NetShield 300 Series Getting Started Guide

Table of Contents

1. NetShield 300 Series Overview
1.1. Unpacking
1.2. Interfaces and Ports
1.3. Hardware Sensor Monitoring
2. Installation
2.1. General Installation Guidelines
2.2. Flat Surface and Rack Installation
2.3. Management Computer Connection
2.4. Local Console Port Connection
2.5. Connecting Power
3. cOS Stream Configuration
3.1. The NetShield 300 Series Default Configuration
3.2. CLI Access
3.3. Manual IPv4 Internet Connection Set Up
3.4. The Boot Menu
3.5. Setup Troubleshooting
3.6. Going Further with cOS Stream
4. Resetting to Factory Defaults
5. Warranty Service
6. Safety Precautions
A. NetShield 300 Series Specifications

Chapter 1: NetShield 300 Series Overview

[Note] Note: This document is also available in other formats

A PDF version of this document along with all current and older documentation in PDF format can be found at

It is also available in a framed HTML version.

[Important] Important: Only cOS Stream version 3.90.00 or later is supported

The NetShield 300 Series hardware can run any cOS Stream version from 3.90.00 onwards. Earlier versions are not supported and a downgrade should not be attempted.

1.1. Unpacking

An Unpacked NetShield 300 Series Unit

Figure 1.1. An Unpacked NetShield 300 Series Unit

This section details the unpacking of a single NetShield 300 Series device. Open the packaging box used for shipping and carefully unpack the contents. The packaging should contain the following:

  • The NetShield 300 Series appliance.

  • Power cable.

  • Power adapter.

  • Rack mount kit.

[Note] Note: Report any items that are missing

If any items are missing from the packaging, please contact your sales office.

Support Agreements

All purchasers of a new NetShield hardware product must also subscribe to one of the available cOS Stream support agreements. These provide access to cOS Stream updates and provide a hardware replacement service in the event of a hardware fault. The terms of warranty are described in Chapter 5, Warranty Service, along with a description of the hardware replacement procedure.

The Cold Standby Service

To ensure maximum uptime, a Cold Standby (CSB) Service is available from Clavister as an addition to certain cOS Stream support agreements. This service allows a second, identical NetShield 300 Series unit to be purchased at a discount so that it can quickly substitute for the original unit in case of failure, with the ability to quickly reassign the original cOS Stream license to the standby unit. When the faulty unit is returned to Clavister, a new cold standby unit is immediately sent back.

Downloading NetShield 300 Series Resources

All documentation, version upgrades and other resources for the NetShield 300 Series can be downloaded from the Clavister website after logging into the relevant MyClavister account.

Contacting Clavister Product Support

Clavister customer support can be contacted by logging into and reporting an issue online. Alternatively, the direct support telephone number is +46 (0)660-29 77 55 (answered 24/7). Sales enquiries should be directed to the head office number +46 (0)660-29 92 00 or a local sales office during the relevant business hours.

End of Life Disposal

The NetShield 300 Series appliance is marked with the European Waste Electrical and Electronic Equipment (WEEE) directive symbol which is shown below.

The product, and any of its parts, should not be discarded using a regular refuse disposal method. At end-of-life, the product and parts should be given to an appropriate service that deals with the disposal of such specialist materials.



1.2. Interfaces and Ports

This section is an overview of the NetShield 300 Series product's external connectivity options.

NetShield 300 Series Interfaces and Ports

Figure 1.2. NetShield 300 Series Interfaces and Ports

[Note] Note: The meaning of the terms "Front" and "Back"

The term "Front" will be used in this guide to refer to the side of the 300 Series that has the Ethernet ports and the term "Back" to the side that has the status lights.

The NetShield 300 Series features the following connection ports:

  • 6 x RJ45 Gigabit Ethernet interfaces

    These have the logical cOS Stream interface names G1 to G6. These names are written above each interface on the NetShield 300 Series casing.

    The G1 interface is used for initial management connection over a network. The G6 interface is normally used for the initial connection to the public Internet.

  • 2 x Gigabit SFP interfaces

    These have logical names S1 and S2.

    Note that only the SFP modules available from Clavister have been tested to function correctly with the 300 Series hardware. Clavister cannot guarantee that others will function correctly.

  • An RJ45 RS-232 console port

    This port (marked |O|O|) is used for direct access to the cOS Stream Boot Menu and the cOS Stream Command Line Interface (CLI). Connecting to this port is described in Section 2.4, Local Console Port Connection.

In the predefined default cOS Stream configuration, the G1 interface of the NetShield 300 Series has an IPv4 DHCP server enabled so it will automatically hand out IP addresses belonging to the default management network to a connecting client. In addition, both the G6 and S1 interfaces have an IPv4 DHCP client enabled so that they can automatically be assigned an IP address if either or both are connected to an ISP (dual connection can provide redundancy).

The default cOS Stream configuration contains a predefined IP rule set that allows clients on the G1 interface to automatically access the Internet via either G6 or S1. If both interfaces provide Internet access, S1 will take precedence because its predefined all-nets route has a lower metric value.

The default cOS Stream configuration is discussed further in Section 3.1, The NetShield 300 Series Default Configuration.

[Note] Note: The two USB Type A ports are not currently used

The two USB Type A ports on the 300 Series front panel are for future functionality and are not currently used by cOS Stream.

NetShield 300 Series Ethernet Interfaces

Figure 1.3.  NetShield 300 Series Ethernet Interfaces

The full connection capabilities of all the NetShield 300 Series Ethernet interfaces are listed at the end of Appendix A, NetShield 300 Series Specifications.

RJ45 Ethernet Interface Status LEDs

The status lights on the NetShield 300 Series RJ45 Ethernet interface sockets indicate the following states for each interface:

  • Left LED:

    1. Solid Green - The interface has power.
    2. Flashing Green - The interface is active.
  • Right LED:

    1. Dark - 10 Mbit link or no link.
    2. Green - 100 Mbit link.
    3. Yellow - 1000 Mbit link.

System Status Indicator LEDs

The two status LEDs on the 300 Series indicate the following:

  • Power - This shows power is supplied to the unit.

  • Status - This shows that cOS Stream is running.

