Clavister: Unterschied zwischen den Versionen

Aus Meine Wiki
Zur Navigation springen Zur Suche springen
 
(21 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt)
Zeile 1: Zeile 1:
 
[[Category:Firewall]]
 
[[Category:Firewall]]
; Clavister cOS  
+
==Clavister cOS==
  
 
;News
 
;News
[https://www.clavister.com/about-us/clavister-news/ Clavister News]
+
:[https://www.clavister.com/about-us/clavister-news/ Clavister News]
  
 
;Schulungen
 
;Schulungen
[https://www.clavister.com/services/education/technical-courses/ Technical Courses]
+
:[https://www.clavister.com/services/education/technical-courses/ Technical Courses]
 +
 
 +
;Forum
 +
:[https://forums.clavister.com/viewforum.php?f=8&sid=6136482848cb6efdb006877370c8d448 Forum]
  
 
;Kochbuch auf Deutsch und Dokumentation auf English
 
;Kochbuch auf Deutsch und Dokumentation auf English
  
 
:[https://www.clavister.com/services/resources/configuration-cookbooks/ Configuration Cookbooks]
 
:[https://www.clavister.com/services/resources/configuration-cookbooks/ Configuration Cookbooks]
 +
 +
:[https://mega.nz/#!HRwmXSAA!HDqj_AZEMAeNnqZeDixeEl6lDPtIxb6B4lUyPYYQKFM    cOS Core Administration Guide 12.00.18 ]
 +
:[https://mega.nz/#!nE503KgZ!InwJ60HYH0Y-KpFtLINHTqjJP87Lm-ZVSx3MWhxl5qg    cOS Core CLI Reference Guide 12.00.18 ]
 
:[https://mega.nz/#!GFYBjK7R!lBp1nqycqdJ-a_xw2rfhIM85DDtPwmow7K0bin1NkNA    cOS Core Administration Guide 12.00.13 ]
 
:[https://mega.nz/#!GFYBjK7R!lBp1nqycqdJ-a_xw2rfhIM85DDtPwmow7K0bin1NkNA    cOS Core Administration Guide 12.00.13 ]
 
:[https://mega.nz/#!rVQhAQaI!Mi8NJHwUnBnuamS-zgQnRb8ntKixmd95JI9Z2JeTK20    cOS Core CLI Reference Guide 12.00.13 ]
 
:[https://mega.nz/#!rVQhAQaI!Mi8NJHwUnBnuamS-zgQnRb8ntKixmd95JI9Z2JeTK20    cOS Core CLI Reference Guide 12.00.13 ]
 
:[https://mega.nz/#!KAR1gQBb!j6tTxT1An-4mKNC6nNes4ju3ua4e2pvmekQ4AMmpLxM    InControl Administration Guide 1.85.00 ]
 
:[https://mega.nz/#!KAR1gQBb!j6tTxT1An-4mKNC6nNes4ju3ua4e2pvmekQ4AMmpLxM    InControl Administration Guide 1.85.00 ]
:[https://www.clavister.com/globalassets/documents/products-and-services/getting-started/clavister-prd-clavister-virtual-core-series-vmware-getting-started-guide-en.pdf  Clavister Virtual Series Getting Started Guide for VMware]
+
:[https://mega.nz/#!yUBnmYpB!9a6Q0_aTS6fJYqtnDV6LJu-HPSFKG88PdzCNOP78V5Q    Getting Started Guide 12.00.13 VMware ]
 +
:[https://mega.nz/#!XNZ3zS6a!a_UlP9ft-fo2X0owZHNrdkwTMmqAtRtlflCeJggkt9k    Getting Started Guide 12.00.13 KVM ]
 +
:[https://mega.nz/#!yUBnmYpB!9a6Q0_aTS6fJYqtnDV6LJu-HPSFKG88PdzCNOP78V5Q    Getting Started Guide 12.00.13 Hyper-V ]
  
