NetShield 500 Series Getting Started Guide


Table of Contents

1. NetShield 500 Series Overview
1.1. Unpacking
1.2. Interfaces and Ports
1.3. Hardware Sensor Monitoring
2. Installation
2.1. General Installation Guidelines
2.2. Flat Surface and Rack Installation
2.3. Management Computer Connection
2.4. RJ45 Console Port Connection
2.5. Micro-USB Console Port Connection
2.6. Connecting Power
3. cOS Stream Configuration
3.1. The NetShield 500 Series Default Configuration
3.2. CLI Access
3.3. Manual IPv4 Internet Connection Set Up
3.4. The Boot Menu
3.5. Setup Troubleshooting
3.6. Going Further with cOS Stream
4. Power over Ethernet Setup
5. Resetting to Factory Defaults
6. Warranty Service
7. Safety Precautions
A. 500 Series Specifications

Chapter 1: NetShield 500 Series Overview

[Note] Note: This document is also available in other formats

A PDF version of this document along with all current and older documentation in PDF format can be found at https://my.clavister.com.

It is also available in a framed HTML version.

[Important] Important: Only cOS Stream version 3.90.00 or later is supported

The NetShield 500 Series hardware can run any cOS Stream version from 3.90.00 onwards. Earlier versions are not supported and a downgrade should not be attempted.

1.1. Unpacking

An Unpacked NetShield 500 Series Unit

Figure 1.1. An Unpacked NetShield 500 Series Unit

This section details the unpacking of a single NetShield 500 Series device. Open the packaging box used for shipping and carefully unpack the contents. The packaging should contain the following:

  • The NetShield 500 Series appliance.

  • Power cable.

  • Single power adapter.

  • Basic rack mount kit.

Note that the NetShield 500 Series is capable of having two power adapters connected for redundancy. As standard, the product comes with only a single power adapter. A second adapter can be ordered separately from a Clavister sales office. An alternative rack mount kit that provides supporting shelves for PSUs is also available from Clavister as an option and this is described further in Section 2.2, Flat Surface and Rack Installation.

[Note] Note: Report any items that are missing

If any items are missing from the packaging, please contact your sales office.

Support Agreements

All purchasers of a new NetShield hardware product must also subscribe to one of the available cOS Stream support agreements. These provide access to cOS Stream updates and provide a hardware replacement service in the event of a hardware fault. The terms of warranty are described in Chapter 6, Warranty Service, along with a description of the hardware replacement procedure.

The Cold Standby Service

To ensure maximum uptime, a Cold Standby (CSB) Service is available from Clavister as an addition to certain cOS Stream support agreements. This service allows a second, identical NetShield 500 Series unit to be purchased at a discount so that it can quickly substitute for the original unit in case of failure, with the ability to quickly reassign the original cOS Stream license to the standby unit. When the faulty unit is returned to Clavister, a new cold standby unit is immediately sent back.

Downloading NetShield 500 Series Resources

All documentation, version upgrades and other resources for the NetShield 500 Series can be downloaded from the Clavister website after logging into the relevant MyClavister account.

Contacting Clavister Product Support

Clavister customer support can be contacted by logging into https://my.clavister.com and reporting an issue online. Alternatively, the direct support telephone number is +46 (0)660-29 77 55 (answered 24/7). Sales enquiries should be directed to the head office number +46 (0)660-29 92 00 or a local sales office during the relevant business hours.

End of Life Disposal

The NetShield 500 Series appliance is marked with the European Waste Electrical and Electronic Equipment (WEEE) directive symbol which is shown below.

The product, and any of its parts, should not be discarded using a regular refuse disposal method. At end-of-life, the product and parts should be given to an appropriate service that deals with the disposal of such specialist materials.

[Warning] WARNING: REPLACE INTERNAL BATTERIES CORRECTLY

THERE IS A RISK OF EXPLOSION IF AN INTERNAL BATTERY IS REPLACED WITH THE INCORRECT TYPE. DISPOSE OF ANY USED INTERNAL BATTERIES APPROPRIATELY.

1.2. Interfaces and Ports

This section is an overview of the NetShield 500 Series product's external connectivity options.

NetShield 500 Series Interfaces and Ports

Figure 1.2. NetShield 500 Series Interfaces and Ports

[Note] Note: The meaning of the terms "Front" and "Back"

The term "Front" will be used in this guide to refer to the side of the 500 Series that has the Ethernet ports and the term "Back" to the side that has the status lights.

The NetShield 500 Series features the following connection ports on the front panel:

  • An RJ45 RS-232 local console port

    This port (marked |O|O|) can used for direct access to the cOS Stream Boot Menu and the cOS Stream Command Line Interface (CLI). Connecting to this port is described in Section 2.4, RJ45 Console Port Connection.

  • A micro-USB (type micro-B) local console port

    This port (also marked |O|O|) provides an alternative means for a local console connection. Like the RJ45 console port, this is used for direct access to the cOS Stream Boot Menu and the cOS Stream Command Line Interface (CLI). Connection to this port is discussed in Section 2.5, Micro-USB Console Port Connection.

    If local console connections are made to the RJ45 and micro-USB ports at the same time, the micro-USB port will automatically take precedence.

  • 4 x RJ45 Gigabit Ethernet interface ports

    These ports have sequential logical cOS Stream interface names from G1 to G4. They all support 10BaseT, 100BaseTx and 1000BaseT.

    The G1 interface is used for initial management connection over a network. The G4 interface is intended to be used for the initial connection to the public Internet because it has a DHCP client enabled in the default configuration.

  • 2 x 10 Gigabit SFP+ Ethernet interfaces ports

    These ports have the logical cOS Stream interface names X1 and X2. They both support 10 Gigabit Enhanced Small Form-factor Pluggable (SFP+) modules.

    The X1 interface could be used for the initial connection to the public Internet as an alternative to G4 since it also has a DHCP client enabled in the default configuration.

    Note that only the SFP+ modules available from Clavister have been tested to function correctly with the 500 Series hardware. Clavister cannot guarantee that others will function correctly.

  • 2 x RJ45 Gigabit Ethernet interface ports with PoE

    The two right-most ports have logical cOS Stream interface names G5 and G6. They both support 10BaseT, 100BaseTx and 1000BaseT.

    These ports are also capable of providing Power over Ethernet (PoE). This is discussed further in Chapter 4, Power over Ethernet Setup.

In the predefined default cOS Stream configuration, the G1 interface of the NetShield 500 Series has an IPv4 DHCP server enabled so it will automatically hand out IP addresses belonging to the default management network to a connecting client. In addition, both the G4 and X1 interfaces have an IPv4 DHCP client enabled so that they can automatically be assigned an IP address if either or both are connected to an ISP (dual connection can provide redundancy).

The default cOS Stream configuration contains a predefined IP rule set that allows clients on the G1 interface to automatically access the Internet via either G4 or X1. If both interfaces provide Internet access, X1 will take precedence because its predefined all-nets route has a lower metric value.

The default cOS Stream configuration is discussed further in Section 3.1, The NetShield 500 Series Default Configuration.

[Note] Note: The two USB Type A ports are not currently used

The two USB Type A ports on the 500 Series front panel are for future functionality and are not currently used by cOS Stream.