1.3. Hardware Sensor Monitoring

The NetShield 300 Series is equipped with sensors that provide cOS Stream with information about operational parameters such as CPU temperature. This information is available to the administrator through the cOS Stream management interfaces.

In addition, log message alerts can be automatically generated if a sensor reaches a value outside of its normal operational range.

Configuring this feature, as well as a list of all the sensors available on each Clavister hardware model and their normal ranges, can be found in the Hardware Monitoring section of the separate cOS Stream Administration Guide.

Chapter 2: Installation

2.1. General Installation Guidelines

Follow these general guidelines when installing the NetShield 300 Series appliance:

  • Safety

    Take notice of the safety guidelines laid out in Chapter 6, Safety Precautions. These are specified in multiple languages.

  • Power

    Make sure that the power source circuits are properly grounded and then use the power cord supplied with the appliance to connect it to the power source.

  • Using Other Power Cords

    If your installation requires a different power cord than the one supplied with the appliance, be sure to use a cord displaying the mark of the safety agency that defines the regulations for power cords in your country. Such marks are an assurance that the cord is safe.

  • Power Overload

    Ensure that the appliance does not overload the power circuits, wiring and over-current protection.

    To determine the possibility of overloading the supply circuits, add together the ampere ratings of all devices installed on the same circuit as the appliance and compare the total with the rating limit for the circuit. The maximum ratings for the 300 Series are listed in Appendix A, NetShield 300 Series Specifications.

  • Surge Protection

    A third party surge protection device should be considered and is strongly recommended as a means to prevent electrical surges reaching the appliance. This is mentioned again in Section 2.5, Connecting Power.

  • Temperature

    Do not install the appliance in an environment where the ambient temperature during operation might fall outside the specified operating range. This range is documented in Appendix A, NetShield 300 Series Specifications.

    The intended operating temperature range is "room temperature". That is to say, the temperature most commonly found in a modern office and in which humans feel comfortable. This is usually considered to be between 20 and 25 degrees Celsius (68 to 77 degrees Fahrenheit). Special rooms for computer equipment may use a lower range and this is also acceptable.

  • Airflow

    Make sure that airflow around the appliance is not restricted.

  • Dust

    Do not expose the appliance to environments with elevated dust levels.

[Note] Note: The specifications appendix provides more details

Detailed information concerning power supply range, operating temperature range and other operating details can be found at the end of this document in Appendix A, NetShield 300 Series Specifications.

2.2. Flat Surface and Rack Installation

The NetShield 300 Series can be mounted on any appropriate stable, flat, level surface that can safely support the weight of the appliance and its attached cables.

[Important] Important: Always leave space around the appliance

Always ensure there is adequate space around the appliance for ventilation and for easy access to switches and cable connectors. No objects should be placed on top of the casing.

The NetShield 300 Series can also be rack mounted in a standard 19-inch rack using the kit that is included with the appliance. The kit is mounted by attaching the two side-brackets, as shown below.

NetShield 300 Series Rack Mount Kit Attachment

Figure 2.1. NetShield 300 Series Rack Mount Kit Attachment

Once the brackets are firmly attached on either side, the unit can be mounted in a rack. Rear support is not required.

NetShield 300 Series Ready For Rack Mounting

Figure 2.2. NetShield 300 Series Ready For Rack Mounting

2.3. Management Computer Connection

cOS Stream Starts After Power Up

It is assumed that the NetShield 300 Series unit is now unpacked, positioned correctly and power is applied. If not, the earlier chapters in this guide should be referred to before continuing.

Clavister's cOS Stream software is preloaded on the NetShield 300 Series and will automatically boot up after power is applied. After the start-up sequence is complete, an external management computer can be used to configure cOS Stream.

cOS Stream Access Methods for Setup

Initial cOS Stream software configuration can be done in one of the following ways:

  • Using CLI commands across a network connection

    The setup process can be performed using CLI commands which are input into a remote management computer running an SSH client. The management computer is linked across a network to an Ethernet interface on the firewall.

    Once a network link to the CLI has been established, the manual configuration steps using the CLI are described in Section 3.2, CLI Access.

  • Using CLI commands via the local console

    Alternatively, CLI access is possible using console emulation software running on an external computer connected directly to the RJ45 local console port on the 300 Series hardware. Direct console connection is described in Section 2.4, Local Console Port Connection.

    In the default NetShield 300 Series configuration, no login credentials are enabled for the local console.

The Default Management Ethernet Interface

After first-time startup, cOS Stream automatically makes network management access available on a single predefined Ethernet interface and assigns to it the private IPv4 address and network In addition, this interface has a DHCP server enabled. This means that any DHCP client that connects can be automatically assigned a private IPv4 address so it can communicate with the firewall.

For the NetShield 300 Series, the physical default management Ethernet interface is G1.

This network connection could be made via a local switch using standard Ethernet cables, as shown in the illustration below.

Direct local Ethernet connection to the G1 interface can be done without a switch by using a suitable crossover cable. However, all the RJ45 interfaces on the NetShield 300 Series support Automatic MDI-X so a crossover cable is not necessary.

Connection to an ISP for Internet Access

For access to the public Internet, another 300 Series Ethernet interface should be selected for connection to an ISP. For example, G2 could be selected, although any other available interface could be used instead.

Note that in the default cOS Stream configuration for the NetShield 300 Series, the G6 and S1 interfaces already have a DHCP client enabled so an IP addresses can be automatically assigned by an ISP on connection.

[Tip] Tip: Connect the Internet before the management computer

If the G6 or S1 interface is connected to an ISP before the management computer is connected to the G1 interface, DNS addresses for resolving URIs will be received from the ISP and then relayed in the DHCP lease sent to a connecting management computer.

If the management computer is connected first, it may get its IP assigned by the firewall with a DHCP lease that will not contain DNS addresses and the lease lifetime will be 24 hours. Renewing the lease, for example with a management computer restart, may be necessary to get DNS addresses after they are received on the G6 or S1 interface. Alternatively, DNS addresses could be entered into the management computer manually.

Management Computer Ethernet Interface Setup

The only requirement for the Ethernet interface used for connection on the management computer is that DHCP is enabled. cOS Stream automatically enables a DHCP server on the firewall's G1 interface and this will allocate the relevant IP address to the management computer using DHCP.

