set to either Critical, NonCritical or Sync and this setting must agree between master/slave interface pairs. At least one interface must be set as Sync. The default is Critical.

Setting the interface type can be done in the same CLI command that sets the interface IP addresses. For example:

System:/> Set Interface EthernetInterface if1 HAType=Sync

This command should be repeated for both the master and slave.

Activating HA on the Master Node

To activate HA on the master, the following properties must be set:

Role: Master.
ClusterID: A unique ID between 1 and 63.
AutoSyncCfg: Yes/No depending on if resynchronization should be automatic after reconfiguration.
Enabled: Yes

This is done using the CLI command:

System:/> set HighAvailability Role=Master ClusterID=1
			AutoSyncCfg=Yes Enabled=Yes

The changed master configuration should finally be activated and committed.

Activating HA on the Slave Node

To activate HA on the slave, the following properties must be set:

Role: Slave.
ClusterID: Same ID used for the master.
AutoSyncCfg: Yes/No depending on if resynchronization should be automatic after reconfiguration.
Enabled: Yes

This is done using the CLI command:

System:/> set HighAvailability Role=Slave ClusterID=1
			AutoSyncCfg=Yes Enabled=Yes

The changed slave configuration should finally be activated and committed.

Verifying Synchronization

Once the slave configuration is activated, synchronization between the cluster nodes will take place. The CLI command ha will indicate that both systems are running in HA mode and that the nodes are alive.

If a firewall is not part of a HA cluster, the output when CLI command ha is applied to it will be:

System:/> ha
This device is a standalone system (HA not configured)

If it is the master node in an HA cluster, the output will be similar to the following:

System:/> ha
This device is a HA MASTER
This device is currently Active (for 17h 10m 17s)
HA cluster peer is ALIVE
HA object sync 97%

The time shown in parentheses is the length of time that the cluster node has been in its current active or inactive state. When the state changes, this time counter is reset to zero.

Similarly, when the same CLI command is applied to the slave, the output could be something similar to the following:

System:/> ha
This device is a HA SLAVE
This device is currently Active (for 17h 10m 11s)
HA cluster peer is ALIVE
HA object sync 95%

If the cluster peers are in the process of synchronizing, the last line will be similar to the following:

HA object sync: 12% (RE-SYNCING)

The HA object sync percentage in the above output gives a quick indication if there are any synchronization problems in the cluster. As synchronization begins, this number will start at zero and then climb. In a fully functioning cluster where both nodes have had time to synchronize, the HA object sync percentage should typically be above 95%. A consistently lower figure should be investigated by using the following CLI command to look deeper into cluster behavior:

System:/> ha -status -module

This will list the synchronized objects by type. For example, the number of IPsec tunnel objects that are synchronized. Where the synchronized object number does not match the number that should be synchronized, this indicates an area for further investigation.

The HA object sync percentage can be lowered by certain types of system activity such as large numbers of IPsec tunnels being set up and taken down.

Using Actual MAC Addresses and Disabling Promiscuous Mode

By default, HA in cOS Stream will use synthetic MAC addresses and it will also use promiscuous mode. Both of these can be disabled by setting the property HAEthernetAddressMode on the relevant EthernetInterface objects to the value InterfaceMAC (the default value is PrivateSharedMAC). For example:

System:/> set Interface EthernetInterface if1
			HAEthernetAddressMode=InterfaceMAC

This disables promiscuous mode on the interface and also forces cOS Stream to use the actual MAC addresses of the Ethernet interface. In a virtual environment, this is the MAC assigned to the interface, although that address might have been overridden by a MAC configured in cOS Stream itself.

Changing the HAEthernetAddressMode property to the value InterfaceMAC may be needed in either or both of the following situations:

Using promiscuous mode is undesirable.
A virtual environment does not allow synthetic MAC addresses to be used. In particular, this can be relevant when using SR-IOV in a virtual environment and this is also discussed in the separate Virtualization Guide
.

The following should be noted if the administrator sets the HAEthernetAddressMode property to the value InterfaceMAC:

If no HA peer MAC addresses are configured, the peers will try to learn these addresses from the heartbeats that are broadcast on the sync interface.
All devices in the same layer 2 network segment as the interface should be configured to accept gratuitous ARP packets (for IPv4) or NDP packets (for IPv6).

This is important because after an HA failover occurs, the caches of devices in the same network segment must be updated with the MAC address of the newly active HA peer. Note also that this updating of device caches may increase the HA failover time slightly.
There should be at least one critical interface in the HA cluster that has the property HAEthernetAddressMode set to PrivateSharedMAC, or has it set to InterfaceMAC and also has a manually configured MAC address.
If an interface with the property HAEthernetAddressMode set to InterfaceMAC uses DHCP to fetch its IP addresses, the DHCP server should be able to handle DHCP option 61 (the DHCP client identifier), as specified in RFC 2131. If this is not the case, the interface may get a different IP address from the address assigned by the DHCP server after an HA failover.
When the InterfaceMAC option is used, and because of broadcast on the sync interface, it is recommended that the sync interfaces are placed in their own broadcast domain. In other words, both sync interfaces should either be directly connected, or they should not share their network segment with any other HA interfaces from their own or any other HA cluster.

22.4. Upgrading an HA Cluster

The software versions running on the master and slave units in an HA cluster should be the same. When a new software version becomes available and is to be installed on both units, the upgrade is performed on one unit at a time.

The central principle in the cluster upgrade process is that upgrading the inactive unit will not affect the operation of the cluster and only momentarily make the inactive unit unavailable.

HA Upgrade Steps

The sequence of steps for an HA version upgrade is the following:

Identify which unit is inactive and upgrade it first, as though it was standalone.
When the inactive unit is once again synchronized with the active unit, manually cause a handover to occur so that the inactive becomes the active unit.
Now upgrade the inactive unit as though it was standalone. Both units will then resynchronize and both will have the new software version.

The above steps will now be broken down into more detailed descriptions.

A. Identify which is the inactive unit in the cluster

The currently inactive unit will be upgraded first so it is necessary to identify it. To do this, connect a CLI console to one of the cluster units and issue the ha command. Some typical output if the unit is active is shown below.

System:/> ha
		
This device is a HA SLAVE
This device is currently Active (for 51m 29s)
HA cluster peer is ALIVE
HA object sync: 100%

This unit is the currently active unit, so the other one is the inactive unit.

B. Upgrade the inactive unit

Once the inactive device is identified, upgrade it with the new software version. This is done exactly as though the device were a standalone device and not in a cluster. The upgrade procedure is described in Section 2.5, Upgrading Software.

Important: Ensure the inactive unit is fully synchronized

Before going to the next step make sure the inactive unit is fully operational and also fully synchronized with the active unit after the software upgrade completes.

To confirm this, issue the CLI ha command on the inactive unit. The output from the command should indicate that the object synchronization is 100%, as shown in the example output below:

System:/> ha
			
This device is a HA SLAVE
This device is currently Inactive (for 45s)
HA cluster peer is ALIVE
HA object sync: 100%

C. Manually cause a handover to occur

Now, connect to the active unit (which is still running the old software version) with a CLI console and issue the ha -deactivate command. This will cause a handover to occur so the active unit becomes inactive, and the inactive unit becomes active.

System:/> ha -deactivate
			
Performing deactivation.

To check that the handover has completed successfully, the ha command can be entered again and the text "Inactive" and "is ALIVE" should appear in the output.

D. Upgrade the newly inactive unit

When the handover is complete, upgrade the newly inactive unit with the new software version. Just as in step B, this is done in the normal way, as though the unit were standalone and not part of a cluster.

E. Wait for resynchronization

Once the second software upgrade is complete, two HA peers will automatically resynchronize and the cluster will continue operation. The roles of active and inactive unit will now have been reversed.

If it is desirable to make the active unit inactive, and the inactive unit active, the CLI command ha -activate can be entered on the inactive unit.

22.5. HA Issues

The following points should be noted when managing and configuring an HA Cluster.

Some ALGs Are Not Synchronized

The FTP and DNS ALGs are not synchronized when an HA failover event occurs. For the FTP ALG, this means restarting file transfers. The SIP ALG has partial synchronization and this is described further at the end of Section 10.3, SIP ALG.

All Cluster Interfaces Need IP Addresses

All interfaces on both HA cluster units should have a valid private IP address object assigned to them. The predefined IP object local host could be assigned for this purpose. The need to assign an address is true even if an interface has been disabled.

Logging

Log data will be coming from both master and slave. This means that the log receiver will have to be configured to receive logs from both. It also means that all log queries will likely have to include both master and slave as sources which will give all the log data in one result view. Normally, the inactive unit will not be sending log entries about live traffic so the output should look similar to that from a single firewall.

Using Private Individual IP Addresses

The unique individual IP addresses of the master and slave cannot safely be used for anything but management. Using them for anything else, such as for source IPs in dynamically NATed flows or publishing services on them, will inevitably cause problems since unique IPs will disappear when the firewall they belong to does.

Changing the Cluster ID

Changing the cluster ID in a live environment is not recommended for two reasons. First, this will change the hardware address of the shared IPs and will cause problems for all units attached to the local LAN, as they will keep the old hardware address in their ARP caches until it times out. Such units would have to have their ARP caches flushed.

Secondly this breaks the connection between the firewalls in the cluster for as long as they are using different configurations. This will cause both firewalls to go active at the same time.

HA Limitations with IPsec

Established IPsec tunnels are preserved during an HA failover. However, the IKE negotiation phase of tunnel setup is not preserved by a failover. In this case, the tunnel will need to be set up again from the beginning.

Statistics and SNMP

System statistics values are HA node specific in order to enable monitoring of each node. This means that statistical values are not explicitly synchronized between HA nodes. However, some statistical values for features that are HA synchronized will be aligned.

Generally, this means that when HA nodes are fully in sync, statistics for the "current state" (like active sessions) are normally aligned between the nodes, while "historical" values (like received packets on an interface) are, in most cases, different. When using SNMP or the CLI command statistics to monitor statistics for an HA cluster, both firewalls in the cluster need to be polled separately.

Duplicate Interface IDs

Each physical Ethernet interface in a firewall has a unique ID and this ID is inspected by both units in a cluster. If the IDs of the two interfaces which make up a cluster interface pair do not match then both master and slave units will register this and both will generate the log event message HA_CfgNotInSync. In addition, a message will appear on their consoles which includes the line:

In VLAN vl: Interface ID change of 'vl'(nnnn->mmmm) is not supported.

Where nnnn and mmmm are the conflicting IDs. The reason for the ID conflict could be, for example, that the interfaces have been added to the configuration in a different order on each cluster unit.

There are two ways to resolve this condition:

Use the following command on the active unit in the cluster:
```
System:/> ha -sendconf -reboot
```
This synchronizes the configurations by sending the configuration of the active unit to the inactive unit which then reboots after it has received the copy.

If the above command is issued on the active unit, no failover will occur since it is the passive unit that reboots. However, if the command is issued on the passive unit, a failover will occur since the active unit will reboot and the roles of the cluster nodes will be reversed.
Alternatively, use the following command on the inactive unit in the cluster:
```
System:/> ha -recvconf -reboot
```
This synchronizes the configurations by fetching the configuration of the active unit to the inactive unit which then reboots after it has received the copy.

This command is the mirror image of the previous command. If it is issued on the inactive unit, no failover will occur since it is the passive unit that reboots. However, if the command is issued on the active unit, a failover will occur since the active unit will reboot and the roles of the cluster nodes will be reversed.

Chapter 23: Traffic Shaping

23.1. Overview

23.1.1. Traffic Shaping Objectives

QoS with TCP/IP

A weakness of TCP/IP is the lack of true Quality of Service (QoS) functionality. QoS is the ability to guarantee and limit network bandwidth for certain services and users. Solutions such as the Differentiated Services (DiffServ) architecture have been designed to try and deal with the QoS issue in large networks by using information in packet headers to provide network devices with QoS information.

Traffic Shaping in cOS Stream

QoS architectures like DiffServ fall short if applications themselves supply the network with QoS information. In most networks, it is usually unwise to let the users of the network decide the priority of their own traffic. The network equipment must make the decisions concerning priorities and bandwidth allocation.

The Clavister NetShield Firewall provides QoS control by allowing the administrator to apply limits and guarantees to the network traffic passing through the system. This approach is often referred to as traffic shaping and is well suited to managing bandwidth for local area networks as well as managing the bottlenecks that might be found in larger wide area networks. It can be applied to any traffic, including that passing through VPN tunnels.

Traffic Shaping Objectives

Traffic shaping operates by measuring and queuing IP packets with respect to a number of configurable parameters. The principal objectives are the following:

Applying bandwidth limits and queuing packets that exceed configured limits, then sending them later when bandwidth demands are lower.
Dropping packets if packet buffers are full. The packets to be dropped should be chosen from those that are responsible for the congestion.
Prioritizing traffic according to administrator decisions. If traffic with a high priority increases while a communication line is full, traffic with a low priority can be temporarily limited to make room for the higher priority traffic.
Providing bandwidth guarantees. This is typically accomplished by treating a certain amount of traffic (the guaranteed amount) as high priority. The traffic that is in excess of the guarantee then has the same priority as other traffic, competing with all the other non-prioritized traffic.

Traffic shaping does not typically work by queuing large amounts of data and then sorting out the prioritized traffic to send before sending non-prioritized traffic. Instead, the amount of prioritized traffic is measured and the non-prioritized traffic is limited dynamically so that it will not interfere with the throughput of prioritized traffic.

23.1.2. Traffic Shaping Implementation

The Clavister NetShield Firewall offers extensive traffic shaping capabilities for the packets passing through a Clavister NetShield Firewall. Different rate limits and traffic guarantees can be assigned based on the traffic's source, destination and protocol.

The configuration objects used for for traffic shaping are as follows:

Traffic Shaping Profiles

A TrafficProfile object specifies which Pipe object or objects are to be used to shape traffic and in what direction. A TrafficProfile object can be used in one of the following ways:
- One way to enable traffic shaping, is associating a TrafficProfile object with a TrafficShapingRule object. When the TrafficShapingRule triggers on the targeted traffic, its associated TrafficProfile is applied to that traffic.
- Alternatively, a TrafficProfile object can be associated with an IP Rule object to enable traffic shaping. In this case, the profile is applied when the IP rule triggers.
  
  It should be noted that an IPRule triggers and applies its traffic shaping before a TrafficShapingRule triggers for the same traffic and both can apply different types of traffic shaping to that traffic. In other words a TrafficShapingRule could add further shaping to that applied by an IPRule.
  
  It should also be noted that it is also possible to use the same TrafficProfile with multiple rules so that the profile can be applied to different traffic flows.
  
  It is also possible for a traffic shaping rule and an IP rule to trigger on the same traffic and for both to apply a different TrafficProfile and a different set of Pipe objects to the same traffic (the IP rule traffic shaping will always be applied first if this happens).
Pipes

Each TrafficProfile object has properties called the ForwardChain (outgoing traffic) and the ReturnChain (incoming traffic). Each of these chain properties is assigned one or more Pipe objects. Up to 8 pipes are allowed in one chain of a TrafficProfile object.

A Pipe object is the fundamental building block for traffic shaping and is a conceptual channel through which traffic can flow. Various properties can be set to define how traffic passing through it is handled.

Pipes do not care about the types of traffic that pass through them nor the direction of that traffic. They simply measure the aggregate data flow and then apply the configured limits for the pipe as a whole or the limits for Precedences and/or Groups (these concepts are explained later in Section 23.3, Using Precedences and Section 23.4, Grouping Users).

Hundreds of pipes can be handled simultaneously, but in reality most scenarios require only a handful of pipes. It is possible that dozens of pipes might be needed in scenarios where individual pipes are used for individual protocols. Large numbers of pipes might also be needed in an ISP scenario where individual pipes are allocated to each client.
Traffic Shaping Rules and the Traffic Shaping Rule Set

A TrafficShapingRule object has filtering criteria, similar to an IPRule, so it can trigger on a given combination of source/destination interface/network and a given Service.

TrafficShapingRule objects are added to the TrafficShapingRules object. There can only be one TrafficShapingRules object and this exists by default and does not need to be created.

As mentioned previously, an IPRule object can perform the same triggering function as a TrafficShapingRule object, providing an additional way of enabling traffic shaping. The IPRule traffic shaping will always be applied first if both trigger on the same traffic.

Explicitly Excluding Data from Traffic Shaping

Suppose that no pipes are assigned to a TrafficProfile object. Traffic that triggers an associated TrafficShapingRule or IPRule object will not flow through any pipes. It also means that the triggering traffic will not be subject to any other matching rules found later in the rule sets.

This provides a means to explicitly exclude particular traffic from traffic shaping. Such rules are not absolutely necessary but if placed at the beginning of the pipe rule set, they can guard against accidental traffic shaping by rules that are lower down in rule sets.

23.2. Use Case Examples

This section examines how traffic shaping can be used in a variety of scenarios. The configurations discussed are described generally in terms of Pipe objects and traffic filtering criteria. They could be implemented using TrafficProfile objects associated with either IPRule or TrafficShapingRule objects. What is important is to illustrate how Pipe objects are used.

The bandwidth units used throughout are in bits per second but packets per second values could be used instead by setting the corresponding PPS property in Pipe objects. It is possible to also specify both bits per second and packets per second property values for bandwidth limits. When both types of property are specified, the first limit reached is used.

