InCenter Cloud 2.2.3 Getting Started Guide


Table of Contents

1. Overview
2. Connecting to the InCenter Cloud
3. Adding Firewalls to InCenter
4. Local cOS Core Setup
4.1. Configuring a Log Receiver
4.2. Configuring a VPN Tunnel

Chapter 1: Overview

Note: This document is also available in other formats

A PDF version of this document along with all current and older documentation in PDF format can be found at https://my.clavister.com.

It is also available in a framed HTML version.

Introduction

The Clavister Cloud Service helps IT administrators to be proactive in monitoring how well their security solution is protecting their organization. The service can provide both a holistic view of threats and traffic as well as drill-down capabilities. Offered as a service, InCenter is simple to implement and is able to monitor any number of Clavister NetWall firewalls.

How the Cloud Service Works

Clavister NetWall firewalls send log messages securely to the Clavister Cloud, where each customer has their own InCenter instance. A standard web browser can then be used to log in to this InCenter instance over the Internet and analyze the collected log data.

The Purpose of this Getting Started Guide

This guide is designed to provide the minimum information necessary to begin using the InControl Cloud service. The principal steps to achieve this consist of the following:

  1. Access the MyClavister web page that provides the login plus firewall configuration data and then log in to the InControl Cloud service. This is described in Chapter 2, Connecting to the InCenter Cloud.

  2. Add the nodes to be monitored to InControl. This is described in Chapter 3, Adding Firewalls to InCenter.

  3. Locally configure NetWall firewalls so they send log event messages to the InControl Cloud service. This is described in Chapter 4, Local cOS Core Setup.

Further information about the InControl Cloud service can be found in the separate and more comprehensive InControl Cloud Administration Guide.

Chapter 2: Connecting to the InCenter Cloud

This section describes how to begin using the InCenter Cloud service.

The Initial InCenter Cloud Service Configuration

After subscribing to the InCenter Cloud service, log into the MyClavister section of the Clavister website and select the InCenter Cloud link from the navigation menu.

Figure 2.1. MyClavister InCenter Option

Should the MyClavister account not be enabled for the InCenter Cloud then selecting the InCenter option from the navigation menu will give a message like the one below.

Figure 2.2. Cloud Access Disallowed

Provided InCenter Cloud service access is enabled for the MyClavister account, a cloud setup information page like the one below is displayed. This provides all the information required for configuring cOS Core firewalls as well as the information needed to access the cloud.

Some of the fields in this image, such as URL, Log Receiver IP, Remote Endpoint and Remote Network, would normally contain values that are specific to a particular InCenter Cloud user. The URL field is particularly important since this is the URL that is used to access the InCenter Cloud service.

Figure 2.3. Cloud Access Information Page

Adding NetWall Firewalls to the InCenter Cloud

For each firewall to be analyzed by InCenter, the following needs to be done:

  • Add the firewall to InCenter. Doing this is described in Chapter 3, Adding Firewalls to InCenter.

  • Locally configure the firewall to send log messages to InCenter. Doing this is described in Chapter 4, Local cOS Core Setup.

  • If necessary, create any configuration objects in cOS Core that will generate the log messages that the log receiver sends to InCenter. These may already exist. The types of configuration objects that generate logs recognized by InCenter are discussed further in the separate InCenter Cloud Administration Guide.

Note that the firewalls that InCenter can monitor must be running cOS Core 12.00.16 or later.

How to Log In to InCenter

To log into the InCenter Cloud, use the URL link given at the top of the information page shown in Figure 2.3, “Cloud Access Information Page”. This is a customer specific URL of the form:

https://<customer>.cloud.clavister.net

Where <customer> will be different for each cloud service customer. This URL will not change and it is therefore best to bookmark it in the browser. The URL will take the browser to a cloud login dialog like the one shown below. The username and password credentials given in the setup information page should be entered. In this case, the username is admin.

Figure 2.4. InCenter Cloud Login Dialog

After logging in, the InCenter interface will appear in the browser and the default overview dashboard will be displayed. An example of this is shown below.

Figure 2.5. InCenter Cloud Interface

InCenter provides a set of dashboards for monitoring different aspects of the firewalls sending log messages back to the cloud service and these are accessible through the Analyze option in the navigation pane on the left.

Figure 2.6. The Dashboard Menu

Using these dashboards is explained further in the separate InCenter Cloud Administration Guide.

The log message data for the dashboards comes from the configured configuration objects. However, even with an almost empty configuration containing no IP policies, cOS Core will regularly send back basic telemetry messages to InCenter. This data is summarized in the Health display which will indicate recent and current firewall CPU usage, memory usage, data traffic and active traffic connections. This is accessed by selecting a firewall that has been added to InCenter and selecting the Health option to the right of the firewall list.

Figure 2.7. The Health Display Option

Changing the Default Administrator Password

It is recommended to change the password for the administrator account after logging in for the first time. This is done by selecting the Manage User option in the top right of the interface.

Figure 2.8. InCenter Cloud Manage User

This opens a list of all the users. Select the Edit Properties option for the administrator user to change the password.

Figure 2.9. InCenter Cloud Edit User Properties

Further Documentation

Once connected to the InCenter Cloud, further details about using the service can be found in the separate InCenter Cloud Administration Guide.

Chapter 3: Adding Firewalls to InCenter

This section describes how to define a NetWall firewall to the InCenter Cloud. Adding firewalls is not mandatory for analysis to be possible. If a firewall is not added, the InCenter cloud will still accept log messages sent by the firewall and analysis will still be possible. However, important filtering options based on the firewall will not be available.

Note that NetWall systems are generically referred to as nodes in the context of InCenter.

Steps for Firewall Addition

To add a firewall to the InCenter cloud WebUI, select the Gateways option from the Manage section in the navigation pane.

Figure 3.1. Manage Nodes

Press the Add button and select Gateway.

Figure 3.2. Add Node Option

This starts the new node wizard which will go through the following steps:

  1. Properties

    Select the NetWall option and specify a logical name for the node with an optional comment.

    Figure 3.3. Add cOS Core Firewall Wizard - Properties

    Important: The InCenter name must match the firewall name

    The node name specified in InCenter must match the local device name on the firewall itself. In addition, the firewall name should not be duplicated within the InControl instance. Therefore, the name may need to be changed locally to a new value in cOS Core before performing the addition in InCenter.

  2. Done

    In the last step, a summary is displayed to confirm the details of the addition.

    Figure 3.4. Add cOS Core Firewall Wizard - Done

  3. Pressing the Done button will now close the wizard and the added firewall will appear in the node list.

InCenter Changes Must be Activated

Changes like the addition of a new firewall to the InCenter Cloud need to be activated before the firewall appears in the firewall list. Pending changes that require activation will be indicated by the number of changes appearing next to the spanner (configuration changes) icon at the top of the WebUI.

Figure 3.5. The Activation Pending Icon

By pressing the spanner icon, the Changes display will open with a list of pending changes. An example with the single addition of a new user called Test is shown below.

Figure 3.6. Pending InCenter Changes

Now press the Commit Changes button to confirm the addition of one or more firewalls to InCenter.

Chapter 4: Local cOS Core Setup

This section describes the steps needed for locally configuring a NetWall firewall so it sends the correct log messages in the correct format to a particular instance of the InCenter Cloud Service.

The interface used to configure a firewall can be either the WebUI or CLI (command line interface). The WebUI is recommended for simplicity.

The setup that must be performed locally on each firewall consists of the following:

  1. Add a Syslog Receiver object that sends log messages back to InCenter. The InCenter Compatible option must also be enabled for this object.

    Doing this is described further in Section 4.1, Configuring a Log Receiver.

  2. Add a LAN to LAN VPN tunnel object which provides an encrypted IPsec tunnel between the firewall and InCenter. The log messages sent by the Syslog Receiver object will flow through this tunnel. Creating the tunnel will require that a new Pre-Shared Key object is first created.

    Setting up the tunnel is described further in Section 4.2, Configuring a VPN Tunnel.

  3. After the above steps are completed, the changes should be activated and the configuration saved.

The sections that follow describe these configuration steps in detail.

4.1. Configuring a Log Receiver

Configuring a Log Receiver with the WebUI

To configure a Syslog log receiver in the cOS Core WebUI, open the WebUI in a browser and go to: System > Device > Log Receivers. Then press the Add button and select the option Syslog Receiver.

Figure 4.1. Add Syslog Receiver

The dialog for this new object can then be filled in, as shown in the example below.

Figure 4.2. Add Syslog Receiver Dialog

The option to make log messages InControl compliant must also be enabled and this is found in the Advanced tab. Note that this setting can only be found in cOS Core version 12.00.16 or later.

Figure 4.3. Log Message Compliance

Configuring a Log Receiver with the CLI

The cOS Core CLI could be used instead to configure the log receiver. The following is an example of a command to do this:

Device:/> add LogReceiver LogReceiverSyslog my-syslog-receiver
			IPAddress=203.0.113.10
			InCenterCompatibility=Yes

4.2. Configuring a VPN Tunnel

This section describes how to secure the connection between individual NetWall firewalls and the InCenter Cloud service using a VPN tunnel.

When using the InCenter Cloud service, Syslog messages must be sent from firewalls to the cloud through a VPN tunnel and this tunnel must be locally defined in the firewall's configuration using a LAN to LAN VPN object.

Note that where multiple firewalls are sending their log messages to the same InCenter Cloud instance, either each firewall can have its own tunnel, or multiple firewalls can route log messages via a single edge firewall with a single VPN tunnel.

Configuring a VPN Tunnel with the WebUI

Before configuring the VPN tunnel itself, a Pre-shared Key object must first be created that contains the pre-shared key value for the tunnel. To create this, go to Objects > Key Ring, press the Add button and select the Pre-Shared Key option.

Figure 4.4. Add Pre-Shared Key

The dialog for the pre-shared key can then be filled in, as shown in the example below. The name can be any suitable text but the key must be set to the type Hexadecimal key and the key value copied from the cloud details page and pasted into the Passphrase field. The size should be left at the default value of 512.

Figure 4.5. Add Pre-Shared Key Dialog

To configure a VPN tunnel in the cOS Core WebUI, open the WebUI in a browser and go to: Network > Interfaces and VPN > IPsec. Then press the Add button and select the option LAN to LAN VPN.

Figure 4.6. Add VPN Tunnel

The first part of this dialog for this new tunnel object can then be filled in, as shown in the example below.

Figure 4.7. Add VPN Tunnel Dialog

The following values must be entered:

  • Name - Any suitable name for the tunnel object.

  • Remote Endpoint - This is the IP address of the remote tunnel endpoint which is provided on a customer's web access information page for the InCenter cloud. An IP address can be entered directly. However, if an FQDN is used then an FQDN Address object must be created first and then that object is used in this field.

  • Local Network - This can be any local IP address. The IP address object for the local Ethernet interface could be used, as shown in the example screenshot above. However, the IP used must not be a public IP address.

  • Remote Network - This is the IP address of the log receiver which is also provided on the web access information page. It is the same IP address that is specified for the Syslog receiver object.

  • Add route statically - This option must be enabled (by default, it is) so that Syslog traffic is routed through the tunnel.

The second part of the dialog specifies the authentication used for the tunnel. The method should be set to Pre-shared Key and the value of the key should be set to the pre-shared key object created previously.

Figure 4.8. Add VPN Tunnel Dialog - Authentication

Configuring a VPN Tunnel with the CLI

Alternatively, the following CLI commands could be used instead. First, to configure the pre-shared key:

Device:/> add PSK my-psk Type=HEX PSKHex=<paste key here>

Next, to configure the tunnel:

Device:/> add Interface LANtoLANVPN my_incenter_tunnel
			LocalNetwork=G1_ip
			RemoteNetwork=203.0.113.5
			PSK=my-psk

Configuring a LAN to LAN VPN object is described further in the separate cOS Core Administration Guide.

Activate All Changes

All the changes made to the cOS Core configuration should now be activated and committed by selecting the Save and Activate option from the toolbar.

Figure 4.9. Activate and Save Configuration Changes
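
The constraints this guide places on the local setup (minimum cOS Core version, node name matching the device name, the Log Receiver IP used for both the Syslog receiver and Remote Network, a non-public Local Network, a hexadecimal key, InCenter compatibility enabled) can be checked before the configuration is activated. The following Python check is an added example, not Clavister code; the dictionary layout, field names and sample values are assumptions constructed for illustration.

```python
import ipaddress
import string

MIN_COS_CORE = (12, 0, 16)  # guide: cOS Core 12.00.16 or later

def preflight(fw, cloud, existing_nodes):
    """List problems in one firewall's planned settings (hypothetical layout).

    fw: values planned for the firewall; cloud: values copied from the cloud
    setup information page; existing_nodes: node names already in InCenter.
    """
    ip = ipaddress.ip_address
    problems = []
    # Assumes a purely numeric dotted version string such as "12.00.16".
    if tuple(int(p) for p in fw["cos_core_version"].split(".")) < MIN_COS_CORE:
        problems.append("cOS Core older than 12.00.16")
    if fw["node_name"] != fw["device_name"]:
        problems.append("node name differs from firewall device name")
    if fw["node_name"] in existing_nodes:
        problems.append("node name already in use")
    if ip(fw["syslog_ip"]) != ip(cloud["log_receiver_ip"]):
        problems.append("Syslog receiver IP is not the Log Receiver IP")
    if ip(fw["remote_network"]) != ip(cloud["log_receiver_ip"]):
        problems.append("Remote Network is not the Log Receiver IP")
    if ip(fw["local_network"]).is_global:
        problems.append("Local Network is a public IP address")
    key = cloud["psk_hex"]
    if not key or any(c not in string.hexdigits for c in key):
        problems.append("pre-shared key is not hexadecimal")
    if not fw["incenter_compatible"]:
        problems.append("InCenter Compatible option not enabled")
    return problems

# Constructed sample values (documentation address ranges, made-up key).
SAMPLE_CLOUD = {"log_receiver_ip": "203.0.113.10", "psk_hex": "a1b2c3d4" * 16}
SAMPLE_FW = {
    "cos_core_version": "12.00.16", "device_name": "fw-branch-1",
    "node_name": "fw-branch-1", "syslog_ip": "203.0.113.10",
    "remote_network": "203.0.113.10", "local_network": "192.168.1.1",
    "incenter_compatible": True,
}

if __name__ == "__main__":
    for problem in preflight(SAMPLE_FW, SAMPLE_CLOUD, {"fw-hq"}) or ["no problems"]:
        print(problem)
```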