If the management computer is configured manually, the following settings could be used:

  • IP address:

  • Subnet mask:

  • Default gateway:

[Tip] Tip: Using another management interface IP address

The IPv4 address assigned to the management computer's Ethernet interface could be any address from the network. However, the IP chosen must be different from which is used by cOS Stream's default management interface.

2.4. Local Console Port Connection

The local console port allows direct management connection to the NetShield 300 Series unit from an external computer acting as a console terminal. This local console access can then be used for both management of cOS Stream with CLI commands or to enter the boot menu in order to access firmware loader options. The boot menu is described further in the separate cOS Stream Administration Guide.

The local console port is the physical RJ45 RS-232 port on the left-hand side of the NetShield 300 Series's connector panel and is marked |O|O|.

NetShield 300 Series RJ45 Local Console Port Connection

Figure 2.3. NetShield 300 Series RJ45 Local Console Port Connection

Requirements for NetShield 300 Series Local Console Connection

To get management access via the local console port, the following is needed:

  • An external computer with a serial port and the ability to emulate a console terminal (for example, using the open source puTTY software).
  • The terminal console should have the following settings:

    1. 115,200 bps.
    2. No parity.
    3. 8 bits.
    4. 1 stop bit.
    5. No flow control.

  • An RS-232 cable with appropriate terminating connectors.

Connection Steps

To connect a terminal to the local console port, perform the following steps:

  1. Check that the console connection settings are configured as described above.

  2. Connect one of the connectors on the cable directly to the local console port on the 300 Series.

  3. Connect the other end of the cable to a console terminal or to the serial connector of a computer running console emulation software.

Remote Console Connection Using SSH

An alternative to using the local console port for CLI access is to connect remotely over a network via a physical Ethernet interface and using a Secure Shell (SSH) client on the management computer to issue CLI commands. This is discussed further in Section 2.3, Management Computer Connection.

2.5. Connecting Power

This section describes connecting power. As soon as power is applied, the NetShield 300 Series will boot-up and cOS Stream will start.

[Important] Important: Review the safety information

Before connecting power, please review the electrical safety information found in Chapter 6, Safety Precautions.

Connecting AC Power

To connect power, follow these steps:

  1. Connect the end of the power adapter's power cord to the power inlet on the NetShield 300 Series. The 300 Series has a threaded connector which must be screwed firmly in place to prevent the power cable accidentally detaching.
NetShield 300 Series Power Supply Connection

Figure 2.4. NetShield 300 Series Power Supply Connection

  1. Plug the power adapter into a suitable AC power outlet.

  1. There is no On/Off switch. The 300 Series will boot up as soon as power is applied and cOS Stream will start. The progress of the process can be seen on a CLI console connected to the local console port.

  1. After a brief period of time, cOS Stream will be fully initialized and the NetShield 300 Series is then ready for configuration using a direct console connection or via a network connection to the default management Ethernet interface.

    Initial cOS Stream configuration is described in Chapter 3, cOS Stream Configuration..

The Recessed Reset and Restart Buttons

Located to the left of the power connector are two recessed buttons that can be pushed in with a suitable pointed tool. An opened paper-clip could be used for this.

The 300 Series Restart Button (below the reset button)

Figure 2.5. The 300 Series Restart Button (below the reset button)

The top button (solid inverted triangle) is for resetting to factory defaults and its usage is discussed in Chapter 4, Resetting to Factory Defaults. The lower button (circular arrow) will immediately restart the 300 Series unit if it is pushed in momentarily but will not alter the current cOS Stream configuration. Note that all current traffic connections will be lost following a restart.

[Important] Important: Consider power surge protection

It is recommended to consider the purchase and use of a separate surge protection unit from a third party for the power connection to the NetShield 300 Series hardware. This is to ensure that the appliance is protected from damage by sudden external electrical power surges through the power cable.

Surge protection is particularly important in locations where there is a heightened risk of lightning strikes and/or power grid spikes.

Any surge protection unit should be installed exactly according to the manufacturer's instructions since correct installation of such units is vital for them to be effective.

Chapter 3: cOS Stream Configuration

[Tip] Tip: Upgrade to the latest cOS Stream version

A new 300 Series unit may not have the very latest cOS Stream version pre-installed. After the initial configuration described in this section, it is recommended to upgrade to the latest available version. The steps for upgrading are described in the separate cOS Stream Administration Guide.

3.1. The NetShield 300 Series Default Configuration

This section describes the predefined entries in the default cOS Stream configuration that are unique to the NetShield 300 Series.

Ethernet Interface DHCP settings

The NetShield 300 Series appliance comes with a default cOS Stream configuration with the following settings on the Ethernet interfaces:

  • The G1 interface has a DHCP server enabled. This means connecting clients will be automatically allocated an IP address by cOS Stream, providing the client has DHCP enabled on its connecting interface. Clients will also be allocated DNS server addresses if cOS Stream itself has received them from an ISP.

  • The G6 and S1 interfaces both have a DHCP client enabled. This means they can be automatically assigned an IP address if either is connected to an ISP. DNS server addresses can also be received by cOS Stream.

The Predefined IP Rule Set

The default configuration also contains a predefined IP rule set that allows traffic to flow from the G1 interface and its network to any other interfaces. The traffic will have NAT translation applied using the outgoing interface's IP as the source address. This means that protected clients on G1 will have predefined access to the Internet through S1, or alternatively G6 if S1 is not available.

The Predefined all-nets Routes

There is a predefined all-nets route for both the G6 and S1 interfaces. The S1 route has a lower value for its Metric property which means it will take precedence over G6 for Internet traffic if both are connected to an ISP. However, should the S1 connection become unavailable, cOS Stream will automatically route all-nets traffic through G6, providing redundancy.

Changing the Default Configuration

Note that there are no restrictions on how cOS Stream is configured in the NetShield 300 Series product or how the Ethernet interfaces are used. The administrator is free to change or delete any of the default configuration components.

3.2. CLI Access

The cOS Stream CLI is accessible using either of the following two methods:

  • Using the Local Console

    Using a management computer running a console emulator connected directly to the local console port on the NetShield 300 Series. This connection is described in Section 2.4, Local Console Port Connection.

    Initially, there is no requirement to enter any login credentials when accessing the CLI through the local console port. Local console access is controlled by a predefined configuration object called ComPortAccess. A password can be set by defining an appropriate AuthenticationProfile object and associating it with ComPortAccess.