23.2.1. Simple Bandwidth Limiting

The simplest use of pipes is for bandwidth limiting. This is a scenario that does not require much planning. The example that follows applies a bandwidth limit to inbound traffic only. This is the direction most likely to cause problems for Internet connections.

The examples below show how simple bandwidth can be done in two ways. The first example uses a TrafficShapingRule object, and the second uses an IP Rule object. Both, use a TrafficProfile object and a Pipe object to define the traffic limits.

Example 23.1. Bandwidth Limiting using a Traffic Shaping Rule

This example will use a simple pipe to limit inbound traffic to 2 megabits per second, regardless of what kind of traffic it is.

Command-Line Interface

First, create a Pipe object with the required limit:

System:/> add Pipe std-in-pipe LimitBpsTotal=2M

Next, create a TrafficProfile object that uses this pipe for inbound traffic:

System:/> add TrafficProfile std-prof ReturnChain=std-in-pipe

To create a TrafficShapingRule object that applies the profile to the targeted traffic. Change the CLI context to be the main traffic shaping rule set:

System:/> cc TrafficShapingRules

Now, add the rule:

System:/TrafficShapingRules> add TrafficShapingRule
			SourceInterface=if1
			SourceNetwork=if1_net
			DestinationInterface=wan
			DestinationNetwork=all-nets
			TrafficProfile=std-prof
			Service=all_services
			Name=Outbound

Here, we are setting a limit for return traffic for connections that are initiated from the if1_net network out onto the public Internet. No priorities are applied, and neither is any dynamic balancing.

Example 23.2. Bandwidth Limiting using an IP Rule

This example duplicates the previous example but uses an IPRule object to target specific traffic instead of using a TrafficShapingRule object.

Command-Line Interface

First, create a Pipe object with the required limit:

System:/> add Pipe std-in-pipe LimitBpsTotal=2M

Next, create an TrafficProfile object that uses this pipe for inbound traffic:

System:/> add TrafficProfile std-prof ReturnChain=std-in-pipe

Now, create an IPRule object to apply the profile to the targeted traffic. Change the CLI context to be the main rule set:

System:/> cc RuleSet IPRuleSet main

Now, add the rule:

System:/IPRuleSet/main> add IPRule
			Acton=Allow
			SourceInterface=if1
			SourceNetwork=if1_net
			DestinationInterface=wan
			DestinationNetwork=all-nets
			Service=all_services
			Name=Outbound
			TrafficProfile=std-prof

Return to the default CLI context:

System:/IPRuleSet/main> cc
System:/>

Units for Specifying Bandwidth

When specifying bandwidth values there are two considerations:

Bits or Packets per Second

Bandwidth can be specified as being either as Bits Per Second or as Packets Per Second. The traffic shaping objects have two corresponding properties for specifying these values. For example, the Pipe object in the above examples used a bits per second total limit that was specified as follows:
```
System:/> add Pipe std-in-pipe LimitBpsTotal=2M
```
The limit might have been alternatively specified in terms of some packets per second value:
```
System:/> add Pipe std-in-pipe LimitPpsTotal=4.2M
```
Where 4.2M means 4.2 million packets per second.
Units as bps/pps, K, M, G or %

In the above examples, the bandwidth was specified as 2M, where the letter M immediately following the number indicates that the value is in megabits/seconds. The units must be specified when entering bandwidths. The choices are the following:
- bps - bits/second (where applicable).
- pps - packets/second (where applicable).
- K - Kilobits/second or Kilopackets/second.
- M - Megabits/second or Megapackets/second.
- G - Gigabits/seconds or Gigapackets/second.
- % - percentage of the total (where applicable).
Note that the units bps or pps can only be used where the property expects that type of value. For example:
```
System:/> add Pipe std-in-pipe LimitPpsTotal=400pps
```
Specifying the value as a percentage using the percent sign can only be done where a percentage of a total is being expressed, such as with precedences. A percentage cannot be used with properties that express a total amount, such as with LimitPpsTotal or LimitBpsTotal for a Pipe object.

The number entered before the unit designation does not have to be an integer. It can also be decimal. For example, 2500000bps could be entered as 2500K or 2.5M .

23.2.2. Limiting Bandwidth in Both Directions

Using a Single Pipe for Both Directions

A single pipe does not care in which direction the traffic through it is flowing when it calculates total throughout. Using the same pipe for both outbound and inbound traffic is allowed but this will not partition the pipe limit exactly in two between the two directions.

In the previous example, only bandwidth in the inbound direction is limited. In most situations, this is the direction that becomes full first. But what if the outbound traffic must be limited in the same way?

Just inserting std-in in the forward chain will not work since we probably want the 2 Mbps limit for outbound traffic to be separate from the 2 Mbps limit for inbound traffic. If 2 Mbps of outbound traffic attempts to flow through the pipe in addition to 2 Mbps of inbound traffic, the total attempting to flow is 4 Mbps. Since the pipe limit is 2 Mbps, the actual flow will be close to 1 Mbps in each direction.

Raising the total pipe limit to 4 Mbps will not solve the problem since the single pipe will not know that 2 Mbps of inbound and 2 Mbps of outbound are the intended limits. The result might be 3 Mbps outbound and 1 Mbps inbound since this also adds up to 4 Mbps.

Using Two Separate Pipes for Each Direction

The recommended way to control bandwidth in both directions is to use two separate pipes, one for inbound and one for outbound traffic. In the scenario under discussion, each pipe would have a 2 Mbps limit to achieve the desired result. The following example goes through the setup for this.

Example 23.3. Limiting Bandwidth in Both Directions

This example continues on from the previous example and adds a second pipe for outbound traffic which will impose a limit of 2 Mbps.

Command-Line Interface

Create a second pipe for outbound traffic:

System:/> add Pipe std-out LimitBpsTotal=2M

Set the ForwardChain property of the TrafficProfile:

System:/> set TrafficProfile std-prof ForwardChain=std-out

This results in all outbound connections from if1_net being limited to 2 Mbps in each direction.

23.2.3. Creating Differentiated Limits Using Chains

In the previous examples a static traffic limit for all outbound connections was applied. What if the aim is to limit web surfing more than other traffic? Assume that the total bandwidth limit is 250 Kbps and 125 Kbps of that is to be allocated to inbound web surfing traffic.

The Incorrect Solution

Two "surfing" pipes for inbound and outbound traffic could be set up. However, it is not usually required to limit outbound traffic since most web surfing usually consists of short outbound server requests followed by long inbound responses.

Perhaps the solution could be to create a pipe called surf-in with a 125 Kbps limit? A new TrafficProfile could be created to use this as its ReturnChain and the profile could be associated with a new TrafficShapingRule or IPRule object that triggers on the surfing traffic. This new rule would then be placed so it triggers before the rule that directs everything else through the pipe called std-in. That way web surfing traffic goes through the new pipe and everything else is handled by the pipe, profile and rule created earlier.

Unfortunately this will not achieve the desired effect, which is allocating a maximum of 125 Kbps to inbound surfing traffic as part of the 250 Kbps total. Inbound traffic will pass through one of two pipes: one that allows 250 Kbps, and one that allows 125 Kbps, giving a possible total of 375 Kbps of inbound traffic but this exceeds the actual total limit of 250 Kbps.

The Correct Solution

The solution is to create a chain of the pipes surf-in followed by std-in in the TrafficProfile object associated with the TrafficShapingRule or IPRule object that triggers on the surfing traffic.

Inbound surfing traffic will now first pass through surf-in and be limited to a maximum of 125 Kbps. Then, it will pass through std-in along with other inbound traffic, which will apply the 250 Kbps total limit.

Figure 23.1. Differentiated Limits Using Chains

If web surfing uses the full limit of 125 Kbps, those 125 Kbps will occupy half of the std-in pipe leaving 125 Kbps for the rest of the traffic. If no surfing is taking place then all of the 250 Kbps allowed through std-in will be available for other traffic.

This does not provide a bandwidth guarantee for web browsing but instead limits it to 125 Kbps and provides a 125 Kbps guarantee for everything else. For web browsing the normal rules of first-come, first-forwarded will apply when competing for the 125 Kbps bandwidth. This may mean 125 Kbps, but it may also mean much slower speed if the connection is flooded.

Setting up pipes in this way only puts limits on the maximum values for certain traffic types. It does not give priorities to different types of competing traffic.

23.3. Using Precedences

The Default Precedence is Zero

All packets that pass through Pipe objects have a Precedence. In the examples so far, precedences have not been explicitly set and so all packets have had the same default precedence which is 0.

A Pipe can have 8 Precedence Levels

Traffic flowing through a pipe can be assigned one of eight Precedences which are numbered from 0 to 7. Precedence 0 is the lowest priority and precedence and 7 is highest priority. A precedence can be viewed as a separate traffic queue. Traffic with a precedence of 2 inside a pipe will be forwarded before traffic with a precedence of 0. Traffic with a precedence of 4 will be forwarded before traffic with a precedence of 2.

Figure 23.2. The Eight Pipe Precedences

Precedence Priority is Relative

The priority of a precedence comes from the fact that it is either higher or lower than another precedence and not from the number itself. For example, if two precedences are used in a traffic shaping scenario, choosing precedences 4 and 6 instead of 0 and 3 will makes no difference to the end result.

Allocating Precedence to Traffic

The way precedence is assigned to traffic before it enters a pipe is specified by the PrecedenceMethod property of the TrafficProfile object associated with the traffic. This property can have one of the following settings:

Override

The traffic will always get the precedence level which is set in the PrecedenceLevel property of the TrafficProfile associated with the traffic.
PipeDefault

Each Pipe object has a PrecedenceDefault property that has a default value of 0. If a packet does not already have a precedence assigned, it will take the precedence of the PrecedenceDefault property for the first Pipe it passes through.

This method is the default value for the PrecedenceMethod property.

SetDefault

If a packet enters the first pipe in the pipe chain without its precedence level set, it will always get the precedence which is set in the PrecedenceLevel property of the TrafficProfile associated with the traffic.

The PrecedenceLevel property can have a value of 0 to 7 but it can also take a value of MapDSCP. A setting of MapDSCP means that the packet's DSCP bits will determine the precedence value. DSCP is a subset of the DiffServ architecture where the Type of Service (ToS) bits are included in the IP packet header.

	Note: The DSCP bits can also be set by traffic shaping
	Conversely, it is possible to set the DSCP bits of the traffic emerging from traffic shaping to the precedence of the last pipe that the traffic passes through. This is done by enabling the updateDSCP property of the associated TrafficProfile object.

Pre-assigned Precedence

In the above explanations, packets are described as possibly already having a precedence assigned. This can happen when both an IPRule followed by a TrafficShapingRule trigger on the same traffic. The IPRule is always processed first in this situation, so the packets processed by the TrafficShapingRule will already have a precedence assigned to them.

Specifying Precedences Within Pipes

When a pipe is configured, the properties PrecedenceDefault, PrecedenceMin and PrecedenceMax can be specified. The default precedences are:

PrecedenceMin: 0
PrecedenceDefault: 0
PrecedenceMax: 7

The PrecedenceDefault property specifies the precedence taken by a packet when the PrecedenceMethod property of the pipe's associated TrafficProfile object is set to PipeDefault.

The minimum and maximum pipe precedences define the precedence range that the pipe will handle. If a packet arrives with an allocated precedence below the pipe minimum then its precedence is changed to be the minimum. Similarly, if a packet arrives with an already allocated precedence above the pipe maximum, its precedence is changed to be the maximum.

For each pipe, separate bandwidth limits may be optionally specified for each precedence level. These limits can be specified in units of bits per second and/or packets per second (if both are specified then the first limit reached will be the limit that is used).

Precedence Limits are also Guarantees

A precedence limit is both a limit and a guarantee. The bandwidth specified for precedence is also a guarantee that that bandwidth will be available at the expense of lower precedence traffic. If the specified bandwidth is exceeded, the excess traffic falls to the lowest precedence. The lowest precedence has a special meaning which is explained next.

The Lowest (Best-Effort) Precedence

The precedence which is the minimum (lowest priority) pipe precedence has a special meaning. It acts as the best-effort Precedence. All packets processed at this precedence will always be processed on a "first come, first forwarded" basis.

Packets with a higher precedence than best-effort and that exceed the limit of their precedence will automatically be transferred down into the lowest (best-effort) precedence and they are treated the same as other packets at the lowest precedence.

In the illustration below the minimum precedence is 2 and the maximum precedence is 6. Precedence 2 is taken as the best-effort precedence.

Figure 23.3. Minimum and Maximum Pipe Precedence

Lowest Precedence Limits

It is usually not required to have a limit specified for the lowest (best-effort) precedence since this precedence simply uses any spare bandwidth not used by higher precedences. However, a limit could be specified if there is a need to restrict the bandwidth used by the lowest precedence. This might be the case if a particular traffic type always gets the lowest precedence but needs to have restricted bandwidth usage.

Precedences Only Apply When a Pipe is Full

Precedences have no effect until the total limit specified for a pipe is reached. This is true because until the pipe limit is reached (it becomes "full") there is no competition between precedences.

When a pipe becomes full, traffic is prioritized according to precedence so that higher precedence packets that do not exceed the precedence limit are sent before lower precedence packets. Lower precedence packets are buffered until they can be sent. If the buffer space becomes exhausted then they are dropped.

If a total limit for a pipe is not specified, it is the same as saying that the pipe has unlimited bandwidth and consequently it can never become full so precedences have no meaning.

Applying Precedences

Continuing to use the previous traffic shaping example, let us add the requirement that SSH and FTP traffic is to have a higher priority than all other traffic. To do this we add a rule specifically for SSH and FTP and set the priority in the rule to be a higher priority, say 2. We specify the same pipes in this new rule as are used for other traffic.

The effect of doing this is that the SSH and FTP rule sets the higher priority on packets related to these services and these packets are sent through the same pipe as other traffic. The pipe then makes sure that these higher priority packets are sent first when the total bandwidth limit specified in the pipe's configuration is exceeded. Lower priority packets will be buffered and sent when higher priority traffic uses less than the maximum specified for the pipe. The buffering process is sometimes referred to as "throttling back" since it reduces the flow rate.

The Need for Guarantees

A problem can occur however if prioritized traffic is a continuous stream such as real-time audio, resulting in continuous use of all available bandwidth and resulting in unacceptably long queuing times for other traffic types such as HTTP. A means is required to ensure that lower priority traffic gets some portion of bandwidth and this is done with Bandwidth Guarantees.

Using Precedences as Guarantees

Specifying a limit for a precedence also guarantees that there is a minimum amount of bandwidth available for that precedence. Traffic flowing through a pipe will get the guarantee specified for the precedence it has, at the expense of traffic with lower precedences.

To change the prioritized SSH and FTP traffic from the previous example to a 96 Kbps guarantee, the precedence 2 limit for the std-in pipe is set to be 96 Kbps.

This does not mean that inbound SSH and FTP traffic is limited to 96 Kbps. Limits in precedences above the best-effort precedence will only limit how much of the traffic gets to pass in that specific precedence.

If more than 96 Kbps of precedence 2 traffic arrives, any excess traffic will be moved down to the best effort precedence. All traffic at the best-effort precedence is then forwarded on a first-come, first-forwarded basis.

Additional Notes on the Best-Effort Precedence

Below are some notes about using the lowest, best-effort precedence:

Setting a limit on the best-effort precedence usually serves no purpose except for special cases where there is a need to restrict best-effort from exceeding the total pipe limit.
The sum of all the limits for the individual precedences does not need to equal the limit for the pipe. When the best-effort precedence has no limit, it is only the total limit for the pipe that will restrict the precedence.

For example, if all precedences have a 5Mbps limit and the total pipe limit is 10 Mbps, precedences are no longer a guarantee since that would require a total limit of 40 Mbps. In this case, precedence 7 and 6 will be able to claim 5 Mbps each at the expense of precedence 5-0, even though precedence 5 is not best-effort. If precedence 7 only uses 2.5 Mbps but precedence 6 is using its full 5 Mbps, then precedence 5 will be able to use the last 2.5 Mbps at the expense of precedences 4,3,2,1 and 0.
When some precedence levels are unlimited, the lowest precedence does not need to be one of them. For example, all precedences can be set to 5 Mbps, except precedence 6 which is left unlimited. The total pipe limit is 10 Mbps. If precedence 7 is less than 5 Mbps (or zero), then precedence 6 will still be able to claim all of the whole total limit (that precedence 7 has not already claimed) at the expense of precedences 5, 4, 3, 2, 1 and 0.
Another case is where precedence 0 has a limit of 0, and the total pipe limit is 10M. This pipe will now only prioritize traffic. Precedences 7, 6, 5, 4, 3, 2 and 1 will be involved in a direct competition with each other for the total pipe limit. Precedence 7 can claim the whole 10 Mbps, in which case nothing else goes through. If, instead, each precedence is trying to to claim 2 Mpbs each, precedences 7, 6, 5, 4 and 3 will get 2 Mbps each and precedences 2, 1 and 0 get nothing (precedence 0 will never be able to claim anything).

