access

NAME
SYNOPSIS
DESCRIPTION
SEE ALSO
AUTHOR
COPYRIGHT

NAME

access - Manage remote access to the appliance

SYNOPSIS

[1] access [web [raz | (add (internal | auxiliary | vpnipsec | admin | antivirus | file | mon | rweb | web) <ip> [<network-mask> [<qos%>]]) | (del <ip> <network-mask>)]]

[2] access [admin [raz | (add | del) (internal | external | auxiliary | vpnipsec) <ip> [<network-mask>]]]

[3] access [mon [raz | (add | del) (internal | external | auxiliary | vpnipsec) (<ip> | <name>)]]

[4] access [file [raz | ((add (internal | external | auxiliary | vpnipsec) (<ip> | <name>) [(ftp | sftp) <login> [<password>]]) | (del (<ip> | <name>)))]]

[5] access [antivirus [raz | (add (internal | external | auxiliary | vpnipsec) <ip> [<network-mask> [<qos%>]]) | (del <ip> <network-mask>)]]

[6] access [manager [raz | (add (master | backup) (internal | external | auxiliary) <ip> "<manager-public-ssh-key>") | (del (master | backup))]]

DESCRIPTION

This command gets or sets access policies for functional traffic exchanged with the appliance itself (as opposed to traffic routed through it). To configure access policies for traffic routed through the appliance, see the command firewall.

The first [1] usage form defines the networks, connected to or routed via a given network interface, that are allowed to use the appliance as a gateway for Web browsing (i.e. as a Web proxy). Bandwidth can also be customised per network with the optional <qos%> parameter. The <qos%> value is the percentage of the ingress or egress bandwidth allocated to web traffic and should be an integer between 1 and 100. The ingress and egress bandwidth values to which the percentage is applied are as follows:

• For accesses allowed via the native internal network interface or 802.1q pseudo network interfaces in vlan mode (web, rweb...), the ingress and egress bandwidths to consider are defined with the command usage form qos shape web internal.

• For accesses allowed via the auxiliary network interface, the ingress and egress bandwidths to consider are defined with the command usage form qos shape web auxiliary.

• For accesses allowed via the vpnipsec virtual network interface, the ingress bandwidth to consider is defined with the command usage form qos shape vpnipsec external ingress. The egress bandwidth for accesses allowed via the vpnipsec virtual network interface can’t be customised.

If no <qos%> is given, the value of 100% is used by default.

If no web access entry is defined, all networks located behind all interfaces except the external interface are allowed to access the Web with a QoS of 100%. Note that this default is permissive: an appliance with no web entries accepts proxy requests from every non-external network. Once at least one web access entry is defined, only the explicitly listed networks are allowed to use the appliance as a forwarding proxy, and only via the specified network interface. When the transparent mode is activated (see the command mode), the appliance acts as a transparent forwarding proxy only for the defined transparent networks; use the command transparent to define them.

When the vlan mode is activated (see the command mode), you can specify an explicit 802.1q pseudo interface instead of the internal interface. The allowed 802.1q pseudo interfaces are admin, antivirus, file, mon, rweb and web. It is recommended to always use 802.1q pseudo interfaces, even when the vlan mode is disabled, so that activating the vlan mode later does not require rewriting Web access rules. Finally, when the vlan mode is activated, the web interface replaces the internal interface in all Web access rules.

The <qos%> is defined for all IPs belonging to a Web access network. The effective share for a given IP depends on the amount of concurrent traffic from that network: an automatic scheduler shares the bandwidth allocated to a network equitably among its concurrent flows. Under concurrent load, the <qos%> limit of a network may be exceeded when other networks are below their own <qos%> limits. This mechanism is called borrowing; it can be enabled or disabled, see the command qos for further information. Please note that the percentages are not required to add up to 100%, although that is the recommended configuration.

The second [2] usage form configures access policies for administrators using SSH or the Web administration GUI. Only networks defined with this command are allowed to administer the system remotely, and only via the specified network interface (see the command admin). The system's administration IP address is the internal, external or auxiliary IP address, according to the administration topology defined with the admin topology command usage form. When the vlan mode is activated (see the command mode), the internal administration IP address is the one associated with the admin 802.1q pseudo device (see the command vlan).

The third [3] usage form configures access policies for monitoring (management) servers using the SNMP protocol. Only the SNMP managers defined with this command are allowed to access the appliance, and only via the specified network interface. If no monitoring access policy is defined, SNMP access is not allowed.

The fourth [4] usage form (with the file keyword) defines access policies for file servers. Operations like backing up the system or loading a URL list require access to a file server, and only file servers defined with this command are allowed to exchange data with the appliance. A file server is represented by its IP address or network name. If no file access policy is defined, file transfers to and from the appliance are not allowed. Supported protocols for file servers are FTP, SFTP and TFTP. For FTP and SFTP servers, if a login name is given, a password is required. If no password is given on the command line, it is requested in hidden mode (see also the command password); prefer this form, since a password given on the command line is displayed in clear. Please note that if the targeted FTP server supports SSL encryption and the CCC (Clear Command Channel) FTP command, the system uses SSL/TLS for the authentication phase in order to encrypt the transmitted credentials (login/password). CCC returns the control connection to clear text after authentication, so this protects the credentials rather than the transferred data.

The integrated antivirus can be offered as a service to external systems such as an MTA (Mail Transfer Agent). The system's antivirus server IP address is the internal, external or auxiliary IP address, according to the antivirus topology defined with the antivirus topology command usage form. The fifth [5] usage form defines the networks, connected to or routed via a given network interface, that are allowed to use the appliance as an antivirus service. If no antivirus access policy is defined, the antivirus can't be accessed as a service. Bandwidth can also be customised per network with the optional <qos%> parameter. The <qos%> value is the percentage of the ingress or egress bandwidth allocated to antivirus traffic and should be an integer between 1 and 100. The ingress and egress bandwidth values to which the percentage is applied are as follows:

• For accesses allowed via the native internal network interface or the 802.1q pseudo network interface called antivirus (in vlan mode), the ingress and egress bandwidths to consider are defined with the command usage form qos shape antivirus internal.

• For accesses allowed via the auxiliary network interface, the ingress and egress bandwidths to consider are defined with the command usage form qos shape antivirus auxiliary.

• For accesses allowed via the vpnipsec virtual network interface, the ingress bandwidth to consider is defined with the command usage form qos shape vpnipsec external ingress. The egress bandwidth for accesses allowed via the vpnipsec virtual network interface can’t be customised.

If no <qos%> is given, the value of 100% is used by default.
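As an added example (not part of the CacheGuard CLI or of this manual), the following Python script lints a set of "access web add" and "access antivirus add" lines offline against the grammar of usage forms [1] and [5] and the QoS rules described for both: it rejects interfaces a form does not accept (the web form has no external), enforces the 1..100 range, flags the permissive default when no web entry exists, reports a network listed twice on one interface, and reports per-interface qos% totals that differ from the recommended 100%. The rule lines and the "qos shape" bandwidth figures are constructed; treating a missing network mask as a single host is an assumption, since the page does not state the appliance's default.

```python
"""Offline lint for 'access web add' / 'access antivirus add' rules.

Added example, not CacheGuard code. Rule lines and bandwidth figures
below are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Interfaces each usage form accepts (from the synopsis). The web form
# has no 'external'; the antivirus form does.
PSEUDO_IFACES = {"admin", "antivirus", "file", "mon", "rweb", "web"}
ALLOWED_IFACES = {
    "web": {"internal", "auxiliary", "vpnipsec"} | PSEUDO_IFACES,
    "antivirus": {"internal", "external", "auxiliary", "vpnipsec"},
}

# Assumed 'qos shape <family> <iface>' ingress figures in kbit/s
# (constructed). 802.1q pseudo interfaces draw on the internal budget,
# since 'qos shape web internal' covers them as well.
SHAPED_KBPS = {
    ("web", "internal"): 100_000, ("web", "auxiliary"): 20_000,
    ("web", "vpnipsec"): 10_000,
    ("antivirus", "internal"): 50_000, ("antivirus", "external"): 5_000,
    ("antivirus", "auxiliary"): 5_000, ("antivirus", "vpnipsec"): 5_000,
}


def budget_iface(iface):
    """Shaping budget an interface is charged against."""
    return "internal" if iface in PSEUDO_IFACES else iface


def parse_rule(line):
    """Parse 'access (web|antivirus) add <iface> <ip> [<mask> [<qos%>]]'.

    A missing mask is treated as a single host here (assumption: the
    page does not state the appliance's default).
    """
    tok = line.split()
    if (len(tok) < 5 or tok[0] != "access" or tok[2] != "add"
            or tok[1] not in ALLOWED_IFACES):
        raise ValueError(f"not a web/antivirus add rule: {line!r}")
    if len(tok) > 7:
        raise ValueError(f"too many arguments: {line!r}")
    family, iface = tok[1], tok[3]
    if iface not in ALLOWED_IFACES[family]:
        raise ValueError(f"{family} form does not accept interface {iface!r}")
    mask = tok[5] if len(tok) > 5 else "255.255.255.255"
    qos = int(tok[6]) if len(tok) > 6 else 100      # default is 100%
    if not 1 <= qos <= 100:
        raise ValueError(f"qos% must be an integer between 1 and 100, got {qos}")
    # strict=True rejects an address with host bits set under the mask.
    net = ipaddress.IPv4Network(f"{tok[4]}/{mask}", strict=True)
    return {"family": family, "iface": iface, "net": net, "qos": qos}


def allocated_kbps(rule):
    """Bandwidth the network gets before borrowing: qos% of the shaped figure."""
    key = (rule["family"], budget_iface(rule["iface"]))
    return SHAPED_KBPS[key] * rule["qos"] // 100


def lint(lines):
    """Return (parsed rules, findings) for a list of rule lines."""
    rules = [parse_rule(l) for l in lines if l.strip() and not l.startswith("#")]
    findings = []
    if not any(r["family"] == "web" for r in rules):
        findings.append("web: no entry defined, so every network behind every "
                        "non-external interface may use the proxy at 100%")
    if not any(r["family"] == "antivirus" for r in rules):
        findings.append("antivirus: no entry defined, the antivirus is not "
                        "reachable as a service")
    totals, seen = defaultdict(int), set()
    for r in rules:
        totals[(r["family"], budget_iface(r["iface"]))] += r["qos"]
        dup = (r["family"], r["iface"], r["net"])
        if dup in seen:
            findings.append(f"{r['family']}: {r['net']} listed twice on {r['iface']}")
        seen.add(dup)
    for (family, iface), total in sorted(totals.items()):
        if total != 100:
            findings.append(f"{family}: qos% on {iface} totals {total}, "
                            "not the recommended 100")
    return rules, findings


# Constructed sample ruleset: the two 'web' pseudo-interface entries
# together claim 120% of the internal web budget.
SAMPLE_RULES = [
    "access web add web 192.168.1.0 255.255.255.0 60",
    "access web add web 192.168.2.0 255.255.255.0 60",
    "access web add auxiliary 10.10.0.0 255.255.0.0",
    "access web add vpnipsec 172.16.5.7",
    "access antivirus add external 203.0.113.25 255.255.255.255 100",
]

if __name__ == "__main__":
    rules, findings = lint(SAMPLE_RULES)
    for r in rules:
        print(f"{r['family']:<9} {r['iface']:<9} {str(r['net']):<20} "
              f"{r['qos']:>3}% -> {allocated_kbps(r)} kbit/s")
    for f in findings:
        print("FINDING:", f)
```

Run it on a dump of your own rules to catch a web rule written for external (rejected by the synopsis) or a ruleset that was never restricted and still relies on the permissive default.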

When an appliance is installed as a gateway (as opposed to a manager), it can be managed and administered directly through the CLI and/or the Web GUI. If you have a manager appliance, you can configure gateways from that manager. Managers use the SSH and SFTP protocols to exchange with gateways: in practice, a manager uploads all configuration files to a gateway using SFTP and then executes commands on it remotely using SSH (gateways act as SFTP and SSH servers). Please note that to allow managers to access gateways, SSH administration must be activated on the gateways (see the admin command for further information).

The sixth [6] usage form grants allowed managers access to administer and configure the system. Only one master manager and, optionally, one backup manager may administer and configure a gateway. To allow a manager to access the system, use the keywords manager add followed by the manager's role (master or backup), the logical interface (internal, external or auxiliary) from which the manager can reach the system, the manager's IP address and finally the textual representation of the manager's SSH public key. To get the public SSH key of a manager, use the manager ssh show command on that manager. To delete a manager from the list of allowed managers, use the keywords manager del followed by the manager's role (master or backup). Finally, the keywords manager raz erase the whole list of allowed managers. Using the keyword manager without any other argument prints the list of all managers. To show the content of a manager's SSH key, use the "admin ssh key show <key-id>" command, where <key-id> is mmanager (for the master manager) or bmanager (for the backup manager).

SEE ALSO

admin (1) antivirus (1) apply (1) firewall (1) manager (1) mode (1) password (1) peer (1) qos (1) transparent (1) vlan (1)

AUTHOR

CacheGuard Technologies Ltd <www.cacheguard.com>

Send bug reports or comments to the above author.

COPYRIGHT

Copyright (C) 2009-2024 CacheGuard - All rights reserved