  • Using a Network Connection

    Using an external management computer running an SSH (Secure Shell) client. The computer connects via its Ethernet interface across an IP network to the IPv4 address on the default management Ethernet interface. For the 300 Series, this default interface is G1.

    Setting up the physical network connection for the computer running the SSH client is described in Section 2.3, Management Computer Connection. Network access to the management CLI also needs to be enabled in cOS Stream using the local console CLI.

    First, enable the predefined RemoteMgmtSSH rule:

    Device:/> set RemoteManagement RemoteMgmtSSH RemoteMgmtSSH -enable

    Then the allowed interface and network must be set:

    Device:/> set RemoteManagement RemoteMgmtSSH RemoteMgmtSSH

    Authentication is controlled by the AuthProfile property of the RemoteMgmtSSH rule. By default, this is set to a predefined AuthenticationProfile object called MgmtAuthProfile.

Confirming the CLI Connection

Once connection is made to the CLI, pressing the Enter key should get a response from cOS Stream. The response will be a normal CLI prompt if connecting directly through the local console port and a username/password combination will not be required (a password for this console can be set later).
If connecting remotely through an SSH client, an administration username/password must first be entered and the initial default values for these are:
  • Username: admin

  • Password: admin

When these are accepted by cOS Stream, a normal CLI prompt will appear and CLI commands can be entered.

Changing the admin Password

It is strongly recommended to change the password of the admin user as the first task in cOS Stream setup. To do this, use the set command to change the current CLI object category (also referred to as the context) to be the LocalUserDatabase called AdminUsers.
Device:/> cc LocalUserDatabase AdminUsers

[Tip] Tip: Using tab completion with the CLI

The tab key can be pressed at any time so that cOS Stream gives a list of possible options in a command.

Next, set a new password for the administrator. Both are case sensitive. In the example below, the the password is set to the value my_new_password.

Device:/AdminUsers> set User admin Password=my_new_password

The next step is to return back to the default CLI context:

Device:/AdminUsers> cc

Setting the Date and Time

Many cOS Stream functions, such as event logging and certificate handling, rely on an accurate date and time. It is therefore important that this is set correctly using the time command. A typical usage of this command might be:
Device:/> time -set 2021-03-24 14:43:00
Notice that the date is entered in yyyy-mm-dd format and the time is stated in 24 hour hh:mm:ss format.

Ethernet Interfaces

Network connection to the firewall is via the various Ethernet interfaces provided by the 300 Series. On first-time startup, cOS Stream scans for all Ethernet interfaces, determines which are available then allocates their names.

All Ethernet interfaces are logically equal in cOS Stream and although their physical capabilities may be different, any interface can perform any logical function. One of the interfaces will be automatically assigned as the default management interface (this management interface can be changed later).

On the 300 Series, the default management interface is the G1 interface.

The management interface of the 300 Series is enabled as an IPv4 DHCP server and will automatically assign an IPv4 address to a connecting client. The interface is also enabled to send out IPv6 router advertisements so that a connecting IPv6 client can also receive its IPv6 address automatically.

Note that a DNS server address for clients is also usually automatically allocated. However, if the client interface is IPV6 only (not in dual-stack mode) then the DNS address will have to be manually assigned to the address object called WAN_ip6_dns.

3.3. Manual IPv4 Internet Connection Set Up

This section describes manually setting up public Internet access using the CLI and IPv4 addresses.

For the 300 Series, this section may be useful if the predefined DHCP client on the S1 or G6 interface is not used to automatically assign IP addresses for Internet connection.

For this setup, it will be assumed that the G2 interface will be used for connection to the public Internet and the G1 interface will be used for connection to an internal, local network. However, any of the available Ethernet interfaces could be used for these purposes.

The first step is to set up a number of IPv4 address objects. If the interface used for Internet connection is G2 then this will have the IP address which belongs to the network It is also assumed that the ISP gateway's IPv4 address is

[Note] Note

Each installation's IP addresses for Internet connection will be different from the example IP addresses used in this section.

Set the IP address of the G2 interface:

Device:/> set Address IPAddress G2_ip Address=

Also, set the network for this interface:

Device:/> set Address IPAddress G2_net Address=

In addition, it is recommended to set the broadcast IP address for the interface:

Device:/> set Address IPAddress G2_broadcast Address=

If the broadcast address is not set, it will take the default value of

It is recommended to verify the properties of the G2 interface with the following command:

Device:/> show Interface EthernetInterface G2

The typical output from this command will be similar to the following:

                     Property  Value
-----------------------------  --------------------
                        Name:  G2
             EthernetAddress:  0:<empty>  1:<empty>
                      HAType:  Critical
              MonitorTargets:  <empty>
                   Backplane:  No
              EthernetDevice:  0:G2  1:<empty>
            VLANOutboundPrio:  0
      VLANOutboundPrioPolicy:  Set (Set priority)
                   PrivateIP:  0:<empty>  1:<empty>
  RouterAdvertisementProfile:  DefaultProfile
                         MTU:  1500
                   IPAddress:  G2_ip
                IP4Broadcast:  G2_broadcast
      RoutingTableMembership:  <all>
SecurityEquivalentInterfaces:  <empty>
                     UseDHCP:  <empty>
                    Comments:  <empty>

Next, add an all-nets-ip4 route to the main routing table. This will route outgoing IPv4 Internet traffic through the G2 interface. This Route object must also specify the IP address of the ISPs gateway (the next router hop), so an IP address object needs to be created for this. If we call the object wan_gw, the command would be:

Device:/> add Address IPAddress wan_gw Address=

Now, create the route. This is done by changing the CLI context to be main routing table:

Device:/> cc RoutingTable main

Then, add the route to this routing table:

Device:/RoutingTable/main> add Route

Change back to the default context:

Device:/RoutingTable/main> cc

Even though an all-nets-ip4 route exists, no traffic can flow without the addition of at least one IPRule object to allow the flow. Assume that web browsing to the Internet is to be allowed from the protected network on the interface G1. To do this, add an IP rule called lan_to_wan.

