When NetWall nodes are added to InCenter, they can become subject to centralized management by InCenter. The functions provided by centralized management are discussed in Chapter 10, Centralized Management Control.
Note: Skip this section if setting up monitoring only
It is possible to enable monitoring only for a node without also enabling centralized management. To enable monitoring only, follow the steps described in Section 6.3, Setting Up Monitoring.
To bring a node under centralized management control, setup steps are required on both the NetWall node and InCenter so that the two can communicate using the relevant keys. After setting up this communication, the node is added to InCenter and its configuration imported.
The following list summarizes the process of centralized management setup:
1. Set up the NetWall node to communicate with InCenter. Doing this is described in Section 6.2.1, NetWall Node Centralized Management Setup.
2. Set up InCenter to communicate with the node. Doing this is described in Section 6.2.2, InCenter Centralized Management Setup.
3. Add the NetWall node in InCenter so its configuration is imported and centralized management becomes enabled. Doing this is described in Section 6.2.3, Adding NetWall Nodes with the CLI.
The steps listed above are covered sequentially in more detail in the sections that follow.
Note: InCenter and InControl management are incompatible
Do not try to set up InCenter centralized management for a NetWall node that is already being centrally managed by the Clavister InControl product. Centralized management by InControl should be disabled first. However, monitoring by InCenter is still possible even though a node is under InControl management.
This section describes the detailed steps for setting up NetWall nodes for centralized management. These operations are performed as a local administrator of the firewall and not through InCenter.
1. Set the name on the node
If it has not been done already, set the name of the node using its CLI with the following command:
Device:/> set Device Name=<device-name>
2. Copy the InCenter SSH Key
The first step is to copy the InCenter public SSH key into a file. This is done by first listing the key in the InCenter CLI with the following command:
admin@InCenter:/> nodeserver -showkey
Create a new text file containing this key using copy and paste from the console output.
Note that the sshserver command is not used here: it refers to a different SSH server from the one InCenter uses to communicate with NetWall nodes, and the two servers use different public keys. The nodeserver key is automatically the same on a second, redundant InCenter node and can be regenerated with the command nodeserver -keygen.
3. Add an SSH Public Key object
In the NetWall node WebUI, go to Object > Key Ring and select Add > SSH Public Key. Enter a suitable name and select Upload SSH public key file so the file created in the previous step can be uploaded. This step could alternatively be done by using SCP to upload the file to the sshpublickeys folder of the node.
Another way to do it is using the NetWall node's CLI. An example CLI command would be the following:
Device:/> add SSHPublicKey my-pub-key PublicKey="ssh-rsa AADAB3NzaC1y23"
The key value in the above command has been truncated and a real key would be much longer.
4. Add a Remote Management object
In the NetWall node's WebUI, go to System > Remote Management and select Add > InCenter Management. Set the Primary IP property to the IP address of the InCenter server (this IP could be first defined as an address book object) and set the SSH server public key property to the SSH Public Key object created in the previous step. Note that the Secondary IP property is only used when a second InCenter node is available to provide redundancy.
If required, an alternate routing table can also be selected for management traffic that is outgoing to the InCenter server. By default, the main routing table will be used.
Using the NetWall node's CLI, the command to set up a remote management object would be:
Device:/> add RemoteManagement RemoteMgmtInCenter
InCenterPrimaryIP=<InCenter-IP>
InCenterKey=<key-object>
The next section describes how to set up InCenter.
This section describes the detailed steps for setting up InCenter for centralized management of a particular NetWall node.
1. Copy the SSH key from the NetWall Node
In the WebUI of the NetWall node, go to Objects > Key Ring and open the RSA 2048 bit object in the list. Select the OpenSSH format option and then copy and paste the key to a local text file with a filetype of .pub. In the cOS Core CLI, the key can be displayed with the following command:
Device:/> show SSHHostKey RSA
2. Create an SSHPublicKey object in InCenter
Upload the key file from the previous step to InCenter using SCP and then create a new SSHPublicKey with the following CLI command:
admin@InCenter:/> add SSHPublicKey Name=my-sshkey
PublicKey=my-keyfile.pub
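Both key-copy steps above (the InCenter nodeserver key pasted into a file for the NetWall node, and the node's RSA host key saved as a .pub file for InCenter) depend on an OpenSSH one-line public key surviving a copy and paste intact; the guide's own add SSHPublicKey example shows what a truncated value looks like. The following Python script is an added example, not Clavister code and not part of this guide: it parses an ssh-rsa line, rejects truncated or corrupted keys before they are uploaded, and prints the SHA256 fingerprint in the same form that ssh-keygen -lf uses, so it can be compared with the key obtained on the other system. The key parameters and the comment are constructed for the demonstration.

```python
import base64
import binascii
import hashlib
import struct

# Constructed RSA public-key parameters for the demonstration only: this is not a
# real InCenter nodeserver key or NetWall host key, and the modulus is not a product
# of two primes (it is only encoded and parsed here, never used for cryptography).
CONSTRUCTED_E = 65537
CONSTRUCTED_N = (
    int.from_bytes(hashlib.sha256(b"constructed modulus").digest() * 8, "big")
    | (1 << 2047)  # force a 2048-bit length, like the node's "RSA 2048 bit" key
    | 1            # keep it odd, as any RSA modulus is
)

# The truncated key literal shown in the guide's add SSHPublicKey example.
TRUNCATED_KEY_FROM_GUIDE = "ssh-rsa AADAB3NzaC1y23"


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (RFC 4251 section 5)."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")  # extra 0x00 if top bit set
    return _ssh_string(raw)


def build_rsa_public_key_line(e: int, n: int, comment: str = "") -> str:
    """Build a one-line OpenSSH public key: 'ssh-rsa <base64 blob> [comment]'."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return f"{line} {comment}" if comment else line


def _read_string(blob: bytes, pos: int) -> tuple[bytes, int]:
    """Read one SSH string from blob at pos; fail loudly if the blob is cut short."""
    if pos + 4 > len(blob):
        raise ValueError("blob ends inside a length field (truncated key)")
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    pos += 4
    if pos + length > len(blob):
        raise ValueError("blob ends inside a field body (truncated key)")
    return blob[pos:pos + length], pos + length


def parse_openssh_rsa_key(line: str) -> dict:
    """Validate an 'ssh-rsa <base64> [comment]' line and return its parameters.

    The fingerprint uses the SHA256/base64 form that ssh-keygen -lf prints, so it
    can be compared against the key as shown on the InCenter or NetWall console.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("expected a line of the form 'ssh-rsa <base64> [comment]'")
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"base64 body is not valid (incomplete paste?): {exc}") from exc
    key_type, pos = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError(f"blob key type {key_type!r} does not match the 'ssh-rsa' prefix")
    e_bytes, pos = _read_string(blob, pos)
    n_bytes, pos = _read_string(blob, pos)
    if pos != len(blob):
        raise ValueError("unexpected bytes after the modulus (corrupted key)")
    n = int.from_bytes(n_bytes, "big")
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii").rstrip("=")
    return {
        "e": int.from_bytes(e_bytes, "big"),
        "n": n,
        "bits": n.bit_length(),
        "fingerprint": "SHA256:" + digest,
        "comment": parts[2] if len(parts) > 2 else "",
    }


def check_key_line(line: str) -> tuple[bool, str]:
    """Return (ok, message) for a pasted key line, suitable as a pre-upload check."""
    try:
        info = parse_openssh_rsa_key(line)
    except ValueError as exc:
        return False, f"REJECT: {exc}"
    return True, f"OK: {info['bits']}-bit ssh-rsa key, fingerprint {info['fingerprint']}"


if __name__ == "__main__":
    good = build_rsa_public_key_line(CONSTRUCTED_E, CONSTRUCTED_N, "incenter-nodeserver")
    for candidate in (good, TRUNCATED_KEY_FROM_GUIDE):
        print(check_key_line(candidate)[1])
```

Run check_key_line on the contents of the saved .pub file before uploading it; a rejected line means the paste should be redone from the console output rather than repaired by hand. A valid format alone does not prove the right key was copied (the sshserver and nodeserver keys are both well-formed ssh-rsa keys), so also compare the printed fingerprint with one taken directly on the system the key came from where that is possible.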
The next section describes how to add the node to InCenter. When added, the node's PublicKey property will be set to the SSHPublicKey object value created in the last step above.
This section describes how to add a new NetWall node to InCenter so that centralized control is enabled for the node. It is assumed that the setup has already been done so that InCenter and the node can communicate.
This section does not apply if InCenter is being used for monitoring only (without centralized management). For monitoring only, nodes must be first configured to send log messages to the InCenter server and then added using the WebUI, which is described in Section 6.3, Setting Up Monitoring.
To add any NetWall node so it comes under centralized management control for the first time, the steps are as follows:
1. If it has not been done already, perform the centralized management setup described previously in Section 6.2, Setting Up Centralized Management.
2. Access the InCenter CLI using an SSH client.
3. Add the Clavister Next Generation Firewall as a standalone node.
4. Activate and commit the change.
5. Import the node's configuration to the InCenter database.
6. Make any required changes to the node configuration.
7. Activate all changes and commit them.
Adding any node and importing its configuration into InCenter usually only has to be done once. However, there are exceptions. For example, after upgrading the firewall software version, a node must be re-imported.
Note: Add nodes in batches of no more than 500
When adding a large number of nodes, no more than 500 nodes should be added in any one batch before the changes are activated. This is true both for the add operation and the import operation.
Adding a Node
When a node is added, the PublicKey property of the StandaloneNode must be specified for authentication. This property is assigned an SSHPublicKey object that will already have been created by the administrator during centralized management setup. An example CLI command to do this would be the following:
admin@InCenter:/> add StandaloneNode
Name=my-node1
NodeType=NetWall
PublicKey=my-node-key
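The batch note above and the add StandaloneNode command can be combined in a small script when many nodes are onboarded at once. The following Python is an added example, not Clavister code and not part of this guide: it generates InCenter CLI lines for a node inventory, inserting activate and commit after every 500 adds and, separately, after every 500 imports, using the command forms shown in this section. The inventory, node names and key-object names are constructed; that the generated lines can be pasted or fed into the InCenter CLI in sequence is an assumption.

```python
from typing import Iterable, Iterator, Sequence

# Limit stated in the guide: activate after at most 500 adds, and likewise after
# at most 500 imports, when onboarding nodes in bulk.
BATCH_LIMIT = 500


def _batches(items: Sequence, size: int) -> Iterator[Sequence]:
    """Yield consecutive slices of at most `size` items."""
    if size < 1:
        raise ValueError("batch size must be at least 1")
    for start in range(0, len(items), size):
        yield items[start:start + size]


def add_node_script(nodes: Iterable[tuple[str, str]], batch_limit: int = BATCH_LIMIT) -> list[str]:
    """InCenter CLI lines that add StandaloneNode objects, activating and committing
    after each batch. `nodes` yields (node name, SSHPublicKey object name) pairs."""
    lines: list[str] = []
    for batch in _batches(list(nodes), batch_limit):
        for name, key_object in batch:
            lines.append(f"add StandaloneNode Name={name} NodeType=NetWall PublicKey={key_object}")
        lines.extend(["activate", "commit"])
    return lines


def import_node_script(names: Iterable[str], batch_limit: int = BATCH_LIMIT) -> list[str]:
    """InCenter CLI lines that import each node's configuration, again activating and
    committing after each batch. Run only after 'node <name> status' shows each node
    connected, as the guide requires communication before import."""
    lines: list[str] = []
    for batch in _batches(list(names), batch_limit):
        lines.extend(f"node {name} import" for name in batch)
        lines.extend(["activate", "commit"])
    return lines


def max_changes_between_activates(lines: Sequence[str]) -> int:
    """Largest number of pending changes before an 'activate' in a generated script:
    a guard that the 500-per-batch rule was respected."""
    largest = pending = 0
    for line in lines:
        if line == "activate":
            largest = max(largest, pending)
            pending = 0
        elif line != "commit":
            pending += 1
    return max(largest, pending)


if __name__ == "__main__":
    # Constructed inventory: 1200 nodes whose key objects follow a naming pattern.
    inventory = [(f"branch-fw-{i:04d}", f"branch-fw-{i:04d}-key") for i in range(1200)]
    script = add_node_script(inventory)
    print("\n".join(script[:3]), "...", sep="\n")
    print(f"{len(script)} lines, at most {max_changes_between_activates(script)} adds per activate")
```

Generate and run the add script first, wait until node <node-name> status shows each node connected, then generate and run the import script; max_changes_between_activates is a check that no batch in either script exceeds the limit.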
Saving Changes
The addition of a node, and any subsequent configuration change made with InCenter, will not be saved or deployed to a node until an activate command is issued. This must be followed by a commit command to make changes permanent:
admin@InCenter:/> activate
Activate successful
admin@InCenter:/> commit
Committed
admin@InCenter:/>
Note that the activate command will apply all pending changes to affected nodes at the same time. If an error occurs, all changes are rolled back. If all changes are successful, the commit command will make the changes permanent.
Verifying the Connection to the Node
Once the node addition is activated, the node will be able to connect to InCenter. There will be a brief delay before the node establishes a connection with InCenter. This connection can be verified in InCenter by using the following command:
admin@InCenter:/> node <node-name> status
Importing the Node Configuration
After the communication with InCenter is established, the next step is to import the firewall configuration into InCenter. This is done with the following command sequence:
admin@InCenter:/> node my-node1 import
Importing configuration from: my-node1
Import done
admin@InCenter:/> activate
Activate successful
admin@InCenter:/> commit
Committed
admin@InCenter:/>
This sequence results in the node configuration being read and saved in the InCenter configuration database on the server. Subsequent configuration changes made through InCenter will now be reflected in both the node configuration and InCenter's database copy.
In addition, the node is brought under centralized management control by InCenter and it will no longer be possible to change the configuration of the node by direct connection to it. This is explained further in Chapter 10, Centralized Management Control.
Note: Import requires an Activate/Commit
An import command must be followed by an activate and then a commit command for the import into InCenter to be completed.
If an import operation is not performed, it will not be possible to make node configuration changes under the control of InCenter.
A Node Can Also Be Exported
InCenter provides an export operation for a standalone node which is the opposite of import. This pushes the current configuration held in the InCenter database out to the node so that the node synchronizes with the database. For example:
admin@InCenter:/> node my-node1 export
The export command is discussed further in Section 4.4, Activating Changes.
Editing Node Properties with the CLI
After a node has been added to InCenter, its properties can be changed using the set command. For example, to change the name of the node called my-node1 to my-new-name, the following command could be used:
admin@InCenter:/> set StandaloneNode my-node1 Name=my-new-name