NetShield 500 Series Ethernet Interfaces

Figure 1.3.  NetShield 500 Series Ethernet Interfaces

The full connection capabilities of all the NetShield 500 Series Ethernet interfaces are listed at the end of Appendix A, 500 Series Specifications.

RJ45 Ethernet Interface Status LEDs

The status lights on the NetShield 500 Series RJ45 Ethernet interface sockets indicate the following states for each interface:

  • Left LED:

    1. Solid Green - The interface has power.
    2. Flashing Green - The interface is active.
  • Right LED:

    1. Dark - 10 Mbit link or no link.
    2. Green - 100 Mbit link.
    3. Yellow - 1000 Mbit link.

System Status Indicator LEDs

The two status LEDs on the 500 Series indicate the following:

  • Power - This shows power is supplied to the unit.

  • Status - This shows that cOS Stream is running.

Note that there is a power status light above both power inlets on the 500 series which indicates if power is applied to that inlet.

1.3. Hardware Sensor Monitoring

The NetShield 500 Series is equipped with sensors that provide cOS Stream with information about operational parameters such as CPU temperature. This information is available to the administrator through the cOS Stream management interfaces.

In addition, log message alerts can be automatically generated if a sensor reaches a value outside of its normal operational range.

Configuring this feature, as well as a list of all the sensors available on each Clavister hardware model and their normal ranges, can be found in the Hardware Monitoring section of the separate cOS Stream Administration Guide.

Chapter 2: Installation

2.1. General Installation Guidelines

Follow these general guidelines when installing the NetShield 500 Series appliance:

  • Safety

    Take notice of the safety guidelines laid out in Chapter 7, Safety Precautions. These are specified in multiple languages.

  • Power

    Make sure that the power source circuits are properly grounded and then use the power cord supplied with the appliance to connect it to the power source.

  • Using Other Power Cords

    If your installation requires a different power cord than the one supplied with the appliance, be sure to use a cord displaying the mark of the safety agency that defines the regulations for power cords in your country. Such marks are an assurance that the cord is safe.

  • Power Overload

    Ensure that the appliance does not overload the power circuits, wiring and over-current protection.

    To determine the possibility of overloading the supply circuits, add together the ampere ratings of all devices installed on the same circuit as the appliance and compare the total with the rating limit for the circuit. The maximum ratings for the 500 Series are listed in Appendix A, 500 Series Specifications.

  • Surge Protection

    A third party surge protection device should be considered and is strongly recommended as a means to prevent electrical surges reaching the appliance. This is mentioned again in Section 2.6, Connecting Power.

  • Temperature

    Do not install the appliance in an environment where the ambient temperature during operation might fall outside the specified operating range. This range is documented in Appendix A, 500 Series Specifications.

    The intended operating temperature range is "room temperature". That is to say, the temperature most commonly found in a modern office and in which humans feel comfortable. This is usually considered to be between 20 and 25 degrees Celsius (68 to 77 degrees Fahrenheit). Special rooms for computer equipment may use a lower range and this is also acceptable.

  • Airflow

    Make sure that airflow around the appliance is not restricted.

  • Dust

    Do not expose the appliance to environments with elevated dust levels.

[Note] Note: The specifications appendix provides more details

Detailed information concerning power supply range, operating temperature range and other operating details can be found at the end of this document in Appendix A, 500 Series Specifications.

2.2. Flat Surface and Rack Installation

The NetShield 500 Series can be mounted on any appropriate stable, flat, level surface that can safely support the weight of the appliance and its attached cables.

[Important] Important: Always leave space around the appliance

Always ensure there is adequate space around the appliance for ventilation and for easy access to switches and cable connectors. No objects should be placed on top of the casing.

The NetShield 500 Series can also be rack mounted in a standard 19-inch rack using the kit that is included with the appliance. The kit is installed by attaching the two side-brackets, as shown below.

NetShield 500 Series Rack Mount Kit Attachment

Figure 2.1. NetShield 500 Series Rack Mount Kit Attachment

Once the brackets are firmly attached on either side, the unit can be mounted in a rack. Rear support is not required.

NetShield 500 Series Ready For Rack Mounting

Figure 2.2. NetShield 500 Series Ready For Rack Mounting

Note that the brackets could instead be attached to the other side of the unit, as shown below.

NetShield 500 Series Ready For Rack Mounting

Figure 2.3. NetShield 500 Series Ready For Rack Mounting

A different, optional kit is available from Clavister with shelf support for a single or a pair of PSUs. The image below shows how this kit is attached on each side.

NetShield 500 Series Rack Mount Kit Attachment With PSU Support

Figure 2.4. NetShield 500 Series Rack Mount Kit Attachment With PSU Support

Once the kit has been attached, PSUs can be placed on the shelf on either side of the unit with nylon ties securing them in place, as shown below.

NetShield 500 Series Ready For Rack Mounting With PSU Support

Figure 2.5. NetShield 500 Series Ready For Rack Mounting With PSU Support

2.3. Management Computer Connection

cOS Stream Starts After Power Up

It is assumed that the NetShield 500 Series unit is now unpacked, positioned correctly and power is applied. If not, the earlier chapters in this guide should be referred to before continuing.

Clavister's cOS Stream software is preloaded on the NetShield 500 Series and will automatically boot up after power is applied. After the start-up sequence is complete, an external management computer can be used to configure cOS Stream.

cOS Stream Access Methods for Setup

Initial cOS Stream software configuration can be done in one of the following ways:

  • Using CLI commands across a network connection

    The setup process can be performed using CLI commands which are input into a remote management computer running an SSH client. The management computer is linked across a network to an Ethernet interface on the firewall.

    Once a network link to the CLI has been established, the manual configuration steps using the CLI are described in Section 3.2, CLI Access.

  • Using CLI commands via the local console

    Alternatively, CLI access is possible using console emulation software running on an external computer connected directly to a local console port on the 500 Series hardware. Direct local console connection is described in Section 2.4, RJ45 Console Port Connection and Section 2.5, Micro-USB Console Port Connection (either is possible).

    In the default NetShield 500 Series configuration, no login credentials are enabled for the local console.

The Default Management Ethernet Interface

After first-time startup, cOS Stream automatically makes network management access available on a single predefined Ethernet interface and assigns to it the private IPv4 address 192.168.1.1 and network 192.168.1.0/24. In addition, this interface has a DHCP server enabled. This means that any DHCP client that connects can be automatically assigned a private IPv4 address so it can communicate with the firewall.

For the NetShield 500 Series, the physical default management Ethernet interface is G1.

This network connection could be made via a local switch using standard Ethernet cables, as shown in the illustration below.

Direct local Ethernet connection to the G1 interface can be done without a switch by using a suitable crossover cable. However, all the RJ45 interfaces on the NetShield 500 Series support Automatic MDI-X so a crossover cable is not necessary.

Connection to an ISP for Internet Access

For access to the public Internet, another 500 Series Ethernet interface should be selected for connection to an ISP. For example, G4 could be selected, although any other available interface could be used instead.

Note that in the default cOS Stream configuration for the NetShield 500 Series, the G4 and X1 interfaces already have a DHCP client enabled so an IP addresses can be automatically assigned by an ISP on connection.

[Tip] Tip: Connect the Internet before the management computer

If the G4 or X1 interface is connected to an ISP before the management computer is connected to the G1 interface, DNS addresses for resolving URIs will be received from the ISP and then relayed in the DHCP lease sent to a connecting management computer.