A default cOS Stream IP rule set called main always exists by default. Change the CLI context to be this rule set:

Device:/> cc RuleSet IPRuleSet main

Now, add the required IPRule object:

Device:/IPRuleSet/main> add IPRule

This IP rule would be correct if the internal network hosts have public IPv4 addresses but in most scenarios this will not be true and internal hosts will have private IPv4 addresses. In that case, we must use NAT to send out traffic so that the apparent source IP address is the IP of the interface connected to the ISP. To do this, keep the Action property as Allow but add the SourceTranslation and SetSourceAddress properties to specify that NAT will be used and the address of the outgoing interface will be used as the source address:

Device:/IPRuleSet/main> add IPRule

The service used in the IP rule is http and this will allow basic web browsing. Note that this service does not include the HTTPS protocol, so a custom service will need to be created for HTTPS and then this is used in a new ServiceGroup object which will be associated with an IP rule.

The http service also does not include the DNS protocol to resolve URIs into IP addresses. For configuration clarity, it is recommended to create a separate IP rule for DNS:

Device:/IPRuleSet/main> add IPRule

Finally, change the CLI context back to the default context (this is sometimes called the root context):

Device:/IPRuleSet/main> cc

When adding IP rules later in this section, the changing between CLI contexts will not be explicitly stated. The context is indicated by the command prompt.

It is recommended that at least one DNS server is also defined in cOS Stream. This DNS server or servers (a maximum of three can be configured) will be used when cOS Stream itself needs to resolve URIs, which will be the case when a URI is specified in a configuration instead of an IP address. If we assume IP address objects called dns1_address and dns2_address have already been defined, the command to specify these as DNS servers is:

Device:/> set DNS DNSServers=dns1_address,dns2_address

Activating and Committing Changes

After any changes are made to a cOS Stream configuration, they will be saved as a new configuration but will not yet be activated. To activate all the configuration changes made since the last activation of a new configuration, the following command must be issued:
Device:/> activate
Although the new configuration is now activated, it does not become permanently activated until the following command is issued within 30 seconds following the activate:
Device:/> commit
The reason for two commands is to prevent a configuration accidentally locking out the administrator. If a lock-out occurs then the second command will not be received and cOS Stream will revert back to the original configuration after the 30 second time period (this time period is a setting that can be changed).

DHCP Server Setup

If the Clavister Firewall is to act as a DHCP server then this can be set up in the following way:

First, define an IPv4 address object with the address range that will be handed out. Here, we will use the IPv4 range - as an example and this range will be available on the G1 interface which is connected to the protected internal network:

Device:/> add Address IPAddress dhcp_range

A DHCPServerRule is now configured using this IP address object for the relevant interface. In this case the G1 interface:

Change the CLI context to be DHCPServer:

Device:/> cc DHCPServer

Add a DHCPServerRule object:

Device:/DHCPServer> add DHCPServerRule my_dhcp_clients

Change back to the default context:

Device:/DHCPServer> cc

It is assumed that the IP address object dns1_address for the DNS server was created previously.

It is important to specify the default gateway for the DHCP server since this will be handed out to DHCP clients on the internal network so that they know where to find the public Internet. The default gateway is always the IP address of the interface on which the DHCP server is configured. In this case, the address G1_ip.

NTP Server Setup

Network Time Protocol (NTP) servers can optionally be configured to maintain the accuracy of the system date and time. The following commands set up synchronization with the NTP server at IPv4 address
Device:/> set DateTime TimeSyncEnabled=Yes
Change to the DateTime context:
Device:/> cc DateTime
Add the time server:
Device:/DateTime> add TimeServer IP= Name=my_tsrv
Change back to the default (root) context:
Device:/DateTime> cc

Syslog Server Setup

Although logging may be enabled, no log messages are captured unless a server is set up to receive them and Syslog is the most common server type. If the Syslog server's address is then the command to create a log receiver object called my_syslog which enables logging is:
Device:/> add LogReceiverSyslog my_syslog IPAddress=

Allowing ICMP Ping Requests

As a further example of setting up IP rules, it can be useful to allow ICMP Ping requests to flow through the firewall. It should be remembered that cOS Stream will drop any traffic unless an IP rule explicitly allows it. Let us suppose that we wish to allow the pinging of external hosts on the Internet by computers on the internal network G1_net network.

To set this up, add an IPRule object called allow_ping_outbound. This will be done in the IPRuleSet/main CLI context:

Device:/IPRuleSet/main> add IPRule

The IP rule again has the NAT action and this is necessary if the protected local hosts have private IPv4 addresses. The ICMP requests will be sent out from the Clavister Firewall with the IP address of the interface connected to the ISP as the source interface. Responding hosts will send back ICMP responses to this single IP and cOS Stream will then forward the response to the correct private IP address.

Adding a Drop All Rule

Scanning of the IP rule set is done in a top-down fashion. If no matching IP rule is found for a new connection then the default rule is triggered. This rule is hidden and cannot be changed and its action is to drop all such traffic as well as generate a log message for the drop.

In order to gain control over the logging of dropped traffic, it is recommended to create a drop all rule as the last rule in the main IP rule set. This rule has an Action of Drop with the source and destination network set to all-nets and the source and destination interface set to any.

The service for this rule must also be specified and this should be set to all_services in order to capture all types of traffic. The command for creating this rule in the IPRuleSet/main CLI context is the following:

Device:/IPRuleSet/main> add IPRule

3.4. The Boot Menu

Entering the Boot Menu

When the 300 Series starts up, and before it has finished initializing, the startup process can be suspended and the boot menu entered by repeatedly pressing the Esc key on the keyboard of cOS Stream's local console (connecting this is described in Section 2.3, Management Computer Connection). The boot menu provides a number of options related to the loading of cOS Stream.

Boot Menu Options

The choices displayed in the boot menu are the following:

  1. Boot system <version-number>

    This will exit the boot menu and initialization of cOS Stream will resume.

  2. Boot-failure recovery

    The NetShield 300 Series will boot using its own internal system memory. cOS Stream will then run in a safe mode. This means the the system will function but only limited resources will be available. However, these resources are sufficient for cOS Stream to be used with a full CLI command set to troubleshoot problems.

  3. Reset system to factory default

    This restores both the current configuration and the cOS Stream version to the factory settings. Any cOS Stream version upgrades that have been installed will be lost.

