
Firstly, we must change the current CLI context to be the IPRuleSet called main using the
command:
Device:/> cc IPRuleSet main
Now add an IP rule called allow_ping_outbound to allow ICMP pings to pass:
Device:/main> add IPRule name=allow_ping_outbound
Action=NAT SourceInterface=ge3
SourceNetwork=InterfaceAddresses/ge3_net
DestinationInterface=ge2
DestinationNetwork=all-nets
Service=ping-outbound
The IP rule again has the NAT action, which is necessary if the protected local hosts have private
IP addresses. The ICMP requests will be sent out from the Clavister Security Gateway with the IP
address of the interface connected to the ISP as the source address. Responding hosts will send
back ICMP responses to this single IP and CorePlus will then forward the response to the correct
private IP address.
Adding a Drop All Rule
Scanning of the IP rule set is done in a top-down fashion. If no matching IP rule is found for a
new connection then the default rule is triggered. This rule is hidden and cannot be changed and
its action is to drop all such traffic as well as generate a log message for the drop.
In order to gain control over the logging of dropped traffic, it is recommended to create a drop
all rule as the last rule in the main IP rule set. This rule has an Action of Drop with the source and
destination network set to all-nets and the source and destination interface set to any.
The service for this rule must also be specified and this should be set to all_services in order to
capture all types of traffic. The command for creating this rule is:
Device:/main> add IPRule name=drop_all
Action=Drop SourceInterface=any
SourceNetwork=all-nets
DestinationInterface=any
DestinationNetwork=all-nets
Service=all_services
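As an added illustration (not code from the Clavister documentation), the Python sketch below models the top-down, first-match scan described above and audits a rule set for the recommended final drop-all rule. Matching is simplified to comparing object names, the drop_all rule follows the description in the text (all-nets for both networks), and the connection tuples and the `<hidden default rule>` label are assumptions made for the example.

```python
from dataclasses import dataclass

# Order of the match fields: SourceInterface, SourceNetwork,
# DestinationInterface, DestinationNetwork, Service.
WILDCARDS = ("any", "all-nets", "any", "all-nets", "all_services")
HIDDEN_DEFAULT = "<hidden default rule>"  # label invented for this example

@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    match: tuple  # five object names in the order given above

    def is_catch_all(self):
        return self.match == WILDCARDS

    def matches(self, conn):
        # Simplification: a connection is a 5-tuple of object names; a field
        # matches when the rule holds the wildcard or the identical name.
        return all(want in (wild, seen)
                   for want, wild, seen in zip(self.match, WILDCARDS, conn))

def evaluate(rules, conn):
    """Top-down scan: the first matching rule decides the connection."""
    for rule in rules:
        if rule.matches(conn):
            return rule.name, rule.action
    return HIDDEN_DEFAULT, "Drop"

def audit(rules):
    """Flag rule sets that deviate from the drop-all-last recommendation."""
    findings = []
    for i, rule in enumerate(rules[:-1]):
        if rule.is_catch_all():
            findings += [f"{later.name} is unreachable after {rule.name}"
                         for later in rules[i + 1:]]
            break
    if not (rules and rules[-1].is_catch_all() and rules[-1].action == "Drop"):
        findings.append("last rule is not an explicit drop-all")
    return findings

# Constructed rule set: the two rules created by the commands above.
MAIN = [
    Rule("allow_ping_outbound", "NAT",
         ("ge3", "InterfaceAddresses/ge3_net", "ge2", "all-nets", "ping-outbound")),
    Rule("drop_all", "Drop", WILDCARDS),
]
# Constructed connections; "internet-host" and "telnet" are made-up names.
PING = ("ge3", "InterfaceAddresses/ge3_net", "ge2", "internet-host", "ping-outbound")
TELNET = PING[:4] + ("telnet",)
```

Running `audit` on an exported rule list before deployment catches both a missing final drop-all and rules accidentally added below it.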
Uploading a License
Without a valid license loaded, CorePlus operates in demonstration mode, which means it will
cease operations 2 hours after startup. To remove this restriction, a valid license must be
uploaded to the Clavister Security Gateway.
To do this, download a license as described in the last part of Section 3.2, “Web Interface and
Wizard Setup”. This license can then be uploaded directly to CorePlus using a Secure Copy (SCP)
client (see the CorePlus Administrators Guide for more details of using SCP). As soon as the
license upload is complete, the 2-hour restriction is removed and CorePlus is limited
only by the restrictions of the license.
Chapter 3: CorePlus Configuration