Differentiated Guarantees

A problem arises if the aim is to give a specific 32 Kbps guarantee to FTP traffic, and a specific 64 Kbps guarantee to SSH traffic. A 32 Kbps limit could be set for precedence 2, a 64 Kbps limit set for precedence 4 and then pass the different types of traffic through each precedence. However, there are two obvious problems with this approach:

Which traffic is more important? This question does not pose much of a problem here, but it becomes more pronounced as the traffic shaping scenario becomes more complex.
The number of precedences is limited. This may not be sufficient in all cases, even without the "which traffic is more important?" problem.

The solution is to create two new pipes. One for FTP traffic, and one for SSH traffic. This is much like the "surf" pipe that was created earlier.

First, remove the 96 Kbps limit from the std-in pipe, then create two new pipes: ssh-in and ftp-in. Set the default precedence for both pipes to 2, and the precedence 2 limits to 32 and 64 Kbps, respectively.

Then, split the previously defined rule covering ports 22 through 23 into two rules, covering 22 and 23, respectively:

Keep the forward chain of both rules as std-out only. Again, to simplify this example, we concentrate only on inbound traffic, which is the direction that is the most likely to be the first one to fill up in client-oriented setups.

Set the return chain of the port 22 rule to ssh-in followed by std-in.
Set the return chain of the port 23 rule to ftp-in followed by std-in.
Set the priority assignment for both rules to Use defaults from first pipe and the default precedence of both the ssh-in and ftp-in pipes is 2.

Using this approach rather than hard-coding precedence 2 in the rule set, it is easy to change the precedence of all SSH and FTP traffic by changing the default precedence of the ssh-in and ftp-in pipes.

Notice that we did not set a total limit for the ssh-in and ftp-in pipes. We do not need to since the total limit will be enforced by the std-in pipe at the end of the respective chains.

The ssh-in and ftp-in pipes act as a "priority filter" and they make sure that no more than the reserved amount, 64 and 32 Kbps, of precedence 2 traffic will reach std-in. SSH and FTP traffic exceeding their guarantees will reach std-in as precedence 0, which is the best-effort precedence of the std-in and ssh-in pipes.

	Note: The return chain ordering is important
	Here, the ordering of the pipes in the return chain is important. Should std-in appear before ssh-in and ftp-in, then traffic will reach std-in at the lowest precedence only and hence compete for the 250 Kbps of available bandwidth with other traffic.

Example 23.4. Traffic Shaping with Precedences

This simple example shows how the three protocols SSH, FTP and HTTP can be prioritized with different precedences through a single traffic shaping pipe with a capacity of 1 Gigabit/second. HTTP traffic will be given the highest precedence of 2, FTP traffic will be given the next highest precedence of 1 and SSH traffic will be given the best-effort precedence of 0.

It is assumed that flows will originate from wan_net on the wan interface with a destination of the server at the IP address my_server_ip on the dmz interface.

Command-Line Interface

First, create the Pipe object with the required limit:

System:/> add Pipe my-pipe LimitBpsTotal=1G

Next, create a TrafficProfile with a precedence of 2:

System:/> add TrafficProfile prec2-tp
			ForwardChain=my-pipe
			PrecedenceMethod=Override
			PrecedenceLevel=2

Create another TrafficProfile with a precedence of 1:

System:/> add TrafficProfile prec1-tp
			ForwardChain=my-pipe
			PrecedenceMethod=Override
			PrecedenceLevel=1

Create a final TrafficProfile for the best-effort precedence of 0:

System:/> add TrafficProfile best-effort-tp
			ForwardChain=my-pipe
			PrecedenceMethod=Override
			PrecedenceLevel=0

There is no predefined service object for SSH so create one:

System:/> add Service ServiceTCPUDP ssh
			DestinationPorts=22
			Type=TCP
			PassICMPReturn=Yes

Now, add the TrafficShapingRule objects that will filter the traffic. Change the CLI context to be TrafficShapingRules:

System:/> cc TrafficShapingRules

Add a rule to give HTTP the highest precedence of 2:

System:/TrafficShapingRules> add TrafficShapingRule
			SourceInterface=wan
			SourceNetwork=wan_net
			DestinationInterface=dmz
			DestinationNetwork=my-server-ip
			Service=http
			TrafficProfile=prec2-tp

Continue with a rule that gives FTP the next highest precedence of 1:

System:/TrafficShapingRules> add TrafficShapingRule
			SourceInterface=wan
			SourceNetwork=wan_net
			DestinationInterface=dmz
			DestinationNetwork=my-server-ip
			Service=ftp
			TrafficProfile=prec1-tp

The final rule gives SSH the lowest (best-effort) precedence of 0:

System:/TrafficShapingRules> add TrafficShapingRule
			SourceInterface=wan
			SourceNetwork=wan_net
			DestinationInterface=dmz
			DestinationNetwork=my_server_ip
			Service=ssh
			TrafficProfile=prec0-tp

Return to the default CLI context:

System:/TrafficShapingRules> cc
System:/>

Example 23.5. Traffic Shaping with Precedence Limits - Solution 1

This example repeats the scenario from the previous example but this time HTTP is to be guaranteed 85% of the 1 Gbyte pipe capacity, FTP is to be guaranteed 10% and SSH is to be guaranteed 5%. These are minimums so that, for example, in the absence of other traffic, SSH could use 100% of the pipe's bandwidth.

Note that the best-effort precedence of 0 is not assigned to SSH. It gets precedence 1 instead.

Note that with this solution, HTTP traffic that is above the 85% guarantee will compete at the lowest best-effort precedence of 0 on equal terms with any FTP or HTTP traffic that is also above its guarantee.

Command-Line Interface

Create a single Pipe object with the required limit as in the previous example but this time specify the limits for the 3 precedences that will be assigned to the different protocols:

System:/> add Pipe my-pipe
			LimitBpsTotal=1G
			LimitBps3=85%
			LimitBps2=10%
			LimitBps1=5%

Next, create a TrafficProfile with a precedence of 3:

System:/> add TrafficProfile prec3-tp
			ForwardChain=my-pipe
			PrecedenceMethod=Override
			PrecedenceLevel=3

Create another TrafficProfile with a precedence of 2:

System:/> add TrafficProfile prec2-tp
			ForwardChain=my-pipe
			PrecedenceMethod=Override
			PrecedenceLevel=2

Create a final TrafficProfile with a precedence of 1:

System:/> add TrafficProfile prec1-tp
			ForwardChain=my-pipe
			PrecedenceMethod=Override
			PrecedenceLevel=1

There is no predefined service object for SSH so create one:

System:/> add Service ServiceTCPUDP ssh
			DestinationPorts=22
			Type=TCP
			PassICMPReturn=Yes

Now, add the TrafficShapingRule objects that will filter the traffic. Change the CLI context to be TrafficShapingRules:

System:/> cc TrafficShapingRules

Add a rule to give HTTP the highest precedence of 3 with an 85% of capacity guarantee:

System:/TrafficShapingRules> add TrafficShapingRule
			SourceInterface=wan
			SourceNetwork=wan_net
			DestinationInterface=dmz
			DestinationNetwork=my_server_ip
			Service=http
			TrafficProfile=prec3-tp

Continue with a rule that gives FTP the next highest precedence of 2 with a 10% of capacity guarantee:

System:/TrafficShapingRules> add TrafficShapingRule
			SourceInterface=wan
			SourceNetwork=wan_net
			DestinationInterface=dmz
			DestinationNetwork=my_server_ip
			Service=ftp
			TrafficProfile=prec2-tp

The final rule gives SSH a precedence of 1 with a 5% of capacity guarantee:

System:/TrafficShapingRules> add TrafficShapingRule
			SourceInterface=wan
			SourceNetwork=wan_net
			DestinationInterface=dmz
			DestinationNetwork=my_server_ip
			Service=ssh
			TrafficProfile=prec1-tp

Example 23.6. Traffic Shaping with Precedence Limits - Solution 2

This example repeats the previous example, where HTTP is guaranteed 85%, FTP is guaranteed 10% and SSH is guaranteed 5%. However this time, the precedences of HTTP, FTP, and SSH decide how any available capacity above their guarantee is to be allocated.

To achieve this, a separate pipe is created for HTTP and another for FTP which will also allocate their precedences. These pipes are then fed into the main pipe which they will share with SSH traffic.

The precedences of 5, 4 and 3 will be initially assigned to HTTP, FTP and SSH. The precedences of HTTP and FTP will be given a minimum precedence of 2 and 1 by their associated Pipe objects. This means that when they exceed their guarantee and compete for any available bandwidth, their precedences cannot drop below these minimums. However, SSH traffic will still drop to precedence 0 when it competes for bandwidth beyond its guarantee.

Command-Line Interface

Create a Pipe object for HTTP:

System:/> add Pipe my-http-pipe
			LimitBpsTotal=1G
			LimitBps5=85%
			PrecedenceDefault=5
			PrecedenceMin=2
			PrecedenceMax=5

Create another Pipe object for FTP:

System:/> add Pipe my-ftp-pipe
			LimitBpsTotal=1G
			LimitBps5=10%
			PrecedenceDefault=4
			PrecedenceMin=1
			PrecedenceMax=4

Create the Pipe that the previous pipes will feed into:

System:/> add Pipe my-main-pipe
			LimitBpsTotal=1G
			LimitBps3=5%

Next, create a TrafficProfile for HTTP:

System:/> add TrafficProfile http-tp
			ForwardChain=my-http-pipe,my-main-pipe
			PrecedenceMethod=PipeDefault

Create another TrafficProfile for FTP:

System:/> add TrafficProfile ftp-tp
			ForwardChain=my-ftp-pipe,my-main-pipe
			PrecedenceMethod=PipeDefault

Create a final TrafficProfile for SSH with a precedence of 3:

System:/> add TrafficProfile ssh-tp
			ForwardChain=my-main-pipe
			PrecedenceMethod=Override
			PrecedenceLevel=3

There is no predefined service object for SSH so create one:

System:/> add Service ServiceTCPUDP ssh
			DestinationPorts=22
			Type=TCP
			PassICMPReturn=Yes

Now, add the TrafficShapingRule objects that will filter the traffic. Change the CLI context to be TrafficShapingRules:

System:/> cc TrafficShapingRules

Add a rule to for HTTP:

System:/TrafficShapingRules> add TrafficShapingRule
			SourceInterface=wan
			SourceNetwork=wan_net
			DestinationInterface=dmz
			DestinationNetwork=my-server-ip
			Service=http
			TrafficProfile=http-tp

Add a rule for FTP:

System:/TrafficShapingRules> add TrafficShapingRule
			SourceInterface=wan
			SourceNetwork=wan_net
			DestinationInterface=dmz
			DestinationNetwork=my-server-ip
			Service=ftp
			TrafficProfile=ftp-tp

Add a final rule for SSH:

System:/TrafficShapingRules> add TrafficShapingRule
			SourceInterface=wan
			SourceNetwork=wan_net
			DestinationInterface=dmz
			DestinationNetwork=my-server-ip
			Service=ssh
			TrafficProfile=ssh-tp

23.4. Grouping Users

A further level of control is provided within a pipe by being able to split pipe bandwidth into individual resource usage by specifying a grouping. A limit and guarantee can then be specified for each user within the group.

Specifying the Grouping Type

A group is specified by setting a value to the Grouping property of a Pipe object. The possible values for this property can be one of the following:

None (the default - no grouping)
DestinationInterface
DestinationPort
PreviousPipe
SourceNetwork
DestinationIP
SourceInterface
SourcePort
DestinationNetwork
PreviousGroup
SourceIP
TrafficProfile

With the Grouping property set, the default behavior is to share the available bandwidth evenly between "users". The term "user" in this context means the set of flows belonging to a unique value within the grouping. For example, if the Grouping property is set to SourceIP, each user corresponds to a unique source IP address.

Grouping by Networks Requires the Size

If the grouping is by source or destination network then these can be specified as either an IPv4 or IPv6 network. In either case, the network size must also be specified using one of the two following Pipe object properties:

GroupingIP4NetworkSize
GroupingIP6NetworkSize

Specifying Group Limits

Individual users within a grouping can have a limit specified for them in the Pipe object by setting one of the following Pipe properties:

UserLimitBpsTotal
UserLimitPpsTotal

Both properties can be set if either limit is to be applied.

For example, if grouping is by SourceIP and the pipe's UserLimitBpsTotal is specified as 300 Kbps then no single IP address will be allowed more than 300 Kbps of bandwidth. Note that either user limit could also be specified as a percentage (for example, 40%) of the pipe's total capacity.

Dynamic Balancing

A mechanism that is automatically applied when a grouping is used is dynamic balancing. This means that when users in a grouping are competing for the same bandwidth, cOS Stream will distribute the bandwidth evenly across the users.

However, this even competition can be deliberately distorted by allocating different precedences to different users within a grouping. Using precedences with grouping is discussed later in this section.

A Simple Grouping Example

Consider another situation where the total bandwidth limit for a pipe is 2 Gigabits/second. If the aim is to allocate this bandwidth amongst many source IP addresses so that no single IP address can take more than 300 Kbps of bandwidth, the following assignments are needed in the Pipe object:

Set the pipe's LimitBpsTotal property to 2G.
Set the Grouping property for the pipe to be SourceIP.
Set the pipe's UserLimitBpsTotal property to 300 Kbps.

Bandwidth is now allocated on a "first come, first forwarded" basis but no single source IP address can ever take more than 300 Kbps. No matter how many connections are involved, the combined total bandwidth can still not exceed the pipe's total limit of 2 Gigabits/second.

Example 23.7. Traffic Shaping with Grouping

It is assumed in this example that HTTP flows will originate from wan_net on the wan interface with a destination of the server at the IP address my-server-ip on the dmz interface.

The objective is to have these flows pass through a single traffic shaping pipe with a capacity of 2 Gigabits/second and give each source IP address a limit (and therefore guarantee) of 300K Bps.

Command-Line Interface

First, create a Pipe object with the required limits:

System:/> add Pipe my-group-pipe
			LimitBpsTotal=2G
			Grouping=SourceIP
			UserLimitBpsTotal=300K

Next, create a TrafficProfile:

System:/> add TrafficProfile my-group-tp
			ForwardChain=my-group-pipe

Add the TrafficShapingRule objects that will filter the traffic. Change the CLI context to be TrafficShapingRules:

System:/> cc TrafficShapingRules

Add a rule for HTTP traffic:

System:/TrafficShapingRules> add TrafficShapingRule
			SourceInterface=wan
			SourceNetwork=wan_net
			DestinationInterface=dmz
			DestinationNetwork=my-server-ip
			Service=http
			TrafficProfile=my-group-tp

Return to the default CLI context:

System:/TrafficShapingRules> cc
System:/>

User Precedence Limits within a Grouping

Different users within a grouping could be assigned different precedences. In addition to the user limit being specified in a Pipe object, individual user precedence limits can also be specified in the Pipe object. User precedence limits can be considered as guarantees for each user within a grouping. For example, precedence 3 might have a limit of 500 Kbps specified and this is saying that a user (for example, each source IP) with precedence 3 will be guaranteed 500 Kbps at the expense of lower precedences.

User precedence limits can be specified using one of the following Pipe object properties:

UserLimitBpsN - where N is the precedence.
UserLimitPpsN- where N is the precedence.

Combining the user precedence limit and the user limit means that:

The users for the grouping are first separated by the triggering rules. The TrafficProfile associated with the triggering rule will also set the precedence.
The users are then subject to the user precedence limit.
The combined traffic is subject to the user limit.

Combining Pipe and User Precedence Limits

Let us suppose that grouping is enabled by one of the options, such as source IP, and some user precedence limits (UserLimitBpsN) have been specified. How do these combine with the precedences limits specified for the pipe (LimitBpsN)?

In this case where both pipe and user precedence limits are specified, the user precedence limit is a guarantee and the pipe precedence limit is still a limit. For example, if traffic is grouped by source IP and the user limit for precedence 5 (the property UserLimitBps5) is 50 Kbps and the pipe limit for this precedence (LimitBps5) is 200 Kbps then after the fourth unique source IP (4 x 50 = 200 Kbps), the pipe precedence limit is reached and the guarantees may no longer be met.

The illustration below shows this situation, with the grouping selected to be the source IP.

Figure 23.4. Traffic Grouped By IP Address

Example 23.8. Traffic Shaping with Grouping and Precedences

It is assumed in this example that all flows will originate from wan_net on the wan interface with a destination of the server at the IP address my_server_ip on the dmz interface.

The objective is to have these flows pass through a single traffic shaping Pipe object with a capacity of 1 Gbps and group the traffic according to its source network. The pipe's UserLimitBpsTotal property will be set so that no single user can utilize more than 95% of the pipe's capacity.

The precedence of traffic inside the group will be set according to the DSCP bits within each packet so only a single TrafficProfile object is needed with the PrecedenceLevel set to MapDSCP.

The pipe's LimitBps7 property will be set to 40% so that this precedence cannot use more than 40% of the pipe's capacity when it competes with other precedences for any bandwidth above the bandwidth "guarantee". The "guarantee" is dynamic and will be the pipe capacity divided by the number of current users. Only when the guarantee is exceeded would a user compete with other users for any spare capacity and the precedence would decide who got that capacity first.

