Search found 19 matches

by Aron
10 Mar 2017, 16:55
Forum: SG Discussions
Topic: Access VPN remote network with different routes
Replies: 8
Views: 5238

Re: Access VPN remote network with different routes

Yes, you can set up an additional routing table with a different route to the destination, and use a PBR rule (Policy Based Routing rule) to direct traffic into that routing table instead, based on what source ip/range/subnet the traffic is coming from.
by Aron
03 Mar 2017, 09:11
Forum: SG Discussions
Topic: VPN L2TP-PSK IPSEC with Linux Client (resurfaced)
Replies: 3
Views: 4484

Re: VPN L2TP-PSK IPSEC with Linux Client (resurfaced)

Running an ikesnoop from CLI on the Clavister can be very useful when troubleshooting IPsec negotiation problems.
ike -snoop <remote endpoint ip> -match
by Aron
28 Feb 2017, 14:32
Forum: SG How to's
Topic: Using Gateway Initiated Netcon to manage HA cluster with only one public ip
Replies: 0
Views: 2063

Using Gateway Initiated Netcon to manage HA cluster with only one public ip

This How-to applies to: Clavister cOS Core 11.10
Problem: I want to add a remote HA cluster to InControl but I don't have enough public ip addresses to assign each cluster node its own public ip for management.
Solution: By using Gateway Initiated on the NetconMgmt object and allowing the cluster n...
by Aron
23 Feb 2017, 14:29
Forum: SG Discussions
Topic: Ruleset for portforwarding
Replies: 1
Views: 1636

Re: Ruleset for portforwarding

Please have a look at chapter 7.4.7. Using an IP Policy for SAT in the cOS Core Administration Guide, it describes how to set up port forwarding in cOS Core. Keep in mind that if the public ip is the interface ip, destination interface on the IP policy should be Core, if the ip is arp published the...
by Aron
08 Dec 2016, 18:07
Forum: SG Discussions
Topic: Dynamic Max Connections
Replies: 1
Views: 1551

Re: Dynamic Max Connections

Given that the device has enough RAM available, the "Dynamic Max Connections" value will be taken from the license parameter "Max Connections". For the E20 license this means 8000 connections. If the connection table is filling up you might want to consider upgrading the license to an E20 Pro (16 00...
by Aron
08 Dec 2016, 17:54
Forum: SG Discussions
Topic: Multiple WAN IP
Replies: 7
Views: 3870

Re: Multiple WAN IP

Is the rule "exchange-ssl" set up to forward the traffic to the internal server?
Can you do the ping simulation again but include a source ip?

ping 78.108.60.254 -srcif=ge1 -srcip=8.8.8.8 -verbose -tcp -port=443
Also make sure that your internal server has the Clavister as its default gateway.
by Aron
02 Dec 2016, 08:53
Forum: SG Discussions
Topic: Enable interface as Trunk-port
Replies: 2
Views: 2213

Re: Enable interface as Trunk-port

Hello, just create VLAN10, 20 and 30 using G3 as the base interface, the physical interface will still be able to receive and send non-VLAN traffic. Here is an extract from the cOS Core Administration Guide about VLAN processing in Core: VLAN Processing cOS Core follows the IEEE 802.1Q specification....
by Aron
05 Oct 2016, 12:05
Forum: SG Discussions
Topic: Multiple WAN IP
Replies: 7
Views: 3870

Re: Multiple WAN IP

Make sure that the correct ip policy/rule is triggered.
You can verify this by doing a ping simulation from the CLI.

ping <interface ip/arp published ip> -srcif=<wan interface> -srcip=<source ip> -verbose -tcp/udp -port=<destport>
by Aron
03 Oct 2016, 12:57
Forum: SG Discussions
Topic: Basic rule to allow local ICMP
Replies: 1
Views: 1616

Re: Basic rule to allow local ICMP

To allow the firewall to reply to ping on a certain interface, the ip rule/ip policy should look something like this.
Action  src-if  src-net  dest-if  dest-net  service
Allow   LAN     lan_net  Core     lan_ip    icmp
by Aron
03 Oct 2016, 12:50
Forum: SG Discussions
Topic: Multiple WAN IP
Replies: 7
Views: 3870

Re: Multiple WAN IP

What destination interface are you using on the inbound SAT rules for the GE1_2 and GE1_3 ip's? For SAT policies using the interface ip, destination interface should be "Core" (all interface ip's are routed on Core). For SAT policies using ARP published ip's, destination interface should be the int...