admin - Manage administration services
admin [(snmp | ssh | wadmin | waudit) [on | off]]
admin tls [<tls-object-id>]
admin ssh key [raz | add (ftp | sftp | tftp) <file-server> <file-name> | del <key-number>]
admin topology (internal | external | auxiliary) [on | off]
admin user [raz | (add | del) <user-name>]
admin snmp [(user [<user-name>]) | (community [<community-password>]) | (privacy [<privacy-password>]) | (udp | tcp | tls [(on | off)]) | engine | (mode [(on | off)])]
admin snmp certificate [raz | add (ftp | sftp | tftp) <file-server> <file-name> | del <certificate-number>]
admin snmp [trap [raz | add (v1 | v2c) <receiver-server> [<port> [<community>]] | del (v1 | v2c) <receiver-server> [<port>] | test]]
admin snmp [trap [raz | add v3 <receiver-server> <port> <user-name> (md5 | sha) (des | aes) [<auth-password> [<privacy-password>]] | del v3 <receiver-server> <port> <user-name>]]
The first usage form of this command is used to activate or to deactivate administration/management services. These services allow remote administrators to access the system. Only SSH (secure shell) and HTTPS (secure HTTP) are supported in this version.
The keyword wadmin is related to the administration Web GUI. This service allows you to configure and administrate the appliance through a Web browser.
The keyword waudit is related to the appliance usage activity. Auditing allows you to:
* See a live summary view of different available logs (virus, access...).
* Inspect Web request contents for reverse websites (only for reverse websites that are in audit mode and if the waf mode is activated). This feature is for debugging purposes only. Never activate this mode on a production appliance.
The auditing is available at the URL https://<admin-ip>:<waudit-port> where <admin-ip> and <waudit-port> are respectively the administration IP address and the waudit port. The administration IP address may be the internal, external or auxiliary IP address of the appliance according to the configured administration topology (see the command admin for further information). When the VLAN mode is activated the administration IP address may be the IP address associated to the administration 802.1q pseudo device (see the command vlan for further information).
The second usage form allows you to set a TLS (SSL v3) server certificate for the Web GUI and the SNMP agent over TLS.
The third usage form allows you to manage SSH keys. Without any argument this command displays a list of defined SSH keys. The raz argument allows you to reset the SSH key list. The add argument allows you to add an RSA (or DSA) public key from a file located on a file server. Only trusted file servers are allowed. Trusted file servers are defined with the command access. The add usage form requires three mandatory arguments. The first argument is the protocol to use (ftp, sftp, or tftp). The second argument is the IP address of the file server. The third argument is the public key file name located on the file server. It must be a valid RSA (or DSA) public key. You can use the command ssh-keygen under a UNIX system to generate SSH key files. Note that the system supports the SSH protocol 2 only.
To remove an SSH key use the keyword del followed by the rank number of the key to delete. The rank number of a key can be obtained by using the command "admin ssh key". SSH keys are activated after using the apply command.
Please note that SSH keys are not part of the configuration thus they are not saved when the configuration is saved.
The fourth usage form allows you to define the administration access topology. The administration access topology defines the logical network interfaces from which administrators can connect. To allow administration connections from the internal interface turn the internal flag on (to deny, turn it off). To allow administration connections from the external interface turn the external flag on (to deny, turn it off). To allow administration connections from the auxiliary interface turn the auxiliary flag on (to deny, turn it off).
The fifth usage form allows you to add or remove restricted administrator users. Restricted administrators can consult or build a new configuration without having the right to apply it. Without any arguments, this command displays the list of restricted administrators. To add a restricted administrator use the keyword add followed by the user name. To delete a restricted administrator use the keyword del followed by the name of the restricted administrator to remove. A valid administrator name must begin with an alphabetic character followed by alphanumeric characters. To erase all restricted administrators use the keyword raz.
The default password for a newly created administrator is formed as follows: the string "apl!" followed by the year, the administrator user name and the number of installed users. Please note that restricted administrator users are not part of the configuration and are not saved when the configuration is saved.
The sixth usage form of the command admin allows you to configure or display the internal SNMP (Simple Network Management Protocol) agent parameters. The keyword community allows you to set the community string for SNMP v1 and v2c. In SNMP v3 the community string takes the role of the authentication password, used with the SHA-1 hash function. The keyword user allows you to set the user name for SNMP v3. When using SNMP v3 the data portion of the message being sent can be encrypted using AES (Advanced Encryption Standard). The keyword privacy allows you to set the password for the encryption algorithm. Note that privacy encryption is not mandatory and the agent accepts requests without encryption. The keywords udp, tcp and tls allow you to activate or deactivate respectively SNMP over UDP, TCP and TCP tunneled over TLS (for encryption). For security reasons we highly recommend using SNMP v3 with TLS or authentication and private encryption. A client TLS certificate is required to connect to the SNMP agent over TLS. See below how to install a client certificate.
Use the command access to define allowed SNMP managers to access the SNMP agent.
The integrated SNMP agent supports TLS over TCP connections and the seventh usage form allows you to manage client TLS certificates for authentication. Client certificates can be added by loading them from a file server. Only trusted file servers are allowed. Trusted file servers are defined with the command access.
The eighth and ninth usage forms of the command admin allow you to configure or display SNMP traps and notifications sent to an SNMP manager (the receiver). The system uses TCP to send these notifications (and not UDP). The fourth argument of these usage forms specifies the trap version to send. Allowed versions are v1, v2c and v3 respectively for SNMP v1 traps, SNMP v2c inform notifications and SNMP v3 inform notifications. The fifth argument defines the receiver server IP address or DNS name. The sixth argument defines the receiver listening port. For SNMP v1 and v2c if the port number is omitted, the port number is set to 162 (SNMP trap default port). To send SNMP v1 traps and v2c inform notifications a community string should be specified. A community string acts as a password for SNMP versions prior to v3. To send SNMP v3 inform notifications the user name, the authentication hash function (md5 or sha) and the encryption algorithm (des or aes) should be specified. According to the security level required by the SNMP v3 receiver, an authentication password and possibly a privacy encryption password should be given. If the receiver does not require those security levels just leave these parameters blank. Please note that when passwords are specified they must be at least 8 characters long.
To check the connectivity with SNMP receivers you can send testing traps to all configured receivers by using the keyword test. Please note that as with any other commands, the new configuration should be applied using the command apply before being able to send testing traps.
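The following is an added example, not part of the original manual or of CacheGuard's own tooling: a small Python reviewer that reads a list of admin commands before they are applied and reports the settings this page recommends against or that weaken SNMP and key transfers. The sample commands, addresses, names and passwords are constructed, and arguments are assumed to be separated by whitespace.

```python
# Added example: reviews queued "admin" commands against this page's guidance.
# SAMPLE is constructed; addresses, names and passwords are placeholders.
SAMPLE = """\
admin topology external on
admin snmp udp on
admin snmp tls on
admin snmp trap add v2c 192.0.2.10 162 public
admin snmp trap add v3 192.0.2.10 10162 monitor md5 des short
admin snmp trap add v3 192.0.2.11 10162 monitor sha aes Auth-Pass-01 Priv-Pass-01
admin ssh key add tftp 192.0.2.20 ops_rsa.pub
"""

def check_v3_trap(args):
    """args follow 'v3': receiver, port, user, hash, cipher, [auth-pw [priv-pw]]."""
    if len(args) < 5:
        return ["incomplete v3 trap definition"]
    out = []
    hash_fn, cipher, passwords = args[3], args[4], args[5:7]
    if hash_fn == "md5":
        out.append("v3 trap uses md5; sha is the stronger option offered")
    if cipher == "des":
        out.append("v3 trap uses des; aes is the stronger option offered")
    if len(passwords) < 2:
        out.append("v3 trap lacks an authentication or a privacy password")
    if any(len(p) < 8 for p in passwords):
        out.append("v3 trap password shorter than the required 8 characters")
    return out

def review(script):
    """Return (line_number, message) findings; arguments are split on whitespace."""
    findings = []
    for n, line in enumerate(script.splitlines(), 1):
        t = line.split()
        if t[:1] != ["admin"]:
            continue
        a, msgs = t[1:], []
        if a == ["topology", "external", "on"]:
            msgs.append("administration allowed from the external interface")
        elif a in (["snmp", "udp", "on"], ["snmp", "tcp", "on"]):
            msgs.append("SNMP over %s is not tunneled over TLS" % a[1])
        elif a[:3] == ["snmp", "trap", "add"] and a[3:4] in (["v1"], ["v2c"]):
            msgs.append("%s trap is protected only by a community string" % a[3])
        elif a[:4] == ["snmp", "trap", "add", "v3"]:
            msgs += check_v3_trap(a[4:])
        elif a[1:3] in (["key", "add"], ["certificate", "add"]):
            if a[3:4] in (["ftp"], ["tftp"]):
                msgs.append("%s transfer is unencrypted; sftp is available" % a[3])
        findings += [(n, m) for m in msgs]
    return findings
```

Calling review(SAMPLE) returns one (line number, message) pair per finding; the well-formed v3 trap on line 6 and the tls activation on line 3 produce none.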
The following is a brief description of some notifications sent by the system:
* During the installation, the system reserves the required space on HDDs to store different logs based mainly on the number of users and reverse websites. If a log file abnormally grows too quickly (maybe because the system is under a DoS attack) an SNMP trap is sent to notify that misbehaviour.
* During the installation, the system reserves required space for different filesystems according to the HDDs capacities so the system should never have a lack of space on disks. If for any reason (maybe an introduced bug) a filesystem’s free disk space falls below the threshold of 5%, an SNMP trap is sent to notify that misbehaviour.
* All network links are monitored so in case of a link up or down an SNMP trap is sent to notify that change.
* The load average of the system is continuously monitored and average loads for the past 5 and 15 minutes are calculated. If averages exceed the thresholds of 99% and 95% respectively for the past 5-minutes and 15-minutes, an SNMP trap is sent to notify that overload.
* All essential services are monitored so in case of a failure, disruption or lack of hardware resources to start enough related system processes to support the load an SNMP trap is sent to notify the disruption.
* A health checker system continuously examines all vital services and in case of a failure of a service, tries to restart it. In that case an SNMP trap is sent to notify that action. After the attempt to restart the service, another SNMP trap is sent to notify the result of that operation (failure or success). Finally if the High Availability mode is activated (see the command "mode ha") and the attempt to restart the service fails, an SNMP trap is sent to notify the failure. In this case all VRRP interfaces are shut down to explicitly remove the failed node from the pool of HA nodes.
* During URL lists auto loading if one or more URL list files can’t be loaded an SNMP trap is sent to notify the failure.
* If the antivirus mode is activated and the virus signature database is outdated by more than one day an SNMP trap is sent to notify the dysfunction.
* If the hardware hosting the system has HDDs with SMART (Self-Monitoring, Analysis and Reporting Technology) capabilities, they are monitored and in case of failures on HDDs notifications are sent.
* If the system has been installed with software RAID capabilities, the RAID is monitored and in case of failures on HDDs notifications are sent.
* If a USB Ethernet adapter is plugged or unplugged the system sends an SNMP trap. A similar SNMP trap is sent during the appliance startup if a NIC is added to or removed from the system.
* If the IP routing table contains multi-gateway routes, the system sends an SNMP trap in case of unavailability of those gateways.
The system supports known MIBs used to monitor Linux systems and also a dedicated MIB called CacheGuard-MIB. You can find the ASN.1 MIB description of the CacheGuard-MIB on the original installation CDROM or on the official CacheGuard website.
access (1) apply (1) mode (1) password (1) system (1) tls (1) vlan (1) vrrp (1)
CacheGuard Technologies Ltd <www.cacheguard.com>
Send bug reports or comments to the above author.
Copyright (C) 2009-2018 CacheGuard - All rights reserved