    Using this option is discussed further in Chapter 4, Resetting to Factory Defaults. However, note this reset will only affect cOS Stream and will not reset the whole 300 Series system.

  4. Restore system default configuration

    This restores only the default configuration. No cOS Stream version upgrades that have been installed will be lost. This is the recommended option unless a full reset is required.

The boot menu is also discussed in the separate cOS Stream Administration Guide.

3.5. Setup Troubleshooting

This section deals with connection problems that might occur when connecting an external management computer to cOS Stream. It is assumed that the 300 Series system has been successfully powered up and initial management connection is first being attempted over a network to a physical Ethernet interface.

If the management Ethernet interface does not respond after the 300 Series has powered up and cOS Stream has started, the following steps can be used to help troubleshoot connection problems:

1. Check that the correct Ethernet interface is being used.

The most obvious problem is that the wrong Ethernet interface has been used for the initial connection. Only the first interface found by cOS Stream is will allow the initial management connection after cOS Stream starts for the first time.

2. Check that interface characteristics match.

If a firewall's Ethernet interface characteristics are configured manually then the interface on an external computer or switch to which it is connected should be configured with the same characteristics. For example, link speed settings should match. This problem will not occur if the interfaces are set for automatic configuration on both sides.

3. Check that the management computer IP/Network is configured correctly.

Check that the IP address and network of the management computer Ethernet interface is configured correctly so it can communicate with the management interface of the firewall.

4. Is the management interface properly connected?

Where relevant, check the link LED lights on the connected Ethernet interface. This can identify a cable problem.

5. Using the ifstat CLI command.

To investigate a connection problem further, connect a computer running console emulation software directly to the local console port on the firewall. Once cOS Stream has started, it should respond with the standard CLI prompt when the enter key is pressed. Now enter the following command once for each interface:

Device:/> ifstat <if-name>

Where <if-name> is the name of the management interface. This will display a number of counters for that interface. The ifstat command on its own can list the names of all the interfaces.

If the Input counters in the hardware section of the output are not increasing then the error is likely to be in the cabling. However, it may simply be that the packets are not getting to the firewall in the first place. This can be confirmed with a packet sniffer, if it is available.

If the Input counters are increasing, the management interface may not be attached to the correct physical network. There may also be a problem with the routing information in any connected hosts or routers.

6. Using the arpsnoop CLI command.

A diagnostic test to try with IPv4 connections is using the console command:

Device:/> arpsnoop all

This will display console messages that show all the ARP packets being received on the different interfaces and confirm that the correct cables are connected to the correct interfaces. To look at the ARP activity only a particular interface, follow the command with the interface name:

Device:/> arpsnoop <interface>

To switch snooping off, use the command:

Device:/> arpsnoop none

7. Check the management access rules for a network connection.

When connecting to the default management interface over a network connection, check that the management access rules are correctly configured to allow access through the interface and from the desired source IP range. These rules can be displayed with the CLI command:

Device:/> show RemoteManagement

3.6. Going Further with cOS Stream

After initial setup is complete, the administrator is ready to go further with configuring cOS Stream to suit the requirements of a particular networking scenario.

The primary reference documentation consists of:

  • cOS Stream Administrators Guide.
  • cOS Stream CLI Reference Guide.
  • cOS Stream Log Reference Guide.

Other available documents in PDF format are:

  • cOS Stream Data Collection Guide.
  • cOS Stream Use Case Guide
  • cOS Stream Statistics Reference Guide.
  • cOS Stream SNMP Trap Reference Guide.

In addition, each cOS Stream release has an associated Release Notes document that lists new features, fixes and known issues.

All documents can be downloaded in PDF format by logging into and going to the downloads for the relevant cOS Stream release. Alternatively, documentation for the latest cOS Stream release can be read in HTML format at

The cOS Stream Administrators Guide

This guide is a comprehensive description of all cOS Stream features and includes a detailed table of contents with a comprehensive index to quickly locate particular topics.

Examples of the setup for various scenarios are included but screenshots are kept to a minimum since the user has a variety of management interfaces to choose from.

Basic cOS Stream Objects and Rules

As a minimum, the new administrator should become familiar with the cOS Stream Address Book for defining IP address objects and the cOS Stream IP rule set for defining IP Rule objects which allow or block different traffic and which can also be used to set up NAT address translation.

IP rules identify the targeted traffic using combinations of the source/destination interface/network combined with protocol type. By default, no IP rules are defined so all traffic is dropped. At least one IP rule needs to be defined before traffic can traverse the Clavister Firewall.

In addition to rules, Route objects need to be defined in a Routing Table so that traffic can be sent on the correct interface to reach its final destination. Traffic will need both a relevant IP rule and route to exist in order for it to traverse the firewall.

VPN Setup

A common requirement is to quickly setup VPN networks based on Clavister Firewalls. The cOS Stream Administration Guide includes an extensive VPN section.

Included with the quick start section is a checklist for troubleshooting and advice on how best to deal with the networking complications that can arise with certificates.

Log Messages

By default, certain events will generate log messages and at least one log server should be configured in cOS Stream to capture these messages. The administrator should review what events are important to them and at what severity. The cOS Stream Log Reference Guide provides a complete listing of the log messages that cOS Stream is capable of generating.

The CLI Reference Guide

The CLI Reference Guide provides a complete listing of the available CLI commands with their options. A CLI overview and feature summary is also included as part of the cOS Stream Administration Guide.

cOS Stream Education Courses

For details about classroom and online cOS Stream education as well as cOS Stream certification, visit the Clavister company website at or contact your local sales representative.

Staying Informed

Notifications of new cOS Stream releases are sent out to the email address associated with MyClavister accounts. Email preferences can be adjusted by choosing the Settings option after logging into the relevant account at the following URL:

Chapter 4: Resetting to Factory Defaults

In some circumstances, it may be necessary to reset the NetShield 300 Series appliance to the state it was in when it left the factory and before it was delivered to a customer. This process is known as a reset to factory defaults or simply a factory reset.

[Caution] Caution: cOS Stream upgrades and current configuration are lost

Resetting to defaults means that the default cOS Stream configuration will be restored as well as the original version of cOS Stream that the product left the factory with. The will mean the following:

  • Any cOS Stream upgrades that have been performed since the product left the factory will be lost. An upgrade to a newer cOS Stream version must be repeated.

