Note: This document is also available in other formats
A PDF version of this document along with all current and older documentation in PDF format can be found at https://my.clavister.com.
It is also available in a framed HTML version.
Introduction
The Clavister Cloud Service helps IT administrators to be pro-active in monitoring how well their security solution is protecting their organization. The service can provide both a holistic view of threats and traffic as well as drill down capabilities. Offered as a service, InCenter is simple to implement and is able to monitor any number of Clavister NetWall firewalls.
How the Cloud Service Works
Clavister NetWall firewalls send log messages securely to the Clavister Cloud where each customer has their own InCenter instance. A standard web browser can then be used to log in to this InCenter instance over the Internet and analysis of the collected log data can be performed.
The Purpose of this Getting Started Guide
This guide is designed to provide the minimum information necessary to begin using the InControl Cloud service. The principal steps to achieve this consist of the following:
Access the MyClavister web page that provides the login plus firewall configuration data and then log in to the InControl Cloud service. This is described in Chapter 2, Connecting to the InCenter Cloud.
Add the nodes to be monitored to InControl. This is described in Chapter 3, Adding Firewalls to InCenter.
Locally configure NetWall firewalls so they send log event messages to the InControl Cloud service. This is described in Chapter 4, Local cOS Core Setup.
Further information about the InControl Cloud service can be found in the separate and more comprehensive InControl Cloud Administration Guide.
This section describes how to begin using the InCenter Cloud service.
The Initial InCenter Cloud Service Configuration
After subscribing to the InCenter Cloud service, log into the MyClavister section of the Clavister website and select the InCenter Cloud link from the navigation menu.
Should the MyClavister account not be enabled for the InCenter Cloud then selecting the InCenter option from the navigation menu will give a message like the one below.
Provided InCenter Cloud service access is enabled for the MyClavister account then a cloud setup information page like the one below is displayed. This provides all the information required for configuring cOS Core firewalls as well as the information needed to access the cloud.
Some of the fields in this image, such as URL, Log Receiver IP, Remote Endpoint and Remote Network, would normally contain values that are specific to a particular InCenter Cloud user. The URL field is particularly important since this is the URL that is used to access the InCenter Cloud service.
Adding NetWall Firewalls to the InCenter Cloud
For each firewall to be analyzed by InCenter, the following needs to be done:
Add the firewall to InCenter. Doing this is described in Chapter 3, Adding Firewalls to InCenter.
Locally configure the firewall to send log messages to InCenter. Doing this is described in Chapter 4, Local cOS Core Setup.
If necessary, create any configuration objects in cOS Core that will generate the log messages that the log receiver sends to InCenter. These may already exist. The types of configuration objects that generate logs recognized by InCenter are discussed further in the separate InCenter Cloud Administration Guide.
Note that the firewalls that InCenter can monitor must be running cOS Core 12.00.16 or later.
How to Login Into InCenter
To log into the InCenter Cloud, use the URL link given at the top of the information page shown in Figure 2.3, “Cloud Access Information Page”. This is a customer specific URL of the form:
Where <customer> will be different for each cloud service customer. This URL will not change and it is therefore best to bookmark it in the browser. The URL will take the browser to a cloud login dialog like the one shown below. The username and password credentials given in the setup information page should be entered. In this case, the username is admin.
After logging in, the InCenter interface will appear in the browser and the default overview dashboard will be displayed. An example of this is shown below.
InCenter provides a set of dashboards for monitoring different aspects of the firewalls sending log messages back to the cloud service and these are accessible through the Analyze option in the navigation pane on the left.
Using these dashboards is explained further in the separate InCenter Cloud Administration Guide.
The log message data for the dashboards comes from the configured configuration objects. However, even with an almost empty configuration containing no IP policies, cOS Core will regularly send back basic telemetry messages to InCenter. This data is summarized in the Health display which will indicate recent and current firewall CPU usage, memory usage, data traffic and active traffic connections. This is accessed by selecting a firewall that has been added to InCenter and selecting the Health option to the right of the firewall list.
Changing the Default Administrator Password
It is recommended to change the password for the administrator account after logging in for the first time. This is done by selecting the Manager User option in the top right of the interface.
This opens a list of all the users. Select the Edit Properties option for the administrator user to change the password.
Further Documentation
Once connected to the InCenter Cloud, further details about using the service can be found in the separate InCenter Cloud Administration Guide.
This section describes how to define a NetWall firewall to the InCenter Cloud. Adding firewalls is not mandatory for analysis to be possible. If a firewall is not added, the InCenter cloud will still accept log messages sent by the firewall and analysis will still be possible. However, important filtering options based on the firewall will not be available.
Note that NetWall systems are generically referred to as nodes in the context of InCenter.
Steps for Firewall Addition
To add a firewall to the InCenter cloud WebUI, select the Gateways option from the Manage section in the navigation pane.
Press the Add button and select Gateway.
This starts the new node wizard which will go through the following steps:
Select the NetWall option and specify a logical name for the node with an optional comment.
Important: The InCenter name must match the firewall name
The node name specified in InCenter must match the local device name on the firewall itself. In addition, the firewall name should not be duplicated within the InControl instance. Therefore, the name may need to be changed locally to a new value in cOS Core before performing the addition in InCenter.
In the last step, a summary is displayed to confirm the details of the addition.
InCenter Changes Must be Activated
Changes like the addition of a new firewall to the InCenter Cloud need to be activated before the firewall appears in the firewall list. Pending changes that require activation will be indicated by the number of changes appearing next to the spanner (configuration changes) icon at the top of the WebUI.
By pressing the spanner icon, the Changes display will open with a list of pending changes. An example with the single addition of a new user called Test is shown below.
Now press the Commit Changes button to confirm the addition of one or more firewalls to InCenter.
This section describes the steps needed for locally configuring a NetWall firewall so it sends the correct log messages in the correct format to a particular instance of the InCenter Cloud Service.
The interface used to configure a firewall can be either the WebUI or CLI (command line interface). The WebUI is recommended for simplicity.
The setup that must be performed locally on each firewall consists of the following:
Add a Syslog Receiver object that sends log messages back to InCenter. The InCenter Compatible option must also be enabled for this object.
Doing this is described further in Section 4.1, Configuring a Log Receiver.
Add a LAN to LAN VPN tunnel object which provides an encrypted IPsec tunnel between the firewall and InCenter. The log messages sent by the Syslog Receiver object will flow through this tunnel. Creating the tunnel will require that a new Pre-Shared Key object is first created.
Setting up the tunnel is described further in Section 4.2, Configuring a VPN Tunnel.
After the above steps are completed, the changes should be activated and the configuration saved.
The sections that follow describe these configuration steps in detail.
Configuring a Log Receiver with the WebUI
To configure a Syslog log receiver in the cOS Core WebUI, open the WebUI in a browser and go to: System > Device > Log Receivers. Then press the Add button and select the option Syslog Receiver.
The dialog for this new object can then be filled in, as shown in the example below.
Configuring a Log Receiver with the CLI
The cOS Core CLI could be used instead to configure the log receiver. The following is an example of a command to do this:
Device:/> add LogReceiver LogReceiverSyslog my-syslog-receiver IPAddress=203.0.113.10 InCenterCompatibility=Yes
This section describes how to secure the connection between individual NetWall firewalls and the InCenter Cloud service using a VPN tunnel.
When using the InCenter Cloud service, Syslog messages must be sent from firewalls to the cloud through a VPN tunnel and this tunnel must be locally defined in the firewall's configuration using a LAN to LAN VPN object.
Note that where multiple firewalls are sending their log messages to the same InCenter Cloud instance, either each firewall can have its own tunnel, or multiple firewalls can route log messages via a single edge firewall with a single VPN tunnel.
Configuring a VPN Tunnel with the WebUI
Before configuring the VPN tunnel itself, a Pre-shared Key object must first be created that contains the pre-shared key value for the tunnel. To create this, go to Objects > Key Ring, press the Add button and select the Pre-Shared Key option.
The dialog for the pre-shared key can then be filled in, as shown in the example below. The name can be any suitable text but the key must be set to the type Hexadecimal key and the key value copied from the cloud details page and pasted into the Passphrase field. The size should be left at the default value of 512.
To configure a VPN tunnel in the cOS Core WebUI, open the WebUI in a browser and go to: Network > Interfaces and VPN > IPsec. Then press the Add button and select the option LAN to LAN VPN.
The first part of this dialog for this new tunnel object can then be filled in, as shown in the example below.
The following values must be entered:
Name - Any suitable name for the tunnel object.
Remote Endpoint - This is the IP address of the remote tunnel endpoint which is provided on a customer's web access information page for the InCenter cloud. An IP address can be entered directly. However, if an FQDN is used then an FQDN Address object must be created first and then that object is used in this field.
Local Network - This can be any local IP address. The IP address object for the local Ethernet interface could be used, as shown in the example screenshot above. However, the IP used must not be a public IP address.
Remote Network - This is the IP address of the log receiver which is also provided on the web access information page. It is the same IP address that is specified for the Syslog receiver object.
Add route statically - This option must be enabled (by default, it is) so that Syslog traffic is routed through the tunnel.
The second part of the dialog specifies the authentication used for the tunnel. The method should be set to Pre-shared Key and the value of the key should be set to the pre-shared key object created previously.
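The constraints this guide places on these values can be checked before anything is entered on the firewall. The following Python function is an added example, not part of the original guide or of any Clavister tooling; the dictionary keys, the node names and the key value are constructed for illustration, and the node name comparison assumes an exact, case-sensitive match.

```python
import ipaddress
import re
import string

MIN_COS_CORE = (12, 0, 16)  # minimum cOS Core version stated in this guide


def parse_version(text):
    """Turn a version string such as '12.00.16' into a tuple of three ints."""
    return tuple(int(n) for n in re.findall(r"\d+", text)[:3])


def check_settings(s):
    """Return a list of problems found in the planned settings dict `s`."""
    problems = []
    if parse_version(s["cos_core_version"]) < MIN_COS_CORE:
        problems.append("cOS Core is older than 12.00.16")
    key = s["psk_hex"].strip()
    if not key or len(key) % 2 or any(c not in string.hexdigits for c in key):
        problems.append("pre-shared key is not a valid hexadecimal string")
    # The guide requires that the Local Network address is not a public IP.
    if ipaddress.ip_address(s["local_network"]).is_global:
        problems.append("Local Network must not be a public IP address")
    # Remote Network must be the same address the Syslog receiver sends to,
    # otherwise the static route will not carry the log traffic into the tunnel.
    remote = ipaddress.ip_address(s["remote_network"])
    if remote != ipaddress.ip_address(s["log_receiver_ip"]):
        problems.append("Remote Network differs from the Syslog receiver IP")
    if s["node_name"] != s["device_name"]:
        problems.append("InCenter node name does not match the device name")
    return problems


# Constructed sample values; real ones come from the cloud setup information page.
GOOD = {
    "cos_core_version": "12.00.16",
    "psk_hex": "0a1b2c3d" * 16,  # constructed key, not a real secret
    "local_network": "192.168.1.1",
    "remote_network": "203.0.113.10",
    "log_receiver_ip": "203.0.113.10",
    "node_name": "fw-branch-01",
    "device_name": "fw-branch-01",
}
BAD = dict(GOOD, cos_core_version="12.00.15", psk_hex="not-hex",
           local_network="8.8.8.8", remote_network="203.0.113.5",
           device_name="Device")

if __name__ == "__main__":
    for label, settings in (("good", GOOD), ("bad", BAD)):
        print(label, check_settings(settings) or "no problems found")
```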
Configuring a VPN Tunnel with the CLI
Alternatively, the following CLI commands could be used instead. First, to configure the pre-shared key:
Device:/> add PSK my-psk Type=HEX PSKHex=<paste key here>
Next, to configure the tunnel:
Device:/> add Interface LANtoLANVPN my_incenter_tunnel LocalNetwork=G1_ip RemoteNetwork=203.0.113.10 PSK=my-psk
Configuring a LAN to LAN VPN object is described further in the separate cOS Core Administration Guide.
Activate All Changes
All the changes made to the cOS Core configuration should now be activated and committed by selecting the Save and Activate option from the toolbar.