Command-Line Interface

First, create a Pipe object with the required limits:

System:/> add Pipe my-group-prec-pipe
			LimitBpsTotal=1G
			Grouping=SourceNetwork
			GroupingIP4NetworkSize=32
			GroupingIP6NetworkSize=112
			UserLimitBpsTotal=95%
			LimitBps7=40%

Next, create a TrafficProfile:

System:/> add TrafficProfile my-group-prec-tp
			ForwardChain=my-group-prec-pipe
			PrecedenceMethod=SetDefault
			PrecedenceLevel=MapDSCP

Add the TrafficShapingRule object that will filter the traffic. Change the CLI context to be TrafficShapingRules:

System:/> cc TrafficShapingRules

Add a rule for HTTP traffic:

System:/TrafficShapingRules> add TrafficShapingRule
			SourceInterface=wan
			SourceNetwork=wan_net
			DestinationInterface=dmz
			DestinationNetwork=my_server_ip
			Service=all_services
			TrafficProfile=my-group-prec-tp

Return to the default CLI context:

System:/TrafficShapingRules> cc
System:/>

For the above setup, assume there are 3 users (from 3 different source networks) called A, B and C. Their precedence is set by their DSCP bits. The three users will each be guaranteed one third (0.33 Gbps) of the pipe's capacity.

If one user is using less than one third of the pipe capacity then the remaining two will compete for the spare capacity if they are already at the one third limit. Their precedence will then decide who wins this competition. However, the highest precedence 7 will be only allowed a maximum of 40% of the pipe. In the absence of precedence 7 traffic, no user will be allowed to use more than 95% of the pipe's capacity.

23.5. Summary

This section looks at the key principles of setting up traffic shaping and recommendations to follow when setting it up.

23.5.1. Traffic Shaping Principles

The following list summarizes the key principles involved in traffic shaping:

The base object for traffic management is a Pipe object.
Each pipe has a maximum bandwidth limit assigned to it. This is the capacity of the pipe.
A single pipe should handle traffic in only one direction (although 2 way pipes are allowed). Normally, a traffic flow will have a different pipe for each direction.
A TrafficProfile object defines which Pipe object (or objects) are associated with its forward and return traffic flows.
Pipes can be chained by specifying a list in the TrafficProfile object so that one pipe's traffic feeds into another pipe.
Enable traffic shaping by associating a TrafficProfile object with a TrafficShapingRule or an IPRule object.
Specific traffic types can be assigned a priority within a pipe. There are 8 precedence levels, from 0 (the lowest) to 7 (the highest).
Priorities can be assigned a maximum limit which is also a guarantee. Traffic that exceeds this will be sent at the minimum precedence which is known as the best-effort precedence.
At the best-effort precedence all packets are treated on a "first come, first forwarded" basis.
Within a pipe, traffic can also be separated on a Group basis. For example, by source IP address. Each user in a group (for example, each source IP address) can be given a maximum limit and precedences within a group can be given a limit/guarantee.
A pipe bandwidth limit need not be specified if the group members have a maximum limit assigned.
Dynamic Balancing can be enabled to specify that all users in a group get a fair and equal amount of bandwidth.

23.5.2. Setup Recommendations

The Importance of a Pipe Limit

Traffic shaping only comes into effect when a pipe is full. That is to say, it is passing as much traffic as the total limit allows. If a 500 Kbps pipe is carrying 400 Kbps of low priority traffic and 90 Kbps of high priority traffic then there is 10 Kbps of bandwidth left and there is no reason to throttle back anything. It is therefore important to specify a total limit for a pipe so that it knows what its capacity is and the precedence mechanism is totally dependent on this.

VPN Pipe Limits and Overhead

Traffic shaping measures the traffic inside VPN tunnels. This is the raw unencrypted data without any protocol overhead so it will be less than the actual VPN traffic. VPN protocols such as IPsec can add significant overhead to the data and for this reason it is recommended that the limits specified in the traffic shaping pipes for VPN traffic are set at around 20% below the actual available bandwidth.

However, traffic shaping does take into account the overhead involved in Ethernet and VLANs. Although the 4 CRC32 bytes applied by Ethernet hardware is not included in the traffic calculations.

Limits should not be more than the Available Bandwidth

If pipe limits are set higher than the available bandwidth, the pipe will not know when the physical connection has reached its capacity. If the connection is 500 Kbps but the total pipe limit is set to 600 Kbps, the pipe will believe that it is not full and it will not throttle lower precedences.

Limits should be less than Available Bandwidth

Pipe limits should be slightly below the network bandwidth. A recommended value is to make the pipe limit 95% of the physical limit. The need for this difference becomes less with increasing bandwidth since 5% represents an increasingly larger piece of the total.

The reason for the lower pipe limit is how cOS Stream processes traffic. For outbound connections where packets leave the Clavister NetShield Firewall, there is always the possibility that cOS Stream might slightly overload the connection because of the software delays involved in deciding to send packets and the packets actually being dispatched from buffers.

For inbound connections, there is less control over what is arriving and what has to be processed by the traffic shaping subsystem and it is therefore more important to set pipe limits slightly below the real connection limit to account for the time needed for cOS Stream to adapt to changing conditions.

Attacks on Bandwidth

Traffic shaping cannot protect against incoming resource exhaustion attacks, such as DoS attacks or other flooding attacks. cOS Stream will prevent these extraneous packets from reaching the hosts behind the Clavister NetShield Firewall, but cannot protect the connection becoming overloaded if an attack floods it.

Watching for Leaks

When setting out to protect and shape a network bottleneck, make sure that all traffic passing through that bottleneck passes through the defined pipes.

If there is traffic going through the Internet connection that the pipes do not know about, cOS Stream cannot know when the Internet connection becomes full.

The problems resulting from leaks are exactly the same as in the cases described above. Traffic "leaking" through without being measured by pipes will have the same effect as bandwidth consumed by parties outside of administrator control but sharing the same connection.

Troubleshooting

For a better understanding of what is happening in a live setup, the pipe CLI command can be used. For example, to examine the activity of a particular pipe:

System:/> pipe <pipename>

can be used to display a list of currently active users in each pipe.

Chapter 24: Threshold Rules

Overview

The objective of the threshold rules feature is to provide a means of reacting to abnormal flow activity. An example of such activity might be an internal host becoming infected with a virus so that it repeatedly opens new flows to external IP addresses.

Alternatively, an external network device might try to open excessive numbers of flows to some protected resource. (A "flow" in this context refers to any type of connections, such as TCP, UDP or ICMP, which is being tracked by the system's state-engine).

Threshold Rule Object Structure

The object structure used with threshold rules is as follows:

ThresholdRules

This is a predefined top level object. Only one exists and its only purpose is to be a parent to one or more ThresholdRule objects.
ThresholdRule

Multiple of these can be added to the ThresholdRules object as children. This object defines the filter that targets specific traffic. The filter includes source/destination network/interface plus the service.
ThresholdSet

Multiple of these can be added to a ThresholdRule object as children. This object defines an action to be taken when all the set's associated ThresholdDefinitions objects trigger, as well as the logging performed when they do.
ThresholdDefinition

Multiple of these can be added to a ThresholdSet as children. Each defines either a level of concurrent flows or rate of new flow establishment as a trigger. The action of the parent ThresholdSet is only applied when all of its child ThresholdDefinition objects are triggered.

ThresholdRule Properties

A ThresholdRule object is a child of the single predefined ThresholdRules object and has the properties listed below to filter the targeted traffic:

SourceInterface
SourceNetwork
DestinationInterface
SourceNetwork
Service

This filtering combination of source/destination network/interface and service is common to other rules, such as IPRule objects.

ThresholdSet Properties

A ThresholdSet object is a child of a ThresholdRule object and has the following key properties:

Action

This is the response of the rule when the limit is exceeded. The options are:
1. None - Leave the flow intact but generate a log event message.
2. Drop - Drop the triggering flow.
3. RandomDrop - Drop triggering flows randomly using the Probability property.
4. Blacklist - Add the source IP to the system blacklist. It will stay on the blacklist for the number of seconds specified by the Timeout property. The blacklisting action will be ignored for IPs on the system whitelist.
  
  When the blacklist is listed with the blacklist CLI command, the name of this set's parent ThresholdRule will be displayed in the Rule column for entries added by this action.

ActionLog

This decides if logging is to be done or not. The possible values are:
1. ObeyRule - This is the default value. Logging is decided by the logging setting on the associated IP rule.
2. NeverLog - No logging is done.
3. AlwaysLog - Logging is always done.

ActionLogSeverity

This is the log severity with which log messages will be sent to log receivers.

Probability

If the Action property is set to RandomDrop, this is an integer value that specifies the percentage of flows that will be dropped.

Timeout

This property is only used if the Action is set to Blacklist and must be specified if the action is set to this. It specifies the time in seconds that the source IP will remain on the blacklist.

If the value is specified as 0 then the source IP will remain on the blacklist until the system is restarted or if the IP is removed manually from the blacklist using the blacklist CLI command. The blacklist command is described further in Section 25.1, Blacklisting.

ThresholdDefinition Properties

One or more ThresholdDefinition objects are children of a ThresholdSet object and the threshold limit(s) that must be triggered before the parent ThresholdSet action is applied.

The key properties for this object are the following:

Type

The rule can be specified to limit either one of the following:
1. FlowRate - The number of new flows opened per second.
2. ConcurrentFlows - The total number of concurrent flows.

Limit

This is the numerical maximum threshold for the Type.

This setting takes an integer value with a minimum of 1 and an upper limit of 2 billion.

Note: Limit can optionally have a unit specified

The property Limit can optionally be specified with a unit of measurement. Any of the following unit notations can be used:

K - Thousands (examples: 2K, 2.5K, 900K)
M - Millions (examples: 5M, 2.25M).
G - Billions (examples: 3G, 4.125G).

As shown in the above examples, the numeric value used can be integer or decimal. Also, different units cannot be mixed in a single value.

Interval

This is the number of seconds during which all the limits of the Type are added together to get a sum. If this sum exceeds the Limit then triggering is ready but is still subject to the Duration property, which is explained next.

This setting can take time values between 1 second and any value. The default value is 1 second.

Duration

Once the sum of the Type exceeds the Limit value within the Interval number of seconds, another sum is calculated during the subsequent Duration number of seconds. If this sum also exceeds the Limit during this subsequent period then the threshold will now be triggered.

Following triggering, the summing of values begins again within the next Interval number of seconds, and the process repeats.

This value has no maximum limit. The default value is 0.

Note: Time values must be specified with a unit notation

Both the above time properties Interval and Duration must be specified with their units of measurement, unless the value is zero. Any of the following unit notations can be used:

s - Seconds (examples: 2s, 2.5s, 1000s)
m - Minutes (examples: 5m, 2.25m).
h - Hours (examples: 3h, 4.125h).
d - Days (examples: 1d, 3.5d). This can only be used with Duration.

As shown in the above examples, the numeric value used can be integer or decimal. Also, different units cannot be mixed in a single time value.

Grouping

The thresholds can be applied by grouping meaning that flows from a single grouping are considered together when calculating if a threshold has been exceeded. For example, if the Grouping property is set to SourceIP, then by default all the traffic from a single source IP address is added together when calculating if a threshold has been exceeded. However, this behavior can be altered using the Scope property (see below).
1. None - no grouping.
2. SourceIP.
3. SourceNetwork.
4. SourceInterface.
5. DestinationIP.
6. DestinationNetwork.
7. DestinationInterface.
Note grouping by interface is usually used with VLANs and VPN.

GroupingIP4NetworkSize

Used if the Grouping property is specified as SourceNetwork or DestinationNetwork. This is the size of the IPv4 network, specified as an integer. The default value is 16.

GroupingIP6NetworkSize

Used if the Grouping property is specified as SourceSubnet or DestinationSubnet. This is the size of the IPv6 network, specified as an integer. The default value is 64.

Scope

This specifies how the Grouping property is applied. It can have one the following values:
1. Group (the default)
  
  This setting applies the limit separately to each group. For example, with a total flow limit of 100 and 7 active groups then the effective limit is 100 flows for each group.
  
  Similarly, for a limit on flow setup rate, each group applies the limit separately from other groups.
2. Shared
  
  For a limit on the total number of flows, this setting applies the limit across all groups by dividing the total limit by the number of groups. For example, if the limit is 100 flows and there are 7 active groups then the limit becomes 14 flows per group.
  
  If the number of groups exceed the number of flows then cOS Stream will allocate the available flows on a randomized basis with the probability of allocation depending on the number of active groups and the flow limit.
  
  When the limit is on the rate of flow setup, all groups share the limit.

ThresholdLog

When enabled (the default), log messages are generated for each time this object triggers and when it stops triggering.

ThresholdLogSeverity

The severity of the log messages generated. The default severity is Default.

Triggering Multiple Actions

If one or more ThresholdSet objects trigger at the same time then the following rules apply to decide which action has priority:

If the Action property of the ThresholdSet objects has differing values then the following priority is used (where number 1 is the highest priority):
1. Drop.
2. RandomDrop.
3. None.
If the Action property of the ThresholdSet objects is the same value then the ordering of the ThresholdSet objects determines which one is used. The first ThresholdSet object found is used and the others are ignored.

Example 24.1. Creating a Threshold Rule

This example creates threshold rules that are applied to HTTP traffic passing between the if1 and if2 interface. Once the number of concurrent flows reaches 1000, subsequent new flows will be dropped.

Command-Line Interface

Change the current CLI context to be the threshold rule set:

System:/> cc ThresholdRules
System:/ThresholdRules>

Add a new ThresholdRule object:

System:/ThresholdRules> add ThresholdRule
			SourceNetwork=if1_net
			SourceInterface=if1
			DestinationNetwork=if2_net
			DestinationInterface=if2
			Service=http
			Name=my_rule

Change the CLI context to be the new ThresholdRule object:

System:/ThresholdRules> cc ThresholdRule my_rule

Note that the object could have been referred to by its name my_rule or its position in the set of rules, as shown below:

System:/ThresholdRules> cc ThresholdRule 1

Add a new ThresholdSet object:

System:/ThresholdRules/ThresholdRule/1(my_rule)> add ThresholdSet
			Action=Drop
			Name=my_set

Change the CLI context to be the new ThresholdSet object:

System:/ThresholdRules/ThresholdRule/1(my_rule)> cc ThresholdSet my_set

Add a new ThresholdDefinition object:

System:/ThresholdRules/ThresholdRule/1(my_rule)/ThresholdSet/1(my_set)> 
			add ThresholdDefinition
			Type=ConcurrentFlows
			Limit=1000
			Name=my_def

To return to the parent CLI context use the cc.. command:

System:/ThresholdRules/ThresholdRule/1(my_rule)/ThresholdSet/1(my_set)> 
			cc..
System:/ThresholdRules/ThresholdRule/1(my_rule)>

To return to the default top-level CLI context use the cc command:

System:/ThresholdRules/ThresholdRule/1(my_rule)/ThresholdSet/1(my_set)> cc
System:/>

Advanced Settings for Threshold Rules

The threshold rules subsystem has the following associated global setting which is a property of the MiscSettings object:

MaxThresholdMemUsage

This is the maximum percentage of system memory that the threshold subsystem can use. The default value is 10. This value may need to be increased when large numbers of flows trigger the subsystem.

If large numbers of the log event Random group replacement are generated during normal operation then increasing memory could reduce this problem. Note that a denial-of-service attack could also result in large quantities of this log message being generated.

Chapter 25: Black/Whitelists

Overview

The Clavister NetShield Firewall has the ability to Blacklist and Whitelist certain IP addresses. Traffic from a blacklisted IP is dropped by cOS Stream. Traffic from a whitelisted IP address is never blacklisted.

The sections that follow discuss these two functions in depth.

25.1. Blacklisting

Overview

The Clavister NetShield Firewall implements a Blacklist of traffic types which can be utilized to protect against traffic coming from specific Internet sources.

Certain subsystems have the ability to optionally blacklist an IP address when certain conditions are encountered. These subsystems are:

Threshold Rules. See Chapter 24, Threshold Rules for a discussion of using blacklisting.

	Note: A system restart will empty the blacklist
	The contents of the blacklist are lost between system restarts.

Blacklist Entry Data

Each entry in the blacklist holds the following set of data fields:

SourceInterface - The source interface of the blacklisted traffic.
SourceIP - The source IP address of the blacklisted traffic. This must be a single IP address.
DestinationIP - The destination IP of the blacklisted traffic. If specified manually this must be a single IP address. This property will take a default value of all-nets if not specified.
Proto - The protocol of the blacklisted traffic.
Port/ID - The port of the blacklisted traffic where the port is applicable (such as for TCP or UDP traffic). For ICMP traffic, the ID can be specified instead.

When adding a blacklist entry manually, the entry will not be added if an invalid protocol is specified.
Timeout - The number of remaining seconds an entry will remain on the list. If available, this value comes from the triggering object. A value of zero means an indefinite timeout, in which case it is displayed as n/a and the entry can only be removed manually or through a system restart.
Trigger Object - The name of the configuration object that added the blacklist entry.
Trigger System - The subsystem that added the entry. For example, the Threshold subsystem. This will say CLI if the entry was added manually.

When a rule, such as a threshold rule, is the triggering object and its action specifies to blacklist the traffic, an entry in the blacklist is created and many of the properties listed above are assigned the corresponding values from the triggering object.