  • The current cOS Stream configuration will be lost but can be restored if a backup is available.

With the NetShield 300 Series, a reset can be done in one of the following ways:

  • Using the CLI

    The CLI can be used by connecting to one of the NetShield 300 Series's Ethernet interfaces using an SSH client over a network. A reset is performed by entering the following command:

    Device:/> backup -factoryreset

    Using this command is described further in the separate Administration Guide.

  • Using the Boot Menu

    The boot menu can be accessed through the local CLI console by repeatedly pressing the Esc key while cOS Stream is starting up. The resetting of Ethernet interface IP addresses will not affect the local console connection. The complete procedure is performed with the following steps:

    1. Make sure a separate management computer running as a console is attached to the local console port of the NetShield 300 Series.

    2. Power up the NetShield 300 Series unit. This may require a restart if the hardware is already powered up.

    3. As console output appears, repeatedly press the Esc key before cOS Stream has fully started.

    4. The boot menu will now be displayed on the console.

    5. Choose the Reset system to factory default option.

    Boot menu options are described further in Section 3.4, The Boot Menu and in the separate cOS Stream Administration Guide.

  • Performing a Reset Manually

    The 300 Series can be reset manually with the following steps:

    1. The progress of the reset can be followed using a local console connection. If that is required, open a console display window connected to the NetShield 300 Series local console port.

    2. While the unit is powered up, push in the recessed reset button on the unit with a suitable pointed tool and keep it pushed in. An opened paper-clip could be used for this.

      The button is located next to the power connector and is marked by an inverted solid triangle. It is above the restart button (both are shown below).

    3. Continue holding the button in for at least 10 seconds. The status LED will blink and when the blinking stops the reset is being performed.

    4. If a console was connected in step 1, the console output will indicate that the hardware has successfully been reset to its factory defaults.

    5. After completion of the reset, the NetShield 300 Series unit can now be set up again as though it had never been previously configured.

The 300 Series Reset Button (above the restart button)

Figure 4.1. The 300 Series Reset Button (above the restart button)

[Caution] Caution: Local console login credentials will be reset

The local console login credentials will be reset to the default values of username admin and password admin. Changing the cOS Stream admin user password as soon as possible is recommended.

Chapter 5: Warranty Service

Limitation of Warranty

Clavister warrants to the customer of the 300 Series Appliance that the Hardware components will be free from defects in material and workmanship under normal use for a period of two (2) years from the Start Date (as defined below). The warranty will only apply to failure of the product if Clavister is informed of the failure not later than two (2) years from the Start Date or thirty (30) days after that the failure was or ought to have been noticed by the customer.

The warranty will not apply to products from which serial numbers have been removed or to defects resulting from unauthorized modification, operation or storage outside the environmental specifications for the product, in-transit damage, improper maintenance, defects resulting from use of third-party software, accessories, media, supplies, consumables or such items not designed for use with the product, or any other misuse. Any replacement Hardware will be warranted for the remainder of the original warranty period or thirty days, whichever is longer.

Note that the term "Start Date" means the earlier of the product registration date OR ninety (90) days following the day of shipment by Clavister.

Obtaining Warranty Service with an RMA

Warranty service can be obtained within the warranty period with the following steps:

  1. Obtain a Return Material Authorization (RMA) Number from Clavister. This number must be obtained before the product is sent back.

    An RMA number can be obtained online by logging in to the Clavister website ( and selecting the Help Desk option.

  2. The defective unit should be packaged securely in the original packaging or other suitable shipping packaging to ensure that it will not be damaged in transit.

  3. The RMA number must be clearly marked on the outside of the package.

  4. The package is then shipped to Clavister with all the costs of mailing/shipping/insurance paid by the customer. The address for shipping is:

    Clavister AB
    Sjögatan 6J
    891 60 Örnsköldsvik

    If the product has not yet been registered with Clavister through its website, some proof of purchase (such as a copy of the dated purchase invoice) must be provided with the shipped product.

[Important] Important: An RMA Number must be obtained before shipping!

Any package returned to Clavister without an RMA number will be rejected and shipped back at the customer's expense. Clavister reserves the right in such a case to levy a reasonable handling charge in addition to mailing and/or shipping costs.

Data on the Hardware

Note that Clavister is not responsible for any of the software, firmware, information, or memory data contained in, stored on, or integrated with any product returned to Clavister pursuant to a warranty claim.

Contacting Clavister

Should there be a problem with the online form then Clavister support can be contacted by going to:

Customer Remedies

Clavister's entire liability according to this warranty shall be, at Clavister's option, either return of the price paid, or repair or replacement of the Hardware that does not meet Clavister's limited warranty and which is returned to Clavister with a copy of your receipt.

Limitations of Liability

Refer to the legal statement at the beginning of the guide for a statement of liability limitations.

Chapter 6: Safety Precautions

Safety Precautions

Clavister NetShield 300 Series devices are Safety Class I products and have protective ground terminals. There must be an uninterrupted safety earth ground from the main power source to the product’s input wiring terminals, power cord, or supplied power cord set. Whenever it is likely that the protection has been impaired, disconnect the power cord until the ground has been restored.

For LAN cable grounding:

  • If your LAN covers an area served by more than one power distribution system, be sure their safety grounds are securely interconnected.

  • LAN cables may occasionally be subject to hazardous transient voltage (such as lightning or disturbances in the electrical utilities power grid). Handle exposed metal components of the network with caution.

There are no user-serviceable parts inside these products. Only service-trained personnel can perform any adjustment, maintenance or repair.


Dessa produkter är säkerhetsklassade enligt klass I och har anslutningar för skyddsjord. En obruten skyddsjord måste finnas från strömkällan till produktens nätkabelsanslutning eller nätkabel. Om det finns skäl att tro att skyddsjorden har blivit skadad, måste produkten stängas av och nätkabeln avlägnas till dess att skyddsjorden har återställts.

För LAN-kablage gäller dessutom att:

  • Om LAN:et täcker ett område som betjänas av mer än ett strömförsörjningssystem måste deras respektive skyddsjord vara ihopkopplade.

  • LAN kablage kan vara föremål för farliga spänningstransienter (såsom blixtnedslag eller störningar i elnätet). Hantera metallkomponenter i förbindelse med nätverket med försiktighet.