 +
;Getting started
 +
:[https://mega.nz/#!LERmRK5B!LJuEwaf4umBSC3iVN-AWkM7HYdFgJOyVMu-3l0MYIYQ Getting Started E10]
 +
:[https://mega.nz/#!GEJE0CqZ!gFa7W8q7aH4WW9ZpBdGydRnMrt_BxXLxuRgt0bF1ufc Getting Started E20]
 +
:[https://mega.nz/#!HFYg1YyZ!ctt6pRSSyDh-PfqeMcnyrq6l4pCFv5g1w0kZywUuSKs Getting Started E80B]
  
 
;SIP ALG  
 
;SIP ALG  
[https://forums.clavister.com/viewtopic.php?t=5217 Link ]
+
:[https://forums.clavister.com/viewtopic.php?t=5217 Link ]
  
 
;Clavister Firewalls
 
;Clavister Firewalls
[http://clavister-polska.pl/porownanie-modeli-2/ Produkte PL]
+
:[http://clavister-polska.pl/porownanie-modeli-2/ Produkte PL]
  
 
;Artikel
 
;Artikel
[http://www.admin-magazin.de/Das-Heft/2014/06/Im-Kurztest-Clavister-Firewall-E5 Im Kurztest: Clavister-Firewall E5]
+
:[http://www.admin-magazin.de/Das-Heft/2014/06/Im-Kurztest-Clavister-Firewall-E5 Im Kurztest: Clavister-Firewall E5]
  
[http://www.admin-magazin.de/News/Clavister-E80-neue-Firewall-fuer-kleine-und-mittlere-Firmen Clavister E80: neue Firewall für kleine und mittlere Firmen]
+
:[http://www.admin-magazin.de/News/Clavister-E80-neue-Firewall-fuer-kleine-und-mittlere-Firmen Clavister E80: neue Firewall für kleine und mittlere Firmen]
  
 
;Anleitungen (Video)
 
;Anleitungen (Video)
[https://www.youtube.com/watch?v=zLhNcekZmVY NG Firewall Clavister, podstawy konfiguracji internetu, adresacja IP, DNS, NTP]
+
:[https://www.youtube.com/watch?v=zLhNcekZmVY NG Firewall Clavister, podstawy konfiguracji internetu, adresacja IP, DNS, NTP]
 +
:[https://www.youtube.com/watch?v=2kOQpHMLsR4 How-Tos: Basic Settings]
 +
:[https://www.youtube.com/watch?v=qolPl4u0szk How-Tos: Simple Lan-to-Lan]
 +
:[https://www.youtube.com/watch?v=RZCQnI0psY8 Clavister Lan to Lan VPN How-to]
 +
:[https://www.youtube.com/watch?v=q8Tpf8jFOsM Clavister Lan to Lan VPN How-to 2]
 +
:[https://www.youtube.com/watch?v=qolPl4u0szk How-Tos: Simple Lan-to-Lan]
 +
 
  
 
;Stateful Inspection
 
;Stateful Inspection
  
Die Datenpakete werden analysiert und der Verbindungsstatus wird in die Entscheidung einbezogen. Bei dieser Technik, die in Firewalls eingesetzt wird, werden die Datenpakete (eigentlich: Segmente) während der Übertragung auf der Vermittlungsschicht (3. Schicht des OSI-Modelles) analysiert und in dynamischen Zustandstabellen gespeichert. Auf Basis des Zustands der Datenverbindungen werden die Entscheidungen für die Weiterleitung der Datenpakete getroffen. Datenpakete, die nicht bestimmten Kriterien zugeordnet werden können oder eventuell zu einer DoS-Attacke gehören, werden verworfen. Firewalls mit SPI-Technik sind daher in sicherheitsrelevanten Anwendungen den reinen Paketfilter-Firewalls überlegen. [https://de.wikipedia.org/wiki/Stateful_Packet_Inspection Quelle: Wikipedia] [http://www.searchnetworking.de/definition/Stateful-Inspection-Zustandsorientierte-Ueberpruefung Mehr Dazu Auch hier] [https://supportforums.cisco.com/t5/other-security-subjects/stateful-and-stateless-firewall/td-p/817644 Info]
+
:Die Datenpakete werden analysiert und der Verbindungsstatus wird in die Entscheidung einbezogen. Bei dieser Technik, die in Firewalls eingesetzt wird, werden die Datenpakete (eigentlich: Segmente) während der Übertragung auf der Vermittlungsschicht (3. Schicht des OSI-Modelles) analysiert und in dynamischen Zustandstabellen gespeichert. Auf Basis des Zustands der Datenverbindungen werden die Entscheidungen für die Weiterleitung der Datenpakete getroffen. Datenpakete, die nicht bestimmten Kriterien zugeordnet werden können oder eventuell zu einer DoS-Attacke gehören, werden verworfen. Firewalls mit SPI-Technik sind daher in sicherheitsrelevanten Anwendungen den reinen Paketfilter-Firewalls überlegen. [https://de.wikipedia.org/wiki/Stateful_Packet_Inspection Quelle: Wikipedia] [http://www.searchnetworking.de/definition/Stateful-Inspection-Zustandsorientierte-Ueberpruefung Mehr Dazu Auch hier] [https://supportforums.cisco.com/t5/other-security-subjects/stateful-and-stateless-firewall/td-p/817644 Info]
  
cOS Core employs a technique called stateful inspection which means that it inspects and forwards traffic on a per-connection basis. cOS Core detects when a new connection is being established, and keeps a small piece of information or state in its state table for the lifetime of that connection. By doing this, cOS Core is able to understand the context of the network traffic which enables it to perform in-depth traffic scanning, apply bandwidth management and a variety of other functions. S. 22.
+
:cOS Core employs a technique called stateful inspection which means that it inspects and forwards traffic on a per-connection basis. cOS Core detects when a new connection is being established, and keeps a small piece of information or state in its state table for the lifetime of that connection. By doing this, cOS Core is able to understand the context of the network traffic which enables it to perform in-depth traffic scanning, apply bandwidth management and a variety of other functions. S. 22.
  
 
;Dealing with Sync Failure
 
;Dealing with Sync Failure
  
Failure of the sync interface can be confirmed by comparing the output from certain CLI commands for each unit. The number of connections could be compared with the stats command. If IPsec tunnels are heavily used, the ipsecglobalstat -verbose command could be used instead and significant differences in the numbers of IPsec SAs, IKE SAs, active users and IP pool statistics would indicate a failure to synchronize. If the sync interface is functioning correctly, there may still be some small differences in the statistics from each cluster unit but these will be minor compared with the differences seen in the case of failure. S. 658
+
:Failure of the sync interface can be confirmed by comparing the output from certain CLI commands for each unit. The number of connections could be compared with the stats command. If IPsec tunnels are heavily used, the ipsecglobalstat -verbose command could be used instead and significant differences in the numbers of IPsec SAs, IKE SAs, active users and IP pool statistics would indicate a failure to synchronize. If the sync interface is functioning correctly, there may still be some small differences in the statistics from each cluster unit but these will be minor compared with the differences seen in the case of failure. S. 658
 +
 
 +
==CLI console commands==
 +
 
 +
 
 +
Zeigt Netzwerk Interfaces und Informationen dazu (Interface name, IP Adress, Status, Interface type)
 +
  ifstat/if
 +
 
 +
Zeigt aktive DHCP IP Vergaben (Leases) (Rule, Iface, Client MAC, Client IP, Hostname, Expire)
 +
  dhcpserver -show -leases
 +
  dhcpserver -show -leases
 +
 
 +
Zeigt die Arp cache Tabele nach Interface (Alle Geräte die den Route als Gateway nutzen)
 +
  arp
 +
  arp -show G1
 +
  arp -show GS
 +
  arp -show VLAN_3000
 +
 
 +
Zeigt DNS Einstellungen
 +
  dns
 +
 
 +
Zeigt aktive routen
 +
  route
 +
 
 +
Zeigt die angelegten VLANS
 +
  vlan
 +
 
 +
Traceroute
 +
  traceroute
 +
 
 +
Ping
 +
  ping
 +
 
 +
Lokalisierung von IP
 +
  geoip -query 1.1.1.1
 +
 
 +
Zeigt die Eingenschaften von versiedenen Objekten.
 +
  show
 +
  show DNS
 +
  show DHCPServer
 +
 