The Service object used in the triggering object is not copied directly to the blacklist entry. Instead, it is broken down into its components and these are assigned to the Proto and Port properties of the blacklist entry. This is because the entries in the blacklist are not configuration objects as they are with the whitelist.

The blacklist CLI Command

The administrator can manually add, list and delete blacklist entries using the CLI command blacklist. It is also possible to display the entries in the Whitelist configuration object but not edit it. Editing the whitelist is discussed in Section 25.2, Whitelisting.

The basic form of the command without options will list both the current blacklist and whitelist:

System:/> blacklist
		
                 Whitelisted Addresses

Source Interface  Source IP        Destination IP  Service
----------------  ---------------  --------------  -------
if1               203.0.113.9      all-nets        all_tcp

                               Blacklisted Addresses

        Source  Source       Dest      Dest              Trigger   Trigger
Proto   Iface   IP           IP        Port/ID  Timeout  System    Object
------  ------  ------------ --------- -------- -------- --------- -------
ALL     if1     203.0.113.1  all-nets  0-65535  n/a      CLI       n/a

To get just the blacklist or just the whitelist, use the -show=blacklist or -show=whitelist options:

System:/> blacklist -show=blacklist

The option -show=all is the same as blacklist with no options.

Manually Adding a Blacklist Entry

To manually add a blacklist entry, use the -add option. The following command blocks the source IPv4 address 203.0.113.2 arriving at the if1 interface:

System:/> blacklist -add -srciface=if1 -srcip=203.0.113.2
		
                    Added entry to blacklist:
										
        Source   Source       Dest       Dest     
Proto   Iface    IP           IP         Port/ID    Timeout
------  -------  -----------  ---------  ---------  -------
ALL     if1      203.0.113.2  all-nets   0-65535    n/a

The source address could have been specified as an address object called my_bad_address:

System:/> blacklist -add -srciface=if1 -srcip=my_bad_src_address

Note that in either case, only a single IPv4 or IPv6 address can be specified as the source IP. A range or network cannot be specified.

Also, as a minimum, the -srcip and -srciface options must both be specified when adding a blacklist entry. The destination IP will default to all-nets if not specified and the Proto and Port properties will match all protocols if not specified (as shown in the example above).

Manually adding whitelist entries is done by adding WhitelistRule object as children to the predefined Whitelist configuration object. This is discussed in Section 25.2, Whitelisting.

Manually Removing a Blacklist Entry

It is possible to manually remove a blacklist entry with the -remove option. Like adding an entry, at least the -srciface and -srcip options must be specified:

System:/> blacklist -remove -srciface=if1 -srcip=203.0.113.2

Searching for Blacklist Entries

The -lookup option will list blacklist entries that match a set of criteria. To display all entries with a source IP of 203.0.113.2, the command would be the following:

System:/> blacklist -lookup -srcip=203.0.113.2
		
                    Matched Blacklist Entries
										
       Source  Source       Dest      Dest               Trigger    Trigger
Proto  Iface   IP           IP        Port/ID   Timeout  System     Object
-----  ------  -----------  --------  -------   -------  ---------  -------
ALL    if1     203.0.113.2  all-nets  138       42       Threshold  myrule1

Processing Duplicate Blacklist Entries

When a new blacklist entry is added, cOS Stream searches the existing entries to make sure that it is not a duplicate of an existing entry. A duplicate means that all parameters are the same except for the timeout. When a duplicate is detected, the entry with the longer timeout is retained in the list and the one with the shorter timeout is discarded.

25.2. Whitelisting

Overview

To ensure that certain traffic coming from trusted sources is never blacklisted under any circumstances, a single, predefined Whitelist object exists in cOS Stream. This object is the parent to one or many child WhitelistRule objects which can be added by the administrator. Each WhitelistRule has the following properties to specify the type of traffic that must never be blacklisted:

Name - A logical name for the rule.
SourceInterface - The source interface for the traffic. This can be any.
SourceIP - The source IP address or IP range for the traffic.
DestinationIP - The destination IP or IP range for the traffic.
Service - A Service object reference that specifies the protocol.

	Tip: Management traffic should be whitelisted
	It is recommended to add the management traffic for the Clavister NetShield Firewall itself to the whitelist since blacklisting of this traffic could potentially mean that the administrator loses access to cOS Stream.

It is also important to understand that although whitelisting prevents particular traffic from being blacklisted, it still does not prevent cOS Stream mechanisms such as threshold rules from dropping or denying connections that meets whitelisting criteria. All whitelisting does is prevent the traffic being added to a blacklist.

	Note: System restarts do not affect the whitelist
	The contents of the whitelist is not lost between system restarts.

Example 25.1. Adding a Whitelist Entry

In this example, a WhitelistRule object is created that will prevent any traffic from the network mgmt_net arriving on the interface if1 from being blacklisted. The destination IP for this traffic will be if1_ip.

Command-Line Interface

Change the CLI context to be the predefined Whitelist object:

System:/> cc Whitelist

Add the WhitelistRule object:

System:/Whitelist> add WhitelistRule
			SourceInterface=if1
			SourceIP=mgmt_net
			DestinationIP=if1_ip
			Service=all_services
			Name=whitelist_mgmt_traffic

Change the CLI context back to the default:

System:/Whitelist> cc
System:/>

Chapter 26: Application Control

Overview

The Application Control feature in cOS Stream allows IP rules to generate log messages which identify the type of application that is causing an IP rule set entry to trigger. A simple example of such an application might be the peer-to-peer file sharing protocol BitTorrent.

The current application control implementation provides an auditing function only and it is not possible to automatically block specific applications. However, it is possible to manually close specific flows based on the related application using the flow command.

Behavior on License Validity Expiry

Note that if the Upgrades Valid Until date in the firewall's license has passed, the application control subsystem will no longer scan traffic even if it has been enabled to do so. Application control will also not block any traffic.

Application Control Setup Steps

The following steps are required to set up application control:

Application control must be enabled globally for the configuration. By default, application control is enabled. If application control has been switched off and needs to be re-enabled, the command would be the following:
```
System:/> set Settings AppControlSettings AppControlEnabled=Yes
```
Enable application control log message generation for a given IP rule set entry. For example:
```
System:/> cc RuleSet IPRuleSet main
System:/IPRuleSet/main> set IPRule 1 AppControl=Yes
```
Note that the index number of the entry must be specified.

Application Control Signatures

The application control engine is driven using a database of application signatures. Each signature is a definition used by the engine to identify the application in a flow. The latest database update is integrated into each software release for cOS Stream. Each signature in the database corresponds to one type of application.

The complete application signature database is listed in a separate document titled Application Control Signatures. In this document, it can be seen that each signature has the following properties associated with it:

Name

This is a unique name for each signature and used to identify individual applications. For example, bittorrent.
Family

This is a parent grouping to Name and collects together related signatures. For example, the signature BitTorrent belongs to the family called peer_to_peer. The signature called yahoo_groups belongs to the family forum.

A signature can belong to only one family.
Tag

There can be multiple Tag values for each signature and each provides alternative ways of grouping signatures which can be used in searches. For example, the signature called bittorrent has the Tag value of p2p_file_sharing associated with it.
Risk

The Risk value is a number between 1 and 5 which indicates the seriousness of the security risk posed by the application. A value of 1 is the lowest risk and 5 is the highest.

This grading of risk reflects the degree of danger which allowing the application's data traffic poses to protected resources. For example, some applications with a high risk might facilitate the transmission of malicious software.

Naming Conventions in the CLI and Signature Reference Guide

Application control names, for example for applications and tags, can have two different forms. One form is that used as the description in the signature reference guide that includes uppercase and spaces. The second form is all lowercase and spaces are replaced by underscore characters. This second form is used with the CLI. For example, bittorrent. In some isolated cases, the names can have different lengths. For example, the tag Software Update becomes updater in the CLI. The best approach to naming in the CLI is to use the tab completion feature for the correct name.

Browsing the Application Control Signature Database

In the CLI, the command appcontrol can be used to examine the database of application signatures. Without any parameters, this command shows a summary of all the signatures in the current database. Here is an example of the output for an example database version:

System:/> appcontrol

 Application control system information

Number of applications 3208
Number of families 32
Number of tags 40
Active Yes
License until 2021-12-30
Application library version 1.420.2
Application engine version 5.4.0-46
Application definition version 1.420.0-43
Application data version 1.420.0-43
Number of flows currently being analyzed 1

To display individual application signatures, use the -show-applications parameter. Without any other parameters, this will display the entire database in blocks of 20 entries. This is obviously a long list so other command parameters can be used to restrict the selection. For example, the -num parameter determines the number of signatures displayed by the command:

System:/> appcontrol -show-applications -num=5
		
Name        Full Name
----------  ---------------------------
base        Base virtual protocol
unknown     Unknown virtual protocol
malformed   Malformed virtual protocol
incomplete  Incomplete virtual protocol
8021q       802.1Q Ethernet VLAN

Displaying Application Families

The -family parameter can be used to filter the signatures within a given family. The following incomplete command uses a tab character to display all the families:

System:/> appcontrol -show-applications -family=<tab>
		
 antivirus            file_server        network_management  telephony
 application_service  file_transfer      network_service     terminal
 audio_video          forum              peer_to_peer        thin_client
 authentication       game               printer             tunneling
 compression          instant_messaging  qosmos              unclassified
 database             mail_protocols     routing             wap
 encrypted            microsoft_office   security_service    web
 erp                  middleware         standard            webmail

These families contain the individual signature definitions. For example, to view the signatures in the compression family, use the command:

System:/> appcontrol -show-applications -family=compression

Name  Full Name
----  ----------------------------
ccp   Compression Control Protocol
comp  COMP

To view the details of signatures, the -verbose option can be used with the other criteria such as the -name option. For example, to display details of the comp application from the list above, the following command can be used:

System:/> appcontrol -show-applications -name=comp -verbose
		
Listing applications with NamesFilter='comp'.

comp - COMP
COMP protocol is used for data compression over PPP.
Family:      Compression
Risk Level:  1 - Very low risk
Tags:        Network Layer Protocols
Revision:    18

The Risk Level indicates the degree of threat that this particular application poses. The Tag data (there can be multiple tags) provides more information about the data traffic related to the application. For example, the High Bandwidth tag indicates that the application has the ability to consume significant amounts of bandwidth.

In summary, it is possible to search the signature database by using any combination of the following filter parameters with the command appcontrol -show-applications:

-name
-family
-risk
-tag

Using Wildcards with Name

Only the -name parameter can accept the asterisk "*" character as a wildcard. For example:

System:/> appcontrol -show-applications -name=n* -family=web -risk=HIGH

Name     Full Name
-------  ----------
netload  Netload.in
ngrok    ngrok

Risk Guidelines

The following are guidelines for how the risk parameter for each application control signature should be viewed by the administrator:

Risk Level 5

Very high risk. This traffic should be blocked unless special circumstances or requirements exist. For example, PHP-, CGI-, HTTPS-proxies; known attack sites.
Risk Level 4

High risk. This traffic should be reviewed and a block or allow action taken. Site-to-site tunneling should be used where possible. For example, SSH, LDAP, RADIUS, Dropbox and similar.
Risk Level 3

Medium risk. Signatures with this risk level can affect network security, bandwidth usage and company integrity if care is not taken. For example, Facebook and other social networks, Google Analytics and similar aggregators, P2P/filesharing
Risk Level 2

Moderate risk. Signatures with this risk level can affect network security and/or affect bandwidth usage. For example, video streaming sites, Java/Flash game sites
Risk Level 1

Low-risk. Signatures that could be candidates for blocking. Typically not a threat. For example, E-commerce sites, news portals.

Log Message Generation

When configured on an IP rule set entry, application control will generate a log message when either of the following occurs:

Application Detected for a New Flow

A new flow is established and the current application for that flow is classified. Below is a typical example of such a log message where the application dns is detected:

APPCONTROL: prio=information id=00000 event=application_identified
flow_proto=UDP flowfwd_recvif=if1 flowfwd_recvzone=n/a
flowfwd_srcip=192.168.10.20 flowfwd_srcport=54701
flowfwd_destip=192.168.5.120 flowfwd_destport=53
flowrev_recvif=if3 flowrev_recvzone=n/a
flowrev_srcip=192.168.5.120 flowrev_srcport=53
flowrev_destip=192.168.10.20 flowrev_destport=54701
flowfwd_totpkts=4 flowfwd_totbytes=300 flowrev_totpkts=0
flowrev_totbytes=0 app_new=dns app_old=unclassified
appfwd_totpkts=3 appfwd_totbytes=225 apprev_totpkts=0
apprev_totbytes=0 user=n/a userid=n/a action=none

Detected Application Changes for an Existing Flow

The application for an established flow changes. Below is a typical example of this type of log message where the dns application found in the previous log message changes to the dns_tunnel application which indicates an attempt at DNS tunneling:

APPCONTROL: prio=information id=00000 event=application_changed
flow_proto=UDP flowfwd_recvif=if1 flowfwd_recvzone=n/a
flowfwd_srcip=192.168.10.20 flowfwd_srcport=22223
flowfwd_destip=192.168.5.120 flowfwd_destport=53
flowrev_recvif=if3 flowrev_recvzone=n/a
flowrev_srcip=192.168.5.120 flowrev_srcport=53
flowrev_destip=192.168.10.20 flowrev_destport=22223
flowfwd_totpkts=4 flowfwd_totbytes=503 flowrev_totpkts=0
flowrev_totbytes=0 app_new=dns_tunnel app_old=dns
appfwd_totpkts=3 appfwd_totbytes=279 apprev_totpkts=0
apprev_totbytes=0 user=n/a userid=n/a action=none

Displaying Flows with Application Information

By adding the -app option to the flow -show command, an extra column called App will appear in the output which shows the application classification for each flow. Below is an example which shows a single flow classified by application control as being DNS traffic:

System:/> flow -show -app
		
         Source                          Dest                   ID /            
Proto    Iface    IP              Port   Iface  IP              Port
-------  -------  --------------  -----  -----  --------------  -----
UDP      if1(0)   192.168.10.20   39415  if3    192.168.5.120   53

Timeout  App
-------  ------------------
    126  dns

Here, the individual signature name appears in the App column. If application control has not yet classified the flow, the text not_yet_classified will appear. If the flow cannot be classified, the text n/a will appear.

If the -verbose option is added to the above command, a path appears in the App column which reflects the internal hierarchy of the signature database:

System:/> flow -show -app -verbose
		
         Source                          Dest                   ID /            
Proto    Iface    IP              Port   Iface  IP              Port
-------  -------  --------------  -----  -----  --------------  -----
UDP      if1(0)   192.168.10.20   39415  if3    192.168.5.120   53

Timeout  App
-------  ------------------
    126  ip.udp.dns

In addition, the -verbose option will also show the return part of a bi-directional flow.

To filter the applications displayed by the flow command, the -appfilter= option can be used. For example, to display DNS flows, the following command might be used:

System:/> flow -show -app -appfilter=dns

The string specified with -appfilter cannot contain wildcards and cannot be a list. However, the -appfilter option works by searching for all flows that contain the specified text string anywhere in the full application path of the flow. An example application path is ip.udp.dns and the string .udp. would match this path (and all other UDP flows).

Closing Flows Based on the Application

The flow command with the -close and -appfilter options can be used to close all flows for a single or range of applications. For example, the following would close all flows that are currently classified as being bittorrent traffic:

System:/> flow -close -appfilter=bittorrent

As described previously, the whole application path will be searched for the string specified in the -appfilter option. For example, the following would close all flows with application paths that contain the characters ".udp." anywhere (and consequently, all UDP flows):

System:/> flow -close -appfilter=.udp.

Application Control Licensing

Application control is a subscription service and the expiry date for the current subscription is specified by a line in the system license. The current status of the application control system can be viewed by using the command appcontrol with no parameters. Example output when the feature has not expired is shown earlier in this section. After expiry, the following will be seen:

System:/> appcontrol
Application control is not allowed by the current license.

When the application control subscription expires, the following will happen:

A log message is generated at system startup or on reconfiguration to indicate subscription expiry.
A console warning message is generated at system startup or on reconfiguration for each IP rule set entry that is configured to use application control.
No application control log messages are generated if a flow triggers an IP rule set entry which has application control enabled. However, the rule set entry will function as normal.

Chapter 27: IPS

27.1. Overview

Computer servers can sometimes have vulnerabilities which leave them exposed to attacks carried by network traffic. Worms, trojans and backdoor exploits are examples of such attacks which, if successful, can potentially compromise or take control of a server. A generic term that can be used to describe these server orientated threats are intrusions.

Intrusions differ from viruses in that a virus is normally contained in a single file download and this is often downloaded to a client system which it then can infect. An intrusion manifests itself as a malicious pattern of Internet data aimed at bypassing server security mechanisms. Intrusions are not uncommon and they can constantly evolve because their creation can be automated by the attacker.

Intrusion Prevention with the Clavister NetShield Firewall

The Intrusion Prevention System (IPS) in cOS Stream provides an important defense against intrusion attempts. IPS works by scanning flows through the Clavister NetShield Firewall, searching for data patterns that indicate an intrusion is being attempted. Once detected, the administrator can choose what action to take, including dropping the flow.