If the management computer is connected first, it may get its IP assigned by the firewall with a DHCP lease that will not contain DNS addresses and the lease lifetime will be 24 hours. Renewing the lease, for example with a management computer restart, may be necessary to get DNS addresses after they are received on the G4 or X1 interface. Alternatively, DNS addresses could be entered into the management computer manually.

Management Computer Ethernet Interface Setup

The only requirement for the Ethernet interface used for connection on the management computer is that DHCP is enabled. cOS Stream automatically enables a DHCP server on the firewall's G1 interface and this will allocate the relevant IP address to the management computer using DHCP.

If the management computer is configured manually, the following settings could be used:

  • IP address: 192.168.1.30

  • Subnet mask: 255.255.255.0

  • Default gateway: 192.168.1.1

[Tip] Tip: Using another management interface IP address

The IPv4 address assigned to the management computer's Ethernet interface could be any address from the 192.168.1.0/24 network. However, the IP chosen must be different from 192.168.1.1 which is used by cOS Stream's default management interface.

2.4. RJ45 Console Port Connection

The local console port allows direct management connection to the NetShield 500 Series unit from an external computer acting as a console terminal. This local console access can then be used for both management of cOS Stream with CLI commands or to enter the boot menu in order to access firmware loader options. The boot menu is described further in the separate cOS Stream Administration Guide.

The local console port is the physical RJ45 RS-232 port on the left-hand side of the NetShield 500 Series's connector panel and is marked |O|O|.

NetShield 500 Series RJ45 Local Console Port Connection

Figure 2.6. NetShield 500 Series RJ45 Local Console Port Connection

Note that the NetShield 500 Series has both an RJ45 console port and a micro-USB port (described in Section 2.5, Micro-USB Console Port Connection). Both can be used but if both are connected then the micro-USB port will automatically take precedence.

Requirements for NetShield 500 Series Local Console Connection

To get management access via the local console port, the following is needed:

  • An external computer with a serial port and the ability to emulate a console terminal (for example, using the open source puTTY software).
  • The terminal console should have the following settings:

    1. 115,200 bps.
    2. No parity.
    3. 8 bits.
    4. 1 stop bit.
    5. No flow control.

  • An RS-232 cable with appropriate terminating connectors.

Connection Steps

To connect a terminal to the local console port, perform the following steps:

  1. Check that the console connection settings are configured as described above.

  2. Connect one of the connectors on the cable directly to the local console port on the 500 Series.

  3. Connect the other end of the cable to a console terminal or to the serial connector of a computer running console emulation software.

Remote Console Connection Using SSH

An alternative to using the local console port for CLI access is to connect remotely over a network via a physical Ethernet interface and using a Secure Shell (SSH) client on the management computer to issue CLI commands. This is discussed further in Section 2.3, Management Computer Connection.

2.5. Micro-USB Console Port Connection

The local console port allows direct management connection to the 500 Series hardware from an external computer acting as a console terminal. Local console access can then be used for both management of cOS Stream with CLI commands or to enter the boot menu in order to access 500 Series firmware loader options. The boot menu is described further in the separate cOS Stream Administration Guide.

There is a physical micro-USB port (type micro-B) on the 500 Series hardware that allows local console connection. This is an alternative to using the RJ45 local console port on the appliance (described in Section 2.4, RJ45 Console Port Connection). However, the micro-USB port will automatically take precedence if both are connected.

The NetShield 500 Series Micro-USB Local Console Port

Figure 2.7. The NetShield 500 Series Micro-USB Local Console Port

Connection Steps

To connect a computer to the micro-USB local console port, perform the following steps:

  1. Connect a micro-USB connector directly to the local console port on the 500 Series.

  2. Connect the other end of the cable to a USB port on computer running console emulation software.

  3. After connection to a PC, Windows will try to recognize the device and automatically install the appropriate driver through the Windows Update™ feature. If Windows is unable to do this automatically, the driver should be downloaded and installed manually.

    To download micro-USB drivers manually, log into the relevant MyClavister account at https://my.clavister.com and go to Downloads > Tools & Utilities.

  4. Direct the terminal emulator on the computer to connect to the newly installed device. After successful connection, commands can be issued to the cOS Stream Command Line Interface (CLI).

Issuing CLI Commands

CLI commands can be issued via the local console port for both initial cOS Stream setup as well as for ongoing system administration.

Remote Console Connection Using SSH

An alternative to using the local console port for CLI access is to connect over a network via a physical Ethernet interface and using a Secure Shell (SSH) client on the management computer to issue CLI commands. This is discussed further in Section 2.3, Management Computer Connection.

2.6. Connecting Power

This section describes connecting power. As soon as power is applied, the NetShield 500 Series will boot-up and cOS Stream will start.

[Important] Important: Review the safety information

Before connecting power, please review the electrical safety information found in Chapter 7, Safety Precautions.

Front View of a NetShield 500 Series Unit

Figure 2.8. Front View of a NetShield 500 Series Unit

Note that the NetShield 500 Series is capable of having two power adapters connected for redundancy through the power inlets labeled DC1 and DC2. As standard, the product comes with only a single power adapter. A second, optional adapter can be purchased as a separate item.

Note that there is a power status light above both power inlets on the 500 Series which indicates if power is applied to that inlet.

Connecting AC Power

To connect power, follow these steps:

  1. Connect the end of the power adapter's power cord to the power inlet on the NetShield 500 Series. The 500 Series has a threaded connector which must be screwed firmly in place to prevent the power cable accidentally detaching.
  1. Plug the power adapter into a suitable AC power outlet.

  1. If a second power adapter is used for redundancy, the procedure for inserting the power cable should be repeated for this second power supply.

  1. The NetShield 500 Series has a push-button On/Off switch. The 500 Series will boot up as soon as power is applied and cOS Stream will start. The progress of the process can be seen on a CLI console connected to the local console port.

  1. After a brief period of time, cOS Stream will be fully initialized and the NetShield 500 Series is then ready for configuration using a direct console connection or via a network connection to the default management Ethernet interface.

    Initial cOS Stream configuration is described in Chapter 3, cOS Stream Configuration..

[Important] Important: Consider power surge protection

It is recommended to consider the purchase and use of a separate surge protection unit from a third party for the power connection to the NetShield 500 Series hardware. This is to ensure that the appliance is protected from damage by sudden external electrical power surges through the power cable.

Surge protection is particularly important in locations where there is a heightened risk of lightning strikes and/or power grid spikes.

Any surge protection unit should be installed exactly according to the manufacturer's instructions since correct installation of such units is vital for them to be effective.

Chapter 3: cOS Stream Configuration

[Tip] Tip: Upgrade to the latest cOS Stream version

A new 500 Series unit may not have the very latest cOS Stream version pre-installed. After the initial configuration described in this section, it is recommended to upgrade to the latest available version. The steps for upgrading are described in the separate cOS Stream Administration Guide.

3.1. The NetShield 500 Series Default Configuration

This section describes the predefined entries in the default cOS Stream configuration that are unique to the NetShield 500 Series.