Det finns inga delar i produkten som kan lagas av användaren. All service samt alla justeringar, underhåll eller reparationer får endast utföras av behörig personal.

Informations concernant la sécurité

Cet appareil est un produit de classe I et possède une borne de mise à la terre. La source d’alimentation principale doit être munie d’une prise de terre de sécurité installée aux bornes du câblage d’entree, sur le cordon d’alimentation ou le cordon de raccordement fourni avec le produit. Lorsque cette protection semble avoir été endommagée, débrancher le cordon d’alimentation jusqu’à ce que la mise à la terre ait été réparée.

Mise à la terre du câble de réseau local:

  • Si votre réseau local s’étend sur une zone desservie par plus d’un système de distribution de puissance, assurez-vous que les prises de terre de sécurité soint convenablement interconnectées.

  • Les câbles de réseaux locaux peuvent occasionnellement être soumis à des surtensions transitoires dangereuses (telles que la foudre ou des perturbations dans le réseau d’alimentation public). Manipulez les composants métalliques du réseau avec précautions.

Aucune pièce contenue à l’intérieur de ce produit ne peut être réparée par l’utilisateur. Tout dépannage, réglage, entretien ou réparation devra être confié exclusivement à un personnel qualifié.

Hinweise zur Sicherheit

Dies ist ein Gerät der Sicherheitsklasse I und verfügt über einen schützenden Erdungsterminal. Der Betrieb des Geräts erfordert eine ununterbrochene Sicherheitserdung von der Hauptstromquelle zu den Geräteingabeterminals, den Netzkabeln oder dem mit Strom belieferten Netzkabelsatz voraus. Sobald Grund zur Annahme besteht, dass der Schutz beeinträchtigt worden ist, das Netzkabel aus der Wandsteckdose herausziehen, bis die Erdung wiederhergestellt ist.

Für LAN-Kabelerdung:

  • Wenn Ihr LAN ein Gebiet umfasst, das von mehr als einem Stromverteilungssystem beliefert wird, müssen Sie sich vergewissern, dass die Sicherheitserdungen fest untereinander verbunden sind.

  • LAN-Kabel können gelegentlich gefährlichen Übergangsspannungen ausgesetz werden (beispielsweise durch Blitz oder Störungen in dem Starkstromnetz des Elektrizitätswerks). Bei der Handhabung exponierter Metallbestandteile des Netzwerkes Vorsicht walten lassen.

Dieses Gerät enthält innen keine durch den Benutzer zu wartenden Teile. Wartungs-, Anpassungs-, Instandhaltungs- oder Reparaturarbeiten dürfen nur von geschultem Bedieningspersonal durchgeführt werden.

Considerazioni sulla sicurezza

Questo prodotte è omologato nella classe di sicurezza I ed ha un terminale protettivo di collegamento a terra. Dev’essere installato un collegamento a terra di sicurezza, non interrompibile che vada dalla fonte d’alimentazione principale ai terminali d’entrata, al cavo d’alimentazione oppure al set cavo d’alimentazione fornito con il prodotto. Ogniqualvolta vi sia probabilità di danneggiamento della protezione, disinserite il cavo d’alimentazione fino a quando il collegaento a terra non sia stato ripristinato.

Per la messa a terra dei cavi LAN:

  • Se la vostra LAN copre un’area servita da più di un sistema di distribuzione elettrica, accertatevi che i collegamenti a terra di sicurezza siano ben collegati fra loro;

  • I cavi LAN possono occasionalmente andare soggetti a pericolose tensioni transitorie (ad esempio, provocate da lampi o disturbi nella griglia d’alimentazione della società elettrica); siate cauti nel toccare parti esposte in metallo della rete.

Nessun componente di questo prodotto può essere riparato dall’utente. Qualsiasi lavoro di riparazione, messa a punto, manutenzione o assistenza va effettuato esclusivamente da personale specializzato.

Consideraciones sobre seguridad

Este aparato se enmarca dentro de la clase I de seguridad y se encuentra protegido por una borna de puesta a tierra. Es preciso que exista una puesta a tierra continua desde la toma de alimentacíon eléctrica hasta las bornas de los cables de entrada del aparato, el cable de alimentación hasta haberse subsanado el problema.

Puesta a tierra del cable de la red local (LAN):

  • Si la LAN abarca un área cuyo suministro eléctrico proviene de más de una red de distribución de electricidad, cerciorarse de que las puestas a tierra estén conectadas entre sí de modo seguro.

  • Es posible que los cables de la LAN se vean sometidos de vez en cuando a voltajes momentáneos que entrañen peligro (rayos o alteraciones en la red de energía eléctrica). Manejar con precaución los componentes de metal de la LAN que estén al descubierto.

Este aparato no contiene pieza alguna susceptible de reparación por parte del usuario. Todas las reparaciones, ajustes o servicio de mantenimiento debe realizarlos solamente el técnico.

Appendix A: NetShield 300 Series Specifications

Dimensions and Weight

Height x Width x Depth (mm) 44 x 270 x 160
Hardware Unit Weight 1.35 kg
Hardware Form Factor Desktop
19-inch Rack Mountable Yes, using rack mount kit
MTBF 37,469 hours @ 20° C

Regulatory and Safety Standards

Safety CE, UL


Operating and Storage Humidity 0% to 95% (non-condensing)
Operating Temperature 5 to 35° C

Power Specifications

Rated Power Supply Input 100-240 VAC, 50-60 Hz, 1.2 A
Rated Power Supply Output 12 VDC, 3.34A, 40W
Maximum Power Consumption 19.5W
Typical Current 0.09A @AC input (0.1A at load)
BTU 80 BTU (at load)

Ethernet Interface Support

Gigabit RJ45 interfaces Automatic MDI-X
1000BASE-T (copper RJ45 100m)
100BASE-TX (copper RJ45 100m)
10BASE-T (copper RJ45 100m)
SFP interfaces 1000BASE-SX (multi-mode 550m)
1000BASE-LX (single-mode 10,40,80km)
1000BASE-T (copper RJ45 100m)
Note that only Clavister supplied SFP modules have been tested to function correctly with the 300 Series.

For more information about Clavister products, go to: