Home  Prev  Clavister NetEye Cloud Getting Started Guide  Next

Chapter 3: cOS Core Setup

This section describes the steps needed for configuring a cOS Core firewall to connect with the NetEye Cloud service.

The user interface used to configure a firewall can be either the WebUI or CLI (command line interface). The WebUI is recommended for simplicity. Both methods are described in this section.

A Summary of cOS Core Setup Steps

The setup that must be performed locally on a cOS Core firewall consists of the following steps:

  1. Make sure that cOS Core already has Internet access and that a public DNS server is configured. This is required to resolve the FQDN of the NetEye cloud instance.

  2. Create a new FQDN Address object which contains the FQDN of the NetEye cloud instance. This FQDN comes from the NetEye connection parameters specified in the relevant MyClavister account.

  3. Create a new PSK object which contains the shared secret key to use with the IPsec tunnel. This key also comes from the NetEye parameters in the relevant MyClavister account.

  4. Create a new LAN to LAN VPN object in the cOS Core configuration. This is the IPsec tunnel that will connect to the NetEye cloud instance and transport data between the firewall and NetEye.

  5. Create a new Routing Table. This will be used to route traffic to NetEye.

  6. Add a route to the new routing table which routes all-nets traffic on the IPsec tunnel.

  7. Create a Policy-based Routing Rule that triggers on the target HTTP/HTTPS traffic and uses the new routing table for forward traffic and the original client routing table (usually the main table) for return traffic.

  8. Create an IP policy that allows traffic to flow from the clients into the IPsec tunnel.

  9. After the above steps are completed, the changes should be activated and the configuration saved.

Configuration of cOS Core can be performed using any of the management interfaces. The following sections describe in detail the setup using either the WebUI and CLI.

3.1. Setup Using the WebUI

This section describes how to use the cOS Core WebUI to set up communication with the NetEye Cloud. It is assumed that the HTTP/HTTPS clients are located on the network called lan_net which is connected to the firewall Ethernet interface called lan.

A. Configure an FQDN Address Object for the Tunnel Endpoint

The IPsec tunnel endpoint of the NetEye Cloud instance is specified as an FQDN in the relevant MyClavister account. For example, the FQDN might be 1010.ne.clavister.net. This must be configured in cOS Core as an FQDN Address object. This is done by selecting Objects > Address Book > Add > FQDN Address in the WebUI.

Add FQDN Address

Figure 3.1. Add FQDN Address

Specify the FQDN for NetEye connection using a suitable name. Note that the FQDN used below is just an example and every customer will have a unique FQDN.

Add FQDN Address Dialog

Figure 3.2. Add FQDN Address Dialog

B. Configure an IPsec Tunnel

Before configuring the IPsec tunnel itself, a Pre-shared Key object must first be created that contains the pre-shared key value for the tunnel. To create this, select Objects > Key Ring > Add > Pre-Shared Key in the WebUI.

Add Pre-Shared Key

Figure 3.3. Add Pre-Shared Key

The dialog for the pre-shared key can then be filled in, as shown in the example below. The name can be any suitable text. The key type must be set to the value Hexadecimal key. The key value should be copied from the NetEye parameter list in the relevant MyClavister account and pasted into the Passphrase field.

Add Pre-Shared Key Dialog

Figure 3.4. Add Pre-Shared Key Dialog

To configure the IPsec tunnel, select Network > Interfaces and VPN > IPsec > Add > LAN to LAN VPN in the WebUi.

Add VPN Tunnel

Figure 3.5. Add VPN Tunnel

The first part of the dialog for a new tunnel can then be filled in, as shown in the example below.

Add VPN Tunnel Dialog

Figure 3.6. Add VPN Tunnel Dialog

The following values must be entered:

  • Name - Any suitable name for the tunnel object.

  • Remote Endpoint - This is the FQDN address object created earlier which contains the FQDN of the NetEye instance. This will be resolved using DNS to an IPv4 address so the cOS Core must have a DNS server configured.

  • Local Network - Set this to all-nets.

  • Remote Network - Set this to all-nets.

  • Add route statically - This option should be disabled since the route will be added manually.

The second part of the dialog specifies the authentication used for the tunnel. The method should be set to Pre-shared Key and the value of the key should be set to the pre-shared key object created previously.

Add VPN Tunnel Dialog - Authentication

Figure 3.7. Add VPN Tunnel Dialog - Authentication

C. Create a New Routing Table

Select Network > Routing > Routing Tables > Add > Routing Table in the WebUI.

Add Routing Table

Figure 3.8. Add Routing Table

Give the new table a suitable name and leave the Ordering property at the default value.

Add Routing Table Dialog

Figure 3.9. Add Routing Table Dialog

D. Add an all-nets Route

Add a route to the new routing table by selecting the table in the WebUI and then selecting Add > Route IPv4.

Add a Route

Figure 3.10. Add a Route

The Network should be set to all-nets and the Interface should be set to the IPsec tunnel name.

Add a Route Dialog

Figure 3.11. Add a Route Dialog

E. Configure a Policy-based Routing Rule

A Policy-based Routing Rule is required so that the target traffic will use the new routing table and the all-nets route it contains for routing. To do this, select Network > Routing > Policy-based Routing Rules > Add > Routing Rule in the WebUI.

Add a Policy-based Routing Rule

Figure 3.12. Add a Policy-based Routing Rule

Enter a suitable name for the routing rule and set the forward routing table to the table created above. The return routing table should be set to the original routing table used to reach clients and this will normally be the main routing table.

Policy-based Routing Rule Dialog

Figure 3.13. Policy-based Routing Rule Dialog

For the routing rule filter, specify a destination of all-nets for the network and any for the interfaces. The source network and interface should be the relevant values for the location of the clients (in this example, lan_net and lan). The service should be set to the targeted traffic, in this case the predefined service object http-all which includes both HTTP and HTTPS using the standard port numbers.

Policy-based Routing Rule Filter

Figure 3.14. Policy-based Routing Rule Filter

Note that if non-standard HTTP/HTTPS port numbers are used then a custom service object would need to be first created and then used with the routing rule instead of http-all.

F. Configure an IP Policy

An IP Policy object must be added to allow traffic to flow through the tunnel. Select Policies > Firewalling > Main IP Rules > Add > IP Policy in the WebUI.

Add IP Policy

Figure 3.15. Add IP Policy

Enter values into the new IP policy dialog. The destination interface should be the name of the IPsec tunnel object created earlier and the destination network should be set to all-nets. The source network and interface should be the relevant values for the location of the clients.The service can be set to http-all to allow only HTTP and HTTPS traffic.

Add IP Policy Dialog

Figure 3.16. Add IP Policy Dialog

The source destination and source interface could be made more restrictive if traffic from only certain users is to be allowed into the tunnel. The service can be set to all-services to allow all traffic. Non-HTTP/HTTPS traffic will pass through NetEye without any security processing being applied.

The changed cOS Core configuration can now be activated and committed. It is assumed that an IP policy already exists which will allow non-NetEye client traffic to flow directly to the Internet.

Home  Prev   Next