Ethernet Interface DHCP settings

The NetShield 500 Series appliance comes with a default cOS Stream configuration with the following settings on the Ethernet interfaces:

  • The G1 interface has a DHCP server enabled. This means connecting clients will be automatically allocated an IP address by cOS Stream, providing the client has DHCP enabled on its connecting interface. Clients will also be allocated DNS server addresses if cOS Stream itself has received them from an ISP.

  • The G4 and X1 interfaces both have a DHCP client enabled. This means they can be automatically assigned an IP address if either is connected to an ISP. DNS server addresses can also be received by cOS Stream.

The Predefined IP Rule Set

The default configuration also contains a predefined IP rule set that allows traffic to flow from the G1 interface and its network to any other interfaces. The traffic will have NAT translation applied using the outgoing interface's IP as the source address. This means that protected clients on G1 will have predefined access to the Internet through X1, or alternatively G4 if X1 is not available.

The Predefined all-nets Routes

There is a predefined all-nets route for both the G4 and X1 interfaces. The X1 route has a lower value for its Metric property which means it will take precedence over G4 for Internet traffic if both are connected to an ISP. However, should the X1 connection become unavailable, cOS Stream will automatically route all-nets traffic through G4, providing redundancy.

Changing the Default Configuration

Note that there are no restrictions on how cOS Stream is configured in the NetShield 500 Series product or how the Ethernet interfaces are used. The administrator is free to change or delete any of the default configuration components.

3.2. CLI Access

The cOS Stream CLI is accessible using either of the following two methods:

  • Using the Local Console

    Using a management computer running a console emulator connected directly to the local console port on the NetShield 500 Series. This connection is described in Section 2.4, RJ45 Console Port Connection and Section 2.5, Micro-USB Console Port Connection.

    Initially, there is no requirement to enter any login credentials when accessing the CLI through the local console port. Local console access is controlled by a predefined configuration object called ComPortAccess. A password can be set by defining an appropriate AuthenticationProfile object and associating it with ComPortAccess.

  • Using a Network Connection

    Using an external management computer running an SSH (Secure Shell) client. The computer connects via its Ethernet interface across an IP network to the IPv4 address 192.168.1.1 on the default management Ethernet interface. For the 500 Series, this default interface is G1.

    Setting up the physical network connection for the computer running the SSH client is described in Section 2.3, Management Computer Connection. Network access to the management CLI also needs to be enabled in cOS Stream using the local console CLI.

    First, enable the predefined RemoteMgmtSSH rule:

    Device:/> set RemoteManagement RemoteMgmtSSH RemoteMgmtSSH -enable

    Then the allowed interface and network must be set:

    Device:/> set RemoteManagement RemoteMgmtSSH RemoteMgmtSSH
    			SourceInterface=G1
    			SourceNetwork=G1_net

    Authentication is controlled by the AuthProfile property of the RemoteMgmtSSH rule. By default, this is set to a predefined AuthenticationProfile object called MgmtAuthProfile.

Confirming the CLI Connection

Once connection is made to the CLI, pressing the Enter key should get a response from cOS Stream. The response will be a normal CLI prompt if connecting directly through the local console port and a username/password combination will not be required (a password for this console can be set later).
Device:/> 
If connecting remotely through an SSH client, an administration username/password must first be entered and the initial default values for these are:
  • Username: admin

  • Password: admin

When these are accepted by cOS Stream, a normal CLI prompt will appear and CLI commands can be entered.

Changing the admin Password

It is strongly recommended to change the password of the admin user as the first task in cOS Stream setup. To do this, use the set command to change the current CLI object category (also referred to as the context) to be the LocalUserDatabase called AdminUsers.
Device:/> cc LocalUserDatabase AdminUsers
Device:/AdminUsers> 

[Tip] Tip: Using tab completion with the CLI

The tab key can be pressed at any time so that cOS Stream gives a list of possible options in a command.

Next, set a new password for the administrator. Both are case sensitive. In the example below, the the password is set to the value my_new_password.

Device:/AdminUsers> set User admin Password=my_new_password

The next step is to return back to the default CLI context:

Device:/AdminUsers> cc
Device:/> 

Setting the Date and Time

Many cOS Stream functions, such as event logging and certificate handling, rely on an accurate date and time. It is therefore important that this is set correctly using the time command. A typical usage of this command might be:
Device:/> time -set 2021-03-24 14:43:00
Notice that the date is entered in yyyy-mm-dd format and the time is stated in 24 hour hh:mm:ss format.

The Management Ethernet Interface

Network connection to the firewall is via the various Ethernet interfaces provided by the 500 Series. On first-time startup, cOS Stream scans for all Ethernet interfaces, determines which are available then allocates their names.

All Ethernet interfaces are logically equal in cOS Stream and although their physical capabilities may be different, any interface can perform any logical function. One of the interfaces will be automatically assigned as the default management interface (this management interface can be changed later). This is the G1 interface on the 500 Series.

On the 500 Series, this default management interface is enabled as an IPv4 DHCP server and will automatically assign an IPv4 address to a connecting client. The interface is also enabled to send out IPv6 router advertisements so that a connecting IPv6 client can be assigned an IPv6 address automatically.

Note that a DNS server address for clients is also usually automatically allocated. However, if the client interface is IPV6 only (not in dual-stack mode) then the DNS address will have to be manually assigned to the address object called WAN_ip6_dns.

3.3. Manual IPv4 Internet Connection Set Up

This section describes manually setting up public Internet access using the CLI and IPv4 addresses.

For the 500 Series, this section may be useful if the predefined DHCP client on the G4 or X1 interface is not going to be automatically assigned IP addresses by an ISP for Internet connection.

For this setup, it will be assumed that the G2 interface will be used for connection to the public Internet and the G1 interface will be used for connection to an internal, local network. However, any of the available Ethernet interfaces could be used for these purposes.

The first step is to set up a number of IPv4 address objects. If the interface used for Internet connection is G2 then this will have the IP address 203.0.113.10 which belongs to the network 203.0.113.0/24. It is also assumed that the ISP gateway's IPv4 address is 203.0.113.1.

[Note] Note

Each installation's IP addresses for Internet connection will be different from the example IP addresses used in this section.

Set the IP address of the G2 interface:

Device:/> set Address IPAddress G2_ip Address=203.0.113.10

Also, set the network for this interface:

Device:/> set Address IPAddress G2_net Address=203.0.113.0/24

In addition, it is recommended to set the broadcast IP address for the interface:

Device:/> set Address IPAddress G2_broadcast Address=203.0.113.255

If the broadcast address is not set, it will take the default value of 127.0.2.255.

