access - Manage remote accesses to the appliance
 access [web [raz | (add (internal | auxiliary | vpnipsec) <ip> [<network-mask> [<qos%>]]) | (del <ip> <network-mask>)]]
 access [admin [raz | (add | del) (internal | external | auxiliary | vpnipsec) <ip> [<network-mask>]]]
 access [mon [raz | (add | del) (internal | external | auxiliary | vpnipsec) (<ip> | <name>)]]
 access [file [raz | ((add (internal | external | auxiliary | vpnipsec) (<ip> | <name>) [(ftp | sftp) <login> [<password>]]) | (del (<ip> | <name>)))]]
 access [antivirus [raz | (add (internal | external | auxiliary | vpnipsec) <ip> [<network-mask> [<qos%>]]) | (del <ip> <network-mask>)]]
 access [manager [raz | (add (master | backup) (internal | external | auxiliary) <ip> "<manager-public-ssh-key>") | (del (master | backup))]]
This command is used to get or set access policies for functional traffic exchanged with the appliance itself (and not routed via). To configure access policies for routed traffic via the appliance see the command firewall.
The first usage form is used to define allowed networks to use the appliance as a Web gateway via a given network interface (the appliance acts as a forwarding Web proxy for those networks). Traffic bandwidths can also be customised for a network using the optional <qos%> parameter. The <qos%> value represents the percentage of the bandwidth defined for a given type of traffic (with the command qos) and should be an integer between 1 and 100. If no <qos%> is given, the value of 100% is used by default. Please note that the <qos%> value given here is only taken into account for web traffic exchanged via the internal network interface.
If no web access entry is defined, all networks located behind the internal, auxiliary and vpnipsec interfaces are allowed to access the Web with a QoS of 100% (of the value defined with the qos command). If at least one web access entry is defined, only clients located on explicitly defined networks are allowed to use the appliance as a forwarding proxy via the explicitly defined network interface. In case where the transparent mode is activated (see the command mode), the appliance will act as a transparent forwarding proxy only for defined transparent networks. Use the command transparent to define transparent networks.
The <qos%> is defined for all IPs belonging to a Web access network. The effective <qos%> for a given IP depends on the number of concurrent traffic exchanged from that network. An automatic scheduling system manages concurrent traffic to equitably share the bandwidth allocated to a given network. In a concurrent environment the <qos%> limit may be surpassed when the load of other networks is under their <qos%> limits. This mechanism is called borrowing. The borrowing could be activated or deactivated. See the command qos for further information on the borrowing mechanism. Please note that there is no obligation to have a total of 100% even if this is a recommended configuration.
The second usage form configures access policies for administrators using ssh or the Web administration GUI. Only networks defined with this command are allowed to remotely administrate the system via the specified network interface (see the command admin). The system’s administration IP address can be the internal, external or the auxiliary IP address according to the administration topology defined with the command admin. When the VLAN mode is activated (see the command mode), the internal administration IP address is the IP address associated to the admin 802.1q pseudo device (see the command vlan).
The third usage form configures access policies for monitoring (management) servers using the SNMP protocol. Only SNMP managers defined with this command are allowed to access the appliance via the specified network interface. If no management access policy is defined, SNMP accesses are not allowed.
Operations like backing up the system or loading a URL list require access to a file server. Only file servers defined with this command are allowed to exchange data with the appliance. The fourth usage form (with file keyword) allows you to define access policies for file servers. A file server is represented by its IP address or network name. If no file access policy is defined, file transfers to and from the appliance are not allowed. Supported protocols for file servers are FTP, SFTP and TFTP. For ftp and sftp servers, if a login name is given, a mandatory password is then required. If no password is given on the command line, the password is requested in hidden mode (see also the command password). Please note that if the targeted FTP server supports SSL encryption and the CCC (Clear Command Channel) FTP command, the system will use SSL/TLS for the authenticating phase in order to encrypt the transmitted credentials (login/password).
The integrated antivirus can be used as a service offered to external systems such as an MTA (Mail Transfer Agent). The fifth usage form (with antivirus keyword) allows you to define access policies for external systems. If no antivirus access policy is defined, the antivirus can’t be used as a service. Traffic bandwidths can also be customised for an external system using the optional <qos%> parameter. The <qos%> value represents the percentage of the bandwidth defined for a given type of traffic (with the command qos) and should be an integer between 1 and 100. If no <qos%> is given, the value of 100% is used by default. The system’s antivirus server IP address can be the internal, external or the auxiliary IP address according to the antivirus topology defined with the antivirus command.
When an appliance is installed as a gateway (as opposed to an appliance installed as a manager), it can be directly managed and administrated using the CLI and/or the Web GUI. In case you have a manager appliance, you have the possibility to configure gateways using that manager. Managers uses the SSH and SFTP protocols to exchange with gateways. In practice, managers upload all configuration files on gateways using the SFTP protocol and then remote execute commands on them using the SSH protocol (gateways act as SFTP nad SSH servers). Please note that to allow managers to access gateways, SSH administration should be activated on gateways (see the admin command for further information).
The sixth usage form allows you to give access to allowed mangers to administrate and configure the system. You can allow only one master manager and optionally one backup manager to administrate and configure a gateway. To allow a manager to access the system, use the keywords manager add followed by the manager’s role (master or backup), the logical interface (internal, external or auxiliary) from which the manager can access the system, the manager IP address and finally the textual representation of the managers’s SSH public key. To get the public SSH key of a manager, you can use the manager ssh show command on that manager. To delete a manager form the list of allowed manager, use the keywords manager del followed by the manager’s role (master or backup). Finally you can use the keywords manager raz to erase the allowed manager list. Using the keywords manager without any other arguments allows you to print the list of all managers. To show a manager SSH key content, you can use the "admin ssh key show <key-id>" command where <key-id> can be mmanager (for master manager) or bmanager (for backup manager).
admin (1) antivirus (1) apply (1) firewall (1) manager (1) mode (1) password (1) peer (1) qos (1) transparent (1) vlan (1)
CacheGuard Technologies Ltd <www.cacheguard.com>
Send bug reports or comments to the above author.
Copyright (C) 2009-2023 CacheGuard - All rights reserved