 +
Zeigt aktive Licenz
 +
  license
 +
 
 +
Zeigt die VPN Tunnels
 +
  ipsec -show
 +
  ipsec -stat
 +
  ipsectunnels
 +
  ipsecstats      // These two commands allow you to check whether a particular vpn tunnel is up or not.
 +
  killsa          //  This command will kill any IPSec connections to a particular remote peer IP. This comes handy when a tunnel de-syncronisation occures, that is, if the tunnel does not use keepalives (example due to incompatibilities with different vendors), one side of the tunnel is up and the other side is down. In order to start over, the “killsa” command can be used
 +
  ikesnoop        // For troubleshooting IPSec vpn negotiation issues. (similar to the “debug ike” / “debug ipsec” in cisco unit)
  
 +
  pcapdump        // This command starts up the packet capture mechanism on the clavister. This command is especially useful when troubleshooting connctivity issues.
 +
 +
 +
  ha              // high-availability environments, HA status of the current unit (active/passive)
 +
  ha activate    // to handover “master” (active) control to the peer, or vice versa.
 +
  ha deactivate
 +
  if              //  Network
  
  
Zeile 57: Zeile 132:
 
   %PUTTY%\pscp.exe -pw %PASS% %USER%@%ADDRESS%:script/%SCRIPT% %LOCAL%
 
   %PUTTY%\pscp.exe -pw %PASS% %USER%@%ADDRESS%:script/%SCRIPT% %LOCAL%
 
   %PUTTY%\plink.exe -ssh -pw %PASS% %USER%@%ADDRESS% "script -remove -name=%SCRIPT%"
 
   %PUTTY%\plink.exe -ssh -pw %PASS% %USER%@%ADDRESS% "script -remove -name=%SCRIPT%"
 
 
;CLI console commands
 
 
  pcapdump        // This command starts up the packet capture mechanism on the clavister. This command is especially useful when troubleshooting connctivity issues.
 
  ipsectunnels and ipsecstats    // These two commands allow you to check whether a particular vpn tunnel is up or not.
 
  killsa          // This command will kill any IPSec connections to a particular remote peer IP.
 
  ikesnoop        // For troubleshooting IPSec vpn negotiation issues. (similar to the “debug ike” / “debug ipsec” in cisco unit)
 
  ha              // high-availability environments, HA status of the current unit (active/passive)
 
  ha activate    // to handover “master” (active) control to the peer, or vice versa.
 
  ha deactivate
 
  if              //  Network
 

Aktuelle Version vom 25. Juni 2019, 21:53 Uhr

Clavister cOS

News
Clavister News
Schulungen
Technical Courses
Forum
Forum
Kochbuch auf Deutsch und Dokumentation auf English
Configuration Cookbooks
cOS Core Administration Guide 12.00.18
cOS Core CLI Reference Guide 12.00.18
cOS Core Administration Guide 12.00.13
cOS Core CLI Reference Guide 12.00.13
InControl Administration Guide 1.85.00
Getting Started Guide 12.00.13 VMware
Getting Started Guide 12.00.13 KVM
Getting Started Guide 12.00.13 Hyper-V
Getting started
Getting Started E10
Getting Started E20
Getting Started E80B
SIP ALG
Link
Clavister Firewalls
Produkte PL
Artikel
Im Kurztest: Clavister-Firewall E5
Clavister E80: neue Firewall für kleine und mittlere Firmen
Anleitungen (Video)
NG Firewall Clavister, podstawy konfiguracji internetu, adresacja IP, DNS, NTP
How-Tos: Basic Settings
How-Tos: Simple Lan-to-Lan
Clavister Lan to Lan VPN How-to
Clavister Lan to Lan VPN How-to 2
How-Tos: Simple Lan-to-Lan


Stateful Inspection
Die Datenpakete werden analysiert und der Verbindungsstatus wird in die Entscheidung einbezogen. Bei dieser Technik, die in Firewalls eingesetzt wird, werden die Datenpakete (eigentlich: Segmente) während der Übertragung auf der Vermittlungsschicht (3. Schicht des OSI-Modelles) analysiert und in dynamischen Zustandstabellen gespeichert. Auf Basis des Zustands der Datenverbindungen werden die Entscheidungen für die Weiterleitung der Datenpakete getroffen. Datenpakete, die nicht bestimmten Kriterien zugeordnet werden können oder eventuell zu einer DoS-Attacke gehören, werden verworfen. Firewalls mit SPI-Technik sind daher in sicherheitsrelevanten Anwendungen den reinen Paketfilter-Firewalls überlegen. Quelle: Wikipedia Mehr Dazu Auch hier Info
cOS Core employs a technique called stateful inspection which means that it inspects and forwards traffic on a per-connection basis. cOS Core detects when a new connection is being established, and keeps a small piece of information or state in its state table for the lifetime of that connection. By doing this, cOS Core is able to understand the context of the network traffic which enables it to perform in-depth traffic scanning, apply bandwidth management and a variety of other functions. S. 22.
Dealing with Sync Failure
Failure of the sync interface can be confirmed by comparing the output from certain CLI commands for each unit. The number of connections could be compared with the stats command. If IPsec tunnels are heavily used, the ipsecglobalstat -verbose command could be used instead and significant differences in the numbers of IPsec SAs, IKE SAs, active users and IP pool statistics would indicate a failure to synchronize. If the sync interface is functioning correctly, there may still be some small differences in the statistics from each cluster unit but these will be minor compared with the differences seen in the case of failure. S. 658

CLI console commands

Zeigt Netzwerk Interfaces und Informationen dazu (Interface name, IP Adress, Status, Interface type)

  ifstat/if

Zeigt aktive DHCP IP Vergaben (Leases) (Rule, Iface, Client MAC, Client IP, Hostname, Expire)

  dhcpserver -show -leases 
  dhcpserver -show -leases

Zeigt die Arp cache Tabele nach Interface (Alle Geräte die den Route als Gateway nutzen)

  arp
  arp -show G1
  arp -show GS
  arp -show VLAN_3000

Zeigt DNS Einstellungen

  dns

Zeigt aktive routen

  route

Zeigt die angelegten VLANS

  vlan

Traceroute

  traceroute

Ping

  ping 

Lokalisierung von IP

  geoip -query 1.1.1.1

Zeigt die Eingenschaften von versiedenen Objekten.

  show 
  show DNS
  show DHCPServer

Zeigt aktive Licenz

  license

Zeigt die VPN Tunnels

  ipsec -show
  ipsec -stat
  ipsectunnels
  ipsecstats       // These two commands allow you to check whether a particular vpn tunnel is up or not. 
  killsa          //  This command will kill any IPSec connections to a particular remote peer IP. This comes handy when a tunnel de-syncronisation occures, that is, if the tunnel does not use keepalives (example due to incompatibilities with different vendors), one side of the tunnel is up and the other side is down. In order to start over, the “killsa” command can be used
  ikesnoop        // For troubleshooting IPSec vpn negotiation issues. (similar to the “debug ike” / “debug ipsec” in cisco unit)
  pcapdump        // This command starts up the packet capture mechanism on the clavister. This command is especially useful when troubleshooting connctivity issues.


  ha              // high-availability environments, HA status of the current unit (active/passive)
  ha activate     // to handover “master” (active) control to the peer, or vice versa.
  ha deactivate
  if              //   Network


Config Download mit Batch-Datei
  REM In case of one device you can use script command to download config as readable script.
  REM It can be easy done by simple batch
  @echo off
  set PUTTY="C:\Program Files\PuTTY"
  set ADDRESS=192.168.1.1
  set USER=admin
  set PASS=admin
  set LOCAL=script.txt
  set SCRIPT=%RANDOM%.txt
  %PUTTY%\plink.exe -ssh -pw %PASS% %USER%@%ADDRESS% "script -create -name=%SCRIPT%"
  %PUTTY%\pscp.exe -pw %PASS% %USER%@%ADDRESS%:script/%SCRIPT% %LOCAL%
  %PUTTY%\plink.exe -ssh -pw %PASS% %USER%@%ADDRESS% "script -remove -name=%SCRIPT%"