It is recommended to verify the properties of the G2 interface with the following command:

Device:/> show Interface EthernetInterface G2

The typical output from this command will be similar to the following:

                     Property  Value
-----------------------------  --------------------
                        Name:  G2
             EthernetAddress:  0:<empty>  1:<empty>
                      HAType:  Critical
              MonitorTargets:  <empty>
                   Backplane:  No
              EthernetDevice:  0:G2  1:<empty>
            VLANOutboundPrio:  0
      VLANOutboundPrioPolicy:  Set (Set priority)
                   PrivateIP:  0:<empty>  1:<empty>
  RouterAdvertisementProfile:  DefaultProfile
                         MTU:  1500
                   IPAddress:  G2_ip
                IP4Broadcast:  G2_broadcast
      RoutingTableMembership:  <all>
SecurityEquivalentInterfaces:  <empty>
                     UseDHCP:  <empty>
                    Comments:  <empty>

Next, add an all-nets-ip4 route to the main routing table. This will route outgoing IPv4 Internet traffic through the G2 interface. This Route object must also specify the IP address of the ISPs gateway (the next router hop), so an IP address object needs to be created for this. If we call the object wan_gw, the command would be:

Device:/> add Address IPAddress wan_gw Address=203.0.113.1

Now, create the route. This is done by changing the CLI context to be main routing table:

Device:/> cc RoutingTable main

Then, add the route to this routing table:

Device:/RoutingTable/main> add Route
			Interface=G2
			Network=all-nets-ip4
			Gateway=wan_gw

Change back to the default context:

Device:/RoutingTable/main> cc
Device:/> 

Even though an all-nets-ip4 route exists, no traffic can flow without the addition of at least one IPRule object to allow the flow. Assume that web browsing to the Internet is to be allowed from the protected network on the interface G1. To do this, add an IP rule called lan_to_wan.

A default cOS Stream IP rule set called main always exists by default. Change the CLI context to be this rule set:

Device:/> cc RuleSet IPRuleSet main
Device:/IPRuleSet/main> 

Now, add the required IPRule object:

Device:/IPRuleSet/main> add IPRule
			Action=Allow
			SourceInterface=G1
			SourceNetwork=G1_net
			DestinationInterface=G2
			DestinationNetwork=all-nets
			Service=http
			Name=lan_to_wan

This IP rule would be correct if the internal network hosts have public IPv4 addresses but in most scenarios this will not be true and internal hosts will have private IPv4 addresses. In that case, we must use NAT to send out traffic so that the apparent source IP address is the IP of the interface connected to the ISP. To do this, keep the Action property as Allow but add the SourceTranslation and SetSourceAddress properties to specify that NAT will be used and the address of the outgoing interface will be used as the source address:

Device:/IPRuleSet/main> add IPRule
			Action=Allow
			SourceInterface=G1
			SourceNetwork=G1_net
			DestinationInterface=G2
			DestinationNetwork=all-nets
			Service=http
			SourceTranslation=NAT
			SetSourceAddress=InterfaceAddress
			Name=lan_to_wan

The service used in the IP rule is http and this will allow basic web browsing. Note that this service does not include the HTTPS protocol, so a custom service will need to be created for HTTPS and then this is used in a new ServiceGroup object which will be associated with an IP rule.

The http service also does not include the DNS protocol to resolve URIs into IP addresses. For configuration clarity, it is recommended to create a separate IP rule for DNS:

Device:/IPRuleSet/main> add IPRule
			Action=Allow
			SourceInterface=G1
			SourceNetwork=G1_net
			DestinationInterface=G2
			DestinationNetwork=all-nets
			Service=dns-all
			SourceTranslation=NAT
			SetSourceAddress=InterfaceAddress
			Name=lan_to_wan_dns

Finally, change the CLI context back to the default context (this is sometimes called the root context):

Device:/IPRuleSet/main> cc
Device:/> 

When adding IP rules later in this section, the changing between CLI contexts will not be explicitly stated. The context is indicated by the command prompt.

It is recommended that at least one DNS server is also defined in cOS Stream. This DNS server or servers (a maximum of three can be configured) will be used when cOS Stream itself needs to resolve URIs, which will be the case when a URI is specified in a configuration instead of an IP address. If we assume IP address objects called dns1_address and dns2_address have already been defined, the command to specify these as DNS servers is:

Device:/> set DNS DNSServers=dns1_address,dns2_address

Activating and Committing Changes

After any changes are made to a cOS Stream configuration, they will be saved as a new configuration but will not yet be activated. To activate all the configuration changes made since the last activation of a new configuration, the following command must be issued:
Device:/> activate
Although the new configuration is now activated, it does not become permanently activated until the following command is issued within 30 seconds following the activate:
Device:/> commit
The reason for two commands is to prevent a configuration accidentally locking out the administrator. If a lock-out occurs then the second command will not be received and cOS Stream will revert back to the original configuration after the 30 second time period (this time period is a setting that can be changed).

DHCP Server Setup

If the Clavister Firewall is to act as a DHCP server then this can be set up in the following way:

First, define an IPv4 address object with the address range that will be handed out. Here, we will use the IPv4 range 192.168.1.10 - 192.168.1.20 as an example and this range will be available on the G1 interface which is connected to the protected internal network:

Device:/> add Address IPAddress dhcp_range
			Address=192.168.1.10-192.168.1.20

A DHCPServerRule is now configured using this IP address object for the relevant interface. In this case the G1 interface:

Change the CLI context to be DHCPServer:

Device:/> cc DHCPServer

Add a DHCPServerRule object:

Device:/DHCPServer> add DHCPServerRule my_dhcp_clients
			IPAddressPool=dhcp_range
			Interface=G1
			Netmask=255.255.255.0
			DefaultGateway=G1_ip
			DNS1=dns1_address

Change back to the default context:

Device:/DHCPServer> cc
Device:/> 

It is assumed that the IP address object dns1_address for the DNS server was created previously.

It is important to specify the default gateway for the DHCP server since this will be handed out to DHCP clients on the internal network so that they know where to find the public Internet. The default gateway is always the IP address of the interface on which the DHCP server is configured. In this case, the address G1_ip.

NTP Server Setup

Network Time Protocol (NTP) servers can optionally be configured to maintain the accuracy of the system date and time. The following commands set up synchronization with the NTP server at IPv4 address 10.5.4.76:
Device:/> set DateTime TimeSyncEnabled=Yes
Change to the DateTime context:
Device:/> cc DateTime
Device:/DateTime> 
Add the time server:
Device:/DateTime> add TimeServer IP=10.5.4.76 Name=my_tsrv
Change back to the default (root) context:
Device:/DateTime> cc
Device:/> 

Syslog Server Setup

Although logging may be enabled, no log messages are captured unless a server is set up to receive them and Syslog is the most common server type. If the Syslog server's address is 192.0.2.55 then the command to create a log receiver object called my_syslog which enables logging is:
Device:/> add LogReceiverSyslog my_syslog IPAddress=192.0.2.55

Allowing ICMP Ping Requests

As a further example of setting up IP rules, it can be useful to allow ICMP Ping requests to flow through the firewall. It should be remembered that cOS Stream will drop any traffic unless an IP rule explicitly allows it. Let us suppose that we wish to allow the pinging of external hosts on the Internet by computers on the internal network G1_net network.

To set this up, add an IPRule object called allow_ping_outbound. This will be done in the IPRuleSet/main CLI context:

Device:/IPRuleSet/main> add IPRule
			Action=Allow
			SourceInterface=G1
			SourceNetwork=G1_net
			DestinationInterface=G2
			DestinationNetwork=all-nets
			Service=ping-outbound
			SourceTranslation=NAT
			SetSourceAddress=InterfaceAddress
			Name=allow_ping_outbound

The IP rule again has the NAT action and this is necessary if the protected local hosts have private IPv4 addresses. The ICMP requests will be sent out from the Clavister Firewall with the IP address of the interface connected to the ISP as the source interface. Responding hosts will send back ICMP responses to this single IP and cOS Stream will then forward the response to the correct private IP address.

Adding a Drop All Rule

Scanning of the IP rule set is done in a top-down fashion. If no matching IP rule is found for a new connection then the default rule is triggered. This rule is hidden and cannot be changed and its action is to drop all such traffic as well as generate a log message for the drop.

In order to gain control over the logging of dropped traffic, it is recommended to create a drop all rule as the last rule in the main IP rule set. This rule has an Action of Drop with the source and destination network set to all-nets and the source and destination interface set to any.

The service for this rule must also be specified and this should be set to all_services in order to capture all types of traffic. The command for creating this rule in the IPRuleSet/main CLI context is the following:

Device:/IPRuleSet/main> add IPRule
			Action=Deny
			SourceInterface=any
			SourceNetwork=all-nets
			DestinationInterface=any
			DestinationNetwork=all-nets
			Service=all_services
			OnDeny=DropSilent
			Name=drop_all

3.4. The Boot Menu

Entering the Boot Menu

When the 500 Series starts up, and before it has finished initializing, the startup process can be suspended and the boot menu entered by repeatedly pressing the Esc key on the keyboard of cOS Stream's local console (connecting this is described in Section 2.3, Management Computer Connection). The boot menu provides a number of options related to the loading of cOS Stream.

Boot Menu Options

The choices displayed in the boot menu are the following:

  1. Boot system <version-number>

    This will exit the boot menu and initialization of cOS Stream will resume.

  2. Boot-failure recovery

    The NetShield 500 Series will boot using its own internal system memory. cOS Stream will then run in a safe mode. This means the the system will function but only limited resources will be available. However, these resources are sufficient for cOS Stream to be used with a full CLI command set to troubleshoot problems.

  3. Reset system to factory default

    This restores both the current configuration and the cOS Stream version to the factory settings. Any cOS Stream version upgrades that have been installed will be lost.

    Using this option is discussed further in Chapter 5, Resetting to Factory Defaults. However, note this reset will only affect cOS Stream and will not reset the whole 500 Series system.

  4. Restore system default configuration

    This restores only the default configuration. No cOS Stream version upgrades that have been installed will be lost. This is the recommended option unless a full reset is required.

The boot menu is also discussed in the separate cOS Stream Administration Guide.

3.5. Setup Troubleshooting

This section deals with connection problems that might occur when connecting an external management computer to cOS Stream. It is assumed that the 500 Series system has been successfully powered up and initial management connection is first being attempted over a network to a physical Ethernet interface.

If the management Ethernet interface does not respond after the 500 Series has powered up and cOS Stream has started, the following steps can be used to help troubleshoot connection problems:

1. Check that the correct Ethernet interface is being used.

The most obvious problem is that the wrong Ethernet interface has been used for the initial connection. Only the first interface found by cOS Stream is will allow the initial management connection after cOS Stream starts for the first time.

2. Check that interface characteristics match.

If a firewall's Ethernet interface characteristics are configured manually then the interface on an external computer or switch to which it is connected should be configured with the same characteristics. For example, link speed settings should match. This problem will not occur if the interfaces are set for automatic configuration on both sides.

3. Check that the management computer IP/Network is configured correctly.

Check that the IP address and network of the management computer Ethernet interface is configured correctly so it can communicate with the management interface of the firewall.

4. Is the management interface properly connected?

Where relevant, check the link LED lights on the connected Ethernet interface. This can identify a cable problem.

5. Using the ifstat CLI command.

To investigate a connection problem further, connect a computer running console emulation software directly to the local console port on the firewall. Once cOS Stream has started, it should respond with the standard CLI prompt when the enter key is pressed. Now enter the following command once for each interface:

Device:/> ifstat <if-name>

Where <if-name> is the name of the management interface. This will display a number of counters for that interface. The ifstat command on its own can list the names of all the interfaces.

If the Input counters in the hardware section of the output are not increasing then the error is likely to be in the cabling. However, it may simply be that the packets are not getting to the firewall in the first place. This can be confirmed with a packet sniffer, if it is available.

If the Input counters are increasing, the management interface may not be attached to the correct physical network. There may also be a problem with the routing information in any connected hosts or routers.

6. Using the arpsnoop CLI command.

A diagnostic test to try with IPv4 connections is using the console command:

Device:/> arpsnoop all

This will display console messages that show all the ARP packets being received on the different interfaces and confirm that the correct cables are connected to the correct interfaces. To look at the ARP activity only a particular interface, follow the command with the interface name:

Device:/> arpsnoop <interface>

To switch snooping off, use the command:

Device:/> arpsnoop none

7. Check the management access rules for a network connection.

When connecting to the default management interface over a network connection, check that the management access rules are correctly configured to allow access through the interface and from the desired source IP range. These rules can be displayed with the CLI command:

Device:/> show RemoteManagement

3.6. Going Further with cOS Stream

After initial setup is complete, the administrator is ready to go further with configuring cOS Stream to suit the requirements of a particular networking scenario.

The primary reference documentation consists of:

  • cOS Stream Administrators Guide.
  • cOS Stream CLI Reference Guide.
  • cOS Stream Log Reference Guide.

Other available documents in PDF format are:

  • cOS Stream Data Collection Guide.
  • cOS Stream Use Case Guide
  • cOS Stream Statistics Reference Guide.
  • cOS Stream SNMP Trap Reference Guide.

In addition, each cOS Stream release has an associated Release Notes document that lists new features, fixes and known issues.

All documents can be downloaded in PDF format by logging into https://my.clavister.com and going to the downloads for the relevant cOS Stream release. Alternatively, documentation for the latest cOS Stream release can be read in HTML format at https://docs.clavister.com.

The cOS Stream Administrators Guide

This guide is a comprehensive description of all cOS Stream features and includes a detailed table of contents with a comprehensive index to quickly locate particular topics.

Examples of the setup for various scenarios are included but screenshots are kept to a minimum since the user has a variety of management interfaces to choose from.

Basic cOS Stream Objects and Rules

As a minimum, the new administrator should become familiar with the cOS Stream Address Book for defining IP address objects and the cOS Stream IP rule set for defining IP Rule objects which allow or block different traffic and which can also be used to set up NAT address translation.

IP rules identify the targeted traffic using combinations of the source/destination interface/network combined with protocol type. By default, no IP rules are defined so all traffic is dropped. At least one IP rule needs to be defined before traffic can traverse the Clavister Firewall.

In addition to rules, Route objects need to be defined in a Routing Table so that traffic can be sent on the correct interface to reach its final destination. Traffic will need both a relevant IP rule and route to exist in order for it to traverse the firewall.

VPN Setup

A common requirement is to quickly setup VPN networks based on Clavister Firewalls. The cOS Stream Administration Guide includes an extensive VPN section.

Included with the quick start section is a checklist for troubleshooting and advice on how best to deal with the networking complications that can arise with certificates.

Log Messages

By default, certain events will generate log messages and at least one log server should be configured in cOS Stream to capture these messages. The administrator should review what events are important to them and at what severity. The cOS Stream Log Reference Guide provides a complete listing of the log messages that cOS Stream is capable of generating.

The CLI Reference Guide

The CLI Reference Guide provides a complete listing of the available CLI commands with their options. A CLI overview and feature summary is also included as part of the cOS Stream Administration Guide.

cOS Stream Education Courses

For details about classroom and online cOS Stream education as well as cOS Stream certification, visit the Clavister company website at https://www.clavister.com or contact your local sales representative.

Staying Informed

Notifications of new cOS Stream releases are sent out to the email address associated with MyClavister accounts. Email preferences can be adjusted by choosing the Settings option after logging into the relevant account at the following URL:

https://my.clavister.com

Chapter 4: Power over Ethernet Setup

The G5 and G6 Ethernet ports on the NetShield 500 Series are also capable of supplying Power over Ethernet (PoE) to external devices. Each port can provide up to 30 Watts of DC power to an external device over a suitable Ethernet cable (Cat 5a or better).

A separate PSU that provides the PoE power to the expansion module must be plugged into the PoE power port on the front of the NetShield 500 Series.

Use the following steps when setting up PoE on the NetShield 500 Series appliance:

  1. Connect up the PoE PSU by plugging its power cable into an external power socket and then connect the PSU's other cable to the PoE power inlet on the front of the NetShield 500 Series appliance.
NetShield 500 Series PoE Power Inlet

Figure 4.1. NetShield 500 Series PoE Power Inlet

  1. Using a suitable Ethernet cable (Cat 5e or better), connect an external device to one of the Ethernet interface ports G5 or G6. The maximum load drawn from a single interface port should never be more than 30 Watts.
  2. Attach an additional external device in a similar way. Connections can be a mix of 15 Watts (802.3af) and the maximum of 30 Watts (802.3at Type 2).

    The total loading across both Ethernet ports should never exceed 60 Watts.

Chapter 5: Resetting to Factory Defaults

In some circumstances, it may be necessary to reset the NetShield 500 Series appliance to the state it was in when it left the factory and before it was delivered to a customer. This process is known as a reset to factory defaults or simply a factory reset.

[Caution] Caution: cOS Stream upgrades and current configuration are lost

Resetting to defaults means that the default cOS Stream configuration will be restored as well as the original version of cOS Stream that the product left the factory with. The will mean the following:

  • Any cOS Stream upgrades that have been performed since the product left the factory will be lost. An upgrade to a newer cOS Stream version must be repeated.

  • The current cOS Stream configuration will be lost but can be restored if a backup is available.

With the NetShield 500 Series, a reset can be done in one of the following ways:

  • Using the CLI

    The CLI can be used by connecting to one of the NetShield 500 Series's Ethernet interfaces using an SSH client over a network. A reset is performed by entering the following command:

    Device:/> backup -factoryreset

    Using this command is described further in the separate Administration Guide.

  • Using the Boot Menu

    The boot menu can be accessed through the local CLI console by repeatedly pressing the Esc key while cOS Stream is starting up. The resetting of Ethernet interface IP addresses will not affect the local console connection. The complete procedure is performed with the following steps:

    1. Make sure a separate management computer running as a console is attached to the local console port of the NetShield 500 Series.

    2. Power up the NetShield 500 Series unit. This may require a restart if the hardware is already powered up.

    3. As console output appears, repeatedly press the Esc key before cOS Stream has fully started.

    4. The boot menu will now be displayed on the console.

    5. Choose the Reset system to factory default option.

    Boot menu options are described further in Section 3.4, The Boot Menu and in the separate cOS Stream Administration Guide.

  • Performing a Reset Manually

    The 500 Series can be reset manually with the following steps:

    1. The progress of the reset can be followed using a local console connection. If that is required, open a console display window connected to the NetShield 500 Series local console port.

    2. While the unit is powered up, push in the recessed reset button on the unit with a suitable pointed tool and keep it pushed in. An opened paper-clip could be used for this.

    3. Continue holding the button in for at least 10 seconds. The status LED will blink and when the blinking stops the reset is being performed.

    4. If a console was connected in step 1, the console output will indicate that the hardware has successfully been reset to its factory defaults.

    5. After completion of the reset, the NetShield 500 Series unit can now be set up again as though it had never been previously configured.

[Caution] Caution: Local console login credentials will be reset

The local console login credentials will be reset to the default values of username admin and password admin. Changing the cOS Stream admin user password as soon as possible is recommended.

Chapter 6: Warranty Service

Limitation of Warranty

Clavister warrants to the customer of the 500 Series Appliance that the Hardware components will be free from defects in material and workmanship under normal use for a period of two (2) years from the Start Date (as defined below). The warranty will only apply to failure of the product if Clavister is informed of the failure not later than two (2) years from the Start Date or thirty (30) days after that the failure was or ought to have been noticed by the customer.

The warranty will not apply to products from which serial numbers have been removed or to defects resulting from unauthorized modification, operation or storage outside the environmental specifications for the product, in-transit damage, improper maintenance, defects resulting from use of third-party software, accessories, media, supplies, consumables or such items not designed for use with the product, or any other misuse. Any replacement Hardware will be warranted for the remainder of the original warranty period or thirty days, whichever is longer.

Note that the term "Start Date" means the earlier of the product registration date OR ninety (90) days following the day of shipment by Clavister.

Obtaining Warranty Service with an RMA

Warranty service can be obtained within the warranty period with the following steps:

  1. Obtain a Return Material Authorization (RMA) Number from Clavister. This number must be obtained before the product is sent back.

    An RMA number can be obtained online by logging in to the Clavister website (http://www.clavister.com/login) and selecting the Help Desk option.

  2. The defective unit should be packaged securely in the original packaging or other suitable shipping packaging to ensure that it will not be damaged in transit.

  3. The RMA number must be clearly marked on the outside of the package.

  4. The package is then shipped to Clavister with all the costs of mailing/shipping/insurance paid by the customer. The address for shipping is:

    Clavister AB
    Sjögatan 6J
    891 60 Örnsköldsvik
    SWEDEN

    If the product has not yet been registered with Clavister through its website, some proof of purchase (such as a copy of the dated purchase invoice) must be provided with the shipped product.

[Important] Important: An RMA Number must be obtained before shipping!

Any package returned to Clavister without an RMA number will be rejected and shipped back at the customer's expense. Clavister reserves the right in such a case to levy a reasonable handling charge in addition to mailing and/or shipping costs.

Data on the Hardware

Note that Clavister is not responsible for any of the software, firmware, information, or memory data contained in, stored on, or integrated with any product returned to Clavister pursuant to a warranty claim.

Contacting Clavister

Should there be a problem with the online form then Clavister support can be contacted by going to: https://www.clavister.com/support/.

Customer Remedies

Clavister's entire liability according to this warranty shall be, at Clavister's option, either return of the price paid, or repair or replacement of the Hardware that does not meet Clavister's limited warranty and which is returned to Clavister with a copy of your receipt.

Limitations of Liability

Refer to the legal statement at the beginning of the guide for a statement of liability limitations.

Chapter 7: Safety Precautions

Safety Precautions

Clavister NetShield 500 Series devices are Safety Class I products and have protective ground terminals. There must be an uninterrupted safety earth ground from the main power source to the product’s input wiring terminals, power cord, or supplied power cord set. Whenever it is likely that the protection has been impaired, disconnect the power cord until the ground has been restored.

For LAN cable grounding:

  • If your LAN covers an area served by more than one power distribution system, be sure their safety grounds are securely interconnected.

  • LAN cables may occasionally be subject to hazardous transient voltage (such as lightning or disturbances in the electrical utilities power grid). Handle exposed metal components of the network with caution.