Which data flows that IPS scans is determined by defining one or more IPSRule objects in the cOS Stream configuration. The data patterns that IPS searches for are contained in one or more signature files which reside on the firewall disk storage. These can consist of a single Clavister supplied signature file and/or multiple or a single custom signature file in Snort format.

	Note: IPS will never scan firewall management traffic
	The IPS feature in cOS Stream will never scan any management traffic. This includes SSH and SNMP traffic as well any log messages that are sent. This ensures that IPS cannot interrupt the ability to manage the firewall.

IPS and Scanning Encrypted SSL Traffic

Using the feature called SSL Inspection, it is possible for IPS to scan encrypted SSL traffic passing through the firewall. Configuring this is described in Chapter 15, SSL Inspection.

Behavior on License Validity Expiry

Note that if the Upgrades Valid Until date in the firewall's license has passed, the IPS subsystem will no longer scan traffic even if it has been enabled to do so. IPS will also not block any traffic.

IPS Configuration Objects

The following configuration objects are used to configure IPS:

IntrusionPrevention

This exists by default and is the parent object for all IPSRule objects created.
IPSRule

IPSRule objects should be defined to determine what traffic should be scanned. They are independent of IPRule objects and all flows are checked against the IPSRule set.

Each rule has a set of filtering criteria so that triggering traffic will be subject to the rule's IPSRuleAction children.

IPS is enabled when one or more IPSRule objects exist in a cOS Stream configuration. There is no global setting to enable or disable it.
IPSRuleAction

One or more IPSRuleAction objects are added as children to an IPSRule object. The Action property of the object determines what action should be taken when the parent rule triggers AND one of the object's filtering criteria triggers. The filtering criteria are the IPS signatures specified by the SignatureCategory and/or SignatureGroup properties.

The SignatureCategory and/or the SignatureGroup properties can be assigned a comma separated list. However, if a value is not specified for either property, the IPSRuleAction object will never be triggered and its associated action never taken.

Note that a category exists in the vendor signature file for each signature. For custom signature files added to cOS Stream by the administrator, the category of all signatures in the file is the filename itself. Multiple categories can be specified using the asterisk '*' wildcard character to represent any combination of characters. For example: IPS_WEB_*.
IPSSignatureGroup

A list of one or more IPSSignatureGroup objects can be assigned to an IPSRuleAction object. Each group represents one or more IPS signatures that are to be used when the traffic is scanned. No signatures are installed in a default configuration.

The IPSSignatureGroup object has many filtering options which are described next.

Using IPSSignatureGroup Filters

A list of one or more IPSSignatureGroup object can be assigned to the SignatureGroup property of an IPSAction object. An IPSSignatureGroup provides a means to specify individual or collections of signatures that are to be applied to the traffic specified by the associated IPSAction's parent IPSRule.

There are several filtering options for the IPSSignatureGroup which are specified using the following object properties:

IncludeVendorSignature

This specifies a list of one or more individual signature SIDs which may be found in the active vendor signature file.
IncludeCustomSignature

This specifies a list of one or more individual signature SIDs which may be found in the active custom signature file.

If both this and the IncludeVendorSignature property are specified then the two are combined using a logical OR. The complete logic applied to all the filters is described at the end of this property list.
IncludeSignatureGroup

This specifies a list of one or more other SignatureGroup objects. These member groups will then be filtered by the FilterBy properties specified below.
IncludeCategory

The categories to be selected. Different signatures in the vendor file can have different categories. All signatures in the custom file have the same category and that category is the name of the active custom file. For example, if the active custom file is called my_sigs.sig then the assigning this category would be done with:
```
		IncludeCategory=my_sigs.sig
```
FilterByCVE

The CVE (Common Vulnerabilities and Exposures) code is set for some of the signatures. The CVE for vendor signatures can be found in the advisory associated with a signature.
FilterBySeverity

This property can take one of the following values:
1. Attack or Scan for vendor signatures.
2. Custom for all signatures in the custom file.
FilterByString

This property provides the ability to perform a search for an arbitrary character sequence within the name and content of currently included filtering signatures.
CreatedAfter

Only individual signatures created after a certain date will be included. All the vendor signatures will have a creation date. Custom signatures may have a creation date.

The value specified for this property must be in the format yyyy-mm-dd. For example, to include the date 2019-03-22 and any later dates, the property would be set as:
```
	CreatedAfter="2019-03-21"
```

When multiple filter properties of the IPSSignatureGroup object are used, they are combined using the following logic:

(IncludeVendorSignature OR IncludeCustomSignature OR
		IncludeSignatureGroup OR IncludeCategory)
	AND FilterByCVE AND FilterBySeverity
	AND FilterByString AND CreatedAfter

IPS Processing Steps

The steps in IPS processing are the following:

A packet arrives at an interface and cOS Stream performs normal verification. If the packet is part of a new flow then it is checked against the IP rule set first before being passed to the IPS subsystem. If the packet is part of an existing connection it is passed straight to the IPS system.
Provided that the IP rules allow a flow, all traffic is checked against the IPSRule object list.
If an IPSRule triggers, its child IPSRuleAction objects are processed in order. The signatures specified for each child action are applied to the traffic until one of them triggers.
If the traffic finds a match in the IPSRuleAction signatures specified by the SignatureCategory or SignatureGroup, the Action property specifies what to do. The action performed can be be one of the following:
- Ignore - Do nothing if an intrusion is detected and allow the flow to stay open.
- Audit - Allow the flow to stay open but log the event.
- Protect - This option drops the flow and logs the event. This is the default.

HTTP Normalization

An IPSRule object has a number of properties that can be used for HTTP normalization. This allows the administrator to choose the actions that should be taken when IPS finds inconsistencies in the URIs embedded in incoming HTTP requests. Some server attacks are based on creating URIs with sequences that can exploit weaknesses in some HTTP server products.

The IPSRule properties related to HTTP normalization are as follows:

URIInvalidUTF8

This looks for any invalid UTF8 characters in a URI. The default action when triggered is DropLog.
URIInvalidHex

A valid hex sequence is where a percentage sign is followed by two hexadecimal values to represent a single byte of data. An invalid hex sequence would be percentage sign followed by something which is not a valid hexadecimal value.

The default action when triggered is DropLog.
URIDoubleEnc

This looks for any hex sequence which itself is encoded using other hex escape sequences. An example would be the original sequence %2526 where %25 might be decoded by the HTTP server to '%' and results in the sequence '%26'. This is then finally decoded to '&'.

The default action when triggered is Ignore.

Setting a Scan Limit

In some circumstances, it may not be desirable to apply IPS scanning to more than an initial portion of the data sent in a flow. This may be done for performance reasons.

cOS Stream provides the ability to impose a scan limit which means that IPS will only scan a specified number of bytes at the beginning of a flow and then scanning will stop for the remainder of the flow.

By default, the scan limit feature is disabled. To enable it, the following properties of an IPSRule object are used:

ScanLimit

This is a boolean property that takes the value Yes or No. The default is No so no limit is applied. If set to Yes then a limit is applied to the number of initial bytes scanned by IPS in either direction.

ScanLimitBytes

If ScanLimit is enabled then this property specifies how many bytes are scanned by IPS in a flow, in either direction, before scanning stops.

The default value for this property is 800 bytes. This means that only the first 800 bytes for either direction of a flow will be scanned.

A CLI example of using these options can be found in Section 27.2, Setting Up IPS.

Notes About Setting a Scan Limit

The following points should be noted when using a scan limit with IPS:

The feature should be used with caution since an attacker might deliberately choose to insert an attack in a flow at some point after the limit given by ScanLimitBytes. However, typically it is more likely that an attack that can be detected by IPS will be present in the initial portion of a flow.
TCP flows are better candidates for applying a scan limit since the integrity of TCP flows is partially ensured by the mechanisms within the TCP protocol itself.

It should be noted that if the HTTP keepalive feature (also known as HTTP persistent connection) is used on a webserver protected by cOS Stream, it might be possible to insert an attack in HTTP requests that arrive after a scan limit is reached. For this reason, it is recommended to disable HTTP keepalive on the webserver when a scan limit is used.
Stateless protocols like UDP and ICMP are more exposed if a scan limit is applied since they lack the integrity mechanisms found in a stateful protocol like TCP.
Note that when a scan limit is enabled, no log event message is generated by cOS Stream to indicate that a scan ended because the limit was reached. Doing this could generate an overwhelming number of log messages.

27.2. Setting Up IPS

The steps for setting up IPS are as follows:

Create any required SignatureGroup objects as children of the predefined IntrusionPrevention object. This will not be needed if the signatures to be used can be specified by category.
Add an IPSRule object as a child of the predefined IntrusionPrevention object to specify the traffic to be processed.
Add one or more IPSRuleAction objects to the rule which specify:
- The IPS signatures to be used when scanning the traffic targeted by the rule. This can be done by specifying one or more signature categories and/or specifying one or more SignatureGroup objects. If both a category and a group is specified then a logical OR is used in combining them.
- The action to take when a signature triggers. As described previously, this can be one of of Protect (the default), Audit or Ignore.
At least one IPS signature file must be activated. Doing this is described in Section 27.3, IPS Signature Management.

Example 27.1. Setting up IPS for HTTP Server Protection

The following example details the steps needed to set up IPS for a simple scenario where an HTTP server is exposed to the Internet on the DMZ network with a public IPv4 address. The public Internet can be reached through the firewall on the WAN interface as illustrated below.

An IPSRule object called srv_rule will be created with the Service set to http. The SourceInterface and SourceNetwork defines where traffic is coming from, in this example the external network. The DestinationInterface and DestinationNetwork define where traffic is directed to, in this case the server.

Command-Line Interface

Change the context to be the IntrusionPrevention object which is predefined:

System:/> cc IntrusionPrevention 
System:/IntrusionPrevention>

Create a signature group for the signature as a child:

System:/IntrusionPrevention> 
		add IPSSignatureGroup my_group
		IncludeCategory=IPS_WEB_*

Create a rule as a child:

System:/IntrusionPrevention> 
		add IPSRule
		SourceInterface=wan
		SourceNetwork=wan_net
		DestinationInterface=dmz
		DestinationNetwork=http_server_ip
		Service=http
		Name=srv_rule
Added IPSRule/1(srv_rule)

Note that the Name property is optional.

Change the CLI context to be the rule:

System:/IntrusionPrevention> 
		cc IPSRule 1(srv_rule) 
System:/IntrusionPrevention/IPSRule/1(srv_rule)>

Add the action as a child, including the group defined earlier:

System:/IntrusionPrevention/IPSRule/1(srv_rule)> 
		add IPSRuleAction
		Action=Protect
		SignatureGroup=my_group

Note that the default action is Protect but it is included above for clarity.

Example 27.2. IPS Category Filtering Setup with Ignored Signatures

This example is similar to the previous but this time flows will be dropped if any signatures in the category IPS_WEB_POLICY are triggered. However, the vendor signature with the SID 64317, which is part of the IPS_WEB_POLICY category, will be an exception and will only cause a log message to be generated if it triggers.

To achieve this, two IPSRuleAction objects will be created. The first will trigger on the SID 64317 and the action taken will be Audit. The second will trigger on the category IPS_WEB_POLICY and the action will be Protect.

Command-Line Interface

Change the context to be the IntrusionPrevention object:

System:/> cc IntrusionPrevention 
System:/IntrusionPrevention>

Create a child signature group for the SID 64317 exception:

System:/IntrusionPrevention> 
		add IPSSignatureGroup my_sig_exception
		IncludeVendorSignature=64317

Add a single rule for the targeted traffic:

System:/IntrusionPrevention> 
		add IPSRule
		SourceInterface=wan
		SourceNetwork=wan_net
		DestinationInterface=dmz
		DestinationNetwork=http_server_ip
		Service=http
		Name=srv_rule
Added IPSRule/1(srv_rule)

Change the CLI context to be the rule:

System:/IntrusionPrevention> 
		cc IPSRule 1(srv_rule) 
System:/IntrusionPrevention/IPSRule/1(srv_rule)>

Add an action so that SID 64317 is logged but not dropped:

System:/IntrusionPrevention/IPSRule/1(srv_rule)>  
		add IPSRuleAction
		Action=Audit
		SignatureGroup=my_sig_exception

Add a second action so flows that trigger the IPS_WEB_POLICY category (with the exception of SID 64317) are dropped:

System:/IntrusionPrevention/IPSRule/1(srv_rule)>  
		add IPSRuleAction
		Action=Protect
		SignatureCategory=IPS_WEB_POLICY

Note that the default action is Protect but it is explicitly stated above for clarity.

Example 27.3. Setting an IPS Scan Limit

This example shows how an IPS scan limit of 2048 bytes can be set in the IPSRule from the previous example.

Command-Line Interface

From the previous example, add a single rule for the targeted traffic:

System:/IntrusionPrevention> 
		add IPSRule
		SourceInterface=wan
		SourceNetwork=wan_net
		DestinationInterface=dmz
		DestinationNetwork=http_server_ip
		Service=http
		Name=srv_rule
		ScanLimit=Yes
		ScanLimitBytes=2048
Added IPSRule/1(srv_rule)

27.3. IPS Signature Management

Supported Types of IPS Signature Files

The IPS subsystem can make use of the following types of IPS signature files:

Vendor Signatures

These are provided by Clavister as a set of predefined signatures in a single file. No vendor signature files are installed in the default configuration and they must be uploaded using SCP. These files can be downloaded from https://my.clavister.com.

There can be any number of vendor signature files present in cOS Stream storage at any one time. However, there can be only one active vendor file at any one time. Inactive vendor files will be deleted automatically after a firewall restart.

Unlike custom signature files, vendor signature files cannot be edited by the administrator.
Custom Signatures

These are files in the Snort format that can be created or edited by the administrator and they can be sourced from third parties. More than one can be installed onto the firewall by uploading with SCP. These files can be used with or instead of the vendor signatures.

A custom file must be activated through the CLI before it is used by IPS. Multiple custom files can be active at the same time. Inactive custom files will be automatically deleted after a firewall restart.

The Snort conventions supported by cOS Stream are described in Section 27.4, Snort File Usage.

Vendor Signature Types

The signatures in the vendor file can be further broken down into the following types:

Intrusion Protection Signatures (IPS)

The category of these signatures has the IPS_ prefix. They are highly accurate and a match is almost certainly an indicator of a threat. Using the Protect action is recommended. These signatures can detect administrative actions and security scanners.
Intrusion Detection Signatures (IDP)

The category of these signatures has the IDP_ prefix. They can detect events that may be intrusions. They have lower accuracy than the IPS_ signatures and may give some false positives so it is recommended that the Audit action is always used. Using them with the Protect action may interrupt normal traffic.

Signature File Uploading

All signature files are stored on the firewall in a folder called ipssigs. File uploading is done using SCP. A typical SCP client upload command might look like the following:

> scp custom.sig admin@192.168.26.200:ipssigs/

Note that SSH access should be enabled for SCP to function.

The following should be noted about signature file uploading:

There are no naming conventions expected by cOS Stream for the signature files and any filetype can be used. cOS Stream will recognize that the file is a vendor or custom signature file from its contents. For clarity in this section, the filetype '.sig' will be used for example signature filenames.
cOS Stream can automatically recognize signature files and it can distinguish between a vendor signature file and a custom file.
Uploaded custom signature files will remain in firewall storage until they are removed but only currently active files can be removed manually by the administrator. However, all inactive signature files will be removed if cOS Stream restarts and only the active ones will remain.
An uploaded signature file will only overwrite an existing file if it has the same name. If a file is uploaded that has the same name as an active file, the old file will continue to be active until the new file is activated, in which case the old file will be discarded.

Activating Signature Files

The ips command is used to activate a vendor or custom signature file:

System:/> ips -activate my_file.sig

The following should be noted about signature file activation:

A signature file is only used by IPS when it goes from an inactive state to an active state by being activated.
At least one signature file must be active for IPS to function.
Only one vendor file can be active at any one time but one or more custom files can be active simultaneously.
Vendor and custom files can be active at the same time but the active vendor file will be scanned first when looking for a signature match against traffic.

Signature File Validation

cOS Stream verifies the validity of signature files used with the IPS subsystem when they are activated. Files that are found to be invalid will produce an explanatory message on the console. Below is an example console message that indicates activation of the file my_file.sig has failed because it is invalid:

 File 'my_file.sig' is not a valid signature file.

When activating custom signature files only, the following additional steps are performed first, before trying to validate the file further:

cOS Stream verifies that timestamp information is present in the file. In other words, there must be a line that has a form similar to the following example:
```
 # Date 201903180603
```
If a timestamp is found, further validation proceeds.
If a timestamp is not found, the first non-commented line in the file will be parsed looking for a rule header. If a rule header is not found, the file will be deemed invalid and further validation will not occur. If a rule header is found, further validation proceeds.

Note that if a signature file is invalid at activation time, it is not deleted and continues to appear in the list of available signature files.

Signature File Deletion

Any active signature file, vendor or custom, can be deleted using the ips -remove command:

System:/> ips -remove my_file.sig

Inactive files cannot be deleted in this way but, as mentioned previously, will be deleted automatically if cOS Stream restarts.

Browsing Signature Files

The ips command can be used to browse through all signature files. For example, to show all the currently active signature files:

System:/> ips -show=file

File        Origin  Status
----------  ------  ------
vendor.sig  Vendor  Active
custom.sig  Custom  Active

To display all the categories available in the signature files:

System:/> ips -show=category

         IPS Signature categories

Category                   # of signatures
-------------------------  ---------------
custom.sig                               1
IPS_WEB_POLICY                          43
IPS_WEB_PACKAGES                         7
IPS_WEB_ACTIVEX                          1

Note here that all the signatures in the custom.sig file are listed as one single category that has the same name as the file. The other categories are found in the active vendor file.

To now view the signatures in one of the categories, name the category and use the -verbose option:

System:/> ips -show=category IPS_WEB_ACTIVEX -verbose
		
Category            Origin       SID  Signature
------------------  ------  --------  ------------------------------------
   IPS_WEB_ACTIVEX  Vendor  20041463  VerifyPackageCatalog.SiteMgr.ActiveX
                    Vendor  20047813  npdivx.DivX.ActiveX.A.Policy

The following command shows all the signatures in categories that begin with IPS_WEB_:

System:/> ips -show=category IPS_WEB_* -num=50 -verbose

The -verbose option must be used to show the whole signature instead of just the number of matching signatures. The -num option will cause only 50 matching signatures to be shown at a time. The -num option has a default value of 20. Note that the signature search is always through the active vendor file first and then any active custom files.

Displaying Currently Active Signatures

The ips -show=rule command can be used to display the number of signatures that all currently configured IPSRule objects can trigger during IPS processing:

System:/> ips -show=rule
				
              IPS Rules

Rule          Ignore  Audit  Protect
------------  ------  -----  -------
1(IPSRule_1)       0      1       42

Alternatively, the command could have shown the signatures for a particular rule but note the rule reference must be qualified with the IntrusionPrevention object prefix:

System:/> ips -show=rule  IntrusionPrevention/1

Adding the -verbose option will display the individual signatures:

System:/> ips -show=rule IntrusionPrevention/1 -verbose
		
                        IPS Signatures by Rule IPSRule_1

Rule          Action   Origin       SID  Signature
------------  -------  ------  --------  ------------------------------
1(IPSRule_1)  PROTECT  Vendor  20049377  CAB.File.Policy
              PROTECT  Vendor  20031289  CONNECT.HTTP-TUNNEL.POLICY
              PROTECT  Vendor  20046620  content.UUSee.Policy

Similarly, the -show=group option can show the number of signatures that are included in IPSSIgnatureGroup objects:

System:/>  ips -show=group IntrusionPrevention/my_grp
		
 IPS Signature Groups

Group   # of signatures
------  ---------------
my_grp                1

Adding the -verbose option will list the signatures:

System:/>  ips -show=group IntrusionPrevention/my_grp -verbose
		
                IPS Signatures by group my_grp

Group   Origin       SID  Signature        Category
------  ------  --------  ---------------  -----------------
my_grp  Vendor  20049378  ZIP.File.Policy  IPS_WEB_POLICY

Snort File Usage

As mentioned, a custom signature file is in Snort format and these can be created by third parties or by the system administrator. Snort is described in depth at https://snort.org. The standard form of Snort signatures is a filter followed by options:

action protocol src-net src-ports direction dest-net dest-ports ( options )

However, it is important to be aware of how some Snort file conventions are interpreted by cOS Stream and what limitations exist. This is described next.

27.4. Snort File Usage

As mentioned previously, a custom signature file is in Snort format and these can be created by third parties or by the system administrator. Snort is described in depth at https://snort.org. The standard form of Snort signatures is a filter followed by options:

action protocol src-net src-ports direction dest-net dest-ports ( options )

However, it is important to be aware of how some Snort file conventions are interpreted by cOS Stream and what limitations exist. This is described next.

Snort Filter Usage

The Snort filter is interpreted as follows:

action

Ignored. The actions associated with the triggering IPSRuleAction object are used instead.
protocol

Only the values tcp, udp or icmp are supported.
source-net

Ignored.
source-port

Syntax:
```
<min>
<min>:<max>
<min>:
:<max>
any
```
If <min> is left out, it defaults to 0. If <max> is left out it defaults to <min>, unless <min>: is supplied then <max> defaults to 65535. Only a single port range is supported, negated ranges not supported. Commonly used variables, such as $HTTP_PORTS, are not supported.
direction

Only -> is supported.
destination-net

Ignored
destination-port

This follows the same rules as source-port.

Supported Options

The following Snort options are supported with any restrictions listed:

content:[!]"string |0d 0a|";

Specifies a string to look for in the packet data. Hex data can be embedded, as shown. Some characters need to be escaped, like \, ", | and ;
uricontent:[!]"string |00|";

Specifies a string to look for in the normalized HTTP URI. Hex data can be embedded, as shown. Some characters need to be escaped, like \, ", | and ;
http_uri;

Modifies the preceding content option to look in the normalized HTTP URI instead of the raw packet data.
nocase;

Modifies the preceding content or uricontent to be case insensitive.
offset:<uint>;

Modifies the preceding content specifying that the search for it should start <uint> bytes into the packet. Only positive offsets supported.
depth:<uint>;

Modifies the preceding content specifying that it will only be looked for within <uint> bytes from the start of the packet or the content's offset (see above), if set.
distance:<uint>;

Modifies the preceding content specifying that the search for it should start <uint> bytes from the point where the previous content matched. Only positive distances are supported. This defaults to zero making all contents ordered.
within:<uint>;

Modifies the preceding content limiting the number of bytes that will be searched to find it to <uint> relative to the previous content match plus distance (if specified, see above). Only positive within values supported.
dsize:[<|>]<number>;

Packet size must be less than (<), equal to, or greater than (>) number. Packet size range in the syntax: dsize:<min><><max>; is not supported. isdataat is not supported.
flowbits:set,<flag>;

Set a flag in the flow that can be tested by other signatures.
flowbits:noalert;

This signature will never trigger log/drop action. Useful together with flowbits:set,<flag>; for signatures that will match quite often and in itself is not an attack but enables other signatures that otherwise would be prone to false-positives.
flowbits:isset,<flag>;

Specifies that a certain flag must be set in the flow for this signature to match.
flow:<keywords>;

A comma separated list of groups. Only the following options are supported:
to_client

from_client

to_server

from_server

established
msg:"message";

Message/name included in logs.
sid:<uint>;

Signature id, included in logs.
rev:<uint>;

Signature revision, included in logs.

reference:<type>,<id>;

Example:

reference:cve,2004-0646;
reference:cve,CAN-2005-1252;reference:bugtraq,9368;
reference:url,www.securiteam.com/unixfocus/5FP0J15CKE.html;
reference:nessus,11131;reference:cve,2017-5638;

metadata:<key> <value>(, <key> <value>)*;

Key and value are separated by space and may not contain " " (space), "," or ";". Multiple key-value pairs are separated by commas.

classtype:<class name>;

Defines the type of threat that this signature detects. Example:

attempted-admin, shellcode-detect, trojan-activity,
web-application-attack, misc-attack, network-scan

27.5. Best Practice Deployment

IPS Deployment Considerations

In order to have an effective and reliable IPS system, the following questions should be considered by the administrator:

What kinds of traffic should be analyzed?
What kinds of intrusions should be searched for in that traffic?
What action should be carried out if an intrusion attempt is detected?

IPS Deployment Recommendations

The following are the recommendations for IPS employment:

Enable only the IPS signatures for the traffic that is being allowed. For example, if the IP rule set is only allowing HTTP traffic then there is no point enabling FTP signatures.
Once the relevant IPS signatures are selected, initially run in Audit mode.
After running in Audit mode for a sample period with live traffic, examines the log messages generated. Check for the following:
1. When IPS triggers, what kind of traffic is it triggering on?
2. Is the correct traffic being identified?
3. Are there any false positives with the signatures that have been chosen?
Adjust the signature selection and examine the logs again. There may be several adjustments before the logs demonstrate that the desired effect is being achieved, with the very minimum of false positives.

If certain signatures are repeatedly triggering it may indicate a server is under attack.
After a short period running in Audit mode with satisfactory results showing in the logs, switch over IPS to Protect mode so that triggering connections are dropped by cOS Stream.

Chapter 28: Advanced Settings

28.1. Flow Timeout Settings

The settings in this section specify how long a flow can remain idle before being automatically closed. A flow is idle if no data being sent through it. Please note that each flow has two internal timeout counters: one for each direction. A flow is closed if either of the two counters reach zero.

Flow Lifetime TCP Init

Specifies in seconds how long a TCP flow that is not yet fully established is allowed to idle before being closed.

System:/> set Settings FlowTimeoutSettings FlowLifetimeTCPInit=60

Default: 60

Flow Lifetime TCP No Data

Specifies in seconds how long a newly established flow without any data being transmitted may be idle before being closed.

System:/> set Settings FlowTimeoutSettings FlowLifetimeTCPNoData=60

Default: 60

Flow Lifetime TCP Open

Specifies in seconds how long a fully established TCP flow may idle before being closed.

System:/> set Settings FlowTimeoutSettings FlowLifetimeTCPOpen=262144

Default: 262144

Flow Lifetime TCP Closing

Specifies in seconds how long a closing TCP flow may remain idle before finally being closed. Flows reach this state when a packet with its FIN flag on has passed in any direction.

System:/> set Settings FlowTimeoutSettings FlowLifetimeTCPClosing=80

Default: 80

Flow Lifetime TCP Stateless

Specifies in seconds the flow idle lifetime in seconds for stateless TCP connections.

System:/> set Settings FlowTimeoutSettings FlowLifetimeTCPClosing=130

Default: 130

Flow Lifetime UDP

Specifies in seconds how long UDP flows may idle before being closed. This timeout value is usually low, as UDP has no way of signaling when the flow is about to close.

System:/> set Settings FlowTimeoutSettings FlowLifetimeUDP=130

Default: 130

Flow Lifetime ICMP

Specifies in seconds how long an ICMP flow (for example, an ICMP ECHO) can remain idle before it is closed.

System:/> set Settings FlowTimeoutSettings FlowLifetimeICMP=8

Default: 8

Flow Lifetime SCTP Stateless

Specifies in seconds how long a stateless SCTP flow can remain idle before it is closed.

System:/> set Settings FlowTimeoutSettings FlowLifetimeSCTPStateless=130

Default: 130

Flow Lifetime SCTP Stateful

Specifies in seconds how long a stateful SCTP flow can remain idle before it is closed.

System:/> set Settings FlowTimeoutSettings FlowLifetimeSCTPStateful=600

Default: 600

Flow Lifetime Other

Specifies in seconds how long flows using an unknown protocol can remain idle before they are closed.

System:/> set Settings FlowTimeoutSettings FlowLifetimeOther=130

Default: 130

28.2. Length Limit Settings

This section contains information about the size limits imposed on the protocols directly under IP level, such as TCP, UDP and ICMP.

The values specified here concern the IP data contained in packets. In the case of Ethernet, a single packet can contain up to 1,480 bytes of IP data without fragmentation. In addition to that, there is a further 20 bytes of IP header and 14 bytes of Ethernet header, corresponding to the maximum media transmission unit on Ethernet networks of 1,514 bytes.

Max TCP Len

Specifies the maximum size of a TCP packet including the header. This value usually correlates with the amount of IP data that can be accommodated in an unfragmented packet, since TCP usually adapts the segments it sends to fit the maximum packet size. However, this value may need to be increased by 20-50 bytes on some less common VPN systems.

System:/> set Settings LengthLimSettings MaxTCPLen=1480

Default: 1,480

Max UDP Length

Specifies in bytes the maximum size of a UDP packet including the header. This value may well need to be quite high, since many real-time applications use large, fragmented UDP packets. If no such protocols are used, the size limit imposed on UDP packets can probably be lowered to 1,480 bytes.

System:/> set Settings LengthLimSettings MAxUDPLen=60000

Default: 60,000

Max ICMP Length

Specifies in bytes the maximum size of an ICMP packet. ICMP error messages should never exceed 600 bytes, although Ping packets can be larger if so requested. This value may be lowered to 1,000 bytes if it is undesirable to use large Ping packets.

System:/> set Settings LengthLimSettings MaxICMPLen=10000

Default: 10,000

Max GRE Length

Specifies in bytes the maximum size of a GRE packet. GRE, Generic Routing Encapsulation, has various uses, including the transportation of PPTP, Point to Point Tunneling Protocol, data. This value should be set at the size of the largest packet allowed to pass through the VPN connections, regardless of its original protocol, plus approx. 50 bytes.

System:/> set Settings LengthLimSettings MaxGRELen=2000

Default: 2,000

Max ESP Length

Specifies in bytes the maximum size of an ESP packet. ESP, Encapsulation Security Payload, is used by IPsec where encryption is applied. This value should be set at the size of the largest packet allowed to pass through the VPN connections, regardless of its original protocol, plus approx. 50 bytes.

System:/> set Settings LengthLimSettings MaxESPLen=2000

Default: 2,000

Max AH Length

Specifies in bytes the maximum size of an AH packet. AH, Authentication Header, is used by IPsec where only authentication is applied. This value should be set at the size of the largest packet allowed to pass through the VPN connections, regardless of its original protocol, plus approx. 50 bytes.

System:/> set Settings LengthLimSettings MaxAHLen=2000

Default: 2,000

Max SKIP Length

Specifies in bytes the maximum size of a SKIP packet.

System:/> set Settings LengthLimSettings MaxSKIPLen=2000

Default: 2,000

MaxOSPF Len

Specifies the maximum size of an OSPF packet. OSPF is a routing protocol mainly used in larger LANs.

System:/> set Settings LengthLimSettings MaxOSPFLen=1480

Default: 1,480

Max IPIP/FWZ Length

Specifies in bytes the maximum size of an IP-in-IP packet. IP-in-IP is used by Checkpoint Firewall-1 VPN connections when IPsec is not used. This value should be set at the size of the largest packet allowed to pass through the VPN connections, regardless of its original protocol, plus approx. 50 bytes.

System:/> set Settings LengthLimSettings MaxIPIPLen=2000

Default: 2,000

Max IPsec IPComp Length

Specifies in bytes the maximum size of an IPComp packet.

System:/> set Settings LengthLimSettings MaxIPCompLen=2000

Default: 2,000

Max L2TP Length

Specifies in bytes the maximum size of a Layer 2 Tunneling Protocol packet.

System:/> set Settings LengthLimSettings MaxL2TPLen=2000

Default: 2,000

Max Other Length

Specifies in bytes the maximum size of packets belonging to protocols that are not specified above.

System:/> set Settings LengthLimSettings MaxOtherSubIPLen

Default: 1,480

Log Oversized Packets

Specifies if cOS Stream will log occurrences of oversized packets.

System:/> set Settings LengthLimSettings LogOversizedPackets=Yes

Default: Yes

28.3. Fragmentation Settings

IP is able to transport up to 65,536 bytes of data. However, most media, such as Ethernet, cannot carry such huge packets. To compensate, the IP stack fragments the data to be sent into separate packets, each one given their own IP header and information that will help the recipient reassemble the original packet correctly.

Many IP stacks, however, are unable to handle incorrectly fragmented packets, a fact that can be exploited by intruders to crash such systems. Protection against fragmentation attacks is provided in a number of ways.

Pseudo Reass Max Concurrent

Maximum number of concurrent fragment reassemblies. To drop all fragmented packets, set PseudoReass_MaxConcurrent to 0.

System:/> set Settings FragSettings PseudoReass_MaxConcurrent=1024

Default: 1024

Illegal Fragments

Determines how cOS Stream will handle incorrectly constructed fragments. The term "incorrectly constructed" refers to overlapping fragments, duplicate fragments with different data, incorrect fragment sizes, etc. Possible settings include:

Drop – Discards the illegal fragment without logging it. Also remembers that the packet that is being reassembled is "suspect", which can be used for logging further down the track.
DropLog – Discards and logs the illegal fragment. Also remembers that the packet that is being reassembled is "suspect", which can be used for logging further down the track.
DropPacket – Discards the illegal fragment and all previously stored fragments. Will not allow further fragments of this packet to pass through during ReassIllegalLinger seconds.
DropLogPacket – As DropPacket, but also logs the event.
DropLogAll – As DropLogPacket, but also logs further fragments belonging to this packet that arrive during ReassIllegalLinger seconds.

The choice of whether to discard individual fragments or disallow the entire packet is governed by two factors:

It is safer to discard the whole packet.
If, as the result of receiving an illegal fragment, you choose to discard the whole packet, attackers will be able to disrupt communication by sending illegal fragments during a reassembly, and in this way block almost all communication.

System:/> set Settings FragSettings IllegalFrags=Drop

Default: DropLog – discards individual fragments and remembers that the reassembly attempt is "suspect".

Duplicated Fragment Data

If the same fragment arrives more than once, this can mean either that it has been duplicated at some point on its journey to the recipient or that an attacker is trying to disrupt the reassembly of the packet. In order to determine which is more likely, cOS Stream compares the data components of the fragment.

The comparison can be made in 2 to 512 random locations in the fragment, four bytes of each location being sampled. If the comparison is made in a larger number of samples, it is more likely to find mismatching duplicates. However, more comparisons result in higher CPU load.

System:/> set Settings FragSettings DuplicateFragData=Check8

Default: Check8 – compare 8 random locations, a total of 32 bytes

Failed Fragment Reassembly

Reassemblies may fail due to one of the following causes:

Some of the fragments did not arrive within the time stipulated by the ReassTimeout or ReassTimeLimit settings. This may mean that one or more fragments were lost on their way across the Internet, which is a quite common occurrence.
cOS Stream was forced to interrupt the reassembly procedure due to new fragmented packets arriving and the system temporarily running out of resources. In situations such as these, old reassembly attempts are either discarded or marked as "failed".
An attacker has attempted to send an incorrectly fragmented packet.

Under normal circumstances, you would not want to log failures as they occur frequently. However, it may be useful to log failures involving "suspect" fragments. Such failures may arise if, for example, the IllegalFrags setting has been set to Drop rather than DropPacket.

The following settings are available for FragReassemblyFail:

NoLog - No logging is done when a reassembly attempt fails.
LogSuspect - Logs failed reassembly attempts only if "suspect" fragments have been involved.
LogSuspectSubseq - As LogSuspect, but also logs subsequent fragments of the packet as and when they arrive
LogAll - Logs all failed reassembly attempts.
LogAllSubseq - As LogAll, but also logs subsequent fragments of the packet as and when they arrive.

System:/> set Settings FragSettings FragReassemblyFail=LogSuspectSubseq

Default: LogSuspectSubseq

Dropped Fragments

If a packet is denied entry to the system as the result of the settings in the Rules section, it may also be worth logging individual fragments of that packet. The DroppedFrags setting specifies how cOS Stream will behave. Possible settings for this rule are as follows:

NoLog – No logging is carried out over and above that which is stipulated in the rule set.
LogSuspect - Logs individual dropped fragments of reassembly attempts affected by "suspect" fragments.
LogAll - Always logs individual dropped fragments.

System:/> set Settings FragSettings DroppedFrags=LogSuspect

Default: LogSuspect

Duplicate Fragments

If the same fragment arrives more than once, this can mean either that it has been duplicated at some point on its journey to the recipient or that an attacker is trying to disrupt the reassembly of the packet. DuplicateFrags determines whether such a fragment should be logged. Note that DuplicateFragData can also cause such fragments to be logged if the data contained in them does not match up. Possible settings are as follows:

NoLog - No logging is carried out under normal circumstances.
LogSuspect - Logs duplicated fragments if the reassembly procedure has been affected by "suspect" fragments.
LogAll - Always logs duplicated fragments.

System:/> set Settings FragSettings DuplicateFrags=LogSuspect

Default: LogSuspect

Fragmented ICMP

Other than ICMP ECHO (Ping), ICMP messages should not normally be fragmented as they contain so little data that fragmentation should never be necessary. FragmentedICMP determines the action taken when cOS Stream receives fragmented ICMP messages that are not either ICMP ECHO or ECHOREPLY.

System:/> set Settings FragSettings FragmentedICMP=DropLog

Default: DropLog

Minimum Fragment Length

Minimum Fragment Length determines how small all fragments (with the exception of the final fragment) of a packet can be expressed in bytes.

Although the arrival of too many fragments that are too small may cause problems for IP stacks, it is usually not possible to set this limit too high. It is rarely the case that senders create very small fragments. However, a sender may send 1480 byte fragments and a router or VPN tunnel on the route to the recipient subsequently reduce the effective MTU to 1440 bytes. This would result in the creation of a number of 1440 byte fragments and an equal number of 40 byte fragments.

Because of the potential problems this can cause, the default settings are designed to allow the smallest possible fragments, 8 bytes, to pass. For internal use, where all media sizes are known, this value can be raised to 200 bytes or more.

System:/> set Settings FragSettings MinimumFragLength=8

Default: 8

Reassembly Timeout

A reassembly attempt will be interrupted if no further fragments arrive within Reassembly Timeout seconds of receipt of the previous fragment.

System:/> set Settings FragSettings ReassTimeout=65

Default: 65

Max Reassembly Time Limit

A reassembly attempt will always be interrupted Reassembly Time Limit seconds after the first received fragment arrived.

System:/> set Settings FragSettings ReassTimeLimit=90

Default: 90

Reassembly Done Linger Limit

Once a packet has been reassembled, cOS Stream is able to remember reassembly for this number of seconds in order to prevent further fragments, for example old duplicate fragments, of that packet from arriving.

System:/> set Settings FragSettings ReassDoneLinger=20

Default: 20

Reassembly Illegal Linger Limit

Once a whole packet has been marked as illegal, cOS Stream is able to retain this in memory for this number of seconds in order to prevent further fragments of that packet from arriving.

System:/> set Settings FragSettings ReassIllegalLinger=60

Default: 60

Reject Minimal Fragment

Send an ICMP parameter problem message when the non-last fragment is smaller than the minimum allowed length which is specified by IPv6MinNonFinalFragment.

System:/> set Settings FragSettings RejectMinimalFrag=No

Default: No

IPv6 Minimum Non-final Fragment

This is the minimum allowed length of non-last IPv6 fragments.

System:/> set Settings FragSettings IPv6MinNonFinalFragment=640

Default: 640

IPv6 Nop Fragments

The packet is the first and last fragment at the same time (and by definition not a fragment, though it has got a fragment header). Note that these packets are legal, and serves a purpose as an non-IPv6 to IPv6 connection mechanism (see RFC2460 for more details).

System:/> set Settings FragSettings IPv6NopFrags=Ignore

Default: Ignore

28.4. Local Fragment Reassembly Settings

Max Concurrent

Maximum number of concurrent local reassemblies.

System:/> set Settings LocalReassSettings LocalReass_MaxConcurrent=256

Default: 256

Max Size

Maximum size of a locally reassembled packet.

System:/> set Settings LocalReassSettings LocalReass_MaxSize=10000

Default: 10,000

Large Buffers

Number of large ( over 2K) local reassembly buffers (of the above size).

System:/> set Settings LocalReassSettings LocalReass_NumLarge=32

Default: 32

28.5. Path MTU Discovery

Path MTU Discovery is a method by which the MTU size of packets sent across the Internet can be adjusted to meet the MTU limits of traversed network equipment thus avoiding fragmentation. When a packet exceeds an MTU limit, ICMP messages are used to adjust the MTU size sent. It is defined by RFC 1981 (for IPv6) and RFC 1191 (for IPv4), and makes use of ICMP messages to communicate MTU requirements between equipment.

When external equipment receives traffic with an MTU size greater than the next hop MTU size, an ICMP message is sent back to the source so the sender's MTU can be adjusted accordingly. The Clavister NetShield Firewall can act both as the endpoint in these exchanges as well as forwarding messages between endpoints.

Path MTU discovery is enabled by default for IPv6 on all interfaces. For IPv4, it must be explicitly enabled. The current MTU used by cOS Stream for a destination can be viewed using the CLI flow command but only for locally initiated or terminated traffic.

The Clavister NetShield Firewall path MTU behavior is controlled by a set of advanced settings which are described in this section. They include settings from both the IPSettings and ICMPSettings object categories.

IP4PathMTUMin

This is the smallest size which path MTU discovery can decrease the MTU to for IPv4 traffic.

System:/> set Settings IPSettings IP4PathMTUMin=576

This setting is only relevant when the firewall acts as a traffic endpoint and controls whether cOS Stream uses the path MTU information received from another hop.

cOS Stream determines the next-hop MTU by using the MTU property value of the Route object in its configuration for the next hop. If this is not set (has a value of zero), the next-hop MTU defaults to the MTU property value of the interface associated with the next hop.

For RFC compatibility, this value should be set to 68 and this is the smallest value that should be used. Other common values are 576 and 65535. The value 576 is the smallest IP packet that a host is required to handle and is commonly used as the MTU size.

Default: 576

IP6PathMTUMin

This is the IPv6 equivalent of IP4PathMTUMin and has the same function as described above.

System:/> set Settings IPSettings IP6PathMTUMin=1280

The minimum allowed value for an IPv6 network is 96. If path discovery finds smaller than 1280 is needed, 1280 is used anyway but a specialized header is added to fragments. This can result in a fragment that is both the first and the last.

Default: 1280

	Note: Fragment requests below the minimum are ignored
	If cOS Stream receives a request to fragment, it is ignored if the MTU would become less than IP4PathMTUMin or IP6PathMTUMin. Instead, the MTU is reduced to these minimum value settings.

IP4PathMTULifetime

This controls how long a path MTU value should be considered valid in minutes for IPv4. A value of zero means infinite time.

System:/> set Settings IPSettings IP4PathMTULifetime=10

If somewhere along the path still requires a lower MTU after this many minutes, the data packet will be dropped and a new ICMP error will be received. In other words the process is restarted as if the path MTU is unknown.

Having a lower lifetime value can be advantageous if the network is unstable and the path MTU between source and destination fluctuates. The cost of a lower lifetime is that the MTU must be tested more often with multiple potential packet losses and retransmissions occurring each time the lifetime expires. A higher lifetime can be appropriate in stable networks where the path MTU changes infrequently.

Default: 10

IP6PathMTULifetime

This is the IPv6 equivalent of IP4PathMTULifetime and has the same function as described above.

System:/> set Settings IPSettings IP6PathMTULifetime=10

Default: 10

IP4OnPktTooBigAndDFSet

This setting is only used when processing a packet that is larger than the next hop and the Do Not Fragment (DF) flag is set. It enables or disables participation of the firewall in path MTU discovery and enables/disables the sending of discovery information to other hosts.

System:/> set Settings IPSettings  IP4OnPktTooBigAndDFSet=SendICMPNeedFrag

The default of SendICMPNeedFrag means that participation is enabled. An ICMP error message will be sent back to the source when an attempt is made to forward a packet that is too big for the next hop and the packet itself is being dropped. For IPv4, the DF flag is honored (the packet is fragmented if the flag is unset). This will only expose minimal information (the MTU used inside the network and the IP of the firewall).

Participation can be turned off (and the protected network's MTU hidden) by using the setting StripDFAndFragment to disable DF flag when the packet size goes below a given value.

This setting may break protocols that rely on a rejected packet really being dropped, or very security aware operating systems that constantly verify error messages against the packets that has been received at the other end-point (for example, the OpenBSD TCP stack).

Default: SendICMPNeedFrag

IP6OnPacketTooBig

This is the equivalent of IP4OnPktTooBigAndDFSet for IPv6 and has the same function as described above.

System:/> set Settings IPSettings IP6OnPacketTooBig=SendICMPPktTooBig

Default: SendICMPPktTooBig

StripDFOnSmall

This controls how small IPv4 packets can be to participate in the path discovery process and determines how to handle the DF flag when forwarding. Packets smaller than this value will have their DF flag cleared.

If a packet is smaller than this value, and a hop decides that it is too big, the packet will be fragmented and will not participate in the discovery process.

System:/> set Settings IPSettings StripDFOnSmall=65535

This setting only affects traffic being forwarded by cOS Stream and not traffic where the firewall is the traffic endpoint. It should be set to 65535 in order to block discovery one hop beyond the firewall and set to zero in order to fully support discovery.

In order to block discovery and fully hide the network topology beyond the firewall, StripDFOnSmall is set to 65535 and IP4OnPacketTooBig is set to the value Fragment.

Default: 65535

IP4FragmentationNeeded

This controls whether the error messages involved in discovery are allowed to be forwarded from the network beyond the firewall and back to the source.

System:/> set Settings ICMPSettings IP4FragmentationNeeded=ObeyServiceLog

This setting must be set to AllowAlways or ObeyServiceLog to fully support path discovery and to be RFC compliant. Dropping these error messages can silently create severe network problems. The Drop option should only be used when the consequences are understood.

If the setting's value is ObeyService or ObeyServiceLog then the Service object used with the IP rule for the relevant flow must have the property PassICMPReturn enabled (it is disabled by default). By disabling the PassICMPReturn property it is also possible to disable ICMP message forwarding for a particular IP rule instead of disabling it globally.

Default: ObeyServiceLog

IP6PacketTooBig

This is the IPv6 equivalent of IP4FragmentationNeeded and has the same function as described above.

System:/> set Settings ICMPSettings IP6PacketTooBig=AlwaysAllow

Default: AlwaysAllowLog

	Note: Allow protected networks to send error messages
	If a hop inside a network protected by a firewall is participating in Path MTU discovery, then the network must be allowed to send error messages to the unprotected side. Otherwise, flows will eventually be terminated.

Path MTU Discovery Setting Combinations

The following are recommended combinations of settings for enabling and disabling path discovery:

With RFC Compliance

These settings enable discovery in a RFC compliant "transparent" fashion which works both from the unprotected side to the protected side and the other way around.

For IPv4:
- IP4PathMTUMin: 68
- IP4OnPacketTooBigAndDFSet: SendICMPNeedFrag
- StripDFOnSmall: 0
- IP4FragmentationNeeded: AlwaysAllow
  (or AlwaysAllowLog or ObeyService or ObeyServiceLog)
For IPv6:
- IP6PathMTUMin: 0
- IP6OnPacketTooBig: SendICMPPktTooBig
- IP6PacketTooBig: AlwaysAllow
  (or AlwaysAllowLog or ObeyService or ObeyServiceLog)
If ObeyService or ObeyServiceLog is used, the property PassICMPReturn must be enabled on the relevant Service object.
With Standard Settings

These settings enable discovery in a way which is known to work over the Internet. Although RFC specifications are violated, security against attacks is better.

For IPv4:
- IP4PathMTUMin: 576
- IP4OnPacketTooBigAndDFSet: SendICMPNeedFrag
- StripDFOnSmall: 576
- IP4FragmentationNeeded: AlwaysAllow
  (or AlwaysAllowLog or ObeyService or ObeyServiceLog)
For IPv6: (the default settings)
- IP6PathMTUMin: 1280
- IP6OnPacketTooBig: SendICMPPktTooBig
- IP6PacketTooBig: AlwaysAllow
  (or AlwaysAllowLog or ObeyService or ObeyServiceLog)
If ObeyService or ObeyServiceLog is used, the property PassICMPReturn must be enabled on the relevant Service object.
With Path Discovery Disabled

These settings will completely disable Path MTU discovery.

For IPv4: (the default settings)
- IP4PathMTUMin: 65535
- IP4OnPacketTooBigAndDFSet: StripDFAndFragment
- StripDFOnSmall: 65535
- IP4FragmentationNeeded: Drop (or DropLog)
For IPv6:
- IP6PathMTUMin: 65535
- IP6OnPacketTooBig: Fragment
- IP6PacketTooBig: Drop (or DropLog)

	Caution: Disabling path MTU discovery can cause problems
	Disabling path MTU discovery can have unintended side effects. If the forwarding of ICMP errors is disabled, the packet flow can stop if an upstream router sends an ICMP error in order to lower the MTU and this is not forwarded. The above setting combination violates the RFC standard and can mean a normal packet flow never reaches its destination.

Path MTU Discovery Forwarding

The Clavister NetShield Firewall can forward any path discovery ICMP messages that need to traverse the firewall. Forwarding depends on the following two settings:

IP4FragmentationNeeded for IPv4.
IP6PacketTooBig for IPv6.

The following example shows how the advanced settings are used with and without forwarding.

Path MTU Discovery Examples

To better understand the use of the various advanced settings to control MTU path forwarding, consider the following two examples.

Example 1: The System is not the Endpoint

Shown below is a scenario where a client tries to connect to a server via a Clavister NetShield Firewall, the public Internet and a router.

Figure 28.1. MTU Path Discovery Forwarding Example

The path MTU discovery exchanges that take place are as follows:

The client tries to open a flow to the server via the firewall with a packet size of 1400 bytes. The packets sent have the DF flag enabled.
cOS Stream has IP4OnPktToBigAndDFSet set to SendICMPNeedFrag and sends back an ICMP message to the client to indicate that fragmentation is needed and the acceptable MTU for the next hop is 1300. The controlling setting with IPv6 would be IP6OnPktTooBig.

The value of 1300 is found by first looking at the MTU value for the corresponding Route object for the next hop. If this is not set then the MTU property value set for the interface object is used for the next hop.
The client sends packets with the 1300 size which are forwarded by cOS Stream towards the server.
The router in front of the server sends back an ICMP message to indicate that the packet size is too big and a size of 1000 is acceptable.
cOS Stream forwards this ICMP message to the client. This is controlled by the setting IP4FragmentationNeeded (IP6PacketTooBig with IPv6).
The client now sends with a packet size of 1000 which is acceptable to both the firewall and the router so the server is now accessible.

Example 2: The System as the Endpoint

In this example, the Clavister NetShield Firewall is the endpoint and a client tries to open a flow to it across the public Internet using the SSH protocol.

Figure 28.2. MTU Path Discovery Endpoint Example

The path MTU discovery exchanges that take place are as follows:

The client tries to open an IPv4 SSH flow to the firewall with a small MTU of 1200 that is within the maximum acceptable MTU for all network equipment in the path.
cOS Stream's SSH server responds with a large packet of 1500.
The router sends back an ICMP message to cOS Stream requesting fragmentation with an MTU value of 1300.
cOS Stream receives the request, fragments and retransmits with the lower MTU value of 1300. This is true unless the requested MTU is lower than IP4PathMTUMin in which case IP4PathMTUMin is used. The controlling setting with IPv6 would be IP6PathMTUMin.