There are no user-serviceable parts inside these products. Only service-trained personnel can perform any adjustment, maintenance or repair.

Säkerhetsföreskrifter

Dessa produkter är säkerhetsklassade enligt klass I och har anslutningar för skyddsjord. En obruten skyddsjord måste finnas från strömkällan till produktens nätkabelsanslutning eller nätkabel. Om det finns skäl att tro att skyddsjorden har blivit skadad, måste produkten stängas av och nätkabeln avlägnas till dess att skyddsjorden har återställts.

För LAN-kablage gäller dessutom att:

  • Om LAN:et täcker ett område som betjänas av mer än ett strömförsörjningssystem måste deras respektive skyddsjord vara ihopkopplade.

  • LAN kablage kan vara föremål för farliga spänningstransienter (såsom blixtnedslag eller störningar i elnätet). Hantera metallkomponenter i förbindelse med nätverket med försiktighet.

Det finns inga delar i produkten som kan lagas av användaren. All service samt alla justeringar, underhåll eller reparationer får endast utföras av behörig personal.

Informations concernant la sécurité

Cet appareil est un produit de classe I et possède une borne de mise à la terre. La source d’alimentation principale doit être munie d’une prise de terre de sécurité installée aux bornes du câblage d’entree, sur le cordon d’alimentation ou le cordon de raccordement fourni avec le produit. Lorsque cette protection semble avoir été endommagée, débrancher le cordon d’alimentation jusqu’à ce que la mise à la terre ait été réparée.

Mise à la terre du câble de réseau local:

  • Si votre réseau local s’étend sur une zone desservie par plus d’un système de distribution de puissance, assurez-vous que les prises de terre de sécurité soint convenablement interconnectées.

  • Les câbles de réseaux locaux peuvent occasionnellement être soumis à des surtensions transitoires dangereuses (telles que la foudre ou des perturbations dans le réseau d’alimentation public). Manipulez les composants métalliques du réseau avec précautions.

Aucune pièce contenue à l’intérieur de ce produit ne peut être réparée par l’utilisateur. Tout dépannage, réglage, entretien ou réparation devra être confié exclusivement à un personnel qualifié.

Hinweise zur Sicherheit

Dies ist ein Gerät der Sicherheitsklasse I und verfügt über einen schützenden Erdungsterminal. Der Betrieb des Geräts erfordert eine ununterbrochene Sicherheitserdung von der Hauptstromquelle zu den Geräteingabeterminals, den Netzkabeln oder dem mit Strom belieferten Netzkabelsatz voraus. Sobald Grund zur Annahme besteht, dass der Schutz beeinträchtigt worden ist, das Netzkabel aus der Wandsteckdose herausziehen, bis die Erdung wiederhergestellt ist.

Für LAN-Kabelerdung:

  • Wenn Ihr LAN ein Gebiet umfasst, das von mehr als einem Stromverteilungssystem beliefert wird, müssen Sie sich vergewissern, dass die Sicherheitserdungen fest untereinander verbunden sind.

  • LAN-Kabel können gelegentlich gefährlichen Übergangsspannungen ausgesetz werden (beispielsweise durch Blitz oder Störungen in dem Starkstromnetz des Elektrizitätswerks). Bei der Handhabung exponierter Metallbestandteile des Netzwerkes Vorsicht walten lassen.

Dieses Gerät enthält innen keine durch den Benutzer zu wartenden Teile. Wartungs-, Anpassungs-, Instandhaltungs- oder Reparaturarbeiten dürfen nur von geschultem Bedieningspersonal durchgeführt werden.

Considerazioni sulla sicurezza

Questo prodotte è omologato nella classe di sicurezza I ed ha un terminale protettivo di collegamento a terra. Dev’essere installato un collegamento a terra di sicurezza, non interrompibile che vada dalla fonte d’alimentazione principale ai terminali d’entrata, al cavo d’alimentazione oppure al set cavo d’alimentazione fornito con il prodotto. Ogniqualvolta vi sia probabilità di danneggiamento della protezione, disinserite il cavo d’alimentazione fino a quando il collegaento a terra non sia stato ripristinato.

Per la messa a terra dei cavi LAN:

  • Se la vostra LAN copre un’area servita da più di un sistema di distribuzione elettrica, accertatevi che i collegamenti a terra di sicurezza siano ben collegati fra loro;

  • I cavi LAN possono occasionalmente andare soggetti a pericolose tensioni transitorie (ad esempio, provocate da lampi o disturbi nella griglia d’alimentazione della società elettrica); siate cauti nel toccare parti esposte in metallo della rete.

Nessun componente di questo prodotto può essere riparato dall’utente. Qualsiasi lavoro di riparazione, messa a punto, manutenzione o assistenza va effettuato esclusivamente da personale specializzato.

Consideraciones sobre seguridad

Este aparato se enmarca dentro de la clase I de seguridad y se encuentra protegido por una borna de puesta a tierra. Es preciso que exista una puesta a tierra continua desde la toma de alimentacíon eléctrica hasta las bornas de los cables de entrada del aparato, el cable de alimentación hasta haberse subsanado el problema.

Puesta a tierra del cable de la red local (LAN):

  • Si la LAN abarca un área cuyo suministro eléctrico proviene de más de una red de distribución de electricidad, cerciorarse de que las puestas a tierra estén conectadas entre sí de modo seguro.

  • Es posible que los cables de la LAN se vean sometidos de vez en cuando a voltajes momentáneos que entrañen peligro (rayos o alteraciones en la red de energía eléctrica). Manejar con precaución los componentes de metal de la LAN que estén al descubierto.

Este aparato no contiene pieza alguna susceptible de reparación por parte del usuario. Todas las reparaciones, ajustes o servicio de mantenimiento debe realizarlos solamente el técnico.

Appendix A: 500 Series Specifications

Dimensions and Weight

Height x Width x Depth (mm) 44 x 251 x 250
Hardware Unit Weight 1.7 kg
Hardware Form Factor Desktop
19-inch Rack Mountable Yes, using rack mount kit
MTBF 41,390 hours @ 20° C

Regulatory and Safety Standards

Safety CE, UL
EMC FCC, CE, VCCI

Environmental

Operating and Storage Humidity 0% to 95% (non-condensing)
Operating Temperature 5 to 35° C

Power Specifications

Rated Power Supply Input 100-240 VAC, 50-60 Hz, 1.8 A
Rated Power Supply Output 12 VDC, 5.0A, 60W
Redundant power supply Optional
Maximum Power Consumption 20.7W
Typical Current 0.09A @AC input (0.1A at load)
BTU 80 BTU (at load)
PoE to external devices 802.3at and 802.3af from G5, G6 interfaces
PoE supply source External power adapter

Ethernet Interface Support

Gigabit RJ45 interfaces Automatic MDI-X
1000BASE-T (copper RJ45 100m)
100BASE-TX (copper RJ45 100m)
10BASE-T (copper RJ45 100m)
SFP+ interfaces 10GBASE-SR (multi-mode 300m)
10GBASE-LR (single-mode 10km)
10GBASE-ER (single-mode 40km)
10GBASE-ZR (single-mode 80km)
10GBASE-CR (direct attach)
 
Note that only Clavister supplied SFP+ modules have been tested to function correctly with the 500 Series.

For more information about Clavister products, go to: https://www.clavister.com